目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2023-54157— Linux kernel 安全漏洞

AI 预测 7.8 利用难度: 中等 EPSS 0.17% · P6

影响版本矩阵 10

厂商产品版本范围状态
LinuxLinuxdd2283f2605e3b3e9c61bcae844b34f2afa4813f< 1bb8a65190d45cd5c7dbc85e29b9102110cd6be6affected
dd2283f2605e3b3e9c61bcae844b34f2afa4813f< 931ea1ed31be939c1efdbc49bc66d2a45684f9b4affected
dd2283f2605e3b3e9c61bcae844b34f2afa4813f< ca0cc0a9c6e56c699e2acbb93d8024523021f3c3affected
dd2283f2605e3b3e9c61bcae844b34f2afa4813f< d1d8875c8c13517f6fd1ff8d4d3e1ac366a17e07affected
4.20affected
< 4.20unaffected
5.15.115≤ 5.15.*unaffected
6.1.31≤ 6.1.*unaffected
… +2 条更多
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2023-54157 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
binder: fix UAF of alloc->vma in race with munmap()
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() [ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ] In commit 720c24192404 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to teardown and free the vma with only the read lock held. This means that accesses to alloc->vma in binder_update_page_range() now will race with vm_area_free() in munmap() and can cause a UAF as shown in the following KASAN trace: ================================================================== BUG: KASAN: use-after-free in vm_insert_page+0x7c/0x1f0 Read of size 8 at addr ffff16204ad00600 by task server/558 CPU: 3 PID: 558 Comm: server Not tainted 5.10.150-00001-gdc8dcf942daa #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x2a0 show_stack+0x18/0x2c dump_stack+0xf8/0x164 print_address_description.constprop.0+0x9c/0x538 kasan_report+0x120/0x200 __asan_load8+0xa0/0xc4 vm_insert_page+0x7c/0x1f0 binder_update_page_range+0x278/0x50c binder_alloc_new_buf+0x3f0/0xba0 binder_transaction+0x64c/0x3040 binder_thread_write+0x924/0x2020 binder_ioctl+0x1610/0x2e5c __arm64_sys_ioctl+0xd4/0x120 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Allocated by task 559: kasan_save_stack+0x38/0x6c __kasan_kmalloc.constprop.0+0xe4/0xf0 kasan_slab_alloc+0x18/0x2c kmem_cache_alloc+0x1b0/0x2d0 vm_area_alloc+0x28/0x94 mmap_region+0x378/0x920 do_mmap+0x3f0/0x600 vm_mmap_pgoff+0x150/0x17c ksys_mmap_pgoff+0x284/0x2dc __arm64_sys_mmap+0x84/0xa4 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 Freed by task 560: kasan_save_stack+0x38/0x6c kasan_set_track+0x28/0x40 kasan_set_free_info+0x24/0x4c __kasan_slab_free+0x100/0x164 kasan_slab_free+0x14/0x20 kmem_cache_free+0xc4/0x34c vm_area_free+0x1c/0x2c remove_vma+0x7c/0x94 __do_munmap+0x358/0x710 __vm_munmap+0xbc/0x130 __arm64_sys_munmap+0x4c/0x64 el0_svc_common.constprop.0+0xac/0x270 do_el0_svc+0x38/0xa0 el0_svc+0x1c/0x2c el0_sync_handler+0xe8/0x114 el0_sync+0x180/0x1c0 [...] ================================================================== To prevent the race above, revert back to taking the mmap write lock inside binder_update_page_range(). One might expect an increase of mmap lock contention. However, binder already serializes these calls via top level alloc->mutex. Also, there was no performance impact shown when running the binder benchmark tests.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Linux kernel 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于释放后重用,可能导致非法访问。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux dd2283f2605e3b3e9c61bcae844b34f2afa4813f ~ 1bb8a65190d45cd5c7dbc85e29b9102110cd6be6 -
LinuxLinux 4.20 -

二、漏洞 CVE-2023-54157 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2023-54157 的情报信息

登录查看更多情报信息。

CVE-2023-54157 其他参考 (3)

同批安全公告 · Linux · 2025-12-24 · 共 322 条

CVE-2022-50753Linux kernel 安全漏洞
CVE-2022-50764Linux kernel 安全漏洞
CVE-2022-50763Linux kernel 安全漏洞
CVE-2022-50762Linux kernel 安全漏洞
CVE-2022-50760Linux kernel 安全漏洞
CVE-2022-50761Linux kernel 安全漏洞
CVE-2022-50759Linux kernel 安全漏洞
CVE-2022-50758Linux kernel 安全漏洞
CVE-2022-50756Linux kernel 安全漏洞
CVE-2022-50757Linux kernel 安全漏洞
CVE-2022-50755Linux kernel 安全漏洞
CVE-2022-50750Linux kernel 安全漏洞
CVE-2022-50745Linux kernel 安全漏洞
CVE-2022-50746Linux kernel 安全漏洞
CVE-2022-50747Linux kernel 安全漏洞
CVE-2022-50748Linux kernel 安全漏洞
CVE-2022-50751Linux kernel 安全漏洞
CVE-2022-50754Linux kernel 安全漏洞
CVE-2022-50752Linux kernel 安全漏洞
CVE-2022-50765Linux kernel 安全漏洞

显示前 20 条,共 322 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2023-54157

暂无评论


发表评论