{
  "threat_severity" : "Low",
  "public_date" : "2024-03-02T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm/slab_common: slab_caches list corruption after kmem_cache_destroy()",
    "id" : "2267737",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2267737"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-401",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/slab_common: fix slab_caches list corruption after kmem_cache_destroy()\nAfter the commit in Fixes:, if a module that created a slab cache does not\nrelease all of its allocated objects before destroying the cache (at rmmod\ntime), we might end up releasing the kmem_cache object without removing it\nfrom the slab_caches list thus corrupting the list as kmem_cache_destroy()\nignores the return value from shutdown_cache(), which in turn never removes\nthe kmem_cache object from slabs_list in case __kmem_cache_shutdown() fails\nto release all of the cache's slabs.\nThis is easily observable on a kernel built with CONFIG_DEBUG_LIST=y\nas after that ill release the system will immediately trip on list_add,\nor list_del, assertions similar to the one shown below as soon as another\nkmem_cache gets created, or destroyed:\n[ 1041.213632] list_del corruption. next->prev should be ffff89f596fb5768, but was 52f1e5016aeee75d. (next=ffff89f595a1b268)\n[ 1041.219165] ------------[ cut here ]------------\n[ 1041.221517] kernel BUG at lib/list_debug.c:62!\n[ 1041.223452] invalid opcode: 0000 [#1] PREEMPT SMP PTI\n[ 1041.225408] CPU: 2 PID: 1852 Comm: rmmod Kdump: loaded Tainted: G    B   W  OE      6.5.0 #15\n[ 1041.228244] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n[ 1041.231212] RIP: 0010:__list_del_entry_valid+0xae/0xb0\nAnother quick way to trigger this issue, in a kernel with CONFIG_SLUB=y,\nis to set slub_debug to poison the released objects and then just run\ncat /proc/slabinfo after removing the module that leaks slab objects,\nin which case the kernel will panic:\n[   50.954843] general protection fault, probably for non-canonical address 0xa56b6b6b6b6b6b8b: 0000 [#1] PREEMPT SMP PTI\n[   50.961545] CPU: 2 PID: 1495 Comm: cat Kdump: loaded Tainted: G    B   W  OE      6.5.0 #15\n[   50.966808] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc37 05/24/2023\n[   50.972663] RIP: 0010:get_slabinfo+0x42/0xf0\nThis patch fixes this issue by properly checking shutdown_cache()'s\nreturn value before taking the kmem_cache_release() branch." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-28T00:00:00Z",
    "advisory" : "RHSA-2023:7549",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-513.9.1.el8_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2023-11-28T00:00:00Z",
    "advisory" : "RHSA-2023:7539",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "kernel-0:4.18.0-477.36.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-01-30T00:00:00Z",
    "advisory" : "RHBA-2024:0611",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "rhel9/flatpak-runtime:el9-9030020230825103938.1706180714"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-01-30T00:00:00Z",
    "advisory" : "RHBA-2024:0611",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "rhel9/flatpak-sdk:el9-9030020230825103938.1706180712"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0448",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "kernel-0:5.14.0-284.48.1.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-52562\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52562\nhttps://lore.kernel.org/linux-cve-announce/2024030253-CVE-2023-52562-da24@gregkh/T/#u" ],
  "name" : "CVE-2023-52562",
  "csaw" : false
}