{ "threat_severity" : "Moderate", "public_date" : "2025-10-07T00:00:00Z", "bugzilla" : { "description" : "kernel: md: don't dereference mddev after export_rdev()", "id" : "2402216", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2402216" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-911", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmd: don't dereference mddev after export_rdev()\nExcept for initial reference, mddev->kobject is referenced by\nrdev->kobject, and if the last rdev is freed, there is no guarantee that\nmddev is still valid. Hence mddev should not be used anymore after\nexport_rdev().\nThis problem can be triggered by following test for mdadm at very\nlow rate:\nNew file: mdadm/tests/23rdev-lifetime\ndevname=${dev0##*/}\ndevt=`cat /sys/block/$devname/dev`\npid=\"\"\nruntime=2\nclean_up_test() {\npill -9 $pid\necho clear > /sys/block/md0/md/array_state\n}\ntrap 'clean_up_test' EXIT\nadd_by_sysfs() {\nwhile true; do\necho $devt > /sys/block/md0/md/new_dev\ndone\n}\nremove_by_sysfs(){\nwhile true; do\necho remove > /sys/block/md0/md/dev-${devname}/state\ndone\n}\necho md0 > /sys/module/md_mod/parameters/new_array || die \"create md0 failed\"\nadd_by_sysfs &\npid=\"$pid $!\"\nremove_by_sysfs &\npid=\"$pid $!\"\nsleep $runtime\nexit 0\nTest cmd:\n./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime\nTest result:\ngeneral protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP\nCPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562\nRIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]\nCall Trace:\n\nmddev_unlock+0x1b6/0x310 [md_mod]\nrdev_attr_store+0xec/0x190 [md_mod]\nsysfs_kf_write+0x52/0x70\nkernfs_fop_write_iter+0x19a/0x2a0\nvfs_write+0x3b5/0x770\nksys_write+0x74/0x150\n__x64_sys_write+0x22/0x30\ndo_syscall_64+0x40/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nFix this problem by don't dereference mddev after export_rdev().", "A use-after-free vulnerability was found in the Linux kernel multiple device RAID subsystem's device lifetime management. A local user with privileges to manage MD arrays can trigger concurrent device addition and removal operations via sysfs, causing a race condition where the mddev structure is freed when the last rdev is removed but then dereferenced afterward, which leads to memory corruption and can result in denial of service via kernel crash or potentially privilege escalation through heap manipulation." ], "statement" : "The issue arises because of incorrect object lifetime management in the MD RAID device removal path. The mddev->kobject reference is primarily held through rdev->kobject references. When export_rdev() removes the last remaining device from an array, the mddev structure can be freed as its reference count drops to zero. However, the code path in rdev_attr_store() continues to use the mddev pointer after calling export_rdev(), leading to a use-after-free condition. This can be triggered by racing concurrent writes to sysfs: one thread continuously adds devices via /sys/block/md0/md/new_dev while another removes them via /sys/block/md0/md/dev-/state. The race window is narrow, occurring at very low frequency even under stress testing, which justifies the high attack complexity. The general protection fault shows the freed memory contains the SLAB poison pattern (0x6b6b6b6b6b6b6bcb), confirming use-after-free. While use-after-free vulnerabilities are known memory corruption primitives that can enable privilege escalation through careful heap manipulation, successful exploitation requires both timing the race precisely and controlling heap layout, making this significantly more complex than a straightforward memory safety violation.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2394", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-427.13.1.el9_4" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53665\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53665\nhttps://lore.kernel.org/linux-cve-announce/2025100704-CVE-2023-53665-3411@gregkh/T" ], "name" : "CVE-2023-53665", "mitigation" : { "value" : "To mitigate this issue, prevent the md_mod module from loading. See https://access.redhat.com/solutions/41278 for instructions on blacklisting kernel modules.", "lang" : "en:us" }, "csaw" : false }