CVE-2023-4611: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2023-4611) was discovered in the memory management subsystem (mm/mempolicy.c) of the Linux Kernel. The vulnerability was disclosed on August 29, 2023, and affects Linux Kernel versions up to (excluding) 6.5. The issue stems from a race condition between mbind() and VMA-locked page fault operations (NVD, Debian Tracker).

The vulnerability occurs when mbind() calls vma_replace_policy() without taking the per-VMA locks, replaces the VMA's vma->vm_policy pointer, and frees the old policy. This creates a race condition where a concurrent page fault might still be using the old policy in vma_alloc_folio(), resulting in use-after-free. While this typically manifests as a use-after-free read initially, it can lead to memory corruption, particularly when vma_alloc_folio() calls mpol_cond_put() on the freed policy, which conditionally changes the policy's refcount member. The vulnerability affects systems with CONFIG_NUMA, including non-NUMA systems built with CONFIG_NUMA enabled (Spinics Commit).

The vulnerability can allow a local attacker to crash the system or potentially cause a kernel information leak. The severity is rated as MEDIUM with a CVSS v3.1 base score of 6.3 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H) (NVD).

The vulnerability was fixed in Linux Kernel 6.5-rc4 with a patch that modifies mm/mempolicy.c to take the VMA lock before replacing the policy. The fix involves adding proper locking mechanisms to prevent the race condition between mbind() and page fault operations (Spinics Commit).