CVE-2023-52447
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2023-52447 is a use-after-free vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem. It concerns how inner maps are handled in map arrays and map htabs: an inner map may still be accessed by non-sleepable or sleepable programs after it has been freed (Security Online, NVD). Affected kernels are versions from 5.9.0 up to, but not including, 6.1.75, 6.6.14, and 6.7.2.

Technical details

The vulnerability occurs when updating or deleting an inner map in a map array or map htab. The issue arises because bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(). If this is the last reference (common in most cases), the inner map is freed by ops->map_free() in a kworker. However, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for an RCU grace period, potentially leading to use-after-free conditions. The vulnerability has been assigned a CVSS v3.1 base score of 6.7 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

The vulnerability can lead to use-after-free conditions in the Linux kernel's BPF subsystem, potentially allowing attackers to execute arbitrary code, cause system crashes, or escalate privileges. The impact is particularly significant in containerized environments where BPF programs are commonly used for networking and security monitoring (Security Online).

Mitigation and workarounds

The vulnerability has been fixed by implementing proper deferred freeing of inner maps. The fix ensures that bpf_map_free_deferred() is called after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map. The fix uses call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of the BPF map (Kernel Patch). Users should update to Linux kernel versions 6.1.75, 6.6.14, 6.7.2 or later.
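
The fixed releases above belong to three separate stable series, so a plain "newer than 6.1.75" comparison misclassifies kernels such as 6.5.x. The following added example (not part of the original advisory) triages `uname -r` strings against the ranges stated here; the function names and sample hosts are constructed, and it assumes that "or later" covers every series from 6.8 onward and that series with no listed fixed release remain affected.

```python
import re

# First fixed patch level per stable series, as listed in the advisory.
FIXED = {(6, 1): 75, (6, 6): 14, (6, 7): 2}
FIRST_AFFECTED = (5, 9, 0)    # first affected release per the advisory
FIRST_CLEAN_SERIES = (6, 8)   # assumption: series after 6.7 shipped with the fix


def parse_release(release):
    """Turn a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(release):
    """Return 'not-affected', 'fixed' or 'affected' from the upstream version alone."""
    major, minor, patch = version = parse_release(release)
    if version < FIRST_AFFECTED:
        return "not-affected"
    if (major, minor) >= FIRST_CLEAN_SERIES:
        return "fixed"
    first_fixed = FIXED.get((major, minor))
    if first_fixed is not None and patch >= first_fixed:
        return "fixed"
    # Either a patched series below its fixed release, or a series
    # (5.10, 5.15, 6.2-6.5, ...) for which the advisory lists no fixed release.
    return "affected"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(release) for host, release in inventory.items()}


# Constructed sample inventory (hostname -> `uname -r` output), not real hosts.
SAMPLE_INVENTORY = {
    "build-01": "6.1.74-1-amd64",
    "build-02": "6.1.75",
    "edge-01": "6.5.0-14-generic",
    "edge-02": "6.6.14",
    "legacy-01": "5.8.18",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A distribution kernel may carry the fix under an older version number, so an "affected" result is a prompt to check the vendor's advisory for that package rather than a final verdict.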

This report was generated using AI.