CVE-2023-5717: 
Linux Kernel vulnerability analysis and mitigation

A heap out-of-bounds write vulnerability (CVE-2023-5717) was discovered in the Linux kernel's Linux Kernel Performance Events (perf) component. The vulnerability was reported by Budimir Markovic and disclosed on October 25, 2023. The issue affects Linux kernel versions from 3.2.95 up to 6.6-rc7. The vulnerability occurs when perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, allowing it to increment or write to memory locations outside of the allocated buffer (NVD, Ubuntu).

The vulnerability stems from a group consistency issue that is non-atomic between parent (filedesc) and children (inherited) events. The problem became apparent after commit fa8c269353d5 which inverted perf_read_group() loops, changing the order of child_list and sibling_list traversal. The flaw allows for PERF_FORMAT_GROUP read() to attempt summing non-matching counter groups, resulting in potential out-of-bounds write operations. The issue has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Kernel Patch).

The vulnerability can be exploited to achieve local privilege escalation. However, on systems with default configurations like Ubuntu, where SECURITY_PERF_EVENTS_RESTRICT is enabled and kernel.perf_event_paranoid >= 2, unprivileged users are prevented from using perf by default, limiting the exploitation potential (Ubuntu).

The vulnerability has been fixed in Linux kernel commit 32671e3799ca2e4590773fd0e63aaa4229e50c06. The fix adds group_generation to distinguish cases where a parent group removes and adds an event, preventing the mis-matched inherited group reads. Various distributions have released patches, including Ubuntu, Debian, and Red Hat. Systems should be updated to versions containing the fix. Additionally, maintaining restrictive perf_event_paranoid settings provides protection against exploitation (Kernel Patch).