CVE-2023-52983
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2023-52983 is a use-after-free vulnerability (CWE-416) in the Linux kernel's BFQ block I/O scheduler. The issue arises in the bic_set_bfqq() function within the block/bfq component, where bic->bfqq is accessed after being freed in certain contexts. This stems from changes introduced by commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'"), leading to potential use-after-free conditions during bfqq handling.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), over a local attack vector (AV:L) with unchanged scope (S:U). Exploitation could result in high impact to confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS 3.1 base score of 7.8.
Mitigation requires applying the relevant stable kernel patches, available via the following git.kernel.org commits: 511c922c5bf6c8a166bea826e702336bc2424140, 7f77f3dab5066a7c9da73d72d1eee895ff84a8d5, b600de2d7d3a16f9007fad1bdae82a3951a26af2, and cb1876fc33af26d00efdd473311f1b664c77c44e. These patches resolve the issue by ensuring bfqq is always freed after bic_set_bfqq().
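The ordering rule behind the fix can be seen in a small user-space model. This is an added example, not kernel code or code from the patches: the structures, put_queue(), bic_set_bfqq_model() and run_order() are simplified assumptions, and a "freed" flag stands in for the real free so the stale access can be counted safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions), not the kernel's real structures. */
struct bic;
struct bfqq { int ref; bool freed; struct bic *bic; };
struct bic  { struct bfqq *bfqq; };

static int stale_accesses; /* times the setter touched a released queue */

/* Drop one reference; the flag stands in for the real free. */
static void put_queue(struct bfqq *q)
{
    if (--q->ref == 0)
        q->freed = true;
}

/* Model of the setter: it inspects the queue currently stored in the
 * bic before replacing it, which is where a stale pointer gets used. */
static void bic_set_bfqq_model(struct bic *bic, struct bfqq *newq)
{
    struct bfqq *old = bic->bfqq;
    if (old && old->freed)
        stale_accesses++;          /* in a real kernel: use-after-free */
    else if (old && old->bic == bic)
        old->bic = NULL;           /* unlink the old queue from this bic */
    bic->bfqq = newq;
}

/* Run one scenario; returns the number of stale accesses observed. */
int run_order(bool release_first)
{
    struct bfqq q = { .ref = 1, .freed = false, .bic = NULL };
    struct bic b = { .bfqq = &q };
    q.bic = &b;
    stale_accesses = 0;
    if (release_first) put_queue(&q);      /* release before the setter */
    bic_set_bfqq_model(&b, NULL);
    if (!release_first) put_queue(&q);     /* release after the setter */
    return stale_accesses;
}

int main(void)
{
    printf("release then set: %d stale access(es)\n", run_order(true));
    printf("set then release: %d stale access(es)\n", run_order(false));
    return 0;
}
```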
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the Linux kernel BFQ scheduler enables a local low-privileged attacker to escalate privileges, with high impact on confidentiality, integrity, and availability.