CVE-2023-52731

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52731
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52731.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52731
Downstream
Related
Published
2024-05-21T15:22:57Z
Modified
2025-10-21T14:26:46.193308Z
Summary
fbdev: Fix invalid page access after closing deferred I/O devices
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix invalid page access after closing deferred I/O devices

When a fbdev with deferred I/O is once opened and closed, the dirty pages still remain queued in the pageref list, and eventually later those may be processed in the delayed work. This may lead to a corruption of pages, hitting an Oops.

This patch makes sure to cancel the delayed work and clean up the pageref list at closing the device for addressing the bug. A part of the cleanup code is factored out as a new helper function that is called from the common fb_release().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
186b89659c4c67cccead52961eab0ca3b23951dc
Fixed
87b9802ca824fcee7915e717e9a60471af62e8e9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
56c134f7f1b58be08bdb0ca8372474a4a5165f31
Fixed
f1d91f0e9d5a240a809698d7d9c5a538e7dcc149
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
56c134f7f1b58be08bdb0ca8372474a4a5165f31
Fixed
3efc61d95259956db25347e2a9562c3e54546e20

Affected versions

v5.*

v5.18
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2-rc1
v6.2-rc2

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87b9802ca824fcee7915e717e9a60471af62e8e9",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "id": "CVE-2023-52731-07581e87",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "220971575929664324054009690615243493305",
                "9185951686281011176290410687136696656",
                "264287493988932985642503385094733320569",
                "139725680143808672036043953027139836404"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efc61d95259956db25347e2a9562c3e54546e20",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "id": "CVE-2023-52731-0d6669a3",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "220971575929664324054009690615243493305",
                "9185951686281011176290410687136696656",
                "264287493988932985642503385094733320569",
                "139725680143808672036043953027139836404"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87b9802ca824fcee7915e717e9a60471af62e8e9",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "include/linux/fb.h"
        },
        "id": "CVE-2023-52731-54a24210",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "208314558709312157804576410687663366253",
                "65731643813632477129050788631568493125",
                "317321520056188458598649025466962957916",
                "324299675841097761849055470457763504039"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1d91f0e9d5a240a809698d7d9c5a538e7dcc149",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "fb_deferred_io_cleanup",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        },
        "id": "CVE-2023-52731-641f43fa",
        "digest": {
            "length": 342.0,
            "function_hash": "27856199660949061341878625827920241241"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87b9802ca824fcee7915e717e9a60471af62e8e9",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "fb_deferred_io_cleanup",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        },
        "id": "CVE-2023-52731-7325ca48",
        "digest": {
            "length": 342.0,
            "function_hash": "27856199660949061341878625827920241241"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1d91f0e9d5a240a809698d7d9c5a538e7dcc149",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "include/linux/fb.h"
        },
        "id": "CVE-2023-52731-80a22706",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "208314558709312157804576410687663366253",
                "65731643813632477129050788631568493125",
                "317321520056188458598649025466962957916",
                "324299675841097761849055470457763504039"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efc61d95259956db25347e2a9562c3e54546e20",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "drivers/video/fbdev/core/fb_defio.c"
        },
        "id": "CVE-2023-52731-8146f7fe",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193683203519382274571350174604638068986",
                "141683507981823005834249158989270412186",
                "254576598503723529119119703479687762881",
                "39589692959009294473752984823694310840",
                "172511225514792921681443205535939681568",
                "291958150988430345239879525922011389613",
                "118536200104104402653056766297592848686",
                "305121920666290730864292360559117239769"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efc61d95259956db25347e2a9562c3e54546e20",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "include/linux/fb.h"
        },
        "id": "CVE-2023-52731-895d8e0e",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "208314558709312157804576410687663366253",
                "65731643813632477129050788631568493125",
                "317321520056188458598649025466962957916",
                "324299675841097761849055470457763504039"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1d91f0e9d5a240a809698d7d9c5a538e7dcc149",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "drivers/video/fbdev/core/fb_defio.c"
        },
        "id": "CVE-2023-52731-93fff174",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193683203519382274571350174604638068986",
                "141683507981823005834249158989270412186",
                "254576598503723529119119703479687762881",
                "39589692959009294473752984823694310840",
                "172511225514792921681443205535939681568",
                "291958150988430345239879525922011389613",
                "118536200104104402653056766297592848686",
                "305121920666290730864292360559117239769"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87b9802ca824fcee7915e717e9a60471af62e8e9",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "drivers/video/fbdev/core/fb_defio.c"
        },
        "id": "CVE-2023-52731-a18f4c30",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193683203519382274571350174604638068986",
                "141683507981823005834249158989270412186",
                "254576598503723529119119703479687762881",
                "39589692959009294473752984823694310840",
                "172511225514792921681443205535939681568",
                "291958150988430345239879525922011389613",
                "118536200104104402653056766297592848686",
                "305121920666290730864292360559117239769"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efc61d95259956db25347e2a9562c3e54546e20",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "fb_deferred_io_cleanup",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        },
        "id": "CVE-2023-52731-d138c589",
        "digest": {
            "length": 342.0,
            "function_hash": "27856199660949061341878625827920241241"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1d91f0e9d5a240a809698d7d9c5a538e7dcc149",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "drivers/video/fbdev/core/fbmem.c"
        },
        "id": "CVE-2023-52731-e76702c8",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "220971575929664324054009690615243493305",
                "9185951686281011176290410687136696656",
                "264287493988932985642503385094733320569",
                "139725680143808672036043953027139836404"
            ]
        },
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.19.0
Fixed
6.1.13