CVE-2023-52803

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52803
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52803.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52803
Related
Published
2024-05-21T16:15:18Z
Modified
2024-09-18T03:24:38.863783Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

RPC client pipefs dentries cleanup is in separated rpcremovepipedir() workqueue,which takes care about pipefs superblock locking. In some special scenarios, when kernel frees the pipefs sb of the current client and immediately alloctes a new pipefs sb, rpcremovepipedir function would misjudge the existence of pipefs sb which is not the one it used to hold. As a result, the rpcremovepipedir would clean the released freed pipefs dentries.

To fix this issue, rpcremovepipedir should check whether the current pipefs sb is consistent with the original pipefs sb.

This error can be catched by KASAN:

[ 250.497700] BUG: KASAN: slab-use-after-free in dgetparent+0x195/0x200 [ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503 [ 250.500549] Workqueue: events rpcfreeclientwork [ 250.501001] Call Trace: [ 250.502880] kasanreport+0xb6/0xf0 [ 250.503209] ? dgetparent+0x195/0x200 [ 250.503561] dgetparent+0x195/0x200 [ 250.503897] ? _pfxrpcclntdirdepopulate+0x10/0x10 [ 250.504384] rpcrmdirdepopulate+0x1b/0x90 [ 250.504781] rpcremoveclientdir+0xf5/0x150 [ 250.505195] rpcfreeclientwork+0xe4/0x230 [ 250.505598] processonework+0x8ee/0x13b0 ... [ 22.039056] Allocated by task 244: [ 22.039390] kasansavestack+0x22/0x50 [ 22.039758] kasansettrack+0x25/0x30 [ 22.040109] _kasanslaballoc+0x59/0x70 [ 22.040487] kmemcachealloclru+0xf0/0x240 [ 22.040889] _dalloc+0x31/0x8e0 [ 22.041207] dalloc+0x44/0x1f0 [ 22.041514] _rpclookupcreateexclusive+0x11c/0x140 [ 22.041987] rpcmkdirpopulate.constprop.0+0x5f/0x110 [ 22.042459] rpccreateclientdir+0x34/0x150 [ 22.042874] rpcsetuppipedirsb+0x102/0x1c0 [ 22.043284] rpcclientregister+0x136/0x4e0 [ 22.043689] rpcnewclient+0x911/0x1020 [ 22.044057] rpccreatexprt+0xcb/0x370 [ 22.044417] rpccreate+0x36b/0x6c0 ... [ 22.049524] Freed by task 0: [ 22.049803] kasansavestack+0x22/0x50 [ 22.050165] kasansettrack+0x25/0x30 [ 22.050520] kasansavefreeinfo+0x2b/0x50 [ 22.050921] _kasanslabfree+0x10e/0x1a0 [ 22.051306] kmemcachefree+0xa5/0x390 [ 22.051667] rcucore+0x62c/0x1930 [ 22.051995] _dosoftirq+0x165/0x52a [ 22.052347] [ 22.052503] Last potentially related work creation: [ 22.052952] kasansavestack+0x22/0x50 [ 22.053313] _kasanrecordauxstack+0x8e/0xa0 [ 22.053739] _callrcucommon.constprop.0+0x6b/0x8b0 [ 22.054209] dentryfree+0xb2/0x140 [ 22.054540] _dentrykill+0x3be/0x540 [ 22.054900] shrinkdentrylist+0x199/0x510 [ 22.055293] shrinkdcacheparent+0x190/0x240 [ 22.055703] doonetree+0x11/0x40 [ 22.056028] shrinkdcacheforumount+0x61/0x140 [ 22.056461] genericshutdownsuper+0x70/0x590 [ 22.056879] killanonsuper+0x3a/0x60 [ 22.057234] rpckill_sb+0x121/0x200

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.205-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.64-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.6.8-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}