CVE-2023-53035

Source
https://cve.org/CVERecord?id=CVE-2023-53035
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53035.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53035
Downstream
Related
Published
2025-05-02T15:54:54.876Z
Modified
2026-04-03T13:14:41.196153534Z
Summary
nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
Details

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()

The ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a metadata array to/from user space, may copy uninitialized buffer regions to user space memory for the read-only ioctl commands NILFS_IOCTL_GET_SUINFO and NILFS_IOCTL_GET_CPINFO.

This can occur when the element size of the user space metadata given by the v_size member of the argument nilfs_argv structure is larger than the size of the metadata element (nilfs_suinfo structure or nilfs_cpinfo structure) on the file system side.

KMSAN-enabled kernels detect this issue as follows:

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 _copy_to_user+0xc0/0x100 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:169 [inline]
 nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99
 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
 nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
 __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
 __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Uninit was created at:
 __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572
 alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287
 __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599
 nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74
 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
 nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
 __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
 __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Bytes 16-127 of 3968 are uninitialized ...

This eliminates the leak issue by initializing the page allocated as a buffer using get_zeroed_page().

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53035.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
003ff182fddde09ddfb8d079bbdb02f9d2122082
Fixed
a94932381e8dae4117e9129b3c1282e18aa97b05
Fixed
9c5034e9a0e03db8d5e9eabb176340259b5b97e4
Fixed
8f5cbf6a8c0e19b062b829c5b7aca01468bb57f6
Fixed
d18db946cc6a394291539e030df32324285648f7
Fixed
5bb105cc72beb9d51bf12f5c657336d2d35bdc5d
Fixed
5f33b042f74fc9662eba17f4cd19b07d84bbc6c5
Fixed
8a6550b365c0ce2e65905de57dcbfe1f7d629726
Fixed
003587000276f81d0114b5ce773d80c119d8cb30

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53035.json"