In the Linux kernel, the following vulnerability has been resolved:
loop: Fix use-after-free issues
do_req_filebacked() calls blk_mq_complete_request() synchronously or asynchronously when using asynchronous I/O unless memory allocation fails. Hence, modify loop_handle_cmd() such that it does not dereference 'cmd' nor 'rq' after do_req_filebacked() has finished unless we are sure that the request has not yet been completed. This patch fixes the following kernel crash:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000054
Call trace:
 css_put.42938+0x1c/0x1ac
 loop_process_work+0xc8c/0xfd4
 loop_rootcg_workfn+0x24/0x34
 process_one_work+0x244/0x558
 worker_thread+0x400/0x8fc
 kthread+0x16c/0x1e0
 ret_from_fork+0x10/0x20
[ { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6917395c4667cfb607ed8bf1826205a59414657c", "target": { "function": "loop_handle_cmd", "file": "drivers/block/loop.c" }, "digest": { "function_hash": "280424649477035275192816224685340893097", "length": 784.0 }, "deprecated": false, "id": "CVE-2023-53111-6626dcfc", "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9b0cb770f5d7b1ff40bea7ca385438ee94570eec", "target": { "function": "loop_handle_cmd", "file": "drivers/block/loop.c" }, "digest": { "function_hash": "280424649477035275192816224685340893097", "length": 784.0 }, "deprecated": false, "id": "CVE-2023-53111-6a302578", "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@407badf73ec9fb0d5744bf2ca1745c1818aa222f", "target": { "function": "loop_handle_cmd", "file": "drivers/block/loop.c" }, "digest": { "function_hash": "280424649477035275192816224685340893097", "length": 784.0 }, "deprecated": false, "id": "CVE-2023-53111-6d09bba3", "signature_version": "v1", "signature_type": "Function" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3fda704903f6d1fc351412f1bc6620333959ada", "target": { "file": "drivers/block/loop.c" }, "digest": { "line_hashes": [ "193334294052310892089963391084207636149", "14782763506971191113900811479887234360", "92853807806449118286956205567760528423", "194792205469333789449066015464241290560", "328656966166700105584003487593755292885", "300336711901199600748931423816393718508", "253275767705370338346938100805343571224", "11216852390473757737263555310455517817", "323819976677972103276239289301126821271", "116000401357759611930347339058882673415", "250716287935165077556213854606662727265", "207318215247547956365750057382610700372", "263462564095510977466124483185600332132", 
"228455130055852946326097429808216676818", "139490683512698094925466343918437631481", "113328661416603041955617913630558656718", "154547763408913221873819650218363118631", "12319346714307597758267393922567958072", "79306971363493596568677698019427413026", "136089273696878758232448797733387709261", "195978069985388764849461313280523271034", "83138619049568730826365888537819399952", "263563130480527867575437123712573162182", "152292177077365007750050635731070098651", "327260244070899074665061388036246427611", "35117640948244452855285421422556939928", "39811224525780805187295994217874079455" ], "threshold": 0.9 }, "deprecated": false, "id": "CVE-2023-53111-7bbad26c", "signature_version": "v1", "signature_type": "Line" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9b0cb770f5d7b1ff40bea7ca385438ee94570eec", "target": { "file": "drivers/block/loop.c" }, "digest": { "line_hashes": [ "193334294052310892089963391084207636149", "14782763506971191113900811479887234360", "92853807806449118286956205567760528423", "194792205469333789449066015464241290560", "328656966166700105584003487593755292885", "300336711901199600748931423816393718508", "253275767705370338346938100805343571224", "11216852390473757737263555310455517817", "323819976677972103276239289301126821271", "116000401357759611930347339058882673415", "250716287935165077556213854606662727265", "207318215247547956365750057382610700372", "263462564095510977466124483185600332132", "228455130055852946326097429808216676818", "139490683512698094925466343918437631481", "113328661416603041955617913630558656718", "154547763408913221873819650218363118631", "12319346714307597758267393922567958072", "79306971363493596568677698019427413026", "136089273696878758232448797733387709261", "195978069985388764849461313280523271034", "83138619049568730826365888537819399952", "263563130480527867575437123712573162182", "152292177077365007750050635731070098651", "327260244070899074665061388036246427611", 
"35117640948244452855285421422556939928", "39811224525780805187295994217874079455" ], "threshold": 0.9 }, "deprecated": false, "id": "CVE-2023-53111-a76891cf", "signature_version": "v1", "signature_type": "Line" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@407badf73ec9fb0d5744bf2ca1745c1818aa222f", "target": { "file": "drivers/block/loop.c" }, "digest": { "line_hashes": [ "193334294052310892089963391084207636149", "14782763506971191113900811479887234360", "92853807806449118286956205567760528423", "194792205469333789449066015464241290560", "328656966166700105584003487593755292885", "300336711901199600748931423816393718508", "253275767705370338346938100805343571224", "11216852390473757737263555310455517817", "323819976677972103276239289301126821271", "116000401357759611930347339058882673415", "250716287935165077556213854606662727265", "207318215247547956365750057382610700372", "263462564095510977466124483185600332132", "228455130055852946326097429808216676818", "139490683512698094925466343918437631481", "113328661416603041955617913630558656718", "154547763408913221873819650218363118631", "12319346714307597758267393922567958072", "79306971363493596568677698019427413026", "136089273696878758232448797733387709261", "195978069985388764849461313280523271034", "83138619049568730826365888537819399952", "263563130480527867575437123712573162182", "152292177077365007750050635731070098651", "327260244070899074665061388036246427611", "35117640948244452855285421422556939928", "39811224525780805187295994217874079455" ], "threshold": 0.9 }, "deprecated": false, "id": "CVE-2023-53111-ac868202", "signature_version": "v1", "signature_type": "Line" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6917395c4667cfb607ed8bf1826205a59414657c", "target": { "file": "drivers/block/loop.c" }, "digest": { "line_hashes": [ "193334294052310892089963391084207636149", "14782763506971191113900811479887234360", 
"92853807806449118286956205567760528423", "194792205469333789449066015464241290560", "328656966166700105584003487593755292885", "300336711901199600748931423816393718508", "253275767705370338346938100805343571224", "11216852390473757737263555310455517817", "323819976677972103276239289301126821271", "116000401357759611930347339058882673415", "250716287935165077556213854606662727265", "207318215247547956365750057382610700372", "263462564095510977466124483185600332132", "228455130055852946326097429808216676818", "139490683512698094925466343918437631481", "113328661416603041955617913630558656718", "154547763408913221873819650218363118631", "12319346714307597758267393922567958072", "79306971363493596568677698019427413026", "136089273696878758232448797733387709261", "195978069985388764849461313280523271034", "83138619049568730826365888537819399952", "263563130480527867575437123712573162182", "152292177077365007750050635731070098651", "327260244070899074665061388036246427611", "35117640948244452855285421422556939928", "39811224525780805187295994217874079455" ], "threshold": 0.9 }, "deprecated": false, "id": "CVE-2023-53111-bc5f6027", "signature_version": "v1", "signature_type": "Line" }, { "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e3fda704903f6d1fc351412f1bc6620333959ada", "target": { "function": "loop_handle_cmd", "file": "drivers/block/loop.c" }, "digest": { "function_hash": "280424649477035275192816224685340893097", "length": 784.0 }, "deprecated": false, "id": "CVE-2023-53111-e7e2e7d4", "signature_version": "v1", "signature_type": "Function" } ]