Message-ID: <2025091642-CVE-2023-53311-bff3@gregkh>
Date: Tue, 16 Sep 2025 18:11:56 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53311: nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,
nilfs_evict_inode() could cause use-after-free read for nilfs_root if
inodes are left in "garbage_list" and released by nilfs_dispose_list at
the end of nilfs_detach_log_writer(), and this bug was fixed by commit
9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in
nilfs_evict_inode()").
However, it turned out that there is another possibility of UAF in the
call path where mark_inode_dirty_sync() is called from iput():
nilfs_detach_log_writer()
  nilfs_dispose_list()
    iput()
      mark_inode_dirty_sync()
        __mark_inode_dirty()
          nilfs_dirty_inode()
            __nilfs_mark_inode_dirty()
              nilfs_load_inode_block() --> causes UAF of nilfs_root struct
This can happen after commit 0ae45f63d4ef ("vfs: add support for a
lazytime mount option"), which changed iput() to call
mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME
flag and i_nlink is non-zero.
This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty
data after degenerating to read-only") when using the syzbot reproducer,
but the issue has potentially existed before.
Fix this issue by adding a "purging flag" to the nilfs structure, setting
that flag while disposing the "garbage_list" and checking it in
__nilfs_mark_inode_dirty().
Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root
in nilfs_evict_inode()"), this patch does not rely on ns_writer to
determine whether to skip operations, so as not to break recovery on
mount. The nilfs_salvage_orphan_logs routine dirties the buffer of
salvaged data before attaching the log writer, so changing
__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL
will cause recovery write to fail. The purpose of using the cleanup-only
flag is to allow for narrowing of such conditions.
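The following is an added user-space model, not kernel code from this advisory or from nilfs2, of the lifetime problem the commit message describes and of the two guards it compares: skipping the dirtying work when ns_writer is NULL versus skipping it only while the cleanup-only "purging flag" is set. The struct layouts, the field name `purging`, and the outcome codes are assumptions made for the model; the kernel's real structures are larger and the real UAF is a read of freed memory, which the model detects with a flag instead of dereferencing freed memory.

```c
/* Added example, not kernel code: a user-space model of the nilfs_root
 * lifetime bug in this advisory and of the two candidate guards it compares.
 * Field and function names beyond those quoted in the advisory are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of one attempt to dirty an inode. */
enum outcome { DIRTIED = 0, SKIPPED = 1, UAF = -1 };

/* Which guard __nilfs_mark_inode_dirty() applies before touching nilfs_root. */
enum policy { NO_CHECK = 0, SKIP_IF_NO_WRITER = 1, SKIP_IF_PURGING = 2 };

struct nilfs_root { bool freed; };      /* freed == true models a dangling root */

struct the_nilfs {
    void *ns_writer;                    /* NULL until the log writer is attached */
    bool purging;                       /* assumed name for the "purging flag" */
};

struct inode {
    struct the_nilfs *nilfs;
    struct nilfs_root *root;
    bool dirty_time;                    /* models I_DIRTY_TIME at the final iput() */
};

static char writer_placeholder;         /* stands in for an attached log writer */

/* Models nilfs_load_inode_block(), which dereferences nilfs_root. In the
 * kernel a freed root means a use-after-free read; the model reports it. */
static enum outcome load_inode_block(struct inode *inode)
{
    return inode->root->freed ? UAF : DIRTIED;
}

/* Models __nilfs_mark_inode_dirty() with the chosen guard in front. */
static enum outcome mark_inode_dirty(struct inode *inode, enum policy p)
{
    if (p == SKIP_IF_NO_WRITER && inode->nilfs->ns_writer == NULL)
        return SKIPPED;
    if (p == SKIP_IF_PURGING && inode->nilfs->purging)
        return SKIPPED;
    return load_inode_block(inode);
}

/* Models iput() after the lazytime change: the final put of an inode with
 * I_DIRTY_TIME set goes through mark_inode_dirty_sync(). */
static enum outcome iput(struct inode *inode, enum policy p)
{
    return inode->dirty_time ? mark_inode_dirty(inode, p) : SKIPPED;
}

/* Unmount path: nilfs_detach_log_writer() has detached the writer, nothing
 * holds nilfs_root any more, and nilfs_dispose_list() iput()s garbage_list. */
enum outcome unmount_dispose(enum policy p)
{
    struct nilfs_root root = { .freed = false };
    struct the_nilfs nilfs = { .ns_writer = &writer_placeholder, .purging = false };
    struct inode garbage = { .nilfs = &nilfs, .root = &root, .dirty_time = true };

    nilfs.ns_writer = NULL;             /* writer detached */
    root.freed = true;                  /* last reference to the root is gone */

    nilfs.purging = true;               /* set only around disposing garbage_list */
    enum outcome r = iput(&garbage, p);
    nilfs.purging = false;
    return r;
}

/* Mount-time recovery: nilfs_salvage_orphan_logs dirties salvaged data before
 * the log writer is attached, so ns_writer is still NULL but root is valid. */
enum outcome recovery_dirty(enum policy p)
{
    struct nilfs_root root = { .freed = false };
    struct the_nilfs nilfs = { .ns_writer = NULL, .purging = false };
    struct inode salvaged = { .nilfs = &nilfs, .root = &root, .dirty_time = true };
    return mark_inode_dirty(&salvaged, p);
}

int main(void)
{
    const char *names[] = { "no check", "skip if ns_writer == NULL", "skip if purging" };
    for (int p = NO_CHECK; p <= SKIP_IF_PURGING; p++)
        printf("%-26s unmount=%2d recovery=%2d\n", names[p],
               unmount_dispose((enum policy)p), recovery_dirty((enum policy)p));
    return 0;
}
```

Running the model shows why the advisory prefers the narrower flag: with no guard the unmount path reaches the dangling root (UAF); guarding on `ns_writer == NULL` avoids that but also skips the dirtying work during recovery, which the text says would make the recovery write fail; guarding on the purging flag skips only the garbage-list disposal during unmount and leaves recovery untouched.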
The Linux kernel CVE team has assigned CVE-2023-53311 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.0 with commit 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 and fixed in 4.14.323 with commit 11afd67f1b3c28eb216e50a3ca8dbcb69bb71793
Issue introduced in 4.0 with commit 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 and fixed in 4.19.292 with commit a3c3b4cbf9b8554120fb230e6516e980c6277487
Issue introduced in 4.0 with commit 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 and fixed in 5.4.254 with commit d2c539c216cce74837a9cf5804eb205939b82227
Issue introduced in 4.0 with commit 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 and fixed in 5.10.191 with commit 37207240872456fbab44a110bde6640445233963
Issue introduced in 4.0 with commit 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 and fixed in 5.15.127 with commit 3645510cf926e6af2f4d44899370d7e5331c93bd
Issue introduced in 4.0 with commit 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 and fixed in 6.1.46 with commit 7532ff6edbf5242376b24a95a2fefb59bb653e5a
Issue introduced in 4.0 with commit 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 and fixed in 6.4.11 with commit 5828d5f5dc877dcfdd7b23102e978e2ecfd86d82
Issue introduced in 4.0 with commit 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 and fixed in 6.5 with commit f8654743a0e6909dc634cbfad6db6816f10f3399
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53311
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
fs/nilfs2/inode.c
fs/nilfs2/segment.c
fs/nilfs2/the_nilfs.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/11afd67f1b3c28eb216e50a3ca8dbcb69bb71793
https://git.kernel.org/stable/c/a3c3b4cbf9b8554120fb230e6516e980c6277487
https://git.kernel.org/stable/c/d2c539c216cce74837a9cf5804eb205939b82227
https://git.kernel.org/stable/c/37207240872456fbab44a110bde6640445233963
https://git.kernel.org/stable/c/3645510cf926e6af2f4d44899370d7e5331c93bd
https://git.kernel.org/stable/c/7532ff6edbf5242376b24a95a2fefb59bb653e5a
https://git.kernel.org/stable/c/5828d5f5dc877dcfdd7b23102e978e2ecfd86d82
https://git.kernel.org/stable/c/f8654743a0e6909dc634cbfad6db6816f10f3399