| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100432-CVE-2023-53606-8c1a@gregkh> Date: Sat, 4 Oct 2025 17:52:00 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53606: nfsd: clean up potential nfsd_file refcount leaks in COPY codepath From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: nfsd: clean up potential nfsd_file refcount leaks in COPY codepath There are two different flavors of the nfsd4_copy struct. One is embedded in the compound and is used directly in synchronous copies. The other is dynamically allocated, refcounted and tracked in the client struture. For the embedded one, the cleanup just involves releasing any nfsd_files held on its behalf. For the async one, the cleanup is a bit more involved, and we need to dequeue it from lists, unhash it, etc. There is at least one potential refcount leak in this code now. If the kthread_create call fails, then both the src and dst nfsd_files in the original nfsd4_copy object are leaked. The cleanup in this codepath is also sort of weird. In the async copy case, we'll have up to four nfsd_file references (src and dst for both flavors of copy structure). They are both put at the end of nfsd4_do_async_copy, even though the ones held on behalf of the embedded one outlive that structure. Change it so that we always clean up the nfsd_file refs held by the embedded copy structure before nfsd4_copy returns. Rework cleanup_async_copy to handle both inter and intra copies. Eliminate nfsd4_cleanup_intra_ssc since it now becomes a no-op. The Linux kernel CVE team has assigned CVE-2023-53606 to this issue. Affected and fixed versions =========================== Fixed in 5.10.220 with commit fd63299db8090307eae66f2aef17c8f00aafa0a9 Fixed in 5.15.154 with commit b3169b6ffe036b549c296a9e71591d29a1fb3209 Fixed in 6.1.16 with commit 75b8c681c563ef7e85da6862354efc18d2a08b1b Fixed in 6.2.3 with commit 8f565846fbe8182961498d4cbe618b15076a683b Fixed in 6.3 with commit 6ba434cb1a8d403ea9aad1b667c3ea3ad8b3191f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53606 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/nfsd/nfs4proc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/fd63299db8090307eae66f2aef17c8f00aafa0a9 https://git.kernel.org/stable/c/b3169b6ffe036b549c296a9e71591d29a1fb3209 https://git.kernel.org/stable/c/75b8c681c563ef7e85da6862354efc18d2a08b1b https://git.kernel.org/stable/c/8f565846fbe8182961498d4cbe618b15076a683b https://git.kernel.org/stable/c/6ba434cb1a8d403ea9aad1b667c3ea3ad8b3191f
Powered by blists - more mailing lists