| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100432-CVE-2023-53608-ccb6@gregkh> Date: Sat, 4 Oct 2025 17:52:02 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53608: nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() The finalization of nilfs_segctor_thread() can race with nilfs_segctor_kill_thread() which terminates that thread, potentially causing a use-after-free BUG as KASAN detected. At the end of nilfs_segctor_thread(), it assigns NULL to "sc_task" member of "struct nilfs_sc_info" to indicate the thread has finished, and then notifies nilfs_segctor_kill_thread() of this using waitqueue "sc_wait_task" on the struct nilfs_sc_info. However, here, immediately after the NULL assignment to "sc_task", it is possible that nilfs_segctor_kill_thread() will detect it and return to continue the deallocation, freeing the nilfs_sc_info structure before the thread does the notification. This fixes the issue by protecting the NULL assignment to "sc_task" and its notification, with spinlock "sc_state_lock" of the struct nilfs_sc_info. Since nilfs_segctor_kill_thread() does a final check to see if "sc_task" is NULL with "sc_state_lock" locked, this can eliminate the race. The Linux kernel CVE team has assigned CVE-2023-53608 to this issue. Affected and fixed versions =========================== Fixed in 4.14.313 with commit 034cce77d52ba013ce62b4f5258c29907eb1ada5 Fixed in 4.19.281 with commit 0dbf0e64b91ee8fcb278aea93eb06fc7d56ecbcc Fixed in 5.4.241 with commit 613bf23c070d11c525268f2945aa594704a9b764 Fixed in 5.10.178 with commit f32297dba338dc06d62286dedb3cdbd5175b1719 Fixed in 5.15.107 with commit 92684e02654c91a61a0b0561433b710bcece19fe Fixed in 6.1.24 with commit bae009a2f1b7c2011d2e92d8c84868d315c0b97e Fixed in 6.2.11 with commit b4d80bd6370b81a1725b6b8f7894802c23a14e9f Fixed in 6.3 with commit 6be49d100c22ffea3287a4b19d7639d259888e33 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53608 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: fs/nilfs2/segment.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/034cce77d52ba013ce62b4f5258c29907eb1ada5 https://git.kernel.org/stable/c/0dbf0e64b91ee8fcb278aea93eb06fc7d56ecbcc https://git.kernel.org/stable/c/613bf23c070d11c525268f2945aa594704a9b764 https://git.kernel.org/stable/c/f32297dba338dc06d62286dedb3cdbd5175b1719 https://git.kernel.org/stable/c/92684e02654c91a61a0b0561433b710bcece19fe https://git.kernel.org/stable/c/bae009a2f1b7c2011d2e92d8c84868d315c0b97e https://git.kernel.org/stable/c/b4d80bd6370b81a1725b6b8f7894802c23a14e9f https://git.kernel.org/stable/c/6be49d100c22ffea3287a4b19d7639d259888e33
Powered by blists - more mailing lists