Message-ID: <2025100435-CVE-2023-53616-9379@gregkh>
Date: Sat,  4 Oct 2025 17:52:10 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53616: jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount

syzbot found an invalid-free in diUnmount:

BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674
Free of addr ffff88806f410000 by task syz-executor131/3632

 CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
  print_address_description+0x74/0x340 mm/kasan/report.c:284
  print_report+0x107/0x1f0 mm/kasan/report.c:395
  kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460
  ____kasan_slab_free+0xfb/0x120
  kasan_slab_free include/linux/kasan.h:177 [inline]
  slab_free_hook mm/slub.c:1724 [inline]
  slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
  slab_free mm/slub.c:3661 [inline]
  __kmem_cache_free+0x71/0x110 mm/slub.c:3674
  diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195
  jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63
  jfs_put_super+0x86/0x190 fs/jfs/super.c:194
  generic_shutdown_super+0x130/0x310 fs/super.c:492
  kill_block_super+0x79/0xd0 fs/super.c:1428
  deactivate_locked_super+0xa7/0xf0 fs/super.c:332
  cleanup_mnt+0x494/0x520 fs/namespace.c:1186
  task_work_run+0x243/0x300 kernel/task_work.c:179
  exit_task_work include/linux/task_work.h:38 [inline]
  do_exit+0x664/0x2070 kernel/exit.c:820
  do_group_exit+0x1fd/0x2b0 kernel/exit.c:950
  __do_sys_exit_group kernel/exit.c:961 [inline]
  __se_sys_exit_group kernel/exit.c:959 [inline]
  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]

JFS_IP(ipimap)->i_imap is not set to NULL after being freed in diUnmount.
If jfs_remount() frees JFS_IP(ipimap)->i_imap but then fails at diMount(),
JFS_IP(ipimap)->i_imap will be freed once again.
Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.
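
The sequence above (mount, a remount whose diMount() fails after diUnmount() already freed the map, then the final unmount freeing the same pointer again) as an added user-space model; this is not the kernel's code. The struct names mirror the commit message, while the tracking allocator, the injected-failure flag and simulate() are constructed for the demo. The nullify flag selects the unfixed versus fixed diUnmount() behaviour.

```c
#include <stdlib.h>
#include <stddef.h>

struct inomap { int placeholder; };                 /* stand-in for the JFS inode map */
struct jfs_inode_info { struct inomap *i_imap; };   /* stand-in for JFS_IP(ipimap) */

static int live_allocs;    /* outstanding inomap allocations (constructed tracking) */
static int double_frees;   /* frees of an object that is no longer live */

static struct inomap *imap_alloc(void)
{
	live_allocs++;
	return malloc(sizeof(struct inomap));
}

static void imap_free(struct inomap *p)
{
	if (!p)
		return;                 /* kfree(NULL) is a no-op, as in the kernel */
	if (live_allocs == 0) {
		double_frees++;         /* this is what KASAN reported as double-free */
		return;
	}
	live_allocs--;
	free(p);
}

/* diUnmount: free the map; with nullify set, apply the fix and clear the pointer. */
static void diUnmount(struct jfs_inode_info *ip, int nullify)
{
	imap_free(ip->i_imap);
	if (nullify)
		ip->i_imap = NULL;
}

/* diMount: allocate a fresh map, or fail when the constructed failure is injected. */
static int diMount(struct jfs_inode_info *ip, int fail)
{
	if (fail)
		return -1;
	ip->i_imap = imap_alloc();
	return 0;
}

/* Mount, then a remount whose diMount() fails, then the final unmount.
 * Returns the number of double frees observed: 1 unfixed, 0 with the fix. */
int simulate(int nullify)
{
	struct jfs_inode_info ip = { NULL };
	live_allocs = 0;
	double_frees = 0;
	diMount(&ip, 0);
	diUnmount(&ip, nullify);    /* jfs_remount(): old map freed ... */
	diMount(&ip, 1);            /* ... but the new mount fails, i_imap left dangling */
	diUnmount(&ip, nullify);    /* jfs_umount() -> diUnmount(): frees it again unless nulled */
	return double_frees;
}
```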

The Linux kernel CVE team has assigned CVE-2023-53616 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.14.326 with commit c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469
	Fixed in 4.19.295 with commit 114ea3cb13ab25f7178cb60283adb93d2f96dad7
	Fixed in 5.4.257 with commit 5873df0195124be2f357de11bfd473ead4f90ed8
	Fixed in 5.10.197 with commit 756747d4b439e3e1159282ae89f17eefebbe9b25
	Fixed in 5.15.133 with commit ef7311101ca43dd73b45bca7a30ac72d9535ff87
	Fixed in 6.1.55 with commit 4de3a603010e0ca334487de24c6aab0777b7f808
	Fixed in 6.5.5 with commit 88484bde6f12126616b38e43b6c00edcd941f615
	Fixed in 6.6 with commit 6e2bda2c192d0244b5a78b787ef20aa10cb319b7

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53616
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	fs/jfs/jfs_imap.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469
	https://git.kernel.org/stable/c/114ea3cb13ab25f7178cb60283adb93d2f96dad7
	https://git.kernel.org/stable/c/5873df0195124be2f357de11bfd473ead4f90ed8
	https://git.kernel.org/stable/c/756747d4b439e3e1159282ae89f17eefebbe9b25
	https://git.kernel.org/stable/c/ef7311101ca43dd73b45bca7a30ac72d9535ff87
	https://git.kernel.org/stable/c/4de3a603010e0ca334487de24c6aab0777b7f808
	https://git.kernel.org/stable/c/88484bde6f12126616b38e43b6c00edcd941f615
	https://git.kernel.org/stable/c/6e2bda2c192d0244b5a78b787ef20aa10cb319b7
