Message-ID: <2025120954-CVE-2023-53832-6d46@gregkh>
Date: Tue, 9 Dec 2025 10:31:16 +0900
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53832: md/raid10: fix null-ptr-deref in raid10_sync_request
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========

In the Linux kernel, the following vulnerability has been resolved:

md/raid10: fix null-ptr-deref in raid10_sync_request

init_resync() inits the mempool and sets conf->have_replacement at the beginning
of sync; close_sync() frees the mempool when sync is completed.

After [1], recovery might be skipped and init_resync() is called but
close_sync() is not. A null-ptr-deref occurs with r10bio->dev[i].repl_bio.

The following is one way to reproduce the issue.

1) create an array, wait for resync to complete; mddev->recovery_cp is set
   to MaxSector.
2) recovery is woken and it is skipped. conf->have_replacement is set to
   0 in init_resync(). close_sync() is not called.
3) some io errors occur and rdev A is set to WantReplacement.
4) a new device is added and set to A's replacement.
5) recovery is woken, A has a replacement, but conf->have_replacement is
   0. r10bio->dev[i].repl_bio will not be allocated and a null-ptr-deref
   occurs.

Fix it by not calling init_resync() if recovery is skipped.

[1] commit 7e83ccbecd60 ("md/raid10: Allow skipping recovery when clean arrays are assembled")
The Linux kernel CVE team has assigned CVE-2023-53832 to this issue.

Affected and fixed versions
===========================
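The five-step sequence above boils down to one stale snapshot: init_resync() records whether any replacement device exists, and that record is only refreshed when the pool is torn down by close_sync() and set up again. The following is an added example, not kernel code and not part of this advisory; every struct and function is a simplified stand-in named after its md/raid10 counterpart, and the "fixed" ordering models the described fix (check for a skipped recovery before calling init_resync()). It replays steps 1 to 5 against both orderings and reports where the unpatched one would dereference a NULL repl_bio.

```c
/* Added example (not kernel code): a small model of the conf->have_replacement
 * bookkeeping described in the advisory. Every struct and function here is a
 * stand-in for the md/raid10 item of the same name. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NDEVS 2

struct rdev {
    bool want_replacement;   /* models the WantReplacement flag on rdev A */
    bool has_replacement;    /* a replacement device has been attached */
};

struct conf {
    struct rdev mirrors[NDEVS];
    bool have_replacement;   /* snapshot taken once by init_resync() */
    bool pool_inited;        /* stands in for the r10buf mempool being set up */
};

struct r10bio {
    void *repl_bio[NDEVS];   /* NULL unless allocated for a replacement */
};

static bool any_replacement(const struct conf *c)
{
    for (int i = 0; i < NDEVS; i++)
        if (c->mirrors[i].has_replacement)
            return true;
    return false;
}

/* init_resync(): set up the pool and record whether replacements exist. */
static void init_resync(struct conf *c)
{
    c->pool_inited = true;
    c->have_replacement = any_replacement(c);
}

/* close_sync(): tear the pool down at the end of a completed sync. */
static void close_sync(struct conf *c)
{
    c->pool_inited = false;
}

/* Pool allocation: repl_bio is only allocated when the snapshot said so. */
static void alloc_r10bio(const struct conf *c, struct r10bio *b)
{
    static char bio_storage[NDEVS];  /* placeholder for real bio objects */
    for (int i = 0; i < NDEVS; i++)
        b->repl_bio[i] = c->have_replacement ? &bio_storage[i] : NULL;
}

/*
 * raid10_sync_request() model. Returns 0 when the sync pass completes and
 * -1 where the real code would dereference a NULL repl_bio. 'fixed' selects
 * the patched ordering: test for a skipped recovery before init_resync().
 */
static int sync_request(struct conf *c, bool recovery_skipped, bool fixed)
{
    if (fixed && recovery_skipped)
        return 0;                  /* patched: pool untouched, no snapshot taken */
    if (!c->pool_inited)
        init_resync(c);
    if (recovery_skipped)
        return 0;                  /* unpatched: init_resync ran, close_sync never will */

    struct r10bio b;
    alloc_r10bio(c, &b);
    for (int i = 0; i < NDEVS; i++)
        if (c->mirrors[i].has_replacement && b.repl_bio[i] == NULL)
            return -1;             /* the null-ptr-deref point */
    close_sync(c);
    return 0;
}

/* Replays steps 1-5 of the description; returns sync_request()'s verdict for step 5. */
int replay_scenario(bool fixed)
{
    struct conf c = { 0 };                  /* step 1: initial resync done, pool freed */
    sync_request(&c, true, fixed);          /* step 2: recovery woken and skipped */
    c.mirrors[0].want_replacement = true;   /* step 3: io errors on rdev A */
    c.mirrors[0].has_replacement = true;    /* step 4: replacement attached to A */
    return sync_request(&c, false, fixed);  /* step 5: recovery woken again */
}

int main(void)
{
    printf("unpatched: %s\n", replay_scenario(false) ? "NULL repl_bio" : "ok");
    printf("patched:   %s\n", replay_scenario(true) ? "NULL repl_bio" : "ok");
    return 0;
}
```

The model deliberately keeps the two orderings in one function so the only difference between the crash and the clean run is where the skip test sits relative to init_resync(); that is also the property to check when reviewing a backport of the fix on an older branch.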
Issue introduced in 3.10 with commit 7e83ccbecd608b971f340e951c9e84cd0343002f and fixed in 4.19.283 with commit 38d33593260536840b49fd1dcac9aedfd14a9d42
Issue introduced in 3.10 with commit 7e83ccbecd608b971f340e951c9e84cd0343002f and fixed in 5.4.243 with commit 14964127be77884003976a392c9faa9ebaabbbe1
Issue introduced in 3.10 with commit 7e83ccbecd608b971f340e951c9e84cd0343002f and fixed in 5.10.180 with commit bdbf104b1c91fbf38f82c522ebf75429f094292a
Issue introduced in 3.10 with commit 7e83ccbecd608b971f340e951c9e84cd0343002f and fixed in 5.15.111 with commit 68695084077e3de9d3e94e09238ace2b6f246446
Issue introduced in 3.10 with commit 7e83ccbecd608b971f340e951c9e84cd0343002f and fixed in 6.1.28 with commit b50fd1c3d9d0175aa29ff2706ef36cc178bc356a
Issue introduced in 3.10 with commit 7e83ccbecd608b971f340e951c9e84cd0343002f and fixed in 6.2.15 with commit 99b503e4edc5938885d839cf0e7571963f75d800
Issue introduced in 3.10 with commit 7e83ccbecd608b971f340e951c9e84cd0343002f and fixed in 6.3.2 with commit 9e9efc77efd1956cc244af975240f2513d78a371
Issue introduced in 3.10 with commit 7e83ccbecd608b971f340e951c9e84cd0343002f and fixed in 6.4 with commit a405c6f0229526160aa3f177f65e20c86fce84c5
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53832
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============
The file(s) affected by this issue are:
drivers/md/raid10.c

Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/38d33593260536840b49fd1dcac9aedfd14a9d42
https://git.kernel.org/stable/c/14964127be77884003976a392c9faa9ebaabbbe1
https://git.kernel.org/stable/c/bdbf104b1c91fbf38f82c522ebf75429f094292a
https://git.kernel.org/stable/c/68695084077e3de9d3e94e09238ace2b6f246446
https://git.kernel.org/stable/c/b50fd1c3d9d0175aa29ff2706ef36cc178bc356a
https://git.kernel.org/stable/c/99b503e4edc5938885d839cf0e7571963f75d800
https://git.kernel.org/stable/c/9e9efc77efd1956cc244af975240f2513d78a371
https://git.kernel.org/stable/c/a405c6f0229526160aa3f177f65e20c86fce84c5