| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025123030-CVE-2023-54293-c2bb@gregkh>
Date: Tue, 30 Dec 2025 13:23:46 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-54293: bcache: fixup btree_cache_wait list damage
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
bcache: fixup btree_cache_wait list damage
We get a kernel crash about "list_add corruption. next->prev should be
prev (ffff9c801bc01210), but was ffff9c77b688237c.
(next=ffffae586d8afe68)."
crash> struct list_head 0xffff9c801bc01210
struct list_head {
next = 0xffffae586d8afe68,
prev = 0xffffae586d8afe68
}
crash> struct list_head 0xffff9c77b688237c
struct list_head {
next = 0x0,
prev = 0x0
}
crash> struct list_head 0xffffae586d8afe68
struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback"
Cannot access memory at address 0xffffae586d8afe68
[230469.019492] Call Trace:
[230469.032041] prepare_to_wait+0x8a/0xb0
[230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache]
[230469.056533] mca_cannibalize_lock+0x72/0x90 [escache]
[230469.068788] mca_alloc+0x2ae/0x450 [escache]
[230469.080790] bch_btree_node_get+0x136/0x2d0 [escache]
[230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache]
[230469.104382] ? finish_wait+0x80/0x80
[230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache]
[230469.127259] kthread+0x112/0x130
[230469.138448] ? kthread_flush_work_fn+0x10/0x10
[230469.149477] ret_from_fork+0x35/0x40
bch_btree_check_thread() and bch_dirty_init_thread() may call
mca_cannibalize() to cannibalize other cached btree nodes. Only one thread
can do it at a time, so the op of other threads will be added to the
btree_cache_wait list.
We must call finish_wait() to remove op from btree_cache_wait before free
it's memory address. Otherwise, the list will be damaged. Also should call
bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up
other waiters.
The Linux kernel CVE team has assigned CVE-2023-54293 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.7 with commit 8e7102273f597dbb38af43da874f8c123f8e6dbe and fixed in 5.10.188 with commit bcb295778afda4f2feb0d3c0289a53fd43d5a3a6
Issue introduced in 5.7 with commit 8e7102273f597dbb38af43da874f8c123f8e6dbe and fixed in 5.15.121 with commit cbdd5b3322f7bbe6454c97cac994757f1192c07b
Issue introduced in 5.7 with commit 8e7102273f597dbb38af43da874f8c123f8e6dbe and fixed in 6.1.39 with commit 25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed
Issue introduced in 5.7 with commit 8e7102273f597dbb38af43da874f8c123f8e6dbe and fixed in 6.4.4 with commit 2882a4c4f0c90e99f37dbd8db369b9982fd613e7
Issue introduced in 5.7 with commit 8e7102273f597dbb38af43da874f8c123f8e6dbe and fixed in 6.5 with commit f0854489fc07d2456f7cc71a63f4faf9c716ffbe
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-54293
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/md/bcache/btree.c
drivers/md/bcache/btree.h
drivers/md/bcache/writeback.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/bcb295778afda4f2feb0d3c0289a53fd43d5a3a6
https://git.kernel.org/stable/c/cbdd5b3322f7bbe6454c97cac994757f1192c07b
https://git.kernel.org/stable/c/25ec4779d0fb3ed9cac1e4d9e0e4261b4a12f6ed
https://git.kernel.org/stable/c/2882a4c4f0c90e99f37dbd8db369b9982fd613e7
https://git.kernel.org/stable/c/f0854489fc07d2456f7cc71a63f4faf9c716ffbe
Powered by blists - more mailing lists