CVE-2023-53360

Summary

In the Linux kernel, the following vulnerability has been resolved:

NFSv4.2: Rework scratch handling for READ_PLUS (again)

I found that the read code might send multiple requests using the same nfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is how we ended up occasionally double-freeing the scratch buffer, but also means we set a NULL pointer but non-zero length to the xdr scratch buffer. This results in an oops the first time decoding needs to copy something to scratch, which frequently happens when decoding READ_PLUS hole segments.

I fix this by moving scratch handling into the pageio read code. I provide a function to allocate scratch space for decoding read replies, and free the scratch buffer when the nfs_pgio_header is freed.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux886959f425b6a936a30b82a297ae3aecb3b8230f < adac9f0ddd2b291c7ce41f549fdb27a13616cff5affected
LinuxLinuxfbd2a05f29a95d5b42b294bf47e55a711424965b < a2f4cb206bd94b3f4a7bb05fcdce9525283b5681affected
LinuxLinuxfbd2a05f29a95d5b42b294bf47e55a711424965b < ae5d5672f1db711e91db6f52df5cb16ecd8f5692affected
LinuxLinuxfbd2a05f29a95d5b42b294bf47e55a711424965b < 303a78052091c81e9003915c521fdca1c7e117afaffected
LinuxLinux6.4affected
LinuxLinux0 < 6.4unaffected
LinuxLinux6.4.16 <= 6.4.*unaffected
LinuxLinux6.5.3 <= 6.5.*unaffected
LinuxLinux6.6 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References