CVE-2023-53360
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
NFSv4.2: Rework scratch handling for READ_PLUS (again)
I found that the read code might send multiple requests using the same nfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is how we ended up occasionally double-freeing the scratch buffer, but also means we set a NULL pointer but non-zero length to the xdr scratch buffer. This results in an oops the first time decoding needs to copy something to scratch, which frequently happens when decoding READ_PLUS hole segments.
I fix this by moving scratch handling into the pageio read code. I provide a function to allocate scratch space for decoding read replies, and free the scratch buffer when the nfs_pgio_header is freed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 886959f425b6a936a30b82a297ae3aecb3b8230f < adac9f0ddd2b291c7ce41f549fdb27a13616cff5 | affected |
| Linux | Linux | fbd2a05f29a95d5b42b294bf47e55a711424965b < a2f4cb206bd94b3f4a7bb05fcdce9525283b5681 | affected |
| Linux | Linux | fbd2a05f29a95d5b42b294bf47e55a711424965b < ae5d5672f1db711e91db6f52df5cb16ecd8f5692 | affected |
| Linux | Linux | fbd2a05f29a95d5b42b294bf47e55a711424965b < 303a78052091c81e9003915c521fdca1c7e117af | affected |
| Linux | Linux | 6.4 | affected |
| Linux | Linux | 0 < 6.4 | unaffected |
| Linux | Linux | 6.4.16 <= 6.4.* | unaffected |
| Linux | Linux | 6.5.3 <= 6.5.* | unaffected |
| Linux | Linux | 6.6 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/adac9f0ddd2b291c7ce41f549fdb27a13616cff5
- https://git.kernel.org/stable/c/a2f4cb206bd94b3f4a7bb05fcdce9525283b5681
- https://git.kernel.org/stable/c/ae5d5672f1db711e91db6f52df5cb16ecd8f5692
- https://git.kernel.org/stable/c/303a78052091c81e9003915c521fdca1c7e117af
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.