-

CVE-2023-53311

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput

During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer().  Previously,
nilfs_evict_inode() could cause use-after-free read for nilfs_root if
inodes are left in "garbage_list" and released by nilfs_dispose_list at
the end of nilfs_detach_log_writer(), and this bug was fixed by commit
9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in
nilfs_evict_inode()").

However, it turned out that there is another possibility of UAF in the
call path where mark_inode_dirty_sync() is called from iput():

nilfs_detach_log_writer()
  nilfs_dispose_list()
    iput()
      mark_inode_dirty_sync()
        __mark_inode_dirty()
          nilfs_dirty_inode()
            __nilfs_mark_inode_dirty()
              nilfs_load_inode_block() --> causes UAF of nilfs_root struct

This can happen after commit 0ae45f63d4ef ("vfs: add support for a
lazytime mount option"), which changed iput() to call
mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME
flag and i_nlink is non-zero.

This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty
data after degenerating to read-only") when using the syzbot reproducer,
but the issue has potentially existed before.

Fix this issue by adding a "purging flag" to the nilfs structure, setting
that flag while disposing the "garbage_list" and checking it in
__nilfs_mark_inode_dirty().

Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root
in nilfs_evict_inode()"), this patch does not rely on ns_writer to
determine whether to skip operations, so as not to break recovery on
mount.  The nilfs_salvage_orphan_logs routine dirties the buffer of
salvaged data before attaching the log writer, so changing
__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL
will cause recovery write to fail.  The purpose of using the cleanup-only
flag is to allow for narrowing of such conditions.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
Product Linux
Default Statusunaffected
Version < 11afd67f1b3c28eb216e50a3ca8dbcb69bb71793
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < a3c3b4cbf9b8554120fb230e6516e980c6277487
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < d2c539c216cce74837a9cf5804eb205939b82227
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < 37207240872456fbab44a110bde6640445233963
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < 3645510cf926e6af2f4d44899370d7e5331c93bd
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < 7532ff6edbf5242376b24a95a2fefb59bb653e5a
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < 5828d5f5dc877dcfdd7b23102e978e2ecfd86d82
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < f8654743a0e6909dc634cbfad6db6816f10f3399
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
VendorLinux
Product Linux
Default Statusaffected
Version 4.0
Status affected
Version < 4.0
Version 0
Status unaffected
Version <= 4.14.*
Version 4.14.323
Status unaffected
Version <= 4.19.*
Version 4.19.292
Status unaffected
Version <= 5.4.*
Version 5.4.254
Status unaffected
Version <= 5.10.*
Version 5.10.191
Status unaffected
Version <= 5.15.*
Version 5.15.127
Status unaffected
Version <= 6.1.*
Version 6.1.46
Status unaffected
Version <= 6.4.*
Version 6.4.11
Status unaffected
Version <= *
Version 6.5
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.03% 0.078
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string