-

CVE-2023-53311

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput

During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer().  Previously,
nilfs_evict_inode() could cause use-after-free read for nilfs_root if
inodes are left in "garbage_list" and released by nilfs_dispose_list at
the end of nilfs_detach_log_writer(), and this bug was fixed by commit
9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in
nilfs_evict_inode()").

However, it turned out that there is another possibility of UAF in the
call path where mark_inode_dirty_sync() is called from iput():

nilfs_detach_log_writer()
  nilfs_dispose_list()
    iput()
      mark_inode_dirty_sync()
        __mark_inode_dirty()
          nilfs_dirty_inode()
            __nilfs_mark_inode_dirty()
              nilfs_load_inode_block() --> causes UAF of nilfs_root struct

This can happen after commit 0ae45f63d4ef ("vfs: add support for a
lazytime mount option"), which changed iput() to call
mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME
flag and i_nlink is non-zero.

This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty
data after degenerating to read-only") when using the syzbot reproducer,
but the issue has potentially existed before.

Fix this issue by adding a "purging flag" to the nilfs structure, setting
that flag while disposing the "garbage_list" and checking it in
__nilfs_mark_inode_dirty().

Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root
in nilfs_evict_inode()"), this patch does not rely on ns_writer to
determine whether to skip operations, so as not to break recovery on
mount.  The nilfs_salvage_orphan_logs routine dirties the buffer of
salvaged data before attaching the log writer, so changing
__nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL
will cause recovery write to fail.  The purpose of using the cleanup-only
flag is to allow for narrowing of such conditions.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < 11afd67f1b3c28eb216e50a3ca8dbcb69bb71793
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < a3c3b4cbf9b8554120fb230e6516e980c6277487
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < d2c539c216cce74837a9cf5804eb205939b82227
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < 37207240872456fbab44a110bde6640445233963
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < 3645510cf926e6af2f4d44899370d7e5331c93bd
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < 7532ff6edbf5242376b24a95a2fefb59bb653e5a
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < 5828d5f5dc877dcfdd7b23102e978e2ecfd86d82
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
Version < f8654743a0e6909dc634cbfad6db6816f10f3399
Version 0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 4.0
Status affected
Version < 4.0
Version 0
Status unaffected
Version <= 4.14.*
Version 4.14.323
Status unaffected
Version <= 4.19.*
Version 4.19.292
Status unaffected
Version <= 5.4.*
Version 5.4.254
Status unaffected
Version <= 5.10.*
Version 5.10.191
Status unaffected
Version <= 5.15.*
Version 5.15.127
Status unaffected
Version <= 6.1.*
Version 6.1.46
Status unaffected
Version <= 6.4.*
Version 6.4.11
Status unaffected
Version <= *
Version 6.5
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.03% 0.078
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String