- CVE-2023-53311
- EPSS 0.03%
- Published 16.09.2025 16:11:49
- Last modified 17.09.2025 14:18:55
- Source 416baaa9-dc9f-4396-8d5f-8c081f
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput

During the unmount process of nilfs2, nothing holds the nilfs_root structure after nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously, nilfs_evict_inode() could cause a use-after-free read of nilfs_root if inodes were left in "garbage_list" and released by nilfs_dispose_list at the end of nilfs_detach_log_writer(); this bug was fixed by commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()").

However, it turned out that there is another possibility of UAF in the call path where mark_inode_dirty_sync() is called from iput():

    nilfs_detach_log_writer()
      nilfs_dispose_list()
        iput()
          mark_inode_dirty_sync()
            __mark_inode_dirty()
              nilfs_dirty_inode()
                __nilfs_mark_inode_dirty()
                  nilfs_load_inode_block()  --> causes UAF of nilfs_root struct

This can happen after commit 0ae45f63d4ef ("vfs: add support for a lazytime mount option"), which changed iput() to call mark_inode_dirty_sync() on its final reference if i_state has the I_DIRTY_TIME flag and i_nlink is non-zero. This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty data after degenerating to read-only") when using the syzbot reproducer, but the issue has potentially existed before.

Fix this issue by adding a "purging flag" to the nilfs structure, setting that flag while disposing the "garbage_list" and checking it in __nilfs_mark_inode_dirty().

Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()"), this patch does not rely on ns_writer to determine whether to skip operations, so as not to break recovery on mount. The nilfs_salvage_orphan_logs routine dirties the buffer of salvaged data before attaching the log writer, so changing __nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL would cause the recovery write to fail. The purpose of using the cleanup-only flag is to allow such conditions to be narrowed.
Linked by AI from unstructured data to existing NVD CPEs.
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Linux, Product: Linux, Default status: unaffected (ranges given as git commit ids)

Version from | Range | Status |
---|---|---|
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 | < 11afd67f1b3c28eb216e50a3ca8dbcb69bb71793 | affected |
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 | < a3c3b4cbf9b8554120fb230e6516e980c6277487 | affected |
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 | < d2c539c216cce74837a9cf5804eb205939b82227 | affected |
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 | < 37207240872456fbab44a110bde6640445233963 | affected |
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 | < 3645510cf926e6af2f4d44899370d7e5331c93bd | affected |
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 | < 7532ff6edbf5242376b24a95a2fefb59bb653e5a | affected |
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 | < 5828d5f5dc877dcfdd7b23102e978e2ecfd86d82 | affected |
0ae45f63d4ef8d8eeec49c7d8b44a1775fff13e8 | < f8654743a0e6909dc634cbfad6db6816f10f3399 | affected |

Vendor: Linux, Product: Linux, Default status: affected (ranges given as kernel release versions)

Version from | Range | Status |
---|---|---|
4.0 | exact version | affected |
0 | < 4.0 | unaffected |
4.14.323 | <= 4.14.* | unaffected |
4.19.292 | <= 4.19.* | unaffected |
5.4.254 | <= 5.4.* | unaffected |
5.10.191 | <= 5.10.* | unaffected |
5.15.127 | <= 5.15.* | unaffected |
6.1.46 | <= 6.1.* | unaffected |
6.4.11 | <= 6.4.* | unaffected |
6.5 | <= * | unaffected |
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.03% | 0.078 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|