-

CVE-2023-53616

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount

syzbot found an invalid-free in diUnmount:

BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674
Free of addr ffff88806f410000 by task syz-executor131/3632

 CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
  print_address_description+0x74/0x340 mm/kasan/report.c:284
  print_report+0x107/0x1f0 mm/kasan/report.c:395
  kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460
  ____kasan_slab_free+0xfb/0x120
  kasan_slab_free include/linux/kasan.h:177 [inline]
  slab_free_hook mm/slub.c:1724 [inline]
  slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
  slab_free mm/slub.c:3661 [inline]
  __kmem_cache_free+0x71/0x110 mm/slub.c:3674
  diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195
  jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63
  jfs_put_super+0x86/0x190 fs/jfs/super.c:194
  generic_shutdown_super+0x130/0x310 fs/super.c:492
  kill_block_super+0x79/0xd0 fs/super.c:1428
  deactivate_locked_super+0xa7/0xf0 fs/super.c:332
  cleanup_mnt+0x494/0x520 fs/namespace.c:1186
  task_work_run+0x243/0x300 kernel/task_work.c:179
  exit_task_work include/linux/task_work.h:38 [inline]
  do_exit+0x664/0x2070 kernel/exit.c:820
  do_group_exit+0x1fd/0x2b0 kernel/exit.c:950
  __do_sys_exit_group kernel/exit.c:961 [inline]
  __se_sys_exit_group kernel/exit.c:959 [inline]
  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]

JFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount.
If jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount().
JFS_IP(ipimap)->i_imap will be freed once again.
Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
Product Linux
Default Statusunaffected
Version < c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 114ea3cb13ab25f7178cb60283adb93d2f96dad7
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 5873df0195124be2f357de11bfd473ead4f90ed8
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 756747d4b439e3e1159282ae89f17eefebbe9b25
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < ef7311101ca43dd73b45bca7a30ac72d9535ff87
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 4de3a603010e0ca334487de24c6aab0777b7f808
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 88484bde6f12126616b38e43b6c00edcd941f615
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 6e2bda2c192d0244b5a78b787ef20aa10cb319b7
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
VendorLinux
Product Linux
Default Statusaffected
Version <= 4.14.*
Version 4.14.326
Status unaffected
Version <= 4.19.*
Version 4.19.295
Status unaffected
Version <= 5.4.*
Version 5.4.257
Status unaffected
Version <= 5.10.*
Version 5.10.197
Status unaffected
Version <= 5.15.*
Version 5.15.133
Status unaffected
Version <= 6.1.*
Version 6.1.55
Status unaffected
Version <= 6.5.*
Version 6.5.5
Status unaffected
Version <= *
Version 6.6
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.02% 0.053
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string