-

CVE-2023-53616

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount

syzbot found an invalid-free in diUnmount:

BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]
BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674
Free of addr ffff88806f410000 by task syz-executor131/3632

 CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
  print_address_description+0x74/0x340 mm/kasan/report.c:284
  print_report+0x107/0x1f0 mm/kasan/report.c:395
  kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460
  ____kasan_slab_free+0xfb/0x120
  kasan_slab_free include/linux/kasan.h:177 [inline]
  slab_free_hook mm/slub.c:1724 [inline]
  slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750
  slab_free mm/slub.c:3661 [inline]
  __kmem_cache_free+0x71/0x110 mm/slub.c:3674
  diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195
  jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63
  jfs_put_super+0x86/0x190 fs/jfs/super.c:194
  generic_shutdown_super+0x130/0x310 fs/super.c:492
  kill_block_super+0x79/0xd0 fs/super.c:1428
  deactivate_locked_super+0xa7/0xf0 fs/super.c:332
  cleanup_mnt+0x494/0x520 fs/namespace.c:1186
  task_work_run+0x243/0x300 kernel/task_work.c:179
  exit_task_work include/linux/task_work.h:38 [inline]
  do_exit+0x664/0x2070 kernel/exit.c:820
  do_group_exit+0x1fd/0x2b0 kernel/exit.c:950
  __do_sys_exit_group kernel/exit.c:961 [inline]
  __se_sys_exit_group kernel/exit.c:959 [inline]
  __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]

JFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount.
If jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount().
JFS_IP(ipimap)->i_imap will be freed once again.
Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < c3c0f0ddd851b3fa3e9d3450bbcd561f4f850469
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 114ea3cb13ab25f7178cb60283adb93d2f96dad7
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 5873df0195124be2f357de11bfd473ead4f90ed8
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 756747d4b439e3e1159282ae89f17eefebbe9b25
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < ef7311101ca43dd73b45bca7a30ac72d9535ff87
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 4de3a603010e0ca334487de24c6aab0777b7f808
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 88484bde6f12126616b38e43b6c00edcd941f615
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
Version < 6e2bda2c192d0244b5a78b787ef20aa10cb319b7
Version 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version <= 4.14.*
Version 4.14.326
Status unaffected
Version <= 4.19.*
Version 4.19.295
Status unaffected
Version <= 5.4.*
Version 5.4.257
Status unaffected
Version <= 5.10.*
Version 5.10.197
Status unaffected
Version <= 5.15.*
Version 5.15.133
Status unaffected
Version <= 6.1.*
Version 6.1.55
Status unaffected
Version <= 6.5.*
Version 6.5.5
Status unaffected
Version <= *
Version 6.6
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.02% 0.053
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String