-

CVE-2023-53800

In the Linux kernel, the following vulnerability has been resolved:

ubi: Fix use-after-free when volume resizing failed

There is an use-after-free problem reported by KASAN:
  ==================================================================
  BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]
  Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735

  CPU: 2 PID: 4735 Comm: ubirsvol
  Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   ubi_eba_copy_table+0x11f/0x1c0 [ubi]
   ubi_resize_volume+0x4f9/0xbc0 [ubi]
   ubi_cdev_ioctl+0x701/0x1850 [ubi]
   __x64_sys_ioctl+0x11d/0x170
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0
   </TASK>

When ubi_change_vtbl_record() returns an error in ubi_resize_volume(),
"new_eba_tbl" will be freed on error handing path, but it is holded
by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the liftcycle
of "vol->eba_tbl" and "vol" are different, so when resizing volume in
next time, it causing an use-after-free fault.

Fix it by not freeing "new_eba_tbl" after it replaced in
ubi_eba_replace_table(), while will be freed in next volume resizing.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version < bf9875aa7f7d624a8c084425b14bf7e5907ebc30
Version 801c135ce73d5df1caf3eca35b66a10824ae0707
Status affected
Version < bf795ebbb9995e2fe7945de71177f01c2f1215dc
Version 801c135ce73d5df1caf3eca35b66a10824ae0707
Status affected
Version < 9c8be1f165baee53b5a36ea0b3c9281d403a1d0b
Version 801c135ce73d5df1caf3eca35b66a10824ae0707
Status affected
Version < 35f8d4064e54c18424db2997059d4c0b1d13d093
Version 801c135ce73d5df1caf3eca35b66a10824ae0707
Status affected
Version < 53818746e549e61841428892a8d94344494be797
Version 801c135ce73d5df1caf3eca35b66a10824ae0707
Status affected
Version < b0c951742348d216f094d16ed4f70ae73db881c0
Version 801c135ce73d5df1caf3eca35b66a10824ae0707
Status affected
Version < 3d6378f7056ac7350338f941001162a8f660853c
Version 801c135ce73d5df1caf3eca35b66a10824ae0707
Status affected
Version < 9af31d6ec1a4be4caab2550096c6bd2ba8fba472
Version 801c135ce73d5df1caf3eca35b66a10824ae0707
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 2.6.22
Status affected
Version < 2.6.22
Version 0
Status unaffected
Version <= 4.14.*
Version 4.14.308
Status unaffected
Version <= 4.19.*
Version 4.19.276
Status unaffected
Version <= 5.4.*
Version 5.4.235
Status unaffected
Version <= 5.10.*
Version 5.10.173
Status unaffected
Version <= 5.15.*
Version 5.15.100
Status unaffected
Version <= 6.1.*
Version 6.1.18
Status unaffected
Version <= 6.2.*
Version 6.2.5
Status unaffected
Version <= *
Version 6.3
Status unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.02% 0.058
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String