cve/published/2023/CVE-2023-52803.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be catched by KASAN:\n=========================================================\n[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[  250.500549] Workqueue: events rpc_free_client_work\n[  250.501001] Call Trace:\n[  250.502880]  kasan_report+0xb6/0xf0\n[  250.503209]  ? dget_parent+0x195/0x200\n[  250.503561]  dget_parent+0x195/0x200\n[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90\n[  250.504781]  rpc_remove_client_dir+0xf5/0x150\n[  250.505195]  rpc_free_client_work+0xe4/0x230\n[  250.505598]  process_one_work+0x8ee/0x13b0\n...\n[   22.039056] Allocated by task 244:\n[   22.039390]  kasan_save_stack+0x22/0x50\n[   22.039758]  kasan_set_track+0x25/0x30\n[   22.040109]  __kasan_slab_alloc+0x59/0x70\n[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240\n[   22.040889]  __d_alloc+0x31/0x8e0\n[   22.041207]  d_alloc+0x44/0x1f0\n[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140\n[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110\n[   22.042459]  rpc_create_client_dir+0x34/0x150\n[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0\n[   22.043284]  rpc_client_register+0x136/0x4e0\n[   22.043689]  rpc_new_client+0x911/0x1020\n[   22.044057]  rpc_create_xprt+0xcb/0x370\n[   22.044417]  rpc_create+0x36b/0x6c0\n...\n[   22.049524] Freed by task 0:\n[   22.049803]  kasan_save_stack+0x22/0x50\n[   22.050165]  kasan_set_track+0x25/0x30\n[   22.050520]  kasan_save_free_info+0x2b/0x50\n[   22.050921]  __kasan_slab_free+0x10e/0x1a0\n[   22.051306]  kmem_cache_free+0xa5/0x390\n[   22.051667]  rcu_core+0x62c/0x1930\n[   22.051995]  __do_softirq+0x165/0x52a\n[   22.052347]\n[   22.052503] Last potentially related work creation:\n[   22.052952]  kasan_save_stack+0x22/0x50\n[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0\n[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0\n[   22.054209]  dentry_free+0xb2/0x140\n[   22.054540]  __dentry_kill+0x3be/0x540\n[   22.054900]  shrink_dentry_list+0x199/0x510\n[   22.055293]  shrink_dcache_parent+0x190/0x240\n[   22.055703]  do_one_tree+0x11/0x40\n[   22.056028]  shrink_dcache_for_umount+0x61/0x140\n[   22.056461]  generic_shutdown_super+0x70/0x590\n[   22.056879]  kill_anon_super+0x3a/0x60\n[   22.057234]  rpc_kill_sb+0x121/0x200"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "include/linux/sunrpc/clnt.h",
                   "net/sunrpc/clnt.c"
                ],
                "versions": [
                   {
                      "version": "0157d021d23a087eecfa830502f81cfe843f0d16",
                      "lessThan": "17866066b8ac1cc38fb449670bc15dc9fee4b40a",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "0157d021d23a087eecfa830502f81cfe843f0d16",
                      "lessThan": "7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "0157d021d23a087eecfa830502f81cfe843f0d16",
                      "lessThan": "dedf2a0eb9448ae73b270743e6ea9b108189df46",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "0157d021d23a087eecfa830502f81cfe843f0d16",
                      "lessThan": "194454afa6aa9d6ed74f0c57127bc8beb27c20df",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "0157d021d23a087eecfa830502f81cfe843f0d16",
                      "lessThan": "7749fd2dbef72a52b5c9ffdbf877691950ed4680",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "0157d021d23a087eecfa830502f81cfe843f0d16",
                      "lessThan": "1cdb52ffd6600a37bd355d8dce58ecd03e55e618",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "0157d021d23a087eecfa830502f81cfe843f0d16",
                      "lessThan": "cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "0157d021d23a087eecfa830502f81cfe843f0d16",
                      "lessThan": "bfca5fb4e97c46503ddfc582335917b0cc228264",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "programFiles": [
                   "include/linux/sunrpc/clnt.h",
                   "net/sunrpc/clnt.c"
                ],
                "versions": [
                   {
                      "version": "3.4",
                      "status": "affected"
                   },
                   {
                      "version": "0",
                      "lessThan": "3.4",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "4.19.318",
                      "lessThanOrEqual": "4.19.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.4.280",
                      "lessThanOrEqual": "5.4.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.10.202",
                      "lessThanOrEqual": "5.10.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "5.15.140",
                      "lessThanOrEqual": "5.15.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.1.64",
                      "lessThanOrEqual": "6.1.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.5.13",
                      "lessThanOrEqual": "6.5.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.6.3",
                      "lessThanOrEqual": "6.6.*",
                      "status": "unaffected",
                      "versionType": "semver"
                   },
                   {
                      "version": "6.7",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "cpeApplicability": [
             {
                "nodes": [
                   {
                      "operator": "OR",
                      "negate": false,
                      "cpeMatch": [
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "3.4",
                            "versionEndExcluding": "4.19.318"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "3.4",
                            "versionEndExcluding": "5.4.280"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "3.4",
                            "versionEndExcluding": "5.10.202"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "3.4",
                            "versionEndExcluding": "5.15.140"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "3.4",
                            "versionEndExcluding": "6.1.64"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "3.4",
                            "versionEndExcluding": "6.5.13"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "3.4",
                            "versionEndExcluding": "6.6.3"
                         },
                         {
                            "vulnerable": true,
                            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "3.4",
                            "versionEndExcluding": "6.7"
                         }
                      ]
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a"
             },
             {
                "url": "https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5"
             },
             {
                "url": "https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46"
             },
             {
                "url": "https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df"
             },
             {
                "url": "https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680"
             },
             {
                "url": "https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618"
             },
             {
                "url": "https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a"
             },
             {
                "url": "https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264"
             }
          ],
          "title": "SUNRPC: Fix RPC client cleaned up the freed pipefs dentries",
          "x_generator": {
             "engine": "bippy-1.2.0"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2023-52803",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be catched by KASAN:\n=========================================================\n[ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[ 250.500549] Workqueue: events rpc_free_client_work\n[ 250.501001] Call Trace:\n[ 250.502880] kasan_report+0xb6/0xf0\n[ 250.503209] ? dget_parent+0x195/0x200\n[ 250.503561] dget_parent+0x195/0x200\n[ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[ 250.504384] rpc_rmdir_depopulate+0x1b/0x90\n[ 250.504781] rpc_remove_client_dir+0xf5/0x150\n[ 250.505195] rpc_free_client_work+0xe4/0x230\n[ 250.505598] process_one_work+0x8ee/0x13b0\n...\n[ 22.039056] Allocated by task 244:\n[ 22.039390] kasan_save_stack+0x22/0x50\n[ 22.039758] kasan_set_track+0x25/0x30\n[ 22.040109] __kasan_slab_alloc+0x59/0x70\n[ 22.040487] kmem_cache_alloc_lru+0xf0/0x240\n[ 22.040889] __d_alloc+0x31/0x8e0\n[ 22.041207] d_alloc+0x44/0x1f0\n[ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140\n[ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110\n[ 22.042459] rpc_create_client_dir+0x34/0x150\n[ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0\n[ 22.043284] rpc_client_register+0x136/0x4e0\n[ 22.043689] rpc_new_client+0x911/0x1020\n[ 22.044057] rpc_create_xprt+0xcb/0x370\n[ 22.044417] rpc_create+0x36b/0x6c0\n...\n[ 22.049524] Freed by task 0:\n[ 22.049803] kasan_save_stack+0x22/0x50\n[ 22.050165] kasan_set_track+0x25/0x30\n[ 22.050520] kasan_save_free_info+0x2b/0x50\n[ 22.050921] __kasan_slab_free+0x10e/0x1a0\n[ 22.051306] kmem_cache_free+0xa5/0x390\n[ 22.051667] rcu_core+0x62c/0x1930\n[ 22.051995] __do_softirq+0x165/0x52a\n[ 22.052347]\n[ 22.052503] Last potentially related work creation:\n[ 22.052952] kasan_save_stack+0x22/0x50\n[ 22.053313] __kasan_record_aux_stack+0x8e/0xa0\n[ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0\n[ 22.054209] dentry_free+0xb2/0x140\n[ 22.054540] __dentry_kill+0x3be/0x540\n[ 22.054900] shrink_dentry_list+0x199/0x510\n[ 22.055293] shrink_dcache_parent+0x190/0x240\n[ 22.055703] do_one_tree+0x11/0x40\n[ 22.056028] shrink_dcache_for_umount+0x61/0x140\n[ 22.056461] generic_shutdown_super+0x70/0x590\n[ 22.056879] kill_anon_super+0x3a/0x60\n[ 22.057234] rpc_kill_sb+0x121/0x200"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"include/linux/sunrpc/clnt.h",
	"net/sunrpc/clnt.c"
	],
	"versions": [
	{
	"version": "0157d021d23a087eecfa830502f81cfe843f0d16",
	"lessThan": "17866066b8ac1cc38fb449670bc15dc9fee4b40a",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "0157d021d23a087eecfa830502f81cfe843f0d16",
	"lessThan": "7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "0157d021d23a087eecfa830502f81cfe843f0d16",
	"lessThan": "dedf2a0eb9448ae73b270743e6ea9b108189df46",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "0157d021d23a087eecfa830502f81cfe843f0d16",
	"lessThan": "194454afa6aa9d6ed74f0c57127bc8beb27c20df",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "0157d021d23a087eecfa830502f81cfe843f0d16",
	"lessThan": "7749fd2dbef72a52b5c9ffdbf877691950ed4680",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "0157d021d23a087eecfa830502f81cfe843f0d16",
	"lessThan": "1cdb52ffd6600a37bd355d8dce58ecd03e55e618",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "0157d021d23a087eecfa830502f81cfe843f0d16",
	"lessThan": "cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "0157d021d23a087eecfa830502f81cfe843f0d16",
	"lessThan": "bfca5fb4e97c46503ddfc582335917b0cc228264",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"programFiles": [
	"include/linux/sunrpc/clnt.h",
	"net/sunrpc/clnt.c"
	],
	"versions": [
	{
	"version": "3.4",
	"status": "affected"
	},
	{
	"version": "0",
	"lessThan": "3.4",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "4.19.318",
	"lessThanOrEqual": "4.19.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.4.280",
	"lessThanOrEqual": "5.4.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.10.202",
	"lessThanOrEqual": "5.10.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "5.15.140",
	"lessThanOrEqual": "5.15.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.1.64",
	"lessThanOrEqual": "6.1.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.5.13",
	"lessThanOrEqual": "6.5.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.6.3",
	"lessThanOrEqual": "6.6.*",
	"status": "unaffected",
	"versionType": "semver"
	},
	{
	"version": "6.7",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"cpeApplicability": [
	{
	"nodes": [
	{
	"operator": "OR",
	"negate": false,
	"cpeMatch": [
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "3.4",
	"versionEndExcluding": "4.19.318"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "3.4",
	"versionEndExcluding": "5.4.280"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "3.4",
	"versionEndExcluding": "5.10.202"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "3.4",
	"versionEndExcluding": "5.15.140"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "3.4",
	"versionEndExcluding": "6.1.64"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "3.4",
	"versionEndExcluding": "6.5.13"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "3.4",
	"versionEndExcluding": "6.6.3"
	},
	{
	"vulnerable": true,
	"criteria": "cpe:2.3:o:linux:linux_kernel::::::::",
	"versionStartIncluding": "3.4",
	"versionEndExcluding": "6.7"
	}
	]
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a"
	},
	{
	"url": "https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5"
	},
	{
	"url": "https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46"
	},
	{
	"url": "https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df"
	},
	{
	"url": "https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680"
	},
	{
	"url": "https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618"
	},
	{
	"url": "https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a"
	},
	{
	"url": "https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264"
	}
	],
	"title": "SUNRPC: Fix RPC client cleaned up the freed pipefs dentries",
	"x_generator": {
	"engine": "bippy-1.2.0"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2023-52803",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}