cve-2023-52803
Vulnerability from cvelistv5
Published
2024-05-21 15:31
Modified
2024-11-04 14:53
Severity ?
Summary
SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52803",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:36:49.719946Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:37:08.071Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:11:35.893Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sunrpc/clnt.h",
            "net/sunrpc/clnt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "17866066b8ac",
              "status": "affected",
              "version": "0157d021d23a",
              "versionType": "git"
            },
            {
              "lessThan": "7d61d1da2ed1",
              "status": "affected",
              "version": "0157d021d23a",
              "versionType": "git"
            },
            {
              "lessThan": "dedf2a0eb944",
              "status": "affected",
              "version": "0157d021d23a",
              "versionType": "git"
            },
            {
              "lessThan": "194454afa6aa",
              "status": "affected",
              "version": "0157d021d23a",
              "versionType": "git"
            },
            {
              "lessThan": "7749fd2dbef7",
              "status": "affected",
              "version": "0157d021d23a",
              "versionType": "git"
            },
            {
              "lessThan": "1cdb52ffd660",
              "status": "affected",
              "version": "0157d021d23a",
              "versionType": "git"
            },
            {
              "lessThan": "cc2e7ebbeb1d",
              "status": "affected",
              "version": "0157d021d23a",
              "versionType": "git"
            },
            {
              "lessThan": "bfca5fb4e97c",
              "status": "affected",
              "version": "0157d021d23a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/sunrpc/clnt.h",
            "net/sunrpc/clnt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.4"
            },
            {
              "lessThan": "3.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.318",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.280",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be catched by KASAN:\n=========================================================\n[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[  250.500549] Workqueue: events rpc_free_client_work\n[  250.501001] Call Trace:\n[  250.502880]  kasan_report+0xb6/0xf0\n[  250.503209]  ? dget_parent+0x195/0x200\n[  250.503561]  dget_parent+0x195/0x200\n[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90\n[  250.504781]  rpc_remove_client_dir+0xf5/0x150\n[  250.505195]  rpc_free_client_work+0xe4/0x230\n[  250.505598]  process_one_work+0x8ee/0x13b0\n...\n[   22.039056] Allocated by task 244:\n[   22.039390]  kasan_save_stack+0x22/0x50\n[   22.039758]  kasan_set_track+0x25/0x30\n[   22.040109]  __kasan_slab_alloc+0x59/0x70\n[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240\n[   22.040889]  __d_alloc+0x31/0x8e0\n[   22.041207]  d_alloc+0x44/0x1f0\n[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140\n[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110\n[   22.042459]  rpc_create_client_dir+0x34/0x150\n[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0\n[   22.043284]  rpc_client_register+0x136/0x4e0\n[   22.043689]  rpc_new_client+0x911/0x1020\n[   22.044057]  rpc_create_xprt+0xcb/0x370\n[   22.044417]  rpc_create+0x36b/0x6c0\n...\n[   22.049524] Freed by task 0:\n[   22.049803]  kasan_save_stack+0x22/0x50\n[   22.050165]  kasan_set_track+0x25/0x30\n[   22.050520]  kasan_save_free_info+0x2b/0x50\n[   22.050921]  __kasan_slab_free+0x10e/0x1a0\n[   22.051306]  kmem_cache_free+0xa5/0x390\n[   22.051667]  rcu_core+0x62c/0x1930\n[   22.051995]  __do_softirq+0x165/0x52a\n[   22.052347]\n[   22.052503] Last potentially related work creation:\n[   22.052952]  kasan_save_stack+0x22/0x50\n[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0\n[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0\n[   22.054209]  dentry_free+0xb2/0x140\n[   22.054540]  __dentry_kill+0x3be/0x540\n[   22.054900]  shrink_dentry_list+0x199/0x510\n[   22.055293]  shrink_dcache_parent+0x190/0x240\n[   22.055703]  do_one_tree+0x11/0x40\n[   22.056028]  shrink_dcache_for_umount+0x61/0x140\n[   22.056461]  generic_shutdown_super+0x70/0x590\n[   22.056879]  kill_anon_super+0x3a/0x60\n[   22.057234]  rpc_kill_sb+0x121/0x200"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T14:53:00.924Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5"
        },
        {
          "url": "https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46"
        },
        {
          "url": "https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df"
        },
        {
          "url": "https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618"
        },
        {
          "url": "https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a"
        },
        {
          "url": "https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264"
        }
      ],
      "title": "SUNRPC: Fix RPC client cleaned up the freed pipefs dentries",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52803",
    "datePublished": "2024-05-21T15:31:15.063Z",
    "dateReserved": "2024-05-21T15:19:24.247Z",
    "dateUpdated": "2024-11-04T14:53:00.924Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52803\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:18.753\",\"lastModified\":\"2024-07-18T12:15:02.423\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\\n\\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\\nworkqueue,which takes care about pipefs superblock locking.\\nIn some special scenarios, when kernel frees the pipefs sb of the\\ncurrent client and immediately alloctes a new pipefs sb,\\nrpc_remove_pipedir function would misjudge the existence of pipefs\\nsb which is not the one it used to hold. As a result,\\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\\n\\nTo fix this issue, rpc_remove_pipedir should check whether the\\ncurrent pipefs sb is consistent with the original pipefs sb.\\n\\nThis error can be catched by KASAN:\\n=========================================================\\n[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\\n[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\\n[  250.500549] Workqueue: events rpc_free_client_work\\n[  250.501001] Call Trace:\\n[  250.502880]  kasan_report+0xb6/0xf0\\n[  250.503209]  ? dget_parent+0x195/0x200\\n[  250.503561]  dget_parent+0x195/0x200\\n[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10\\n[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90\\n[  250.504781]  rpc_remove_client_dir+0xf5/0x150\\n[  250.505195]  rpc_free_client_work+0xe4/0x230\\n[  250.505598]  process_one_work+0x8ee/0x13b0\\n...\\n[   22.039056] Allocated by task 244:\\n[   22.039390]  kasan_save_stack+0x22/0x50\\n[   22.039758]  kasan_set_track+0x25/0x30\\n[   22.040109]  __kasan_slab_alloc+0x59/0x70\\n[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240\\n[   22.040889]  __d_alloc+0x31/0x8e0\\n[   22.041207]  d_alloc+0x44/0x1f0\\n[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140\\n[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110\\n[   22.042459]  rpc_create_client_dir+0x34/0x150\\n[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0\\n[   22.043284]  rpc_client_register+0x136/0x4e0\\n[   22.043689]  rpc_new_client+0x911/0x1020\\n[   22.044057]  rpc_create_xprt+0xcb/0x370\\n[   22.044417]  rpc_create+0x36b/0x6c0\\n...\\n[   22.049524] Freed by task 0:\\n[   22.049803]  kasan_save_stack+0x22/0x50\\n[   22.050165]  kasan_set_track+0x25/0x30\\n[   22.050520]  kasan_save_free_info+0x2b/0x50\\n[   22.050921]  __kasan_slab_free+0x10e/0x1a0\\n[   22.051306]  kmem_cache_free+0xa5/0x390\\n[   22.051667]  rcu_core+0x62c/0x1930\\n[   22.051995]  __do_softirq+0x165/0x52a\\n[   22.052347]\\n[   22.052503] Last potentially related work creation:\\n[   22.052952]  kasan_save_stack+0x22/0x50\\n[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0\\n[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0\\n[   22.054209]  dentry_free+0xb2/0x140\\n[   22.054540]  __dentry_kill+0x3be/0x540\\n[   22.054900]  shrink_dentry_list+0x199/0x510\\n[   22.055293]  shrink_dcache_parent+0x190/0x240\\n[   22.055703]  do_one_tree+0x11/0x40\\n[   22.056028]  shrink_dcache_for_umount+0x61/0x140\\n[   22.056461]  generic_shutdown_super+0x70/0x590\\n[   22.056879]  kill_anon_super+0x3a/0x60\\n[   22.057234]  rpc_kill_sb+0x121/0x200\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: SUNRPC: el cliente RPC limpi\u00f3 los pipefs dentries liberados. La limpieza de pipefs dentries del cliente RPC est\u00e1 en la cola de trabajo separada rpc_remove_pipedir(), que se encarga del bloqueo del superbloque de pipefs. En algunos escenarios especiales, cuando el kernel libera el pipefs sb del cliente actual e inmediatamente asigna un nuevo pipefs sb, la funci\u00f3n rpc_remove_pipedir juzgar\u00eda mal la existencia de pipefs sb que no es el que sol\u00eda contener. Como resultado, rpc_remove_pipedir limpiar\u00eda las dentr\u00edas de pipefs liberadas. Para solucionar este problema, rpc_remove_pipedir debe verificar si el pipefs sb actual es consistente con el pipefs sb original. KASAN puede detectar este error: ============================================ =============== [250.497700] BUG: KASAN: slab-use-after-free en dget_parent+0x195/0x200 [250.498315] Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff88800a2ab804 por tarea kworker/0 :18/106503 [250.500549] Cola de trabajo: eventos rpc_free_client_work [250.501001] Seguimiento de llamadas: [250.502880] kasan_report+0xb6/0xf0 [250.503209]? dget_parent+0x195/0x200 [ 250.503561] dget_parent+0x195/0x200 [ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10 [ 250.504384] rpc_rmdir_depopulate+0x1b/0x90 [ 250.504781] rpc_remove_client_dir+0xf5/0x150 [ 250.505195] /0x230 [ 250.505598] Process_one_work+0x8ee/0x13b0 ... [ 22.039056] Asignado por la tarea 244: [ 22.039390 ] kasan_save_stack+0x22/0x50 [ 22.039758] kasan_set_track+0x25/0x30 [ 22.040109] __kasan_slab_alloc+0x59/0x70 [ 22.040487] kmem_cache_alloc_lru+0xf0/0x240 [ 22.0408 89] __d_alloc+0x31/0x8e0 [ 22.041207] d_alloc+0x44/0x1f0 [ 22.041514] __rpc_lookup_create_exclusive +0x11c/0x140 [ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110 [ 22.042459] rpc_create_client_dir+0x34/0x150 [ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0 [ 22.043284] rpc_client_register+0x136/0x4e0 [ 22.043689] rpc_new_client+0x911/0x1020 [ 22.044057 ] rpc_create_xprt+0xcb/0x370 [ 22.044417] rpc_create+0x36b/0x6c0 ... [ 22.049524] Liberado por la tarea 0: [ 22.049803] kasan_save_stack+0x22/0x50 [ 22.050165] 25/0x30 [ 22.050520] kasan_save_free_info+0x2b/0x50 [ 22.050921] __kasan_slab_free+0x10e/0x1a0 [ 22.051306] kmem_cache_free+0xa5/0x390 [ 22.051667] rcu_core+0x62c/0x1930 [ 22.051995] __do_softirq+0x165/0x52a [ 22.052347] [ 22.052503] \u00daltima creaci\u00f3n de trabajo potencialmente relacionado: [ 22.052952] kasan_save_stack+0x22/ 0x50 [ 22.053313] __kasan_record_aux_stack+0x8e/0xa0 [ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0 [ 22.054209] dentry_free+0xb2/0x140 [ __dentry_kill+ 0x3be/0x540 [22.054900] Shrink_dentry_list+0x199/0x510 [22.055293] Shrink_dcache_parent+ 0x190/0x240 [ 22.055703] do_one_tree+0x11/0x40 [ 22.056028] shrink_dcache_for_umount+0x61/0x140 [ 22.056461] generic_shutdown_super+0x70/0x590 [ 22.056879] 3a/0x60 [22.057234] rpc_kill_sb+0x121/0x200\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.