发布于3月6日3月6日 Members Ubuntu: (Multiple Advisories) (CVE-2023-52803): Linux kernel vulnerabilities Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/21/2024 Created 09/14/2024 Added 09/13/2024 Modified 10/02/2024 Description In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir() workqueue,which takes care about pipefs superblock locking. In some special scenarios, when kernel frees the pipefs sb of the current client and immediately alloctes a new pipefs sb, rpc_remove_pipedir function would misjudge the existence of pipefs sb which is not the one it used to hold. As a result, the rpc_remove_pipedir would clean the released freed pipefs dentries. To fix this issue, rpc_remove_pipedir should check whether the current pipefs sb is consistent with the original pipefs sb. This error can be catched by KASAN: ========================================================= [250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200 [250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503 [250.500549] Workqueue: events rpc_free_client_work [250.501001] Call Trace: [250.502880]kasan_report+0xb6/0xf0 [250.503209]? dget_parent+0x195/0x200 [250.503561]dget_parent+0x195/0x200 [250.503897]? __pfx_rpc_clntdir_depopulate+0x10/0x10 [250.504384]rpc_rmdir_depopulate+0x1b/0x90 [250.504781]rpc_remove_client_dir+0xf5/0x150 [250.505195]rpc_free_client_work+0xe4/0x230 [250.505598]process_one_work+0x8ee/0x13b0 ... [ 22.039056] Allocated by task 244: [ 22.039390]kasan_save_stack+0x22/0x50 [ 22.039758]kasan_set_track+0x25/0x30 [ 22.040109]__kasan_slab_alloc+0x59/0x70 [ 22.040487]kmem_cache_alloc_lru+0xf0/0x240 [ 22.040889]__d_alloc+0x31/0x8e0 [ 22.041207]d_alloc+0x44/0x1f0 [ 22.041514]__rpc_lookup_create_exclusive+0x11c/0x140 [ 22.041987]rpc_mkdir_populate.constprop.0+0x5f/0x110 [ 22.042459]rpc_create_client_dir+0x34/0x150 [ 22.042874]rpc_setup_pipedir_sb+0x102/0x1c0 [ 22.043284]rpc_client_register+0x136/0x4e0 [ 22.043689]rpc_new_client+0x911/0x1020 [ 22.044057]rpc_create_xprt+0xcb/0x370 [ 22.044417]rpc_create+0x36b/0x6c0 ... [ 22.049524] Freed by task 0: [ 22.049803]kasan_save_stack+0x22/0x50 [ 22.050165]kasan_set_track+0x25/0x30 [ 22.050520]kasan_save_free_info+0x2b/0x50 [ 22.050921]__kasan_slab_free+0x10e/0x1a0 [ 22.051306]kmem_cache_free+0xa5/0x390 [ 22.051667]rcu_core+0x62c/0x1930 [ 22.051995]__do_softirq+0x165/0x52a [ 22.052347] [ 22.052503] Last potentially related work creation: [ 22.052952]kasan_save_stack+0x22/0x50 [ 22.053313]__kasan_record_aux_stack+0x8e/0xa0 [ 22.053739]__call_rcu_common.constprop.0+0x6b/0x8b0 [ 22.054209]dentry_free+0xb2/0x140 [ 22.054540]__dentry_kill+0x3be/0x540 [ 22.054900]shrink_dentry_list+0x199/0x510 [ 22.055293]shrink_dcache_parent+0x190/0x240 [ 22.055703]do_one_tree+0x11/0x40 [ 22.056028]shrink_dcache_for_umount+0x61/0x140 [ 22.056461]generic_shutdown_super+0x70/0x590 [ 22.056879]kill_anon_super+0x3a/0x60 [ 22.057234]rpc_kill_sb+0x121/0x200 Solution(s) ubuntu-upgrade-linux-image-5-4-0-1043-iot ubuntu-upgrade-linux-image-5-4-0-1051-xilinx-zynqmp ubuntu-upgrade-linux-image-5-4-0-1079-ibm ubuntu-upgrade-linux-image-5-4-0-1092-bluefield ubuntu-upgrade-linux-image-5-4-0-1099-gkeop ubuntu-upgrade-linux-image-5-4-0-1116-raspi ubuntu-upgrade-linux-image-5-4-0-1120-kvm ubuntu-upgrade-linux-image-5-4-0-1131-oracle ubuntu-upgrade-linux-image-5-4-0-1132-aws ubuntu-upgrade-linux-image-5-4-0-1136-gcp ubuntu-upgrade-linux-image-5-4-0-1137-azure ubuntu-upgrade-linux-image-5-4-0-195-generic ubuntu-upgrade-linux-image-5-4-0-195-generic-lpae ubuntu-upgrade-linux-image-5-4-0-195-lowlatency ubuntu-upgrade-linux-image-aws ubuntu-upgrade-linux-image-aws-lts-20-04 ubuntu-upgrade-linux-image-azure ubuntu-upgrade-linux-image-azure-lts-20-04 ubuntu-upgrade-linux-image-bluefield ubuntu-upgrade-linux-image-gcp ubuntu-upgrade-linux-image-gcp-lts-20-04 ubuntu-upgrade-linux-image-generic ubuntu-upgrade-linux-image-generic-hwe-18-04 ubuntu-upgrade-linux-image-generic-lpae ubuntu-upgrade-linux-image-gkeop ubuntu-upgrade-linux-image-gkeop-5-4 ubuntu-upgrade-linux-image-ibm ubuntu-upgrade-linux-image-ibm-lts-20-04 ubuntu-upgrade-linux-image-kvm ubuntu-upgrade-linux-image-lowlatency ubuntu-upgrade-linux-image-lowlatency-hwe-18-04 ubuntu-upgrade-linux-image-oem ubuntu-upgrade-linux-image-oem-osp1 ubuntu-upgrade-linux-image-oracle ubuntu-upgrade-linux-image-oracle-lts-20-04 ubuntu-upgrade-linux-image-raspi ubuntu-upgrade-linux-image-raspi-hwe-18-04 ubuntu-upgrade-linux-image-raspi2 ubuntu-upgrade-linux-image-raspi2-hwe-18-04 ubuntu-upgrade-linux-image-snapdragon-hwe-18-04 ubuntu-upgrade-linux-image-virtual ubuntu-upgrade-linux-image-virtual-hwe-18-04 ubuntu-upgrade-linux-image-xilinx-zynqmp References https://attackerkb.com/topics/cve-2023-52803 CVE - 2023-52803 USN-7003-1 USN-7003-2 USN-7003-3 USN-7003-4 USN-7003-5 USN-7006-1 View more
