CVE-2023-52900

MEDIUM EPSS 15.3%
Published Aug 21, 20241y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Aug 21, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix general protection fault in nilfs_btree_insert() If nilfs2 reads a corrupted disk image and tries to reads a b-tree node block by calling __nilfs_btree_get_block() against an invalid virtual block address, it returns -ENOENT because conversion of the virtual block address to a disk block address fails. However, this return value is the same as the internal code that b-tree lookup routines return to indicate that the block being searched does not exist, so functions that operate on that b-tree may misbehave. When nilfs_btree_insert() receives this spurious 'not found' code from nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was successful and continues the insert operation using incomplete lookup path data, causing the following crash: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] ... RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline] RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline] RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238 Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02 ... Call Trace: <TASK> nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline] nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147 nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101 __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991 __block_write_begin fs/buffer.c:2041 [inline] block_write_begin+0x93/0x1e0 fs/buffer.c:2102 nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261 generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772 __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900 generic_file_write_iter+0xab/0x310 mm/filemap.c:3932 call_write_iter include/linux/fs.h:2186 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x7dc/0xc50 fs/read_write.c:584 ksys_write+0x177/0x2a0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd ... </TASK> This patch fixes the root cause of this problem by replacing the error code that __nilfs_btree_get_block() returns on block address conversion failure from -ENOENT to another internal code -EINVAL which means that the b-tree metadata is corrupted. By returning -EINVAL, it propagates without glitches, and for all relevant b-tree operations, functions in the upper bmap layer output an error message indicating corrupted b-tree metadata via nilfs_bmap_convert_error(), and code -EIO will be eventually returned as it should be.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
15.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 10

VendorProductVersionRange
linuxlinux_kernel* <4.14.304
linuxlinux_kernel*≥4.15  –  <4.19.271
linuxlinux_kernel*≥4.20  –  <5.4.230
linuxlinux_kernel*≥5.5  –  <5.10.165
linuxlinux_kernel*≥5.11  –  <5.15.90
linuxlinux_kernel*≥5.16  –  <6.1.8
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any
linuxlinux_kernel6.2any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749
    Patch