CVE-2023-52760 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81
https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba
https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37
https://lore.kernel.org/linux-cve-announce/2024052147-CVE-2023-52760-5ac4@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2023-52760
https://www.cve.org/CVERecord?id=CVE-2023-52760

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-21T15:30:46.427Z

Updated: 2024-08-02T23:11:36.034Z

Reserved: 2024-05-21T15:19:24.237Z

Link: CVE-2023-52760

Vulnrichment

Updated: 2024-08-02T23:11:36.034Z

NVD

Status : Modified

Published: 2024-05-21T16:15:15.410

Modified: 2024-07-05T08:15:02.230

Link: CVE-2023-52760

Redhat

Severity : Moderate

Publid Date: 2024-05-21T00:00:00Z

Links: CVE-2023-52760 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52760", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T15:19:24.237Z", "datePublished": "2024-05-21T15:30:46.427Z", "dateUpdated": "2024-08-02T23:11:36.034Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-05T07:51:24.354Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/gfs2/super.c"], "versions": [{"version": "1da177e4c3f4", "lessThan": "7ad4e0a4f61c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "08a28272faa7", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f4", "lessThan": "bdcb8aa434c6", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/gfs2/super.c"], "versions": [{"version": "6.1.97", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.6.3", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "custom"}, {"version": "6.7", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba"}, {"url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81"}, {"url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37"}], "title": "gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "x_generator": {"engine": "bippy-7d53e8ef8be4"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52760", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T18:26:22.936431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:24:04.103Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:36.034Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:36.034Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52760", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-22T18:26:22.936431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:25.678Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f4", "lessThan": "7ad4e0a4f61c", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "08a28272faa7", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f4", "lessThan": "bdcb8aa434c6", "versionType": "git"}], "programFiles": ["fs/gfs2/super.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "6.1.97", "versionType": "custom", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.3", "versionType": "custom", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["fs/gfs2/super.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba"}, {"url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81"}, {"url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37"}], "x_generator": {"engine": "bippy-7d53e8ef8be4"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-07-05T07:51:24.354Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52760", "state": "PUBLISHED", "dateUpdated": "2024-08-02T23:11:36.034Z", "dateReserved": "2024-05-21T15:19:24.237Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T15:30:46.427Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "24DFB8C6-5FA0-4F09-BFF5-391E59AE9F03", "versionEndExcluding": "6.6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again."}, {"lang": "es", "value": " En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gfs2: corrige slab-use-after-free en gfs2_qd_dealloc. En gfs2_put_super(), ya sea retirada o no, gfs2_quota_cleanup() debe limpiar la cuota. De lo contrario, la estructura gfs2_sbd se liberar\u00e1 antes de que se ejecute gfs2_qd_dealloc (devoluci\u00f3n de llamada de rcu) para todos los objetos gfs2_quota_data, lo que dar\u00e1 como resultado un use after free. Adem\u00e1s, gfs2_destroy_threads() y gfs2_quota_cleanup() ya son llamados por gfs2_make_fs_ro(), por lo que en gfs2_put_super(), despu\u00e9s de llamar a gfs2_make_fs_ro(), no es necesario volver a llamarlos."}], "id": "CVE-2023-52760", "lastModified": "2024-07-05T08:15:02.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-21T16:15:15.410", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "id": "2282659", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282659"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again."], "name": "CVE-2023-52760", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52760\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52760\nhttps://lore.kernel.org/linux-cve-announce/2024052147-CVE-2023-52760-5ac4@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 6.6.3, kernel 6.7"}