Bug 2176140 (CVE-2023-1252) - CVE-2023-1252 kernel: ovl: fix use after free in struct ovl_aio_req
Summary: CVE-2023-1252 kernel: ovl: fix use after free in struct ovl_aio_req
Keywords:
Status: NEW
Alias: CVE-2023-1252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2176159 2176160 2176161 2176162 2176141
Blocks: 2156315
TreeView+ depends on / blocked
 
Reported: 2023-03-07 13:55 UTC by Alex
Modified: 2023-07-07 08:32 UTC (History)
36 users (show)

Fixed In Version: Linux kernel 5.16-rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Alex 2023-03-07 13:55:31 UTC
A flaw found in the Linux Kernel. For the Ext4 file system if overlay FS being used, use after free could happen as result of the race condition. The bug actual if patch 9a2544037600 not applied yet. Example for triggering in a overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
	   * Here IO is completed in a separate thread,
	   * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
	   */
          file_accessed(iocb->ki_filp); /**BOOM**/

Reference:
https://lore.kernel.org/lkml/20211115165433.449951285@linuxfoundation.org/

Comment 1 Alex 2023-03-07 13:55:59 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2176141]

Comment 4 Justin M. Forbes 2023-03-21 14:23:27 UTC
This was fixed for Fedora with the 5.14.19 stable kernel updates.


Note You need to log in before you can comment on or make changes to this bug.