2176140 – (CVE-2023-1252) CVE-2023-1252 kernel: ovl: fix use after free in struct ovl_aio_req

Bug 2176140 (CVE-2023-1252) - CVE-2023-1252 kernel: ovl: fix use after free in struct ovl_aio_req

Summary: CVE-2023-1252 kernel: ovl: fix use after free in struct ovl_aio_req

Keywords:
Status:	NEW
Alias:	CVE-2023-1252
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2176159 2176160 2176161 2176162 2176141
Blocks:	2156315
TreeView+	depends on / blocked

Reported:	2023-03-07 13:55 UTC by Alex
Modified:	2023-07-07 08:32 UTC (History)
CC List:	36 users (show)
Fixed In Version:	Linux kernel 5.16-rc1
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Alex 2023-03-07 13:55:31 UTC

A flaw found in the Linux Kernel. For the Ext4 file system if overlay FS being used, use after free could happen as result of the race condition. The bug actual if patch 9a2544037600 not applied yet. Example for triggering in a overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
	   * Here IO is completed in a separate thread,
	   * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
	   */
          file_accessed(iocb->ki_filp); /**BOOM**/

Reference:
https://lore.kernel.org/lkml/20211115165433.449951285@linuxfoundation.org/

Comment 1 Alex 2023-03-07 13:55:59 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2176141]

Comment 4 Justin M. Forbes 2023-03-21 14:23:27 UTC

This was fixed for Fedora with the 5.14.19 stable kernel updates.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
bhu
chwhite
ddepaula
debarbos
dfreiber
dvlasenk
ezulian
fhrbata
hkrzesin
jarod
jburrell
jfaracco
jferlan
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
kernel-mgr
lgoncalv
lleshchi
lzampier
nmurray
ptalbert
qzhao
rogbas
rvrbovsk
scweaver
swood
tyberry
vkumar
walters
williams