Bug 2219272 (CVE-2023-4385) - CVE-2023-4385 kernel: jfs: NULL pointer dereference in dbFree()
Summary: CVE-2023-4385 kernel: jfs: NULL pointer dereference in dbFree()
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2023-4385
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2219283 2219284
Blocks: 2219643
TreeView+ depends on / blocked
 
Reported: 2023-07-03 07:08 UTC by Dhananjay Arunesh
Modified: 2023-08-16 20:20 UTC (History)
48 users (show)

Fixed In Version: Kernel 5.19-rc1
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in the journaling file system (JFS) in the Linux Kernel. This issue may allow a local attacker to crash the system due to a missing sanity check.
Clone Of:
Environment:
Last Closed: 2023-08-16 20:20:57 UTC
Embargoed:


Attachments (Terms of Use)

Description Dhananjay Arunesh 2023-07-03 07:08:51 UTC
A NULL pointer dereference flaw was found in dbFree in fs/jfs/jfs_dmap.c in  journaling file system (JFS) in the Linux Kernel. In this flaw, a local attacker may crash the system due to a missing sanity check.

In our fault-injection testing, the variable "nblocks" in dbFree() can be zero when kmalloc_array() fails in dtSearch(). In this case, the  variable "mp" in dbFree() would be NULL and then it is dereferenced in  "write_metapage(mp)".

References:
https://github.com/torvalds/linux/commit/0d4837fdb796f99369cf7691d33de1b856bcaf1f

Comment 5 Rohit Keshri 2023-08-16 16:34:05 UTC
The affected code was not introduced into any kernel versions shipped with Red Hat Enterprise Linux (except RHEL6) making this vulnerable not applicable to these platforms.

Comment 8 Product Security DevOps Team 2023-08-16 20:20:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-4385


Note You need to log in before you can comment on or make changes to this bug.