Bug 2181342 (CVE-2023-1611) - CVE-2023-1611 Kernel: race between quota disable and quota assign ioctls in fs/btrfs/ioctl.c
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2023-1611
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2181346
Blocks: 2181257
Reported: 2023-03-23 18:18 UTC by Rohit Keshri
Modified: 2024-04-17 17:09 UTC (History)

Fixed In Version: kernel 5.10.177, kernel 5.15.106, kernel 6.1.23, kernel 6.2.10
Doc Text:
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information lea
Clone Of:
Environment:
Last Closed: 2023-03-23 22:17:17 UTC
Embargoed:



Description Rohit Keshri 2023-03-23 18:18:46 UTC
A slab-use-after-free read flaw was found in btrfs_search_slot in fs/btrfs/ctree.c

The quota assign ioctl can currently run in parallel with a quota disable ioctl call. The assign ioctl uses the quota root, while the disable ioctl frees that root, and therefore we can have a use-after-free triggered in the assign ioctl.

Reference:
https://lore.kernel.org/linux-btrfs/35b9a70650ea947387cf352914a8774b4f7e8a6f.1679481128.git.fdmanana@suse.com/
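
One way to close this kind of race, shown as an added userspace model that is not part of the original report and is not btrfs kernel code: both paths take the same mutex, and the assign path checks and uses the quota root only while holding it. The names `fs_info`, `quota_root`, `qgroup_ioctl_lock`, the functions and the `-ENOTCONN` result are assumptions of this model.

```c
/* Userspace model constructed for illustration; not btrfs kernel code. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
struct quota_root { unsigned long updates; };
struct fs_info {
    pthread_mutex_t qgroup_ioctl_lock; /* taken by BOTH ioctl paths */
    struct quota_root *quota_root;     /* NULL while quotas are disabled */
};

static int quota_enable(struct fs_info *fs) {
    pthread_mutex_lock(&fs->qgroup_ioctl_lock);
    if (!fs->quota_root) fs->quota_root = calloc(1, sizeof(*fs->quota_root));
    int ret = fs->quota_root ? 0 : -ENOMEM;
    pthread_mutex_unlock(&fs->qgroup_ioctl_lock);
    return ret;
}

static void quota_disable(struct fs_info *fs) {
    pthread_mutex_lock(&fs->qgroup_ioctl_lock);
    free(fs->quota_root);
    fs->quota_root = NULL; /* clear the pointer before dropping the lock */
    pthread_mutex_unlock(&fs->qgroup_ioctl_lock);
}

/* Assign path: the root is checked and used only while the lock is held. */
static int quota_assign(struct fs_info *fs) {
    int ret = -ENOTCONN; /* this model's "quotas not enabled" result */
    pthread_mutex_lock(&fs->qgroup_ioctl_lock);
    if (fs->quota_root) { fs->quota_root->updates++; ret = 0; }
    pthread_mutex_unlock(&fs->qgroup_ioctl_lock);
    return ret;
}
static void *toggler(void *arg) { /* disable/enable loop, run in a 2nd thread */
    for (int i = 0; i < 20000; i++) { quota_disable(arg); quota_enable(arg); }
    return NULL;
}

/* Races assign against disable/enable; returns the count of unexpected results. */
static int run_model(void) {
    struct fs_info fs = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t t; int bad = 0;
    if (quota_enable(&fs) || pthread_create(&t, NULL, toggler, &fs)) return -1;
    for (int i = 0; i < 20000; i++) { int r = quota_assign(&fs); bad += (r && r != -ENOTCONN); }
    pthread_join(t, NULL);
    quota_disable(&fs);
    return bad;
}
int main(void) { return run_model() ? 1 : 0; }
```

Building the model with a thread or address sanitizer is a quick way to confirm that no access to the root happens outside the lock.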

Comment 2 Rohit Keshri 2023-03-23 18:46:48 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2181346]

Comment 4 Product Security DevOps Team 2023-03-23 22:17:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1611

