2363763 – (CVE-2023-53116) CVE-2023-53116 kernel: nvmet: avoid potential UAF in nvmet_req_complete()

Bug 2363763 (CVE-2023-53116) - CVE-2023-53116 kernel: nvmet: avoid potential UAF in nvmet_req_complete()

Summary: CVE-2023-53116 kernel: nvmet: avoid potential UAF in nvmet_req_complete()

Keywords:
Status:	NEW
Alias:	CVE-2023-53116
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-02 16:04 UTC by OSIDB Bzimport
Modified:	2025-05-05 05:51 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-02 16:04:47 UTC

In the Linux kernel, the following vulnerability has been resolved:

nvmet: avoid potential UAF in nvmet_req_complete()

An nvme target ->queue_response() operation implementation may free the
request passed as argument. Such implementation potentially could result
in a use after free of the request pointer when percpu_ref_put() is
called in nvmet_req_complete().

Avoid such problem by using a local variable to save the sq pointer
before calling __nvmet_req_complete(), thus avoiding dereferencing the
req pointer after that function call.

Comment 1 Avinash Hanwate 2025-05-05 05:47:06 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025050229-CVE-2023-53116-469c@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.