2395306 – (CVE-2023-53241) CVE-2023-53241 kernel: nfsd: call op_release, even when op_func returns an error

Bug 2395306 (CVE-2023-53241) - CVE-2023-53241 kernel: nfsd: call op_release, even when op_func returns an error

Summary: CVE-2023-53241 kernel: nfsd: call op_release, even when op_func returns an error

Keywords:
Status:	NEW
Alias:	CVE-2023-53241
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-15 15:06 UTC by OSIDB Bzimport
Modified:	2025-09-22 09:34 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-09-15 15:06:36 UTC

In the Linux kernel, the following vulnerability has been resolved:

nfsd: call op_release, even when op_func returns an error

For ops with "trivial" replies, nfsd4_encode_operation will shortcut
most of the encoding work and skip to just marshalling up the status.
One of the things it skips is calling op_release. This could cause a
memory leak in the layoutget codepath if there is an error at an
inopportune time.

Have the compound processing engine always call op_release, even when
op_func sets an error in op->status. With this change, we also need
nfsd4_block_get_device_info_scsi to set the gd_device pointer to NULL
on error to avoid a double free.

Comment 1 Keith Grant 2025-09-16 13:11:46 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091516-CVE-2023-53241-c75a@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.