Bug 2395857 (CVE-2023-53307) - CVE-2023-53307 kernel: rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
Summary: CVE-2023-53307 kernel: rbd: avoid use-after-free in do_rbd_add() when rbd_dev...
Keywords:
Status: NEW
Alias: CVE-2023-53307
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-16 17:02 UTC by OSIDB Bzimport
Modified: 2025-09-22 17:11 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-16 17:02:19 UTC 
In the Linux kernel, the following vulnerability has been resolved:

rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails

If getting an ID or setting up a work queue in rbd_dev_create() fails,
use-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts
is triggered in do_rbd_add().  The root cause is that the ownership of
these structures is transfered to rbd_dev prematurely and they all end
up getting freed when rbd_dev_create() calls rbd_dev_free() prior to
returning to do_rbd_add().

Found by Linux Verification Center (linuxtesting.org) with SVACE, an
incomplete patch submitted by Natalia Petrova <n.petrova>.
Comment 1 Jon Moroney 2025-09-16 18:41:06 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091641-CVE-2023-53307-129b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.