CVE-2023-52582

2024-03-0222:15:49

416baaa9-dc9f-4396-8d5f-8c081fb06d67

web.nvd.nist.gov

cve

2023

52582

linux kernel

netfs

vulnerability

network filesystem

folio

security advisory

6.2 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

In the Linux kernel, the following vulnerability has been resolved:

netfs: Only call folio_start_fscache() one time for each folio

If a network filesystem using netfs implements a clamp_length()
function, it can set subrequest lengths smaller than a page size.

When we loop through the folios in netfs_rreq_unlock_folios() to
set any folios to be written back, we need to make sure we only
call folio_start_fscache() once for each folio.

Otherwise, this simple testcase:

mount -o fsc,rsize=1024,wsize=1024 127.0.0.1:/export /mnt/nfs
dd if=/dev/zero of=/mnt/nfs/file.bin bs=4096 count=1
1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 0.0126359 s, 324 kB/s
echo 3 > /proc/sys/vm/drop_caches
cat /mnt/nfs/file.bin > /dev/null

will trigger an oops similar to the following:

page dumped because: VM_BUG_ON_FOLIO(folio_test_private_2(folio))
------------[ cut here ]------------
kernel BUG at include/linux/netfs.h:44!
…
CPU: 5 PID: 134 Comm: kworker/u16:5 Kdump: loaded Not tainted 6.4.0-rc5
…
RIP: 0010:netfs_rreq_unlock_folios+0x68e/0x730 [netfs]
…
Call Trace:
netfs_rreq_assess+0x497/0x660 [netfs]
netfs_subreq_terminated+0x32b/0x610 [netfs]
nfs_netfs_read_completion+0x14e/0x1a0 [nfs]
nfs_read_completion+0x2f9/0x330 [nfs]
rpc_free_task+0x72/0xa0 [sunrpc]
rpc_async_release+0x46/0x70 [sunrpc]
process_one_work+0x3bd/0x710
worker_thread+0x89/0x610
kthread+0x181/0x1c0
ret_from_fork+0x29/0x50

Affected configurations

Vulners

Node

linuxlinux_kernelRange5.13–6.1.56

linuxlinux_kernelRange6.2.0–6.5.6

linuxlinux_kernelRange6.6.0≥

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/netfs/buffered_read.c"
    ],
    "versions": [
      {
        "version": "3d3c95046742",
        "lessThan": "df9950d37df1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "3d3c95046742",
        "lessThan": "d9f5537479d4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "3d3c95046742",
        "lessThan": "df1c357f25d8",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/netfs/buffered_read.c"
    ],
    "versions": [
      {
        "version": "5.13",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.13",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.56",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.5.6",
        "lessThanOrEqual": "6.5.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]