cve-2023-52900
Vulnerability from cvelistv5
Published
2024-08-21 06:10
Modified
2024-11-04 14:54
Severity ?
EPSS score ?
Summary
nilfs2: fix general protection fault in nilfs_btree_insert()
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T16:03:31.052227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T17:33:15.051Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3c2a2ff67d46",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "d9fde9eab176",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "b0ba060d3287",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "712bd74eccb9",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "45627a1a6450",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "0bf463939c09",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
},
{
"lessThan": "7633355e5c7f",
"status": "affected",
"version": "1da177e4c3f4",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/nilfs2/btree.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.304",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.271",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.230",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.165",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.90",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.2",
"versionType": "original_commit_for_fix"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree_insert()\n\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\nblock by calling __nilfs_btree_get_block() against an invalid virtual\nblock address, it returns -ENOENT because conversion of the virtual block\naddress to a disk block address fails. However, this return value is the\nsame as the internal code that b-tree lookup routines return to indicate\nthat the block being searched does not exist, so functions that operate on\nthat b-tree may misbehave.\n\nWhen nilfs_btree_insert() receives this spurious \u0027not found\u0027 code from\nnilfs_btree_do_lookup(), it misunderstands that the \u0027not found\u0027 check was\nsuccessful and continues the insert operation using incomplete lookup path\ndata, causing the following crash:\n\n general protection fault, probably for non-canonical address\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n ...\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 \u003c42\u003e 80 3c\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\n ...\n Call Trace:\n \u003cTASK\u003e\n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\n __block_write_begin fs/buffer.c:2041 [inline]\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\n call_write_iter include/linux/fs.h:2186 [inline]\n new_sync_write fs/read_write.c:491 [inline]\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\n ksys_write+0x177/0x2a0 fs/read_write.c:637\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n ...\n \u003c/TASK\u003e\n\nThis patch fixes the root cause of this problem by replacing the error\ncode that __nilfs_btree_get_block() returns on block address conversion\nfailure from -ENOENT to another internal code -EINVAL which means that the\nb-tree metadata is corrupted.\n\nBy returning -EINVAL, it propagates without glitches, and for all relevant\nb-tree operations, functions in the upper bmap layer output an error\nmessage indicating corrupted b-tree metadata via\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\nit should be."
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T14:54:50.037Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545"
},
{
"url": "https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749"
},
{
"url": "https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d"
},
{
"url": "https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243"
},
{
"url": "https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062"
},
{
"url": "https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04"
},
{
"url": "https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051"
}
],
"title": "nilfs2: fix general protection fault in nilfs_btree_insert()",
"x_generator": {
"engine": "bippy-9e1c9544281a"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-52900",
"datePublished": "2024-08-21T06:10:40.533Z",
"dateReserved": "2024-08-21T06:07:11.014Z",
"dateUpdated": "2024-11-04T14:54:50.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-52900\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-08-21T07:15:06.297\",\"lastModified\":\"2024-09-13T13:40:28.597\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix general protection fault in nilfs_btree_insert()\\n\\nIf nilfs2 reads a corrupted disk image and tries to reads a b-tree node\\nblock by calling __nilfs_btree_get_block() against an invalid virtual\\nblock address, it returns -ENOENT because conversion of the virtual block\\naddress to a disk block address fails. However, this return value is the\\nsame as the internal code that b-tree lookup routines return to indicate\\nthat the block being searched does not exist, so functions that operate on\\nthat b-tree may misbehave.\\n\\nWhen nilfs_btree_insert() receives this spurious \u0027not found\u0027 code from\\nnilfs_btree_do_lookup(), it misunderstands that the \u0027not found\u0027 check was\\nsuccessful and continues the insert operation using incomplete lookup path\\ndata, causing the following crash:\\n\\n general protection fault, probably for non-canonical address\\n 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN\\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\\n ...\\n RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]\\n RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]\\n RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238\\n Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89\\n ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 \u003c42\u003e 80 3c\\n 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02\\n ...\\n Call Trace:\\n \u003cTASK\u003e\\n nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]\\n nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147\\n nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101\\n __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991\\n __block_write_begin fs/buffer.c:2041 [inline]\\n block_write_begin+0x93/0x1e0 fs/buffer.c:2102\\n nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261\\n generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772\\n __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900\\n generic_file_write_iter+0xab/0x310 mm/filemap.c:3932\\n call_write_iter include/linux/fs.h:2186 [inline]\\n new_sync_write fs/read_write.c:491 [inline]\\n vfs_write+0x7dc/0xc50 fs/read_write.c:584\\n ksys_write+0x177/0x2a0 fs/read_write.c:637\\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\\n ...\\n \u003c/TASK\u003e\\n\\nThis patch fixes the root cause of this problem by replacing the error\\ncode that __nilfs_btree_get_block() returns on block address conversion\\nfailure from -ENOENT to another internal code -EINVAL which means that the\\nb-tree metadata is corrupted.\\n\\nBy returning -EINVAL, it propagates without glitches, and for all relevant\\nb-tree operations, functions in the upper bmap layer output an error\\nmessage indicating corrupted b-tree metadata via\\nnilfs_bmap_convert_error(), and code -EIO will be eventually returned as\\nit should be.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: soluciona el fallo de protecci\u00f3n general en nilfs_btree_insert() Si nilfs2 lee una imagen de disco corrupta e intenta leer un bloque de nodo de \u00e1rbol b llamando a __nilfs_btree_get_block() contra una direcci\u00f3n de bloque virtual no v\u00e1lida, devuelve -ENOENT porque falla la conversi\u00f3n de la direcci\u00f3n del bloque virtual a una direcci\u00f3n de bloque de disco. Sin embargo, este valor de retorno es el mismo que el c\u00f3digo interno que devuelven las rutinas de b\u00fasqueda del \u00e1rbol b para indicar que el bloque que se busca no existe, por lo que las funciones que operan en ese \u00e1rbol b pueden comportarse mal. Cuando nilfs_btree_insert() recibe este c\u00f3digo falso \u0027no encontrado\u0027 de nilfs_btree_do_lookup(), malinterpreta que la verificaci\u00f3n \u0027no encontrado\u0027 fue exitosa y contin\u00faa la operaci\u00f3n de inserci\u00f3n utilizando datos de ruta de b\u00fasqueda incompletos, lo que provoca el siguiente bloqueo: falla de protecci\u00f3n general, probablemente por direcci\u00f3n no can\u00f3nica 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref en el rango [0x0000000000000028-0x000000000000002f] ... RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs 2/btree.c:418 [en l\u00ednea] RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [en l\u00ednea] RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238 C\u00f3digo: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 3 42 80 3c 28 00 74 08 4c 89 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 \u0026lt;42\u0026gt; 80 3c 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b f 49 83 c7 02... Seguimiento de llamadas: nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [en l\u00ednea] nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147 nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c: 101 __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991 __block_write_begin fs/buffer.c:2041 [en l\u00ednea] block_write_begin+0x93/0x1e0 fs/buffer.c:2102 nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c :261 generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772 __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900 generic_file_write_iter+0xab/0x310 mm/filemap.c:3932 call_write_iter include/linux/fs.h:2186 [en l\u00ednea] new_sync_write fs/read_write.c:491 [en l\u00ednea] vfs_write+0x7dc/0xc50 fs/read_write.c:584 ksys_write+0x177/0x2a0 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64 +0x3d/0xb0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x63/0xcd ... Este parche soluciona la causa ra\u00edz de este problema reemplazando el c\u00f3digo de error que devuelve __nilfs_btree_get_block() en la conversi\u00f3n de direcciones de bloque falla de -ENOENT a otro c\u00f3digo interno -EINVAL, lo que significa que los metadatos del \u00e1rbol b est\u00e1n da\u00f1ados. Al devolver -EINVAL, se propaga sin fallos y, para todas las operaciones relevantes del \u00e1rbol b, las funciones en la capa superior del mapa b generan un mensaje de error que indica metadatos del \u00e1rbol b corruptos a trav\u00e9s de nilfs_bmap_convert_error(), y el c\u00f3digo -EIO se devolver\u00e1 eventualmente cuando deber\u00eda ser.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.14.304\",\"matchCriteriaId\":\"E8A9B982-D3D6-49CA-BF0A-196ED7947B3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.15\",\"versionEndExcluding\":\"4.19.271\",\"matchCriteriaId\":\"D86DA289-B5BC-4629-BD56-AB453D481393\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.230\",\"matchCriteriaId\":\"9DB7398D-9781-49C5-B2AE-1969B694B614\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.165\",\"matchCriteriaId\":\"C6002D5B-9B6A-4788-B943-E3EE01E01303\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.90\",\"matchCriteriaId\":\"E995CDA5-7223-4FDB-BAD3-81B22C763A43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.8\",\"matchCriteriaId\":\"A6AFE6C9-3F59-4711-B2CF-7D6682FF6BD0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF501633-2F44-4913-A8EE-B021929F49F6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BDA597B-CAC1-4DF0-86F0-42E142C654E9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"725C78C9-12CE-406F-ABE8-0813A01D66E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A127C155-689C-4F67-B146-44A57F4BFD85\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0bf463939c09e5b2c35c71ed74a5fd60a74d6a04\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3c2a2ff67d46106715c2132021b98bd057c27545\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/45627a1a6450662e1e0f8174ef07b05710a20062\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/712bd74eccb9d3626a0a236641962eca8e11a243\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7633355e5c7f29c049a9048e461427d1d8ed3051\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b0ba060d3287108eba17603bee3810e4cf2c272d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d9fde9eab1766170ff2ade67d09178d2cfd78749\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.