CVE-2023-54099 (GCVE-0-2023-54099)
Vulnerability from cvelistv5
Published
2025-12-24 13:06
Modified
2025-12-24 13:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs: Protect reconfiguration of sb read-write from racing writes
The reconfigure / remount code takes a lot of effort to protect
filesystem's reconfiguration code from racing writes on remounting
read-only. However during remounting read-only filesystem to read-write
mode userspace writes can start immediately once we clear SB_RDONLY
flag. This is inconvenient for example for ext4 because we need to do
some writes to the filesystem (such as preparation of quota files)
before we can take userspace writes so we are clearing SB_RDONLY flag
before we are fully ready to accept userpace writes and syzbot has found
a way to exploit this [1]. Also as far as I'm reading the code
the filesystem remount code was protected from racing writes in the
legacy mount path by the mount's MNT_READONLY flag so this is relatively
new problem. It is actually fairly easy to protect remount read-write
from racing writes using sb->s_readonly_remount flag so let's just do
that instead of having to workaround these races in the filesystem code.
[1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0336b42456e485fda1006b5b411e7372e20fbf03",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "7e4e87ec56aa6d008c64eab31b340a7c452b26cc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0ccfe21949bc9f706a86ee7351b74375c0745757",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "295ef44a2abaf97d7a594b1d4c60d4be3738191f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "4abda85197ba5d695e6040d580b4b409ce0d3733",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "c541dce86c537714b6761a79a969c1623dfa222b",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/super.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.126",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.45",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.4.*",
"status": "unaffected",
"version": "6.4.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.5",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.253",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.190",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.126",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.4.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: Protect reconfiguration of sb read-write from racing writes\n\nThe reconfigure / remount code takes a lot of effort to protect\nfilesystem\u0027s reconfiguration code from racing writes on remounting\nread-only. However during remounting read-only filesystem to read-write\nmode userspace writes can start immediately once we clear SB_RDONLY\nflag. This is inconvenient for example for ext4 because we need to do\nsome writes to the filesystem (such as preparation of quota files)\nbefore we can take userspace writes so we are clearing SB_RDONLY flag\nbefore we are fully ready to accept userpace writes and syzbot has found\na way to exploit this [1]. Also as far as I\u0027m reading the code\nthe filesystem remount code was protected from racing writes in the\nlegacy mount path by the mount\u0027s MNT_READONLY flag so this is relatively\nnew problem. It is actually fairly easy to protect remount read-write\nfrom racing writes using sb-\u003es_readonly_remount flag so let\u0027s just do\nthat instead of having to workaround these races in the filesystem code.\n\n[1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/"
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:25.895Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03"
},
{
"url": "https://git.kernel.org/stable/c/7e4e87ec56aa6d008c64eab31b340a7c452b26cc"
},
{
"url": "https://git.kernel.org/stable/c/0ccfe21949bc9f706a86ee7351b74375c0745757"
},
{
"url": "https://git.kernel.org/stable/c/295ef44a2abaf97d7a594b1d4c60d4be3738191f"
},
{
"url": "https://git.kernel.org/stable/c/4abda85197ba5d695e6040d580b4b409ce0d3733"
},
{
"url": "https://git.kernel.org/stable/c/c541dce86c537714b6761a79a969c1623dfa222b"
}
],
"title": "fs: Protect reconfiguration of sb read-write from racing writes",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2023-54099",
"datePublished": "2025-12-24T13:06:25.895Z",
"dateReserved": "2025-12-24T13:02:52.517Z",
"dateUpdated": "2025-12-24T13:06:25.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-54099\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:11.787\",\"lastModified\":\"2025-12-24T13:16:11.787\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfs: Protect reconfiguration of sb read-write from racing writes\\n\\nThe reconfigure / remount code takes a lot of effort to protect\\nfilesystem\u0027s reconfiguration code from racing writes on remounting\\nread-only. However during remounting read-only filesystem to read-write\\nmode userspace writes can start immediately once we clear SB_RDONLY\\nflag. This is inconvenient for example for ext4 because we need to do\\nsome writes to the filesystem (such as preparation of quota files)\\nbefore we can take userspace writes so we are clearing SB_RDONLY flag\\nbefore we are fully ready to accept userpace writes and syzbot has found\\na way to exploit this [1]. Also as far as I\u0027m reading the code\\nthe filesystem remount code was protected from racing writes in the\\nlegacy mount path by the mount\u0027s MNT_READONLY flag so this is relatively\\nnew problem. It is actually fairly easy to protect remount read-write\\nfrom racing writes using sb-\u003es_readonly_remount flag so let\u0027s just do\\nthat instead of having to workaround these races in the filesystem code.\\n\\n[1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0336b42456e485fda1006b5b411e7372e20fbf03\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0ccfe21949bc9f706a86ee7351b74375c0745757\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/295ef44a2abaf97d7a594b1d4c60d4be3738191f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4abda85197ba5d695e6040d580b4b409ce0d3733\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7e4e87ec56aa6d008c64eab31b340a7c452b26cc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c541dce86c537714b6761a79a969c1623dfa222b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…