fkie_cve-2023-53260
Vulnerability from fkie_nvd
Published
2025-09-15 15:15
Modified
2025-09-15 15:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ovl: fix null pointer dereference in ovl_permission() Following process: P1 P2 path_lookupat link_path_walk inode_permission ovl_permission ovl_i_path_real(inode, &realpath) path->dentry = ovl_i_dentry_upper(inode) drop_cache __dentry_kill(ovl_dentry) iput(ovl_inode) ovl_destroy_inode(ovl_inode) dput(oi->__upperdentry) dentry_kill(upperdentry) dentry_unlink_inode upperdentry->d_inode = NULL realinode = d_inode(realpath.dentry) // return NULL inode_permission(realinode) inode->i_sb // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 335.664979] BUG: kernel NULL pointer dereference, address: 0000000000000002 [ 335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0 [ 335.669956] RIP: 0010:inode_permission+0x33/0x2c0 [ 335.678939] Call Trace: [ 335.679165] <TASK> [ 335.679371] ovl_permission+0xde/0x320 [ 335.679723] inode_permission+0x15e/0x2c0 [ 335.680090] link_path_walk+0x115/0x550 [ 335.680771] path_lookupat.isra.0+0xb2/0x200 [ 335.681170] filename_lookup+0xda/0x240 [ 335.681922] vfs_statx+0xa6/0x1f0 [ 335.682233] vfs_fstatat+0x7b/0xb0 Fetch a reproducer in [Link]. Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1a73f5b8f079fd42a544c1600beface50c63af7c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/53dd2ca2c02fdcfe3aad2345091d371063f97d17
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/69f9ae7edf9ec0ff500429101923347fcba5c8c4
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix null pointer dereference in ovl_permission()\n\nFollowing process:\n          P1                     P2\n path_lookupat\n  link_path_walk\n   inode_permission\n    ovl_permission\n      ovl_i_path_real(inode, \u0026realpath)\n        path-\u003edentry = ovl_i_dentry_upper(inode)\n                          drop_cache\n\t\t\t   __dentry_kill(ovl_dentry)\n\t\t            iput(ovl_inode)\n\t\t             ovl_destroy_inode(ovl_inode)\n\t\t              dput(oi-\u003e__upperdentry)\n\t\t               dentry_kill(upperdentry)\n\t\t                dentry_unlink_inode\n\t\t\t\t upperdentry-\u003ed_inode = NULL\n      realinode = d_inode(realpath.dentry) // return NULL\n      inode_permission(realinode)\n       inode-\u003ei_sb  // NULL pointer dereference\n, will trigger an null pointer dereference at realinode:\n  [  335.664979] BUG: kernel NULL pointer dereference,\n                 address: 0000000000000002\n  [  335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0\n  [  335.669956] RIP: 0010:inode_permission+0x33/0x2c0\n  [  335.678939] Call Trace:\n  [  335.679165]  \u003cTASK\u003e\n  [  335.679371]  ovl_permission+0xde/0x320\n  [  335.679723]  inode_permission+0x15e/0x2c0\n  [  335.680090]  link_path_walk+0x115/0x550\n  [  335.680771]  path_lookupat.isra.0+0xb2/0x200\n  [  335.681170]  filename_lookup+0xda/0x240\n  [  335.681922]  vfs_statx+0xa6/0x1f0\n  [  335.682233]  vfs_fstatat+0x7b/0xb0\n\nFetch a reproducer in [Link].\n\nUse the helper ovl_i_path_realinode() to get realinode and then do\nnon-nullptr checking."
    }
  ],
  "id": "CVE-2023-53260",
  "lastModified": "2025-09-15T15:22:27.090",
  "metrics": {},
  "published": "2025-09-15T15:15:53.430",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/1a73f5b8f079fd42a544c1600beface50c63af7c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/53dd2ca2c02fdcfe3aad2345091d371063f97d17"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/69f9ae7edf9ec0ff500429101923347fcba5c8c4"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.