ghsa-rwqr-mq87-5p2c
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
ubifs: Fix memory leak in alloc_wbufs()
kmemleak reported a sequence of memory leaks, and show them as following:
unreferenced object 0xffff8881575f8400 (size 1024): comm "mount", pid 19625, jiffies 4297119604 (age 20.383s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] __kmalloc+0x4d/0x150 [] ubifs_mount+0x307b/0x7170 [ubifs] [] legacy_get_tree+0xed/0x1d0 [] vfs_get_tree+0x7d/0x230 [] path_mount+0xdd4/0x17b0 [] __x64_sys_mount+0x1fa/0x270 [] do_syscall_64+0x35/0x80 [] entry_SYSCALL_64_after_hwframe+0x46/0xb0
unreferenced object 0xffff8881798a6e00 (size 512): comm "mount", pid 19677, jiffies 4297121912 (age 37.816s) hex dump (first 32 bytes): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk backtrace: [] __kmalloc+0x4d/0x150 [] ubifs_wbuf_init+0x52/0x480 [ubifs] [] ubifs_mount+0x31f5/0x7170 [ubifs] [] legacy_get_tree+0xed/0x1d0 [] vfs_get_tree+0x7d/0x230 [] path_mount+0xdd4/0x17b0 [] __x64_sys_mount+0x1fa/0x270 [] do_syscall_64+0x35/0x80 [] entry_SYSCALL_64_after_hwframe+0x46/0xb0
The problem is that the ubifs_wbuf_init() returns an error in the loop which in the alloc_wbufs(), then the wbuf->buf and wbuf->inodes that were successfully alloced before are not freed.
Fix it by adding error hanging path in alloc_wbufs() which frees the memory alloced before when ubifs_wbuf_init() returns an error.
{
"affected": [],
"aliases": [
"CVE-2023-53468"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:48Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memory leak in alloc_wbufs()\n\nkmemleak reported a sequence of memory leaks, and show them as following:\n\n unreferenced object 0xffff8881575f8400 (size 1024):\n comm \"mount\", pid 19625, jiffies 4297119604 (age 20.383s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [\u003cffffffff8176cecd\u003e] __kmalloc+0x4d/0x150\n [\u003cffffffffa0406b2b\u003e] ubifs_mount+0x307b/0x7170 [ubifs]\n [\u003cffffffff819fa8fd\u003e] legacy_get_tree+0xed/0x1d0\n [\u003cffffffff81936f2d\u003e] vfs_get_tree+0x7d/0x230\n [\u003cffffffff819b2bd4\u003e] path_mount+0xdd4/0x17b0\n [\u003cffffffff819b37aa\u003e] __x64_sys_mount+0x1fa/0x270\n [\u003cffffffff83c14295\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff83e0006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\n unreferenced object 0xffff8881798a6e00 (size 512):\n comm \"mount\", pid 19677, jiffies 4297121912 (age 37.816s)\n hex dump (first 32 bytes):\n 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n backtrace:\n [\u003cffffffff8176cecd\u003e] __kmalloc+0x4d/0x150\n [\u003cffffffffa0418342\u003e] ubifs_wbuf_init+0x52/0x480 [ubifs]\n [\u003cffffffffa0406ca5\u003e] ubifs_mount+0x31f5/0x7170 [ubifs]\n [\u003cffffffff819fa8fd\u003e] legacy_get_tree+0xed/0x1d0\n [\u003cffffffff81936f2d\u003e] vfs_get_tree+0x7d/0x230\n [\u003cffffffff819b2bd4\u003e] path_mount+0xdd4/0x17b0\n [\u003cffffffff819b37aa\u003e] __x64_sys_mount+0x1fa/0x270\n [\u003cffffffff83c14295\u003e] do_syscall_64+0x35/0x80\n [\u003cffffffff83e0006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe problem is that the ubifs_wbuf_init() returns an error in the\nloop which in the alloc_wbufs(), then the wbuf-\u003ebuf and wbuf-\u003einodes\nthat were successfully alloced before are not freed.\n\nFix it by adding error hanging path in alloc_wbufs() which frees\nthe memory alloced before when ubifs_wbuf_init() returns an error.",
"id": "GHSA-rwqr-mq87-5p2c",
"modified": "2025-10-01T12:30:29Z",
"published": "2025-10-01T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53468"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1f206002c6bc302bface871ef3f72c0bbcaa931c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/26ec45f1c504e15268383019df139d7983f1e67f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3e29634eb56e6547272fe4e568f63421f8b3b9fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4a1ff3c5d04b9079b4f768d9a71b51c4af578dd2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bf50229494f0443b3f08427d7df63e5a7e2a796a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e11f36d3bc4d23f620754a948fe7b82b63dcb185"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.