CVE-2023-53035
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 02/05/2025
Last modified: 05/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()

The ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a
metadata array to/from user space, may copy uninitialized buffer regions
to user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO
and NILFS_IOCTL_GET_CPINFO.

This can occur when the element size of the user space metadata given by
the v_size member of the argument nilfs_argv structure is larger than the
size of the metadata element (nilfs_suinfo structure or nilfs_cpinfo
structure) on the file system side.

KMSAN-enabled kernels detect this issue as follows:

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user
include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33
instrument_copy_to_user include/linux/instrumented.h:121 [inline]
_copy_to_user+0xc0/0x100 lib/usercopy.c:33
copy_to_user include/linux/uaccess.h:169 [inline]
nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99
nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
__do_compat_sys_ioctl fs/ioctl.c:968 [inline]
__se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
__ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82

Uninit was created at:
__alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572
alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287
__get_free_pages+0x34/0xc0 mm/page_alloc.c:5599
nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74
nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
__do_compat_sys_ioctl fs/ioctl.c:968 [inline]
__se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
__ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
entry_SYSENTER_compat_after_hwframe+0x70/0x82

Bytes 16-127 of 3968 are uninitialized
...

This eliminates the leak issue by initializing the page allocated as
buffer using get_zeroed_page().
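As an added illustration (not kernel code and not part of this record), the following user-space C model reproduces the copy pattern the description explains: the file system fills sizeof(struct) bytes into each v_size-wide slot of a freshly allocated page, and the whole slot is then copied out. The 16-byte element and 128-byte v_size are taken from the report's "Bytes 16-127 of 3968"; the struct name, field layout and the 0xAA marker standing in for leftover page contents are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SIM_PAGE_SIZE 4096   /* one page, as __get_free_pages(GFP_KERNEL, 0) hands back */
#define STALE_BYTE    0xAA   /* constructed marker for whatever the page held before */

/* Assumed 16-byte layout standing in for struct nilfs_suinfo. */
struct suinfo_sim {
    uint64_t sui_lastmod;
    uint32_t sui_nblocks;
    uint32_t sui_flags;
};

/*
 * Model of nilfs_ioctl_wrap_copy() for a read-only GET command. Returns how
 * many of the v_size * nmembs bytes delivered to the "user" buffer still
 * carry STALE_BYTE, i.e. came from memory the kernel never wrote. Returns
 * (size_t)-1 for argument combinations the model does not support.
 */
size_t simulate_get_info(size_t v_size, size_t nmembs, int zeroed)
{
    if (v_size < sizeof(struct suinfo_sim) || v_size > SIM_PAGE_SIZE)
        return (size_t)-1;
    size_t per_page = SIM_PAGE_SIZE / v_size;
    /* Vulnerable: __get_free_pages() keeps old data; fixed: get_zeroed_page(). */
    uint8_t *buf = zeroed ? calloc(1, SIM_PAGE_SIZE) : malloc(SIM_PAGE_SIZE);
    uint8_t *user = malloc(v_size * nmembs);
    if (!buf || !user) { free(buf); free(user); return (size_t)-1; }
    if (!zeroed)
        memset(buf, STALE_BYTE, SIM_PAGE_SIZE);
    for (size_t done = 0; done < nmembs; ) {
        size_t n = nmembs - done < per_page ? nmembs - done : per_page;
        for (size_t i = 0; i < n; i++) {   /* fs side writes only 16 bytes per slot */
            struct suinfo_sim s = { .sui_lastmod = done + i, .sui_nblocks = 1 };
            memcpy(buf + i * v_size, &s, sizeof s);
        }
        memcpy(user + done * v_size, buf, n * v_size);   /* copy_to_user() */
        done += n;
    }
    size_t leaked = 0;   /* written field values stay below 0xAA, so no false hits */
    for (size_t i = 0; i < v_size * nmembs; i++)
        leaked += (user[i] == STALE_BYTE);
    free(buf);
    free(user);
    return leaked;
}
```

With v_size 128 and 31 elements the unzeroed run exposes bytes 16-127 of every slot (3472 of 3968 bytes), matching the KMSAN report, while the zeroed page exposes nothing.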
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/003587000276f81d0114b5ce773d80c119d8cb30
- https://git.kernel.org/stable/c/5bb105cc72beb9d51bf12f5c657336d2d35bdc5d
- https://git.kernel.org/stable/c/5f33b042f74fc9662eba17f4cd19b07d84bbc6c5
- https://git.kernel.org/stable/c/8a6550b365c0ce2e65905de57dcbfe1f7d629726
- https://git.kernel.org/stable/c/8f5cbf6a8c0e19b062b829c5b7aca01468bb57f6
- https://git.kernel.org/stable/c/9c5034e9a0e03db8d5e9eabb176340259b5b97e4
- https://git.kernel.org/stable/c/a94932381e8dae4117e9129b3c1282e18aa97b05
- https://git.kernel.org/stable/c/d18db946cc6a394291539e030df32324285648f7