CVE-2023-53665

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> md: don&amp;#39;t dereference mddev after export_rdev()<br /> <br /> Except for initial reference, mddev-&gt;kobject is referenced by<br /> rdev-&gt;kobject, and if the last rdev is freed, there is no guarantee that<br /> mddev is still valid. Hence mddev should not be used anymore after<br /> export_rdev().<br /> <br /> This problem can be triggered by following test for mdadm at very<br /> low rate:<br /> <br /> New file: mdadm/tests/23rdev-lifetime<br /> <br /> devname=${dev0##*/}<br /> devt=`cat /sys/block/$devname/dev`<br /> pid=""<br /> runtime=2<br /> <br /> clean_up_test() {<br /> pill -9 $pid<br /> echo clear &gt; /sys/block/md0/md/array_state<br /> }<br /> <br /> trap &amp;#39;clean_up_test&amp;#39; EXIT<br /> <br /> add_by_sysfs() {<br /> while true; do<br /> echo $devt &gt; /sys/block/md0/md/new_dev<br /> done<br /> }<br /> <br /> remove_by_sysfs(){<br /> while true; do<br /> echo remove &gt; /sys/block/md0/md/dev-${devname}/state<br /> done<br /> }<br /> <br /> echo md0 &gt; /sys/module/md_mod/parameters/new_array || die "create md0 failed"<br /> <br /> add_by_sysfs &amp;<br /> pid="$pid $!"<br /> <br /> remove_by_sysfs &amp;<br /> pid="$pid $!"<br /> <br /> sleep $runtime<br /> exit 0<br /> <br /> Test cmd:<br /> <br /> ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime<br /> <br /> Test result:<br /> <br /> general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP<br /> CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562<br /> RIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]<br /> Call Trace:<br /> <br /> mddev_unlock+0x1b6/0x310 [md_mod]<br /> rdev_attr_store+0xec/0x190 [md_mod]<br /> sysfs_kf_write+0x52/0x70<br /> kernfs_fop_write_iter+0x19a/0x2a0<br /> vfs_write+0x3b5/0x770<br /> ksys_write+0x74/0x150<br /> __x64_sys_write+0x22/0x30<br /> do_syscall_64+0x40/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Fix this problem by don&amp;#39;t dereference mddev after export_rdev().