CVE-2023-53260
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/09/2025
Last modified:
15/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ovl: fix null pointer dereference in ovl_permission()

Following process:
          P1                                  P2
 path_lookupat
  link_path_walk
   inode_permission
    ovl_permission
     ovl_i_path_real(inode, &realpath)
      path->dentry = ovl_i_dentry_upper(inode)
                                              drop_cache
                                               __dentry_kill(ovl_dentry)
                                                iput(ovl_inode)
                                                 ovl_destroy_inode(ovl_inode)
                                                  dput(oi->__upperdentry)
                                                   dentry_kill(upperdentry)
                                                    dentry_unlink_inode
                                                     upperdentry->d_inode = NULL
     realinode = d_inode(realpath.dentry) // return NULL
     inode_permission(realinode)
      inode->i_sb // NULL pointer dereference
, will trigger a null pointer dereference at realinode:
[ 335.664979] BUG: kernel NULL pointer dereference, address: 0000000000000002
[ 335.668032] CPU: 0 PID: 2592 Comm: ls Not tainted 6.3.0
[ 335.669956] RIP: 0010:inode_permission+0x33/0x2c0
[ 335.678939] Call Trace:
[ 335.679165]
[ 335.679371] ovl_permission+0xde/0x320
[ 335.679723] inode_permission+0x15e/0x2c0
[ 335.680090] link_path_walk+0x115/0x550
[ 335.680771] path_lookupat.isra.0+0xb2/0x200
[ 335.681170] filename_lookup+0xda/0x240
[ 335.681922] vfs_statx+0xa6/0x1f0
[ 335.682233] vfs_fstatat+0x7b/0xb0

Fetch a reproducer in [Link].

Use the helper ovl_i_path_realinode() to get realinode and then do
non-nullptr checking.
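
The check the description calls for, shown as a userspace model added here (it is not the kernel patch or any project code). The structs, the `p2` hook and the `-ECHILD` return value are simplified assumptions, and the P1/P2 interleaving is replayed deterministically instead of with real threads.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace stand-ins (assumed); not the kernel's definitions. */
struct inode     { int allow; };
struct dentry    { struct inode *d_inode; };
struct ovl_inode { struct dentry *upperdentry; };

/* Hook invoked at the point where P2 (drop_cache) runs in the trace. */
typedef void (*race_hook)(struct ovl_inode *);

/* P2's visible effect: dentry_unlink_inode() sets upperdentry->d_inode = NULL. */
static void p2_unlink(struct ovl_inode *oi) { oi->upperdentry->d_inode = NULL; }

/* Pre-fix shape: the dentry is taken first, d_inode is read later, unchecked.
 * Returns the pointer the next step would dereference, so the caller can
 * observe the NULL instead of crashing on it. */
static struct inode *realinode_unchecked(struct ovl_inode *oi, race_hook p2)
{
    struct dentry *real = oi->upperdentry;   /* like ovl_i_path_real() */
    if (p2)
        p2(oi);                              /* P2 runs in this window */
    return real->d_inode;                    /* like d_inode(realpath.dentry) */
}

/* Post-fix shape: fetch the real inode once and stop if it is already gone. */
static int permission_checked(struct ovl_inode *oi, race_hook p2)
{
    struct dentry *real = oi->upperdentry;
    struct inode *realinode;

    if (p2)
        p2(oi);
    realinode = real ? real->d_inode : NULL; /* single read, then NULL check */
    if (!realinode)
        return -ECHILD;                      /* error code is an assumption */
    return realinode->allow ? 0 : -EACCES;
}

int main(void)
{
    struct inode ino = { 1 };
    struct dentry upper = { &ino };
    struct ovl_inode oi = { &upper };

    printf("unchecked, raced: realinode=%p\n", (void *)realinode_unchecked(&oi, p2_unlink));
    upper.d_inode = &ino;                    /* reset for the second run */
    printf("checked, raced: rc=%d\n", permission_checked(&oi, p2_unlink));
    return 0;
}
```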



