Bug 1214352 (CVE-2023-4394)

Summary: VUL-0: CVE-2023-4394: kernel-source-rt,kernel-source,kernel-source-azure: memory leak in btrfs_get_dev_args_from_path()
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: chester.lin, dsterba, rgoldwyn, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/375624/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Cathy Hu 2023-08-17 08:43:28 UTC 
CVE-2023-4394

A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. In this flaw a local  attacker with some special privilege may cause a system crash or a leak of internal kernel information.

In btrfs_get_dev_args_from_path(), btrfs_get_bdev_and_sb() can fail if the path is invalid. In this case, btrfs_get_dev_args_from_path() returns directly without freeing args->uuid and args->fsid allocated before, which causes memory leaks.

References:
https://patchwork.kernel.org/project/linux-btrfs/patch/20220815151606.3479183-1-r33s3n6@gmail.com/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4394
https://bugzilla.redhat.com/show_bug.cgi?id=2219263
Comment 1 Cathy Hu 2023-08-17 08:45:01 UTC 
Fixing commit: https://github.com/torvalds/linux/commit/9ea0106a7a3d8116860712e3f17cd52ce99f6707

Introducing commit: https://github.com/torvalds/linux/commit/faa775c41d655a4786e9d53cb075a77bb5a75f66

Not affected (contains fixing and introducing commit):
- ALP-current
- stable

Not Affected (does not contain introducing commit):
- SLE12-SP5
- SLE15-SP4-AZURE
- SLE15-SP4-RT
- SLE15-SP4
- SLE15-SP5
- SLE15-SP5-AZURE
- SLE15-SP5-RT
- cve/linux-3.0
- cve/linux-4.12
- cve/linux-4.4
- cve/linux-5.3
Comment 2 Chester Lin 2023-08-17 14:13:34 UTC 
(In reply to Hu from comment #1)
> Fixing commit:
> https://github.com/torvalds/linux/commit/
> 9ea0106a7a3d8116860712e3f17cd52ce99f6707
> 
> Introducing commit:
> https://github.com/torvalds/linux/commit/
> faa775c41d655a4786e9d53cb075a77bb5a75f66
> 
> Not affected (contains fixing and introducing commit):
> - ALP-current
> - stable
> 

Confirmed the fix patch is included.

> Not Affected (does not contain introducing commit):
> - SLE12-SP5
> - SLE15-SP4-AZURE
> - SLE15-SP4-RT
> - SLE15-SP4
> - SLE15-SP5
> - SLE15-SP5-AZURE
> - SLE15-SP5-RT
> - cve/linux-3.0
> - cve/linux-4.12
> - cve/linux-4.4
> - cve/linux-5.3

The bug patch faa775c41d65 was introduced in v5.16-rc1 and confirmed it's not backported in any of SLE* or cve/linux-* branches.

Reassigned back to the security team but still CC filesystem developers just in case they have any comments.
Comment 3 Andrea Mattiazzo 2024-06-11 09:59:29 UTC 
All done, closing.