Bugzilla – Bug 1214351
VUL-0: CVE-2023-4389: kernel-source,kernel-source-azure,kernel-source-rt: double free in btrfs_get_root_ref()
Last modified: 2024-05-24 12:27:30 UTC
CVE-2023-4389

An error due to a double decrement of reference count was found in btrfs_get_root_ref in fs/btrfs/disk-io.c in btrfs filesystem in the Linux Kernel. In this flaw a local attacker with user privilege may lead to a system crash or may leak internal kernel information.

In btrfs_get_root_ref(), when btrfs_insert_fs_root() fails, btrfs_put_root() will be called to possibly free the memory area of the variable root. However, this variable is then used again in error handling code after "goto fail", when ret is not -EEXIST.

References:
https://patchwork.kernel.org/project/linux-btrfs/patch/20220324134454.15192-1-baijiaju1990@gmail.com/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4389
https://bugzilla.redhat.com/show_bug.cgi?id=2219271
https://www.cve.org/CVERecord?id=CVE-2023-4389
https://access.redhat.com/security/cve/CVE-2023-4389
https://patchwork.kernel.org/project/linux-btrfs/patch/20220324134454.15192-1-baijiaju1990@gmail.com/
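The double put described in the report above, modelled in user space as an added example (not kernel code and not the upstream patch). `toy_root`, `toy_put_root`, `get_ref_buggy`, `get_ref_fixed` and `puts_after_release` are hypothetical names, and the hardened variant is an assumed shape for the fix.

```c
#include <errno.h>
#include <stdio.h>
/* Toy refcounted root: nothing is freed, a put after release is counted. */
struct toy_root { int refs, released, late_puts; };

static void toy_put_root(struct toy_root *r)
{
    if (r->released) r->late_puts++;
    else if (--r->refs == 0) r->released = 1;
}

/* Reported pattern: early put on any failure, then "fail" puts again. */
static int get_ref_buggy(struct toy_root *r, int ret)
{
    if (ret) {                          /* ret models btrfs_insert_fs_root() */
        toy_put_root(r);
        if (ret == -EEXIST) return 0;   /* models the retry path */
        goto fail;
    }
    return 0;
fail:
    toy_put_root(r);                    /* second put on a released root */
    return ret;
}

/* Hardened variant (assumed fix shape): only the retry path puts early. */
static int get_ref_fixed(struct toy_root *r, int ret)
{
    if (ret) {
        if (ret == -EEXIST) { toy_put_root(r); return 0; }
        goto fail;
    }
    return 0;
fail:
    toy_put_root(r);                    /* the only put on this path */
    return ret;
}

int puts_after_release(int buggy, int insert_ret)
{
    struct toy_root r = { 1, 0, 0 };    /* fresh root holding one reference */
    (buggy ? get_ref_buggy : get_ref_fixed)(&r, insert_ret);
    return r.late_puts;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", puts_after_release(1, -ENOMEM), puts_after_release(0, -ENOMEM));
    return 0;
}
```

In the kernel the second put acts on memory that may already have been freed, which is why the report lists a crash or an information leak as the impact.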
I think this is the fixing commit:
https://github.com/torvalds/linux/commit/168a2f776b9762f4021421008512dd7ab7474df1

And this is the introducing commit:
https://github.com/torvalds/linux/commit/bc44d7c4b2b179c4b74fba208b9908e2ecbc1b4d

Affected:
- cve/linux-5.3
- SLE15-SP4-AZURE
- SLE15-SP4-RT
- SLE15-SP4
- SLE15-SP5
- SLE15-SP5-AZURE
- SLE15-SP5-RT

Not affected (contains introducing and fixing commit):
- ALP-current
- stable

Not affected (does not contain introducing commit):
- SLE12-SP5
- cve/linux-3.0
- cve/linux-4.12
- cve/linux-4.4
(In reply to Hu from comment #1)
> I think this is the fixing commit:
> https://github.com/torvalds/linux/commit/168a2f776b9762f4021421008512dd7ab7474df1
>
> And this is the introducing commit:
> https://github.com/torvalds/linux/commit/bc44d7c4b2b179c4b74fba208b9908e2ecbc1b4d
>
> Affected:
> - cve/linux-5.3
> - SLE15-SP4-AZURE
> - SLE15-SP4-RT
> - SLE15-SP4
> - SLE15-SP5
> - SLE15-SP5-AZURE
> - SLE15-SP5-RT
>
> Not affected (contains introducing and fixing commit):
> - ALP-current
> - stable
>
> Not affected (does not contain introducing commit):
> - SLE12-SP5
> - cve/linux-3.0
> - cve/linux-4.12
> - cve/linux-4.4

Reassigning to a concrete person to ensure progress [1] (feel free to pass to the next one), see also the process at [2].

Hi David,

Since you are one of the BTRFS upstream maintainers, could you please handle this CVE? It seems that we need to backport the fix patch into cve/linux-5.3 and SLE15-SP4 and then the rest of the child branches can inherit this patch.

Thanks.

[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Gently ping.
We are supposed to submit the kernel maintenance updates today including a fix for this bug, but it's not ready. The upstream fix seems pretty simple so I can try to backport it to cve/linux-5.3, but beware I know nothing about btrfs.
OK, I pushed the fix to cve/linux-5.3 (commit 14e72e8de28e6495d9d96a2197eeafbffd819726).
SUSE-SU-2023:4030-1: An update that solves 13 vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1207036, 1208995, 1210169, 1210643, 1212703, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-23454, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:
SUSE Linux Enterprise Live Patching 15-SP2 (src): kernel-livepatch-SLE15-SP2_Update_41-1-150200.5.3.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4058-1: An update that solves 18 vulnerabilities, contains three features and has 71 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1152472, 1187236, 1201284, 1202845, 1206453, 1208995, 1210169, 1210643, 1210658, 1212639, 1212703, 1213123, 1213534, 1213808, 1214022, 1214037, 1214040, 1214233, 1214351, 1214479, 1214543, 1214635, 1214813, 1214873, 1214928, 1214940, 1214941, 1214942, 1214943, 1214944, 1214945, 1214946, 1214947, 1214948, 1214949, 1214950, 1214951, 1214952, 1214953, 1214954, 1214955, 1214957, 1214958, 1214959, 1214961, 1214962, 1214963, 1214964, 1214965, 1214966, 1214967, 1214986, 1214988, 1214990, 1214991, 1214992, 1214993, 1214995, 1214997, 1214998, 1215115, 1215117, 1215123, 1215124, 1215148, 1215150, 1215221, 1215275, 1215322, 1215467, 1215523, 1215581, 1215752, 1215858, 1215860, 1215861, 1215875, 1215877, 1215894, 1215895, 1215896, 1215899, 1215911, 1215915, 1215916, 1215941, 1215956, 1215957
CVE References: CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-37453, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-40283, CVE-2023-4155, CVE-2023-42753, CVE-2023-42754, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5345
Jira References: PED-1549, PED-2023, PED-2025
Sources used:
openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1
Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4095-1: An update that solves 14 vulnerabilities and has eight security fixes can now be installed.

Category: security (important)
Bug References: 1176588, 1202845, 1207036, 1207270, 1208995, 1210169, 1210643, 1210658, 1212703, 1213812, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299, 1215322, 1215356
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-23454, CVE-2023-4004, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_37-1-150300.7.5.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Proxy 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Retail Branch Server 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Server 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Enterprise Storage 7.1 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4142-1: An update that solves 13 vulnerabilities and has eight security fixes can now be installed.

Category: security (important)
Bug References: 1176588, 1202845, 1207270, 1208995, 1210169, 1210643, 1210658, 1212703, 1213812, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299, 1215322, 1215356
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-4004, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done, closing