1214352 – (CVE-2023-4394) VUL-0: CVE-2023-4394: kernel-source-rt,kernel-source,kernel-source-azure: memory leak in btrfs_get_dev_args_from_path()

Bug 1214352 (CVE-2023-4394) - VUL-0: CVE-2023-4394: kernel-source-rt,kernel-source,kernel-source-azure: memory leak in btrfs_get_dev_args_from_path()

Summary: VUL-0: CVE-2023-4394: kernel-source-rt,kernel-source,kernel-source-azure: mem...

Status:	RESOLVED FIXED

Alias:	CVE-2023-4394

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/375624/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-08-17 08:43 UTC by Cathy Hu
Modified:	2024-06-11 09:59 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Cathy Hu 2023-08-17 08:43:28 UTC

CVE-2023-4394

A use-after-free flaw was found in btrfs_get_dev_args_from_path in fs/btrfs/volumes.c in btrfs file-system in the Linux Kernel. In this flaw a local  attacker with some special privilege may cause a system crash or a leak of internal kernel information.

In btrfs_get_dev_args_from_path(), btrfs_get_bdev_and_sb() can fail if the path is invalid. In this case, btrfs_get_dev_args_from_path() returns directly without freeing args->uuid and args->fsid allocated before, which causes memory leaks.

References:
https://patchwork.kernel.org/project/linux-btrfs/patch/20220815151606.3479183-1-r33s3n6@gmail.com/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4394
https://bugzilla.redhat.com/show_bug.cgi?id=2219263

Comment 1 Cathy Hu 2023-08-17 08:45:01 UTC

Fixing commit: https://github.com/torvalds/linux/commit/9ea0106a7a3d8116860712e3f17cd52ce99f6707

Introducing commit: https://github.com/torvalds/linux/commit/faa775c41d655a4786e9d53cb075a77bb5a75f66

Not affected (contains fixing and introducing commit):
- ALP-current
- stable

Not Affected (does not contain introducing commit):
- SLE12-SP5
- SLE15-SP4-AZURE
- SLE15-SP4-RT
- SLE15-SP4
- SLE15-SP5
- SLE15-SP5-AZURE
- SLE15-SP5-RT
- cve/linux-3.0
- cve/linux-4.12
- cve/linux-4.4
- cve/linux-5.3

Comment 2 Chester Lin 2023-08-17 14:13:34 UTC

(In reply to Hu from comment #1)
> Fixing commit:
> https://github.com/torvalds/linux/commit/
> 9ea0106a7a3d8116860712e3f17cd52ce99f6707
> 
> Introducing commit:
> https://github.com/torvalds/linux/commit/
> faa775c41d655a4786e9d53cb075a77bb5a75f66
> 
> Not affected (contains fixing and introducing commit):
> - ALP-current
> - stable
> 

Confirmed the fix patch is included.

> Not Affected (does not contain introducing commit):
> - SLE12-SP5
> - SLE15-SP4-AZURE
> - SLE15-SP4-RT
> - SLE15-SP4
> - SLE15-SP5
> - SLE15-SP5-AZURE
> - SLE15-SP5-RT
> - cve/linux-3.0
> - cve/linux-4.12
> - cve/linux-4.4
> - cve/linux-5.3

The bug patch faa775c41d65 was introduced in v5.16-rc1 and confirmed it's not backported in any of SLE* or cve/linux-* branches.

Reassigned back to the security team but still CC filesystem developers just in case they have any comments.

Comment 3 Andrea Mattiazzo 2024-06-11 09:59:29 UTC

All done, closing.