Bug 1225116 (CVE-2023-52852) - VUL-0: CVE-2023-52852: kernel: f2fs: compress: fix to avoid use-after-free on dic
Summary: VUL-0: CVE-2023-52852: kernel: f2fs: compress: fix to avoid use-after-free on...
Status: RESOLVED INVALID
Alias: CVE-2023-52852
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Major
Target Milestone: ---
Assignee: Kernel Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/407081/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52852:7.8:(AV:...
Keywords:
Depends on:
Blocks: 1225117
  Show dependency treegraph
 
Reported: 2024-05-23 11:15 UTC by SMASH SMASH
Modified: 2024-05-23 11:16 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-05-23 11:15:41 UTC 
In the Linux kernel, the following vulnerability has been resolved:

f2fs: compress: fix to avoid use-after-free on dic

Call trace:
 __memcpy+0x128/0x250
 f2fs_read_multi_pages+0x940/0xf7c
 f2fs_mpage_readpages+0x5a8/0x624
 f2fs_readahead+0x5c/0x110
 page_cache_ra_unbounded+0x1b8/0x590
 do_sync_mmap_readahead+0x1dc/0x2e4
 filemap_fault+0x254/0xa8c
 f2fs_filemap_fault+0x2c/0x104
 __do_fault+0x7c/0x238
 do_handle_mm_fault+0x11bc/0x2d14
 do_mem_abort+0x3a8/0x1004
 el0_da+0x3c/0xa0
 el0t_64_sync_handler+0xc4/0xec
 el0t_64_sync+0x1b4/0x1b8

In f2fs_read_multi_pages(), once f2fs_decompress_cluster() was called if
we hit cached page in compress_inode's cache, dic may be released, it needs
break the loop rather than continuing it, in order to avoid accessing
invalid dic pointer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52852
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2023/CVE-2023-52852.mbox
https://git.kernel.org/stable/c/8c4504cc0c64862740a6acb301e0cfa59580dbc5
https://git.kernel.org/stable/c/9375ea7f269093d7c884857ae1f47633a91f429c
https://git.kernel.org/stable/c/932ddb5c29e884cc6fac20417ece72ba4a35c401
https://git.kernel.org/stable/c/9d065aa52b6ee1b06f9c4eca881c9b4425a12ba2
https://git.kernel.org/stable/c/b0327c84e91a0f4f0abced8cb83ec86a7083f086
https://www.cve.org/CVERecord?id=CVE-2023-52852
Comment 1 Carlos López 2024-05-23 11:16:42 UTC 
f2fs is not supported in our kernels, closing.