{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-52803","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-05-21T15:19:24.247Z","datePublished":"2024-05-21T15:31:15.063Z","dateUpdated":"2025-05-04T07:43:28.931Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T07:43:28.931Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix RPC client cleaned up the freed pipefs dentries\n\nRPC client pipefs dentries cleanup is in separated rpc_remove_pipedir()\nworkqueue,which takes care about pipefs superblock locking.\nIn some special scenarios, when kernel frees the pipefs sb of the\ncurrent client and immediately alloctes a new pipefs sb,\nrpc_remove_pipedir function would misjudge the existence of pipefs\nsb which is not the one it used to hold. As a result,\nthe rpc_remove_pipedir would clean the released freed pipefs dentries.\n\nTo fix this issue, rpc_remove_pipedir should check whether the\ncurrent pipefs sb is consistent with the original pipefs sb.\n\nThis error can be catched by KASAN:\n=========================================================\n[  250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200\n[  250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503\n[  250.500549] Workqueue: events rpc_free_client_work\n[  250.501001] Call Trace:\n[  250.502880]  kasan_report+0xb6/0xf0\n[  250.503209]  ? dget_parent+0x195/0x200\n[  250.503561]  dget_parent+0x195/0x200\n[  250.503897]  ? __pfx_rpc_clntdir_depopulate+0x10/0x10\n[  250.504384]  rpc_rmdir_depopulate+0x1b/0x90\n[  250.504781]  rpc_remove_client_dir+0xf5/0x150\n[  250.505195]  rpc_free_client_work+0xe4/0x230\n[  250.505598]  process_one_work+0x8ee/0x13b0\n...\n[   22.039056] Allocated by task 244:\n[   22.039390]  kasan_save_stack+0x22/0x50\n[   22.039758]  kasan_set_track+0x25/0x30\n[   22.040109]  __kasan_slab_alloc+0x59/0x70\n[   22.040487]  kmem_cache_alloc_lru+0xf0/0x240\n[   22.040889]  __d_alloc+0x31/0x8e0\n[   22.041207]  d_alloc+0x44/0x1f0\n[   22.041514]  __rpc_lookup_create_exclusive+0x11c/0x140\n[   22.041987]  rpc_mkdir_populate.constprop.0+0x5f/0x110\n[   22.042459]  rpc_create_client_dir+0x34/0x150\n[   22.042874]  rpc_setup_pipedir_sb+0x102/0x1c0\n[   22.043284]  rpc_client_register+0x136/0x4e0\n[   22.043689]  rpc_new_client+0x911/0x1020\n[   22.044057]  rpc_create_xprt+0xcb/0x370\n[   22.044417]  rpc_create+0x36b/0x6c0\n...\n[   22.049524] Freed by task 0:\n[   22.049803]  kasan_save_stack+0x22/0x50\n[   22.050165]  kasan_set_track+0x25/0x30\n[   22.050520]  kasan_save_free_info+0x2b/0x50\n[   22.050921]  __kasan_slab_free+0x10e/0x1a0\n[   22.051306]  kmem_cache_free+0xa5/0x390\n[   22.051667]  rcu_core+0x62c/0x1930\n[   22.051995]  __do_softirq+0x165/0x52a\n[   22.052347]\n[   22.052503] Last potentially related work creation:\n[   22.052952]  kasan_save_stack+0x22/0x50\n[   22.053313]  __kasan_record_aux_stack+0x8e/0xa0\n[   22.053739]  __call_rcu_common.constprop.0+0x6b/0x8b0\n[   22.054209]  dentry_free+0xb2/0x140\n[   22.054540]  __dentry_kill+0x3be/0x540\n[   22.054900]  shrink_dentry_list+0x199/0x510\n[   22.055293]  shrink_dcache_parent+0x190/0x240\n[   22.055703]  do_one_tree+0x11/0x40\n[   22.056028]  shrink_dcache_for_umount+0x61/0x140\n[   22.056461]  generic_shutdown_super+0x70/0x590\n[   22.056879]  kill_anon_super+0x3a/0x60\n[   22.057234]  rpc_kill_sb+0x121/0x200"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/sunrpc/clnt.h","net/sunrpc/clnt.c"],"versions":[{"version":"0157d021d23a087eecfa830502f81cfe843f0d16","lessThan":"17866066b8ac1cc38fb449670bc15dc9fee4b40a","status":"affected","versionType":"git"},{"version":"0157d021d23a087eecfa830502f81cfe843f0d16","lessThan":"7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5","status":"affected","versionType":"git"},{"version":"0157d021d23a087eecfa830502f81cfe843f0d16","lessThan":"dedf2a0eb9448ae73b270743e6ea9b108189df46","status":"affected","versionType":"git"},{"version":"0157d021d23a087eecfa830502f81cfe843f0d16","lessThan":"194454afa6aa9d6ed74f0c57127bc8beb27c20df","status":"affected","versionType":"git"},{"version":"0157d021d23a087eecfa830502f81cfe843f0d16","lessThan":"7749fd2dbef72a52b5c9ffdbf877691950ed4680","status":"affected","versionType":"git"},{"version":"0157d021d23a087eecfa830502f81cfe843f0d16","lessThan":"1cdb52ffd6600a37bd355d8dce58ecd03e55e618","status":"affected","versionType":"git"},{"version":"0157d021d23a087eecfa830502f81cfe843f0d16","lessThan":"cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a","status":"affected","versionType":"git"},{"version":"0157d021d23a087eecfa830502f81cfe843f0d16","lessThan":"bfca5fb4e97c46503ddfc582335917b0cc228264","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/sunrpc/clnt.h","net/sunrpc/clnt.c"],"versions":[{"version":"3.4","status":"affected"},{"version":"0","lessThan":"3.4","status":"unaffected","versionType":"semver"},{"version":"4.19.318","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.280","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.202","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.140","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.64","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.5.13","lessThanOrEqual":"6.5.*","status":"unaffected","versionType":"semver"},{"version":"6.6.3","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"4.19.318"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"5.4.280"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"5.10.202"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"5.15.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"6.1.64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"6.5.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"6.6.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"6.7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a"},{"url":"https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5"},{"url":"https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46"},{"url":"https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df"},{"url":"https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680"},{"url":"https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618"},{"url":"https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a"},{"url":"https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264"}],"title":"SUNRPC: Fix RPC client cleaned up the freed pipefs dentries","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-06-17T17:36:49.719946Z","id":"CVE-2023-52803","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-17T17:37:08.071Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T23:11:35.893Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264","tags":["x_transferred"]}]}]}}