CVE-2023-52566 (GCVE-0-2023-52566)
Vulnerability from cvelistv5
Published
2024-03-02 21:59
Modified
2026-05-11 19:29
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If the reference count hits 0 and its owner page gets unlocked, bh may be freed. However, bh->b_page is dereferenced to put the page after that, which may result in a use-after-free bug. This patch moves the release operation after unlocking and putting the page. NOTE: The function in question is only called in GC, and in combination with current userland tools, address translation using DAT does not occur in that function, so the code path that causes this issue will not be executed. However, it is possible to run that code path by intentionally modifying the userland GC library or by calling the GC ioctl directly. [konishi.ryusuke@gmail.com: NOTE added to the commit log]
References
Impacted products
Vendor Product Version
Linux Linux Version: a3d93f709e893187d301aa5458b2248db9f22bd1
Version: a3d93f709e893187d301aa5458b2248db9f22bd1
Version: a3d93f709e893187d301aa5458b2248db9f22bd1
Version: a3d93f709e893187d301aa5458b2248db9f22bd1
Version: a3d93f709e893187d301aa5458b2248db9f22bd1
Version: a3d93f709e893187d301aa5458b2248db9f22bd1
Version: a3d93f709e893187d301aa5458b2248db9f22bd1
Version: a3d93f709e893187d301aa5458b2248db9f22bd1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52566",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-24T14:54:19.803278Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T14:43:57.106Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:21.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/gcinode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fb1084e63ee56958b0a56e17a50a4fd86445b9c1",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "bb61224f6abc8e71bfdf06d7c984e23460875f5b",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "193b5a1c6c67c36b430989dc063fe7ea4e200a33",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "7130a87ca32396eb9bf48b71a2d42259ae44c6c7",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "3936e8714907cd55e37c7cc50e50229e4a9042e8",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "980663f1d189eedafd18d80053d9cf3e2ceb5c8c",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "28df4646ad8b433340772edc90ca709cdefc53e2",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "7ee29facd8a9c5a26079148e36bcf07141b3a6bc",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/gcinode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.327",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.327",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.296",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.258",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.198",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.134",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.56",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.6",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh-\u003eb_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:29:16.504Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33"
        },
        {
          "url": "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc"
        }
      ],
      "title": "nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52566",
    "datePublished": "2024-03-02T21:59:38.167Z",
    "dateReserved": "2024-03-02T21:55:42.567Z",
    "dateUpdated": "2026-05-11T19:29:16.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.