CVE-2023-52731

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52731
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52731.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52731
Downstream
Related
Published
2024-05-21T15:22:57Z
Modified
2025-10-08T16:15:44.757845Z
Summary
fbdev: Fix invalid page access after closing deferred I/O devices
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix invalid page access after closing deferred I/O devices

When a fbdev with deferred I/O is once opened and closed, the dirty pages still remain queued in the pageref list, and eventually later those may be processed in the delayed work. This may lead to a corruption of pages, hitting an Oops.

This patch makes sure to cancel the delayed work and clean up the pageref list at closing the device for addressing the bug. A part of the cleanup code is factored out as a new helper function that is called from the common fb_release().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
186b89659c4c67cccead52961eab0ca3b23951dc
Fixed
87b9802ca824fcee7915e717e9a60471af62e8e9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
56c134f7f1b58be08bdb0ca8372474a4a5165f31
Fixed
f1d91f0e9d5a240a809698d7d9c5a538e7dcc149
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
56c134f7f1b58be08bdb0ca8372474a4a5165f31
Fixed
3efc61d95259956db25347e2a9562c3e54546e20

Affected versions

v5.*

v5.18
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2-rc1
v6.2-rc2

Database specific 

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "220971575929664324054009690615243493305",
                    "9185951686281011176290410687136696656",
                    "264287493988932985642503385094733320569",
                    "139725680143808672036043953027139836404"
                ]
            },
            "id": "CVE-2023-52731-07581e87",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fbmem.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87b9802ca824fcee7915e717e9a60471af62e8e9"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "220971575929664324054009690615243493305",
                    "9185951686281011176290410687136696656",
                    "264287493988932985642503385094733320569",
                    "139725680143808672036043953027139836404"
                ]
            },
            "id": "CVE-2023-52731-0d6669a3",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fbmem.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efc61d95259956db25347e2a9562c3e54546e20"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "208314558709312157804576410687663366253",
                    "65731643813632477129050788631568493125",
                    "317321520056188458598649025466962957916",
                    "324299675841097761849055470457763504039"
                ]
            },
            "id": "CVE-2023-52731-54a24210",
            "deprecated": false,
            "target": {
                "file": "include/linux/fb.h"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87b9802ca824fcee7915e717e9a60471af62e8e9"
        },
        {
            "signature_version": "v1",
            "digest": {
                "length": 342.0,
                "function_hash": "27856199660949061341878625827920241241"
            },
            "id": "CVE-2023-52731-641f43fa",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fb_defio.c",
                "function": "fb_deferred_io_cleanup"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1d91f0e9d5a240a809698d7d9c5a538e7dcc149"
        },
        {
            "signature_version": "v1",
            "digest": {
                "length": 342.0,
                "function_hash": "27856199660949061341878625827920241241"
            },
            "id": "CVE-2023-52731-7325ca48",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fb_defio.c",
                "function": "fb_deferred_io_cleanup"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87b9802ca824fcee7915e717e9a60471af62e8e9"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "208314558709312157804576410687663366253",
                    "65731643813632477129050788631568493125",
                    "317321520056188458598649025466962957916",
                    "324299675841097761849055470457763504039"
                ]
            },
            "id": "CVE-2023-52731-80a22706",
            "deprecated": false,
            "target": {
                "file": "include/linux/fb.h"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1d91f0e9d5a240a809698d7d9c5a538e7dcc149"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "193683203519382274571350174604638068986",
                    "141683507981823005834249158989270412186",
                    "254576598503723529119119703479687762881",
                    "39589692959009294473752984823694310840",
                    "172511225514792921681443205535939681568",
                    "291958150988430345239879525922011389613",
                    "118536200104104402653056766297592848686",
                    "305121920666290730864292360559117239769"
                ]
            },
            "id": "CVE-2023-52731-8146f7fe",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fb_defio.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efc61d95259956db25347e2a9562c3e54546e20"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "208314558709312157804576410687663366253",
                    "65731643813632477129050788631568493125",
                    "317321520056188458598649025466962957916",
                    "324299675841097761849055470457763504039"
                ]
            },
            "id": "CVE-2023-52731-895d8e0e",
            "deprecated": false,
            "target": {
                "file": "include/linux/fb.h"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efc61d95259956db25347e2a9562c3e54546e20"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "193683203519382274571350174604638068986",
                    "141683507981823005834249158989270412186",
                    "254576598503723529119119703479687762881",
                    "39589692959009294473752984823694310840",
                    "172511225514792921681443205535939681568",
                    "291958150988430345239879525922011389613",
                    "118536200104104402653056766297592848686",
                    "305121920666290730864292360559117239769"
                ]
            },
            "id": "CVE-2023-52731-93fff174",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fb_defio.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1d91f0e9d5a240a809698d7d9c5a538e7dcc149"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "193683203519382274571350174604638068986",
                    "141683507981823005834249158989270412186",
                    "254576598503723529119119703479687762881",
                    "39589692959009294473752984823694310840",
                    "172511225514792921681443205535939681568",
                    "291958150988430345239879525922011389613",
                    "118536200104104402653056766297592848686",
                    "305121920666290730864292360559117239769"
                ]
            },
            "id": "CVE-2023-52731-a18f4c30",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fb_defio.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87b9802ca824fcee7915e717e9a60471af62e8e9"
        },
        {
            "signature_version": "v1",
            "digest": {
                "length": 342.0,
                "function_hash": "27856199660949061341878625827920241241"
            },
            "id": "CVE-2023-52731-d138c589",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fb_defio.c",
                "function": "fb_deferred_io_cleanup"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3efc61d95259956db25347e2a9562c3e54546e20"
        },
        {
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "220971575929664324054009690615243493305",
                    "9185951686281011176290410687136696656",
                    "264287493988932985642503385094733320569",
                    "139725680143808672036043953027139836404"
                ]
            },
            "id": "CVE-2023-52731-e76702c8",
            "deprecated": false,
            "target": {
                "file": "drivers/video/fbdev/core/fbmem.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1d91f0e9d5a240a809698d7d9c5a538e7dcc149"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.19.0
Fixed
6.1.13