DEBIAN-CVE-2023-53311

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2023-53311
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-53311.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-53311
Upstream
Published
2025-09-16T17:15:36Z
Modified
2025-09-19T07:33:41.707210Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of nilfsroot in dirtying inodes via iput During unmount process of nilfs2, nothing holds nilfsroot structure after nilfs2 detaches its writer in nilfsdetachlogwriter(). Previously, nilfsevictinode() could cause use-after-free read for nilfsroot if inodes are left in "garbagelist" and released by nilfsdisposelist at the end of nilfsdetachlogwriter(), and this bug was fixed by commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfsroot in nilfsevictinode()"). However, it turned out that there is another possibility of UAF in the call path where markinodedirtysync() is called from iput(): nilfsdetachlogwriter() nilfsdisposelist() iput() markinodedirtysync() _markinodedirty() nilfsdirtyinode() _nilfsmarkinodedirty() nilfsloadinodeblock() --> causes UAF of nilfsroot struct This can happen after commit 0ae45f63d4ef ("vfs: add support for a lazytime mount option"), which changed iput() to call markinodedirtysync() on its final reference if istate has IDIRTYTIME flag and inlink is non-zero. This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty data after degenerating to read-only") when using the syzbot reproducer, but the issue has potentially existed before. Fix this issue by adding a "purging flag" to the nilfs structure, setting that flag while disposing the "garbagelist" and checking it in _nilfsmarkinodedirty(). Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfsroot in nilfsevictinode()"), this patch does not rely on nswriter to determine whether to skip operations, so as not to break recovery on mount. The nilfssalvageorphanlogs routine dirties the buffer of salvaged data before attaching the log writer, so changing _nilfsmarkinodedirty() to skip the operation when ns_writer is NULL will cause recovery write to fail. The purpose of using the cleanup-only flag is to allow for narrowing of such conditions.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.191-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.52-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.4.11-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.4.11-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}