CVE-2023-52566 (GCVE-0-2023-52566)

Vulnerability from cvelistv5 – Published: 2024-03-02 21:59 – Updated: 2026-05-11 19:29
VLAI
Title
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
Summary
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If the reference count hits 0 and its owner page gets unlocked, bh may be freed. However, bh->b_page is dereferenced to put the page after that, which may result in a use-after-free bug. This patch moves the release operation after unlocking and putting the page. NOTE: The function in question is only called in GC, and in combination with current userland tools, address translation using DAT does not occur in that function, so the code path that causes this issue will not be executed. However, it is possible to run that code path by intentionally modifying the userland GC library or by calling the GC ioctl directly. [konishi.ryusuke@gmail.com: NOTE added to the commit log]
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: a3d93f709e893187d301aa5458b2248db9f22bd1 , < fb1084e63ee56958b0a56e17a50a4fd86445b9c1 (git)
Affected: a3d93f709e893187d301aa5458b2248db9f22bd1 , < bb61224f6abc8e71bfdf06d7c984e23460875f5b (git)
Affected: a3d93f709e893187d301aa5458b2248db9f22bd1 , < 193b5a1c6c67c36b430989dc063fe7ea4e200a33 (git)
Affected: a3d93f709e893187d301aa5458b2248db9f22bd1 , < 7130a87ca32396eb9bf48b71a2d42259ae44c6c7 (git)
Affected: a3d93f709e893187d301aa5458b2248db9f22bd1 , < 3936e8714907cd55e37c7cc50e50229e4a9042e8 (git)
Affected: a3d93f709e893187d301aa5458b2248db9f22bd1 , < 980663f1d189eedafd18d80053d9cf3e2ceb5c8c (git)
Affected: a3d93f709e893187d301aa5458b2248db9f22bd1 , < 28df4646ad8b433340772edc90ca709cdefc53e2 (git)
Affected: a3d93f709e893187d301aa5458b2248db9f22bd1 , < 7ee29facd8a9c5a26079148e36bcf07141b3a6bc (git)
Create a notification for this product.
Linux Linux Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 4.14.327 , ≤ 4.14.* (semver)
Unaffected: 4.19.296 , ≤ 4.19.* (semver)
Unaffected: 5.4.258 , ≤ 5.4.* (semver)
Unaffected: 5.10.198 , ≤ 5.10.* (semver)
Unaffected: 5.15.134 , ≤ 5.15.* (semver)
Unaffected: 6.1.56 , ≤ 6.1.* (semver)
Unaffected: 6.5.6 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-52566",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-24T14:54:19.803278Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T14:43:57.106Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:21.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/gcinode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fb1084e63ee56958b0a56e17a50a4fd86445b9c1",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "bb61224f6abc8e71bfdf06d7c984e23460875f5b",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "193b5a1c6c67c36b430989dc063fe7ea4e200a33",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "7130a87ca32396eb9bf48b71a2d42259ae44c6c7",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "3936e8714907cd55e37c7cc50e50229e4a9042e8",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "980663f1d189eedafd18d80053d9cf3e2ceb5c8c",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "28df4646ad8b433340772edc90ca709cdefc53e2",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            },
            {
              "lessThan": "7ee29facd8a9c5a26079148e36bcf07141b3a6bc",
              "status": "affected",
              "version": "a3d93f709e893187d301aa5458b2248db9f22bd1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/gcinode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.327",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.296",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.327",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.296",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.258",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.198",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.134",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.56",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.6",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\n\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\nreference count of bh when the call to nilfs_dat_translate() fails.  If\nthe reference count hits 0 and its owner page gets unlocked, bh may be\nfreed.  However, bh-\u003eb_page is dereferenced to put the page after that,\nwhich may result in a use-after-free bug.  This patch moves the release\noperation after unlocking and putting the page.\n\nNOTE: The function in question is only called in GC, and in combination\nwith current userland tools, address translation using DAT does not occur\nin that function, so the code path that causes this issue will not be\nexecuted.  However, it is possible to run that code path by intentionally\nmodifying the userland GC library or by calling the GC ioctl directly.\n\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:29:16.504Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b"
        },
        {
          "url": "https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33"
        },
        {
          "url": "https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc"
        }
      ],
      "title": "nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52566",
    "datePublished": "2024-03-02T21:59:38.167Z",
    "dateReserved": "2024-03-02T21:55:42.567Z",
    "dateUpdated": "2026-05-11T19:29:16.504Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-52566",
      "date": "2026-05-27",
      "epss": "7e-05",
      "percentile": "0.00557"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\\n\\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\\nreference count of bh when the call to nilfs_dat_translate() fails.  If\\nthe reference count hits 0 and its owner page gets unlocked, bh may be\\nfreed.  However, bh-\u003eb_page is dereferenced to put the page after that,\\nwhich may result in a use-after-free bug.  This patch moves the release\\noperation after unlocking and putting the page.\\n\\nNOTE: The function in question is only called in GC, and in combination\\nwith current userland tools, address translation using DAT does not occur\\nin that function, so the code path that causes this issue will not be\\nexecuted.  However, it is possible to run that code path by intentionally\\nmodifying the userland GC library or by calling the GC ioctl directly.\\n\\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]\"}, {\"lang\": \"es\", \"value\": \"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: soluciona el uso potencial despu\\u00e9s de liberar en nilfs_gccache_submit_read_data() En nilfs_gccache_submit_read_data(), se llama a brelse(bh) para eliminar el recuento de referencias de bh cuando falla la llamada a nilfs_dat_translate(). Si el recuento de referencias llega a 0 y la p\\u00e1gina del propietario se desbloquea, es posible que bh quede liberado. Sin embargo, se elimina la referencia a bh-\u0026gt;b_page para colocar la p\\u00e1gina despu\\u00e9s de eso, lo que puede provocar un error de Use After Free. Este parche mueve la operaci\\u00f3n de lanzamiento despu\\u00e9s de desbloquear y poner la p\\u00e1gina. NOTA: La funci\\u00f3n en cuesti\\u00f3n solo se llama en GC y, en combinaci\\u00f3n con las herramientas actuales del usuario, la traducci\\u00f3n de direcciones usando DAT no ocurre en esa funci\\u00f3n, por lo que la ruta del c\\u00f3digo que causa este problema no se ejecutar\\u00e1. Sin embargo, es posible ejecutar esa ruta de c\\u00f3digo modificando intencionalmente la librer\\u00eda GC del \\u00e1rea de usuario o llamando directamente al GC ioctl. [konishi.ryusuke@gmail.com: NOTA agregada al registro de confirmaci\\u00f3n]\"}]",
      "id": "CVE-2023-52566",
      "lastModified": "2024-11-21T08:40:04.560",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2024-03-02T22:15:49.023",
      "references": "[{\"url\": \"https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1\", \"source\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}, {\"url\": \"https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52566\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-03-02T22:15:49.023\",\"lastModified\":\"2025-04-08T15:08:55.437\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\\n\\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\\nreference count of bh when the call to nilfs_dat_translate() fails.  If\\nthe reference count hits 0 and its owner page gets unlocked, bh may be\\nfreed.  However, bh-\u003eb_page is dereferenced to put the page after that,\\nwhich may result in a use-after-free bug.  This patch moves the release\\noperation after unlocking and putting the page.\\n\\nNOTE: The function in question is only called in GC, and in combination\\nwith current userland tools, address translation using DAT does not occur\\nin that function, so the code path that causes this issue will not be\\nexecuted.  However, it is possible to run that code path by intentionally\\nmodifying the userland GC library or by calling the GC ioctl directly.\\n\\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: soluciona el uso potencial despu\u00e9s de liberar en nilfs_gccache_submit_read_data() En nilfs_gccache_submit_read_data(), se llama a brelse(bh) para eliminar el recuento de referencias de bh cuando falla la llamada a nilfs_dat_translate(). Si el recuento de referencias llega a 0 y la p\u00e1gina del propietario se desbloquea, es posible que bh quede liberado. Sin embargo, se elimina la referencia a bh-\u0026gt;b_page para colocar la p\u00e1gina despu\u00e9s de eso, lo que puede provocar un error de Use After Free. Este parche mueve la operaci\u00f3n de lanzamiento despu\u00e9s de desbloquear y poner la p\u00e1gina. NOTA: La funci\u00f3n en cuesti\u00f3n solo se llama en GC y, en combinaci\u00f3n con las herramientas actuales del usuario, la traducci\u00f3n de direcciones usando DAT no ocurre en esa funci\u00f3n, por lo que la ruta del c\u00f3digo que causa este problema no se ejecutar\u00e1. Sin embargo, es posible ejecutar esa ruta de c\u00f3digo modificando intencionalmente la librer\u00eda GC del \u00e1rea de usuario o llamando directamente al GC ioctl. [konishi.ryusuke@gmail.com: NOTA agregada al registro de confirmaci\u00f3n]\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.30\",\"versionEndExcluding\":\"4.14.327\",\"matchCriteriaId\":\"B58818EF-4D8C-46CE-8E39-5297CF2BD101\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.15\",\"versionEndExcluding\":\"4.19.296\",\"matchCriteriaId\":\"78DAD65C-4893-461B-91B2-F4E7C212F140\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.258\",\"matchCriteriaId\":\"1208C905-CEAA-49F2-B357-72A5185B2656\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.198\",\"matchCriteriaId\":\"66D916C3-4087-44FF-9CD9-D2826BCC9E3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.134\",\"matchCriteriaId\":\"346A7B1E-5048-460C-9640-5EFA2075158B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.56\",\"matchCriteriaId\":\"5EA89569-DD45-4A69-BB4D-8356FA9386BD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.5.6\",\"matchCriteriaId\":\"870FC772-173A-4A0F-B1AF-7976AD6057D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"84267A4F-DBC2-444F-B41D-69E15E1BEC97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.6:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FB440208-241C-4246-9A83-C1715C0DAA6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.6:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DC421F1-3D5A-4BEF-BF76-4E468985D20B\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T23:03:21.025Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-52566\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-24T14:54:19.803278Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-416\", \"description\": \"CWE-416 Use After Free\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-24T14:54:25.927Z\"}}], \"cna\": {\"title\": \"nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"a3d93f709e893187d301aa5458b2248db9f22bd1\", \"lessThan\": \"fb1084e63ee56958b0a56e17a50a4fd86445b9c1\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"a3d93f709e893187d301aa5458b2248db9f22bd1\", \"lessThan\": \"bb61224f6abc8e71bfdf06d7c984e23460875f5b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"a3d93f709e893187d301aa5458b2248db9f22bd1\", \"lessThan\": \"193b5a1c6c67c36b430989dc063fe7ea4e200a33\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"a3d93f709e893187d301aa5458b2248db9f22bd1\", \"lessThan\": \"7130a87ca32396eb9bf48b71a2d42259ae44c6c7\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"a3d93f709e893187d301aa5458b2248db9f22bd1\", \"lessThan\": \"3936e8714907cd55e37c7cc50e50229e4a9042e8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"a3d93f709e893187d301aa5458b2248db9f22bd1\", \"lessThan\": \"980663f1d189eedafd18d80053d9cf3e2ceb5c8c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"a3d93f709e893187d301aa5458b2248db9f22bd1\", \"lessThan\": \"28df4646ad8b433340772edc90ca709cdefc53e2\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"a3d93f709e893187d301aa5458b2248db9f22bd1\", \"lessThan\": \"7ee29facd8a9c5a26079148e36bcf07141b3a6bc\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/nilfs2/gcinode.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.6.30\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"2.6.30\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.14.327\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.14.*\"}, {\"status\": \"unaffected\", \"version\": \"4.19.296\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.258\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.198\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.134\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.56\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.5.6\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.5.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/nilfs2/gcinode.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/fb1084e63ee56958b0a56e17a50a4fd86445b9c1\"}, {\"url\": \"https://git.kernel.org/stable/c/bb61224f6abc8e71bfdf06d7c984e23460875f5b\"}, {\"url\": \"https://git.kernel.org/stable/c/193b5a1c6c67c36b430989dc063fe7ea4e200a33\"}, {\"url\": \"https://git.kernel.org/stable/c/7130a87ca32396eb9bf48b71a2d42259ae44c6c7\"}, {\"url\": \"https://git.kernel.org/stable/c/3936e8714907cd55e37c7cc50e50229e4a9042e8\"}, {\"url\": \"https://git.kernel.org/stable/c/980663f1d189eedafd18d80053d9cf3e2ceb5c8c\"}, {\"url\": \"https://git.kernel.org/stable/c/28df4646ad8b433340772edc90ca709cdefc53e2\"}, {\"url\": \"https://git.kernel.org/stable/c/7ee29facd8a9c5a26079148e36bcf07141b3a6bc\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnilfs2: fix potential use after free in nilfs_gccache_submit_read_data()\\n\\nIn nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the\\nreference count of bh when the call to nilfs_dat_translate() fails.  If\\nthe reference count hits 0 and its owner page gets unlocked, bh may be\\nfreed.  However, bh-\u003eb_page is dereferenced to put the page after that,\\nwhich may result in a use-after-free bug.  This patch moves the release\\noperation after unlocking and putting the page.\\n\\nNOTE: The function in question is only called in GC, and in combination\\nwith current userland tools, address translation using DAT does not occur\\nin that function, so the code path that causes this issue will not be\\nexecuted.  However, it is possible to run that code path by intentionally\\nmodifying the userland GC library or by calling the GC ioctl directly.\\n\\n[konishi.ryusuke@gmail.com: NOTE added to the commit log]\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.14.327\", \"versionStartIncluding\": \"2.6.30\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.296\", \"versionStartIncluding\": \"2.6.30\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.258\", \"versionStartIncluding\": \"2.6.30\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.198\", \"versionStartIncluding\": \"2.6.30\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.134\", \"versionStartIncluding\": \"2.6.30\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.56\", \"versionStartIncluding\": \"2.6.30\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.5.6\", \"versionStartIncluding\": \"2.6.30\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6\", \"versionStartIncluding\": \"2.6.30\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T07:38:53.975Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-52566\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T07:38:53.975Z\", \"dateReserved\": \"2024-03-02T21:55:42.567Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-03-02T21:59:38.167Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.