CVE-2023-53035

EUVD-2025-13227
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()

The ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a
metadata array to/from user space, may copy uninitialized buffer regions
to user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO
and NILFS_IOCTL_GET_CPINFO.

This can occur when the element size of the user space metadata given by
the v_size member of the argument nilfs_argv structure is larger than the
size of the metadata element (nilfs_suinfo structure or nilfs_cpinfo
structure) on the file system side.

KMSAN-enabled kernels detect this issue as follows:

 BUG: KMSAN: kernel-infoleak in instrument_copy_to_user
 include/linux/instrumented.h:121 [inline]
 BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33
  instrument_copy_to_user include/linux/instrumented.h:121 [inline]
  _copy_to_user+0xc0/0x100 lib/usercopy.c:33
  copy_to_user include/linux/uaccess.h:169 [inline]
  nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99
  nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
  nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
  nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
  __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
  __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
  __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
  __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
  do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
  entry_SYSENTER_compat_after_hwframe+0x70/0x82

 Uninit was created at:
  __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572
  alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287
  __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599
  nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74
  nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
  nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
  nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
  __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
  __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
  __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
  do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
  __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
  do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
  do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
  entry_SYSENTER_compat_after_hwframe+0x70/0x82

 Bytes 16-127 of 3968 are uninitialized
 ...

This eliminates the leak issue by initializing the page allocated as
buffer using get_zeroed_page().
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
2.6.31 ≤
𝑥
< 4.14.312
linuxlinux_kernel
4.15 ≤
𝑥
< 4.19.280
linuxlinux_kernel
4.20 ≤
𝑥
< 5.4.240
linuxlinux_kernel
5.5 ≤
𝑥
< 5.10.177
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.105
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.22
linuxlinux_kernel
6.2 ≤
𝑥
< 6.2.9
linuxlinux_kernel
6.3:rc1
linuxlinux_kernel
6.3:rc2
linuxlinux_kernel
6.3:rc3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.129-1
fixed
bookworm (security)
6.1.135-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.234-1
fixed
sid
6.12.25-1
fixed
trixie
6.12.22-1
fixed
References
https://git.kernel.org/stable/c/003587000276f81d0114b5ce773d80c119d8cb30
https://git.kernel.org/stable/c/5bb105cc72beb9d51bf12f5c657336d2d35bdc5d
https://git.kernel.org/stable/c/5f33b042f74fc9662eba17f4cd19b07d84bbc6c5
https://git.kernel.org/stable/c/8a6550b365c0ce2e65905de57dcbfe1f7d629726
https://git.kernel.org/stable/c/8f5cbf6a8c0e19b062b829c5b7aca01468bb57f6
https://git.kernel.org/stable/c/9c5034e9a0e03db8d5e9eabb176340259b5b97e4
https://git.kernel.org/stable/c/a94932381e8dae4117e9129b3c1282e18aa97b05
https://git.kernel.org/stable/c/d18db946cc6a394291539e030df32324285648f7