CVE-2023-53360

17.09.2025, 15:15

In the Linux kernel, the following vulnerability has been resolved:

NFSv4.2: Rework scratch handling for READ_PLUS (again)

I found that the read code might send multiple requests using the same
nfs_pgio_header, but nfs4_proc_read_setup() is only called once. This is
how we ended up occasionally double-freeing the scratch buffer, but also
means we set a NULL pointer but non-zero length to the xdr scratch
buffer. This results in an oops the first time decoding needs to copy
something to scratch, which frequently happens when decoding READ_PLUS
hole segments.

I fix this by moving scratch handling into the pageio read code. I
provide a function to allocate scratch space for decoding read replies,
and free the scratch buffer when the nfs_pgio_header is freed.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
linux	linux_kernel	6.4 ≤ 𝑥 < 6.4.16
linux	linux_kernel	6.5 ≤ 𝑥 < 6.5.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 not-affected
bullseye (security)	5.10.237-1 fixed
bookworm	6.1.148-1 fixed
bookworm (security)	6.1.147-1 fixed
trixie	6.12.43-1 fixed
trixie (security)	6.12.41-1 fixed
forky	6.16.7-1 fixed
sid	6.16.7-1 fixed

Common Weakness Enumeration

CWE-415 - Double Free
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References

https://git.kernel.org/stable/c/303a78052091c81e9003915c521fdca1c7e117af

https://git.kernel.org/stable/c/a2f4cb206bd94b3f4a7bb05fcdce9525283b5681

https://git.kernel.org/stable/c/adac9f0ddd2b291c7ce41f549fdb27a13616cff5

https://git.kernel.org/stable/c/ae5d5672f1db711e91db6f52df5cb16ecd8f5692