CVE-2023-53481
EUVD-2025-3278801.10.2025, 12:15
In the Linux kernel, the following vulnerability has been resolved:
ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
Following process will trigger an infinite loop in ubi_wl_put_peb():
ubifs_bgt ubi_bgt
ubifs_leb_unmap
ubi_leb_unmap
ubi_eba_unmap_leb
ubi_wl_put_peb wear_leveling_worker
e1 = rb_entry(rb_first(&ubi->used)
e2 = get_peb_for_wl(ubi)
ubi_io_read_vid_hdr // return err (flash fault)
out_error:
ubi->move_from = ubi->move_to = NULL
wl_entry_destroy(ubi, e1)
ubi->lookuptbl[e->pnum] = NULL
retry:
e = ubi->lookuptbl[pnum]; // return NULL
if (e == ubi->move_from) { // NULL == NULL gets true
goto retry; // infinite loop !!!
$ top
PID USER PR NI VIRT RES SHR S %CPU %MEM COMMAND
7676 root 20 0 0 0 0 R 100.0 0.0 ubifs_bgt0_0
Fix it by:
1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has
been removed from 'ubi->lookuptbl'.
2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an
use-after-free problem for wl entry in ubi_wl_put_peb().
Fetch a reproducer in [Link].Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 2.6.25 ≤ 𝑥 < 4.14.308 |
| linux | linux_kernel | 4.15 ≤ 𝑥 < 4.19.276 |
| linux | linux_kernel | 4.20 ≤ 𝑥 < 5.4.235 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.173 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.100 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.18 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.2.5 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References