Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-3wc5-j3q5-m2xc

Опубликовано: 07 окт. 2025
Источник: github
Github: Не прошло ревью
CVSS3: 5.5

Описание

In the Linux kernel, the following vulnerability has been resolved:

md: don't dereference mddev after export_rdev()

Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after export_rdev().

This problem can be triggered by following test for mdadm at very low rate:

New file: mdadm/tests/23rdev-lifetime

devname=${dev0##*/} devt=cat /sys/block/$devname/dev pid="" runtime=2

clean_up_test() { pill -9 $pid echo clear > /sys/block/md0/md/array_state }

trap 'clean_up_test' EXIT

add_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done }

remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done }

echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"

add_by_sysfs & pid="$pid $!"

remov...

In the Linux kernel, the following vulnerability has been resolved:

md: don't dereference mddev after export_rdev()

Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after export_rdev().

This problem can be triggered by following test for mdadm at very low rate:

New file: mdadm/tests/23rdev-lifetime

devname=${dev0##*/} devt=cat /sys/block/$devname/dev pid="" runtime=2

clean_up_test() { pill -9 $pid echo clear > /sys/block/md0/md/array_state }

trap 'clean_up_test' EXIT

add_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done }

remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done }

echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"

add_by_sysfs & pid="$pid $!"

remove_by_sysfs & pid="$pid $!"

sleep $runtime exit 0

Test cmd:

./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime

Test result:

general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMP CPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562 RIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod] Call Trace: mddev_unlock+0x1b6/0x310 [md_mod] rdev_attr_store+0xec/0x190 [md_mod] sysfs_kf_write+0x52/0x70 kernfs_fop_write_iter+0x19a/0x2a0 vfs_write+0x3b5/0x770 ksys_write+0x74/0x150 __x64_sys_write+0x22/0x30 do_syscall_64+0x40/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fix this problem by don't dereference mddev after export_rdev().

Ссылки

EPSS

Процентиль: 6%
0.00025
Низкий

5.5 Medium

CVSS3

CVE ID

CVE-2023-53665

Связанные уязвимости

ubuntu логотип

CVE-2023-53665

CVSS3: 5.5
ubuntu
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: md: don't dereference mddev after export_rdev() Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after export_rdev(). This problem can be triggered by following test for mdadm at very low rate: New file: mdadm/tests/23rdev-lifetime devname=${dev0##*/} devt=`cat /sys/block/$devname/dev` pid="" runtime=2 clean_up_test() { pill -9 $pid echo clear > /sys/block/md0/md/array_state } trap 'clean_up_test' EXIT add_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done } remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done } echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed" add_by_sysfs & pid="$pid $!" remove_by_sysfs & pid="$pid $!" sleep $runtime exit 0 Test cmd: ./test --save-logs --logdir=/tmp/...

nvd логотип

CVE-2023-53665

CVSS3: 5.5
nvd
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: md: don't dereference mddev after export_rdev() Except for initial reference, mddev->kobject is referenced by rdev->kobject, and if the last rdev is freed, there is no guarantee that mddev is still valid. Hence mddev should not be used anymore after export_rdev(). This problem can be triggered by following test for mdadm at very low rate: New file: mdadm/tests/23rdev-lifetime devname=${dev0##*/} devt=`cat /sys/block/$devname/dev` pid="" runtime=2 clean_up_test() { pill -9 $pid echo clear > /sys/block/md0/md/array_state } trap 'clean_up_test' EXIT add_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done } remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done } echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed" add_by_sysfs & pid="$pid $!" remove_b

debian логотип

CVE-2023-53665

CVSS3: 5.5
debian
4 месяца назад

In the Linux kernel, the following vulnerability has been resolved: m ...

suse-cvrf логотип

SUSE-SU-2025:4128-1

suse-cvrf
3 месяца назад

Security update for the Linux Kernel

suse-cvrf логотип

SUSE-SU-2025:4301-1

suse-cvrf
2 месяца назад

Security update for the Linux Kernel

EPSS

Процентиль: 6%
0.00025
Низкий

5.5 Medium

CVSS3

CVE ID

CVE-2023-53665