CVE-2023-52803: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

Published May 21, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

RPC client pipefs dentries cleanup is in separated rpcremovepipedir() workqueue,which takes care about pipefs superblock locking. In some special scenarios, when kernel frees the pipefs sb of the current client and immediately alloctes a new pipefs sb, rpcremovepipedir function would misjudge the existence of pipefs sb which is not the one it used to hold. As a result, the rpcremovepipedir would clean the released freed pipefs dentries.

To fix this issue, rpcremovepipedir should check whether the current pipefs sb is consistent with the original pipefs sb.

This error can be catched by KASAN: ========================================================= [ 250.497700] BUG: KASAN: slab-use-after-free in dgetparent+0x195/0x200 [ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503 [ 250.500549] Workqueue: events rpcfreeclientwork [ 250.501001] Call Trace: [ 250.502880] kasanreport+0xb6/0xf0 [ 250.503209] ? dgetparent+0x195/0x200 [ 250.503561] dgetparent+0x195/0x200 [ 250.503897] ? pfxrpcclntdirdepopulate+0x10/0x10 [ 250.504384] rpcrmdirdepopulate+0x1b/0x90 [ 250.504781] rpcremoveclientdir+0xf5/0x150 [ 250.505195] rpcfreeclientwork+0xe4/0x230 [ 250.505598] processonework+0x8ee/0x13b0 ... [ 22.039056] Allocated by task 244: [ 22.039390] kasansavestack+0x22/0x50 [ 22.039758] kasansettrack+0x25/0x30 [ 22.040109] kasanslaballoc+0x59/0x70 [ 22.040487] kmemcachealloclru+0xf0/0x240 [ 22.040889] dalloc+0x31/0x8e0 [ 22.041207] dalloc+0x44/0x1f0 [ 22.041514] rpclookupcreateexclusive+0x11c/0x140 [ 22.041987] rpcmkdirpopulate.constprop.0+0x5f/0x110 [ 22.042459] rpccreateclientdir+0x34/0x150 [ 22.042874] rpcsetuppipedirsb+0x102/0x1c0 [ 22.043284] rpcclientregister+0x136/0x4e0 [ 22.043689] rpcnewclient+0x911/0x1020 [ 22.044057] rpccreatexprt+0xcb/0x370 [ 22.044417] rpccreate+0x36b/0x6c0 ... [ 22.049524] Freed by task 0: [ 22.049803] kasansavestack+0x22/0x50 [ 22.050165] kasansettrack+0x25/0x30 [ 22.050520] kasansavefreeinfo+0x2b/0x50 [ 22.050921] kasanslabfree+0x10e/0x1a0 [ 22.051306] kmemcachefree+0xa5/0x390 [ 22.051667] rcucore+0x62c/0x1930 [ 22.051995] dosoftirq+0x165/0x52a [ 22.052347] [ 22.052503] Last potentially related work creation: [ 22.052952] kasansavestack+0x22/0x50 [ 22.053313] kasanrecordauxstack+0x8e/0xa0 [ 22.053739] callrcucommon.constprop.0+0x6b/0x8b0 [ 22.054209] dentryfree+0xb2/0x140 [ 22.054540] dentrykill+0x3be/0x540 [ 22.054900] shrinkdentrylist+0x199/0x510 [ 22.055293] shrinkdcacheparent+0x190/0x240 [ 22.055703] doonetree+0x11/0x40 [ 22.056028] shrinkdcacheforumount+0x61/0x140 [ 22.056461] genericshutdownsuper+0x70/0x590 [ 22.056879] killanonsuper+0x3a/0x60 [ 22.057234] rpckillsb+0x121/0x200

Other sources

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

The Linux kernel CVE team has assigned CVE-2023-52803 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024052100-CVE-2023-52803-1f43@gregkh/T

Red Hat

Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in dgetparent. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.

IBM

Affected Software

18 affected componentsFixes available
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1
redhat/kernel<5.10.202
5.10.202
redhat/kernel<5.15.140
5.15.140
redhat/kernel<6.1.64
6.1.64
redhat/kernel<6.5.13
6.5.13
redhat/kernel<6.6.3
6.6.3
redhat/kernel<6.7
6.7
Linux Linux kernel>=3.4<4.19.318
Linux Linux kernel>=4.20<5.4.280
Linux Linux kernel>=5.5<5.10.202
Linux Linux kernel>=5.11<5.15.140
Linux Linux kernel>=5.16<6.1.64
Linux Linux kernel>=6.2<6.5.13
Linux Linux kernel>=6.6<6.6.3

Remediation

Patch Available

https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a

Patch Available

https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df

Patch Available

https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618

Patch Available

https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680

Patch Available

https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5

Patch Available

https://git.kernel.org/stable/c/bfca5fb4e97c46503ddfc582335917b0cc228264

Patch Available

https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03a95e44a

Patch Available

https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46

Event History

May 21, 2024
CVE Published
via MITRE·03:31 PM
Data Sourced
via MITRE·03:31 PM
Description
Data Sourced
via NVD·04:15 PM
Description
Data Sourced
via NVD·04:15 PM
RemedySeverityWeaknessAffected Software
May 22, 2024
Data Sourced
via Red Hat·08:18 PM
DescriptionSeverityAffected Software
Sep 12, 2024
Data Sourced
via Launchpad·10:27 AM
Description
Apr 28, 2025
Data Sourced
via Ubuntu·02:16 PM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2023-52803?

CVE-2023-52803 has a medium severity rating due to its impact on RPC client operations.

2

How do I fix CVE-2023-52803?

To fix CVE-2023-52803, update the Linux kernel to versions 5.10.202, 5.15.140, 6.1.64, 6.5.13, 6.6.3, or 6.7 as applicable.

3

What software is affected by CVE-2023-52803?

CVE-2023-52803 affects certain versions of the Linux kernel across various distributions, including Red Hat and Debian.

4

What is the nature of the vulnerability in CVE-2023-52803?

CVE-2023-52803 involves improper cleanup of freed pipefs dentries in the RPC client implementation of the Linux kernel.

5

Is there a workaround for CVE-2023-52803?

No specific workaround is recommended for CVE-2023-52803; updating to a secure version is the best course of action.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203