PT-2023-9423 · Linux · Linux Kernel
Source: Syzbot
Published: 2023-01-16 · Updated: 2025-09-29
CVE-2023-52896
CVSS v3.1: 4.7 (Medium)
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The vulnerability is a race between the quota rescan and quota disable paths in the btrfs component of the Linux kernel that ends in a NULL pointer dereference. It is triggered when one task starts the quota rescan worker while another task disables quotas. The interleaving is:
- Quotas are enabled;
- One task calls the quota rescan ioctl, entering btrfs_qgroup_rescan(), which calls qgroup_rescan_init() and then joins and commits a transaction;
- Another task calls the quota disable ioctl, entering btrfs_quota_disable(), which clears the quota enabled flag and calls btrfs_qgroup_wait_for_completion() (this returns at once, because the rescan worker has not been queued yet), then starts a transaction and locks fs_info->qgroup_ioctl_lock;
- The first task queues the rescan worker;
- The rescan worker starts and checks whether it should stop; it performs no iterations because the quota enabled flag was already cleared;
- The second task sets fs_info->quota_root to NULL;
- The rescan worker attempts to start a transaction using fs_info->quota_root and dereferences the NULL pointer in btrfs_start_transaction().
The result is a general protection fault, with a stack trace pointing at the NULL pointer dereference.
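The interleaving described above, replayed in a single-threaded user-space model. This is an added example, not kernel code and not the upstream patch: every ex_* name is invented, the fields only mirror the fs_info members the description mentions, and the "hardened" worker shows the general fix shape (recheck the root under the same lock that disable takes to clear it, and hold that lock while the transaction is started) rather than the exact upstream change. The key point it makes visible is that the worker's "should I stop?" check on the enabled flag does nothing to protect the later read of quota_root.

```c
/* Added example: user-space model of the btrfs rescan vs. disable race.
 * Not kernel code; all ex_* names are invented for this model. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct ex_root { int objectid; };

/* Single-threaded stand-in for a mutex: catches accidental double locking. */
struct ex_lock { bool held; };
static void ex_lock(struct ex_lock *l)   { if (l->held) abort(); l->held = true; }
static void ex_unlock(struct ex_lock *l) { l->held = false; }

struct ex_fs_info {
    struct ex_lock rescan_lock;   /* lock disable takes before dropping the root */
    bool quota_enabled;           /* stands in for the quota enabled flag */
    bool rescan_running;          /* true once the rescan worker has been queued */
    struct ex_root *quota_root;   /* stands in for fs_info->quota_root */
    struct ex_root storage;
};

static void ex_quota_enable(struct ex_fs_info *fs)
{
    fs->rescan_lock.held = false;
    fs->storage.objectid = 8;     /* arbitrary id; only needs to be non-negative */
    fs->quota_root = &fs->storage;
    fs->quota_enabled = true;
    fs->rescan_running = false;
}

/* Task 1, first half of the rescan ioctl: validation only. The worker is queued
 * later, after the transaction commit, and that gap is the race window. */
static int ex_rescan_init(struct ex_fs_info *fs)
{
    return fs->quota_enabled ? 0 : -EINVAL;
}

/* Task 1, second half: queue the worker. */
static void ex_queue_rescan_worker(struct ex_fs_info *fs) { fs->rescan_running = true; }

/* Task 2, the disable ioctl: clear the flag, wait for a running worker (there is
 * none yet, so this returns immediately), then drop quota_root under the lock. */
static int ex_quota_disable(struct ex_fs_info *fs)
{
    fs->quota_enabled = false;
    if (fs->rescan_running)
        return -EBUSY;            /* the kernel would block here; the model bails */
    ex_lock(&fs->rescan_lock);
    fs->quota_root = NULL;
    ex_unlock(&fs->rescan_lock);
    return 0;
}

/* Stand-in for btrfs_start_transaction(): its first action touches root. */
static int ex_start_transaction(struct ex_root *root)
{
    return root->objectid >= 0 ? 0 : -EIO;   /* a NULL root faults on this line */
}

/* Vulnerable worker shape: the flag check only skips the rescan loop; the root
 * is then read without any recheck. Returns the pointer it would hand to
 * ex_start_transaction() so the caller can observe the NULL instead of faulting. */
static struct ex_root *ex_worker_vulnerable_root(struct ex_fs_info *fs)
{
    int iterations = 0;
    while (fs->quota_enabled && iterations < 1)   /* "should stop?" per iteration */
        iterations++;                              /* zero iterations: flag is clear */
    fs->rescan_running = false;
    return fs->quota_root;                         /* NULL after disable ran */
}

/* Hardened worker: recheck the root under the lock disable uses to clear it, and
 * keep the lock across the transaction start so disable cannot NULL it mid-way. */
static int ex_worker_hardened(struct ex_fs_info *fs)
{
    int ret = -ENOENT;                             /* quotas gone underneath us */
    ex_lock(&fs->rescan_lock);
    if (fs->quota_root)
        ret = ex_start_transaction(fs->quota_root);
    ex_unlock(&fs->rescan_lock);
    fs->rescan_running = false;
    return ret;
}

/* Replays the advisory's interleaving. Returns 0 when the vulnerable path would
 * dereference NULL and the hardened path returns -ENOENT instead. */
static int ex_replay_race(void)
{
    struct ex_fs_info fs;
    ex_quota_enable(&fs);
    if (ex_rescan_init(&fs) != 0)  return 1;   /* task 1 enters the rescan ioctl */
    if (ex_quota_disable(&fs) != 0) return 2;  /* task 2 disables; nothing to wait for */
    ex_queue_rescan_worker(&fs);               /* task 1 queues the worker too late */
    struct ex_root *r = ex_worker_vulnerable_root(&fs);
    fs.rescan_running = true;                  /* re-arm and run the hardened variant */
    int hardened = ex_worker_hardened(&fs);
    return (r == NULL && hardened == -ENOENT) ? 0 : 3;
}

/* Control case: no disable interleaves, so the hardened worker succeeds. */
static int ex_replay_normal(void)
{
    struct ex_fs_info fs;
    ex_quota_enable(&fs);
    if (ex_rescan_init(&fs) != 0) return 1;
    ex_queue_rescan_worker(&fs);
    return ex_worker_hardened(&fs);
}

int main(void)
{
    printf("race replay: %s\n", ex_replay_race() == 0 ? "vulnerable path reaches NULL, hardened path returns -ENOENT" : "unexpected");
    printf("normal replay: %d\n", ex_replay_normal());
    return 0;
}
```

The model keeps the kernel's ordering: wait-for-completion in the disable path runs before the worker exists, so it cannot protect anything, and the flag the worker checks guards only the loop, not the pointer read that follows it. Any real fix has to tie the pointer read and the transaction start to the lock that disable holds when it clears quota_root.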
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
NULL Pointer Dereference
Affected Products
Alt Linux
Astra Linux
Linux Kernel
Red Os
Suse