PT-2025-54159 · Linux · Linux Kernel

Published: 2023-06-19 · Updated: 2026-03-24 · CVE-2023-54313

CVSS v2.0: 4.6 (Medium)

Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Linux kernel versions 6.3.0-12064-g2edfa098e750-dirty and earlier

Description

The Linux kernel contains a flaw in the ovl_get_acl_rcu() function that can lead to a NULL pointer dereference. The issue occurs while obtaining an Access Control List (ACL) for an overlay filesystem: a NULL pointer is dereferenced when attempting to access the real inode. The call trace indicates the issue originates from ovl_get_inode_acl, get_cached_acl_rcu, generic_permission, ovl_permission, inode_permission, link_path_walk, path_lookupat.isra.0, filename_lookup, and vfs_fstatat. The root cause is a failure to check for a NULL pointer before accessing realinode.

Recommendations

Versions prior to 6.3.0-12064-g2edfa098e750-dirty should be updated. As a temporary workaround, consider using the ovl_i_path_realinode() helper function to obtain the real inode and perform a non-NULL pointer check before proceeding.

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

BDU:2026-01176
CVE-2023-54313
RHSA-2025:6966
SUSE-SU-2026:0278-1
SUSE-SU-2026:0281-1
SUSE-SU-2026:0293-1
SUSE-SU-2026:0315-1
SUSE-SU-2026:20477-1
SUSE-SU-2026:20498-1
SUSE-SU-2026:20845-1
SUSE-SU-2026:20876-1

Affected Products

Linux Kernel