CVE-2023-53035
Severity (NVD): HIGH
CVSS v3.1 vector (NVD): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Description (NVD)
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
The ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a metadata array to/from user space, may copy uninitialized buffer regions to user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO and NILFS_IOCTL_GET_CPINFO.
This can occur when the element size of the user space metadata given by the v_size member of the argument nilfs_argv structure is larger than the size of the metadata element (nilfs_suinfo structure or nilfs_cpinfo structure) on the file system side.
KMSAN-enabled kernels detect this issue as follows:
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 _copy_to_user+0xc0/0x100 lib/usercopy.c:33
 copy_to_user include/linux/uaccess.h:169 [inline]
 nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99
 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
 nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
 __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
 __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82

Uninit was created at:
 __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572
 alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287
 __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599
 nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74
 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]
 nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290
 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343
 __do_compat_sys_ioctl fs/ioctl.c:968 [inline]
 __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910
 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246
 entry_SYSENTER_compat_after_hwframe+0x70/0x82
Bytes 16-127 of 3968 are uninitialized ...
This eliminates the leak issue by initializing the page allocated as buffer using get_zeroed_page().
Analysis (AI-generated)
CVE-2023-53035 is an information disclosure bug in the Linux kernel's nilfs2 filesystem driver, in the ioctl helper nilfs_ioctl_wrap_copy(). For the read-only commands NILFS_IOCTL_GET_SUINFO and NILFS_IOCTL_GET_CPINFO, the caller chooses the per-element size (v_size in struct nilfs_argv); if that size is larger than the kernel's own nilfs_suinfo or nilfs_cpinfo structure, the getter fills only the structure-sized prefix of each slot and the untouched remainder of the page-sized kernel buffer is copied back to user space. The impact is a read of stale kernel memory, not memory corruption; the NVD vector describes a local, low-privileged attacker (AV:L, PR:L) and rates confidentiality and availability impact high with no integrity impact. With an EPSS score of 0.11% (29th percentile) the exploitation probability is low, and the upstream fix has been backported to multiple stable kernel branches.
Technical context (AI-generated)
The vulnerability is in the nilfs2 log-structured filesystem driver, specifically in the ioctl helper nilfs_ioctl_wrap_copy() in fs/nilfs2/ioctl.c, which exchanges an array of metadata records between the kernel and user space. According to CPE data, affected versions include the 6.3 release candidates (rc1-rc3) and various stable branches. The root cause is an unzeroed buffer: the helper allocates a scratch page with __get_free_pages(), the per-command getter writes one kernel-side record (struct nilfs_suinfo or struct nilfs_cpinfo) at the start of each v_size-byte slot, and copy_to_user() then hands back v_size times the number of records. When the user-supplied v_size exceeds the record size, the tail of every slot is whatever the page held before allocation and is disclosed verbatim. The KMSAN report above makes the layout concrete: of a 3968-byte copy_to_user(), bytes 16-127 are uninitialized, i.e. only the first 16 bytes of the first slot were written by the getter; 3968 is the copy length, not the allocation, which is a single page. The reported call chain runs through nilfs_compat_ioctl() (the 32-bit compatibility entry point used by the fuzzer), but the helper is shared with the native ioctl path.
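The following user-space model of the copy-out loop is an added illustration, not code from this page or from the kernel. It reproduces the strided write-then-copy behaviour described above so the leak can be measured: the scratch page is filled with a marker byte standing in for stale kernel memory (or with zeros, to model get_zeroed_page()), a stand-in getter writes a 16-byte record at the start of each v_size slot, and the whole strided region is then "copied to user space". The page size (4096), the 16-byte record size and the 0xAA marker are assumptions of the model.

```c
/*
 * User-space model of the copy-out path of nilfs_ioctl_wrap_copy()
 * before and after the CVE-2023-53035 fix. Added example, not kernel
 * code. Assumed: a 4096-byte page, a 16-byte metadata record (stand-in
 * for struct nilfs_suinfo / nilfs_cpinfo), and 0xAA as the marker for
 * whatever the freshly allocated page happened to contain.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u
#define MODEL_ELEM_SIZE 16u   /* assumed kernel-side record size */
#define STALE_BYTE      0xAAu /* assumed marker for never-written bytes */

struct leak_report {
	size_t copied;   /* bytes handed to "user space" */
	size_t leaked;   /* of those, bytes the getter never wrote */
	size_t first;    /* offset of the first leaked byte */
	size_t gap_end;  /* offset of the last byte of that first gap */
};

/* Stand-in for the per-command getter (the dofunc callback): writes one
 * MODEL_ELEM_SIZE-byte record at the start of each v_size-byte slot and
 * returns how many records it produced. Bytes MODEL_ELEM_SIZE..v_size-1
 * of every slot are left untouched, exactly the gap that leaks. */
static size_t fill_elements(uint8_t *buf, size_t v_size, size_t n)
{
	for (size_t i = 0; i < n; i++)
		memset(buf + v_size * i, 0x11, MODEL_ELEM_SIZE);
	return n;
}

/*
 * One batch of the wrap-copy loop. zero_page == false models the
 * vulnerable __get_free_pages() allocation, true models the fix
 * (get_zeroed_page()). Returns 0 and fills *rep, or -1 for a v_size the
 * model rejects (smaller than the record or larger than a page; the
 * page bound mirrors the kernel helper's own check).
 */
static int wrap_copy_model(size_t v_size, size_t v_nmembs, bool zero_page,
			   struct leak_report *rep)
{
	if (!rep || v_size < MODEL_ELEM_SIZE || v_size > MODEL_PAGE_SIZE)
		return -1;

	uint8_t *page = malloc(MODEL_PAGE_SIZE);
	if (!page)
		return -1;
	/* Simulated page contents: stale data, or zeros after the fix. */
	memset(page, zero_page ? 0x00 : STALE_BYTE, MODEL_PAGE_SIZE);

	size_t maxmembs = MODEL_PAGE_SIZE / v_size;
	size_t n = v_nmembs < maxmembs ? v_nmembs : maxmembs;
	size_t nr = fill_elements(page, v_size, n);

	/* copy_to_user(base, buf, v_size * nr): the whole strided region,
	 * slot gaps included, goes back to the caller. */
	size_t len = v_size * nr;
	uint8_t *user = malloc(len ? len : 1);
	if (!user) {
		free(page);
		return -1;
	}
	memcpy(user, page, len);

	memset(rep, 0, sizeof(*rep));
	rep->copied = len;
	bool in_first_gap = false;
	for (size_t i = 0; i < len; i++) {
		if (user[i] == STALE_BYTE) {
			if (rep->leaked == 0) {
				rep->first = i;
				in_first_gap = true;
			}
			if (in_first_gap)
				rep->gap_end = i;
			rep->leaked++;
		} else {
			in_first_gap = false;
		}
	}
	free(user);
	free(page);
	return 0;
}

int main(void)
{
	/* The report's scenario: 31 records copied in one 3968-byte batch. */
	const char *tag[] = { "__get_free_pages (vulnerable)",
			      "get_zeroed_page (fixed)" };
	for (int fixed = 0; fixed < 2; fixed++) {
		struct leak_report rep;
		if (wrap_copy_model(128, 31, fixed != 0, &rep) != 0)
			continue;
		printf("%s: copied %zu bytes, %zu leaked",
		       tag[fixed], rep.copied, rep.leaked);
		if (rep.leaked)
			printf(", first gap bytes %zu-%zu", rep.first, rep.gap_end);
		putchar('\n');
	}
	return 0;
}
```

With v_size 128 the vulnerable run reports the same shape as the KMSAN output (first gap at bytes 16-127 of a 3968-byte copy), with 112 of every 128 bytes being stale; the zeroed-page run copies the same length but leaks nothing, and a v_size equal to the record size leaks nothing even on the vulnerable path because every slot is fully written.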
Remediation (AI-generated)
Update to a kernel that carries the upstream fix, which replaces __get_free_pages() with get_zeroed_page() in nilfs_ioctl_wrap_copy(). The fix is available in the stable branches at https://git.kernel.org/stable/ under the commit hashes listed in the references. Organizations running distribution kernels should apply the vendor's security update (Red Hat, Ubuntu, SUSE, Debian, etc.) that incorporates it. Until patched, if nilfs2 is not needed, unmount any nilfs2 filesystems and unload the module (rmmod nilfs2), and blacklist it via modprobe.d so it is not autoloaded; a kernel with nilfs2 built in cannot be mitigated this way. Where nilfs2 is required, note that the vulnerable ioctls need only an open file descriptor on the filesystem, so restrict who can reach the mount point and consider audit rules on the ioctl syscall for those mounts to surface unexpected callers. To verify the fix: on a source tree, confirm that nilfs_ioctl_wrap_copy() in fs/nilfs2/ioctl.c allocates its buffer with get_zeroed_page(); on a distribution kernel, check the vendor changelog for this CVE id or the upstream commit.