目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2023-54271— Linux kernel 安全漏洞

AI 预测 7.8 利用难度: 困难 EPSS 0.17% · P6

影响版本矩阵 12

厂商产品版本范围状态
LinuxLinux9d179b865449b351ad5cb76dbea480c9170d4a27< da6cc648c1f570290af1ddbe6b7ca3d91b1d6db9affected
9d179b865449b351ad5cb76dbea480c9170d4a27< 33f0370bb7ce15a59d72a4d8a05421d334a04addaffected
9d179b865449b351ad5cb76dbea480c9170d4a27< e39ef7880d1057b2ebcdb013405f4d84a257db23affected
9d179b865449b351ad5cb76dbea480c9170d4a27< 7d63c6f9765339dcfc34b7365ced7c518012e4feaffected
9d179b865449b351ad5cb76dbea480c9170d4a27< ec14a87ee1999b19d8b7ed0fa95fea80644624aeaffected
5.4affected
< 5.4unaffected
5.15.210≤ 5.15.*unaffected
… +4 条更多
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2023-54271 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init blk-iocost sometimes causes the following crash: BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... RIP: 0010:_raw_spin_lock+0x17/0x30 Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00 RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001 RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0 RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003 R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000 R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600 FS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0 Call Trace: <TASK> ioc_weight_write+0x13d/0x410 cgroup_file_write+0x7a/0x130 kernfs_fop_write_iter+0xf5/0x170 vfs_write+0x298/0x370 ksys_write+0x5f/0xb0 __x64_sys_write+0x1b/0x20 do_syscall_64+0x3d/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This happens because iocg->ioc is NULL. The field is initialized by ioc_pd_init() and never cleared. The NULL deref is caused by blkcg_activate_policy() installing blkg_policy_data before initializing it. blkcg_activate_policy() was doing the following: 1. Allocate pd's for all existing blkg's and install them in blkg->pd[]. 2. Initialize all pd's. 3. Online all pd's. blkcg_activate_policy() only grabs the queue_lock and may release and re-acquire the lock as allocation may need to sleep. ioc_weight_write() grabs blkcg->lock and iterates all its blkg's. The two can race and if ioc_weight_write() runs during #1 or between #1 and #2, it can encounter a pd which is not initialized yet, leading to crash. The crash can be reproduced with the following script: #!/bin/bash echo +io > /sys/fs/cgroup/cgroup.subtree_control systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct echo 100 > /sys/fs/cgroup/system.slice/io.weight bash -c "echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos" & sleep .2 echo 100 > /sys/fs/cgroup/system.slice/io.weight with the following patch applied: > diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c > index fc49be622e05..38d671d5e10c 100644 > --- a/block/blk-cgroup.c > +++ b/block/blk-cgroup.c > @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol) > pd->online = false; > } > > + if (system_state == SYSTEM_RUNNING) { > + spin_unlock_irq(&q->queue_lock); > + ssleep(1); > + spin_lock_irq(&q->queue_lock); > + } > + > /* all allocated, init in the same order */ > if (pol->pd_init_fn) > list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) I don't see a reason why all pd's should be allocated, initialized and onlined together. The only ordering requirement is that parent blkgs to be initialized and onlined before children, which is guaranteed from the walking order. Let's fix the bug by allocating, initializing and onlining pd for each blkg and holding blkcg->lock over initialization and onlining. This ensures that an installed blkg is always fully initialized and onlined removing the the race window.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Linux kernel 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于blk-cgroup中blkg_policy_data在初始化前安装,可能导致空指针取消引用。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
LinuxLinux 9d179b865449b351ad5cb76dbea480c9170d4a27 ~ da6cc648c1f570290af1ddbe6b7ca3d91b1d6db9 -
LinuxLinux 5.4 -

二、漏洞 CVE-2023-54271 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2023-54271 的情报信息

登录查看更多情报信息。

CVE-2023-54271 补丁与修复 (2)

CVE-2023-54271 其他参考 (3)

同批安全公告 · Linux · 2025-12-30 · 共 244 条

CVE-2023-54266Linux kernel 安全漏洞
CVE-2023-54250Linux kernel 安全漏洞
CVE-2023-54249Linux kernel 安全漏洞
CVE-2023-54251Linux kernel 安全漏洞
CVE-2023-54253Linux kernel 安全漏洞
CVE-2023-54252Linux kernel 安全漏洞
CVE-2023-54254Linux kernel 安全漏洞
CVE-2023-54255Linux kernel 安全漏洞
CVE-2023-54257Linux kernel 安全漏洞
CVE-2023-54258Linux kernel 安全漏洞
CVE-2023-54259Linux kernel 安全漏洞
CVE-2023-54260Linux kernel 安全漏洞
CVE-2023-54261Linux kernel 安全漏洞
CVE-2023-54262Linux kernel 安全漏洞
CVE-2023-54263Linux kernel 安全漏洞
CVE-2023-54264Linux kernel 安全漏洞
CVE-2023-54275Linux kernel 安全漏洞
CVE-2023-54276Linux kernel 安全漏洞
CVE-2023-54278Linux kernel 安全漏洞
CVE-2023-54274Linux kernel 安全漏洞

显示前 20 条,共 244 条。 查看全部 &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2023-54271

暂无评论


发表评论