{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-53035", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-03-27T16:40:15.763Z", "datePublished": "2025-05-02T15:54:54.876Z", "dateUpdated": "2026-05-11T19:37:18.401Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T19:37:18.401Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()\n\nThe ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a\nmetadata array to/from user space, may copy uninitialized buffer regions\nto user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO\nand NILFS_IOCTL_GET_CPINFO.\n\nThis can occur when the element size of the user space metadata given by\nthe v_size member of the argument nilfs_argv structure is larger than the\nsize of the metadata element (nilfs_suinfo structure or nilfs_cpinfo\nstructure) on the file system side.\n\nKMSAN-enabled kernels detect this issue as follows:\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user\n include/linux/instrumented.h:121 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33\n instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n _copy_to_user+0xc0/0x100 lib/usercopy.c:33\n copy_to_user include/linux/uaccess.h:169 [inline]\n nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99\n nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]\n nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290\n nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343\n __do_compat_sys_ioctl fs/ioctl.c:968 [inline]\n __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910\n __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\n Uninit was created at:\n __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572\n alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287\n __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599\n nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74\n nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]\n nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290\n nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343\n __do_compat_sys_ioctl fs/ioctl.c:968 [inline]\n __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910\n __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\n Bytes 16-127 of 3968 are uninitialized\n ...\n\nThis eliminates the leak issue by initializing the page allocated as\nbuffer using get_zeroed_page()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nilfs2/ioctl.c"], "versions": [{"version": "003ff182fddde09ddfb8d079bbdb02f9d2122082", "lessThan": "a94932381e8dae4117e9129b3c1282e18aa97b05", "status": "affected", "versionType": "git"}, {"version": "003ff182fddde09ddfb8d079bbdb02f9d2122082", "lessThan": "9c5034e9a0e03db8d5e9eabb176340259b5b97e4", "status": "affected", "versionType": "git"}, {"version": "003ff182fddde09ddfb8d079bbdb02f9d2122082", "lessThan": "8f5cbf6a8c0e19b062b829c5b7aca01468bb57f6", "status": "affected", "versionType": "git"}, {"version": "003ff182fddde09ddfb8d079bbdb02f9d2122082", "lessThan": "d18db946cc6a394291539e030df32324285648f7", "status": "affected", "versionType": "git"}, {"version": "003ff182fddde09ddfb8d079bbdb02f9d2122082", "lessThan": "5bb105cc72beb9d51bf12f5c657336d2d35bdc5d", "status": "affected", "versionType": "git"}, {"version": "003ff182fddde09ddfb8d079bbdb02f9d2122082", "lessThan": "5f33b042f74fc9662eba17f4cd19b07d84bbc6c5", "status": "affected", "versionType": "git"}, {"version": "003ff182fddde09ddfb8d079bbdb02f9d2122082", "lessThan": "8a6550b365c0ce2e65905de57dcbfe1f7d629726", "status": "affected", "versionType": "git"}, {"version": "003ff182fddde09ddfb8d079bbdb02f9d2122082", "lessThan": "003587000276f81d0114b5ce773d80c119d8cb30", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/nilfs2/ioctl.c"], "versions": [{"version": "2.6.31", "status": "affected"}, {"version": "0", "lessThan": "2.6.31", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.312", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.280", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.240", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.177", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.105", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.22", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2.9", "lessThanOrEqual": "6.2.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "4.14.312"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "4.19.280"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.4.240"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.10.177"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "5.15.105"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.1.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.2.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a94932381e8dae4117e9129b3c1282e18aa97b05"}, {"url": "https://git.kernel.org/stable/c/9c5034e9a0e03db8d5e9eabb176340259b5b97e4"}, {"url": "https://git.kernel.org/stable/c/8f5cbf6a8c0e19b062b829c5b7aca01468bb57f6"}, {"url": "https://git.kernel.org/stable/c/d18db946cc6a394291539e030df32324285648f7"}, {"url": "https://git.kernel.org/stable/c/5bb105cc72beb9d51bf12f5c657336d2d35bdc5d"}, {"url": "https://git.kernel.org/stable/c/5f33b042f74fc9662eba17f4cd19b07d84bbc6c5"}, {"url": "https://git.kernel.org/stable/c/8a6550b365c0ce2e65905de57dcbfe1f7d629726"}, {"url": "https://git.kernel.org/stable/c/003587000276f81d0114b5ce773d80c119d8cb30"}], "title": "nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC0BEB73-DA7C-4C61-96C3-F093EFA256BF", "versionEndExcluding": "4.14.312", "versionStartIncluding": "2.6.31", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8449DA5-0637-406C-99C3-84AF4CB5F3EB", "versionEndExcluding": "4.19.280", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C5F51A3-AEBF-4E51-AA58-D8C8B4554A86", "versionEndExcluding": "5.4.240", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FED8369-E7A1-48C6-9700-6ADEDEC371F7", "versionEndExcluding": "5.10.177", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0888AE70-CB0A-45C0-B9BD-A5371244C8DB", "versionEndExcluding": "5.15.105", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "642B6F99-95C6-47F5-A9B1-5C45FE08CAD0", "versionEndExcluding": "6.1.22", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "914F22DD-1E6F-4B0A-A14D-3A9F068F6761", "versionEndExcluding": "6.2.9", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "B8E3B0E8-FA27-4305-87BB-AF6C25B160CB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "A47F0FC3-CE52-4BA1-BA51-22F783938431", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.3:rc3:*:*:*:*:*:*", "matchCriteriaId": "3583026A-27EC-4A4C-850A-83F2AF970673", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()\n\nThe ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a\nmetadata array to/from user space, may copy uninitialized buffer regions\nto user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO\nand NILFS_IOCTL_GET_CPINFO.\n\nThis can occur when the element size of the user space metadata given by\nthe v_size member of the argument nilfs_argv structure is larger than the\nsize of the metadata element (nilfs_suinfo structure or nilfs_cpinfo\nstructure) on the file system side.\n\nKMSAN-enabled kernels detect this issue as follows:\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user\n include/linux/instrumented.h:121 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33\n instrument_copy_to_user include/linux/instrumented.h:121 [inline]\n _copy_to_user+0xc0/0x100 lib/usercopy.c:33\n copy_to_user include/linux/uaccess.h:169 [inline]\n nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99\n nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]\n nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290\n nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343\n __do_compat_sys_ioctl fs/ioctl.c:968 [inline]\n __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910\n __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\n Uninit was created at:\n __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572\n alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287\n __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599\n nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74\n nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]\n nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290\n nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343\n __do_compat_sys_ioctl fs/ioctl.c:968 [inline]\n __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910\n __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910\n do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\n do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\n entry_SYSENTER_compat_after_hwframe+0x70/0x82\n\n Bytes 16-127 of 3968 are uninitialized\n ...\n\nThis eliminates the leak issue by initializing the page allocated as\nbuffer using get_zeroed_page()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: correcci\u00f3n de una fuga de informaci\u00f3n del kernel en nilfs_ioctl_wrap_copy(). La funci\u00f3n auxiliar de ioctl nilfs_ioctl_wrap_copy(), que intercambia una matriz de metadatos hacia/desde el espacio de usuario, puede copiar regiones de b\u00fafer no inicializadas a la memoria del espacio de usuario para los comandos ioctl de solo lectura NILFS_IOCTL_GET_SUINFO y NILFS_IOCTL_GET_CPINFO. Esto puede ocurrir cuando el tama\u00f1o del elemento de los metadatos del espacio de usuario, indicado por el miembro v_size de la estructura del argumento nilfs_argv, es mayor que el tama\u00f1o del elemento de metadatos (estructura nilfs_suinfo o nilfs_cpinfo) en el sistema de archivos. Los kernels con KMSAN habilitado detectan este problema de la siguiente manera: ERROR: KMSAN: fuga de informaci\u00f3n del kernel en instrument_copy_to_user include/linux/instrumented.h:121 [en l\u00ednea] ERROR: KMSAN: fuga de informaci\u00f3n del kernel en _copy_to_user+0xc0/0x100 lib/usercopy.c:33 instrument_copy_to_user include/linux/instrumented.h:121 [en l\u00ednea] _copy_to_user+0xc0/0x100 lib/usercopy.c:33 copy_to_user include/linux/uaccess.h:169 [en l\u00ednea] nilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [en l\u00ednea] nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343 __do_compat_sys_ioctl fs/ioctl.c:968 [en l\u00ednea] __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [en l\u00ednea] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Uninit se cre\u00f3 en: __alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572 alloc_pages+0xab0/0xd80 mm/mempolicy.c:2287 __get_free_pages+0x34/0xc0 mm/page_alloc.c:5599 nilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74 nilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [en l\u00ednea] nilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290 nilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343 __do_compat_sys_ioctl fs/ioctl.c:968 [en l\u00ednea] __se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910 __ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [en l\u00ednea] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Los bytes 16-127 de 3968 no est\u00e1n inicializados... Esto elimina el problema de p\u00e9rdida al inicializar la p\u00e1gina asignada como b\u00fafer usando get_zeroed_page()."}], "id": "CVE-2023-53035", "lastModified": "2026-03-17T14:58:26.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-02T16:15:22.627", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/003587000276f81d0114b5ce773d80c119d8cb30"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5bb105cc72beb9d51bf12f5c657336d2d35bdc5d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5f33b042f74fc9662eba17f4cd19b07d84bbc6c5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8a6550b365c0ce2e65905de57dcbfe1f7d629726"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8f5cbf6a8c0e19b062b829c5b7aca01468bb57f6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9c5034e9a0e03db8d5e9eabb176340259b5b97e4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a94932381e8dae4117e9129b3c1282e18aa97b05"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d18db946cc6a394291539e030df32324285648f7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()", "id": "2363706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2363706"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()\nThe ioctl helper function nilfs_ioctl_wrap_copy(), which exchanges a\nmetadata array to/from user space, may copy uninitialized buffer regions\nto user space memory for read-only ioctl commands NILFS_IOCTL_GET_SUINFO\nand NILFS_IOCTL_GET_CPINFO.\nThis can occur when the element size of the user space metadata given by\nthe v_size member of the argument nilfs_argv structure is larger than the\nsize of the metadata element (nilfs_suinfo structure or nilfs_cpinfo\nstructure) on the file system side.\nKMSAN-enabled kernels detect this issue as follows:\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user\ninclude/linux/instrumented.h:121 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xc0/0x100 lib/usercopy.c:33\ninstrument_copy_to_user include/linux/instrumented.h:121 [inline]\n_copy_to_user+0xc0/0x100 lib/usercopy.c:33\ncopy_to_user include/linux/uaccess.h:169 [inline]\nnilfs_ioctl_wrap_copy+0x6fa/0xc10 fs/nilfs2/ioctl.c:99\nnilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]\nnilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290\nnilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343\n__do_compat_sys_ioctl fs/ioctl.c:968 [inline]\n__se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910\n__ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910\ndo_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\ndo_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\ndo_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\nentry_SYSENTER_compat_after_hwframe+0x70/0x82\nUninit was created at:\n__alloc_pages+0x9f6/0xe90 mm/page_alloc.c:5572\nalloc_pages+0xab0/0xd80 mm/mempolicy.c:2287\n__get_free_pages+0x34/0xc0 mm/page_alloc.c:5599\nnilfs_ioctl_wrap_copy+0x223/0xc10 fs/nilfs2/ioctl.c:74\nnilfs_ioctl_get_info fs/nilfs2/ioctl.c:1173 [inline]\nnilfs_ioctl+0x2402/0x4450 fs/nilfs2/ioctl.c:1290\nnilfs_compat_ioctl+0x1b8/0x200 fs/nilfs2/ioctl.c:1343\n__do_compat_sys_ioctl fs/ioctl.c:968 [inline]\n__se_compat_sys_ioctl+0x7dd/0x1000 fs/ioctl.c:910\n__ia32_compat_sys_ioctl+0x93/0xd0 fs/ioctl.c:910\ndo_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]\n__do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178\ndo_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203\ndo_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246\nentry_SYSENTER_compat_after_hwframe+0x70/0x82\nBytes 16-127 of 3968 are uninitialized\n...\nThis eliminates the leak issue by initializing the page allocated as\nbuffer using get_zeroed_page()."], "name": "CVE-2023-53035", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-53035\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53035\nhttps://lore.kernel.org/linux-cve-announce/2025050200-CVE-2023-53035-badd@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-07-12T22:00:47.514925+00:00", "updated": "2025-07-12T22:00:47.514988+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}