{ "threat_severity" : "Moderate", "public_date" : "2025-05-02T00:00:00Z", "bugzilla" : { "description" : "kernel: nfsd: don't replace page in rq_pages if it's a continuation of last page", "id" : "2363709", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2363709" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnfsd: don't replace page in rq_pages if it's a continuation of last page\nThe splice read calls nfsd_splice_actor to put the pages containing file\ndata into the svc_rqst->rq_pages array. It's possible however to get a\nsplice result that only has a partial page at the end, if (e.g.) the\nfilesystem hands back a short read that doesn't cover the whole page.\nnfsd_splice_actor will plop the partial page into its rq_pages array and\nreturn. Then later, when nfsd_splice_actor is called again, the\nremainder of the page may end up being filled out. At this point,\nnfsd_splice_actor will put the page into the array _again_ corrupting\nthe reply. If this is done enough times, rq_next_page will overrun the\narray and corrupt the trailing fields -- the rq_respages and\nrq_next_page pointers themselves.\nIf we've already added the page to the array in the last pass, don't add\nit to the array a second time when dealing with a splice continuation.\nThis was originally handled properly in nfsd_splice_actor, but commit\n91e23b1c3982 (\"NFSD: Clean up nfsd_splice_actor()\") removed the check\nfor it." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-53083\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-53083\nhttps://lore.kernel.org/linux-cve-announce/2025050217-CVE-2023-53083-5b4e@gregkh/T" ], "name" : "CVE-2023-53083", "csaw" : false }