Re: CVE-2023-53027: erofs: fix kvcalloc() misuse with __GFP_NOFAIL

From: Gao Xiang
Date: Fri Mar 28 2025 - 02:56:18 EST




On 2025/3/28 14:53, Greg Kroah-Hartman wrote:
> On Fri, Mar 28, 2025 at 02:43:04PM +0800, Gao Xiang wrote:
>> Hi,
>>
>> On 2025/3/28 00:44, Greg Kroah-Hartman wrote:
>>> Description
>>> ===========
>>>
>>> In the Linux kernel, the following vulnerability has been resolved:
>>>
>>> erofs: fix kvcalloc() misuse with __GFP_NOFAIL
>>>
>>> As reported by syzbot [1], kvcalloc() cannot work with __GFP_NOFAIL.
>>> Let's use kcalloc() instead.
>>>
>>> [1] https://lore.kernel.org/r/0000000000007796bd05f1852ec2@xxxxxxxxxx
>>>
>>> The Linux kernel CVE team has assigned CVE-2023-53027 to this issue.
>>
>> I think this CVE is invalid since it was then reverted by
>> upstream commit 647dd2c3f0e1 ("erofs: Revert "erofs: fix kvcalloc()
>> misuse with __GFP_NOFAIL"")
>>
>> since it's not the correct way to fix this.
>
> Ah, that commit was not in the "normal" revert style, which is why we
> didn't notice that.

Yeah, that is somewhat awkward. Anyway, backporting this incorrect
fix due to a CVE just makes it worse.

>
> I've now rejected this CVE id, thanks for letting us know!

Thanks!

Thanks,
Gao Xiang

>
> greg k-h