CVE-2023-54317
Description
In the Linux kernel, the following vulnerability has been resolved:
dm flakey: don't corrupt the zero page
When we need to zero some range on a block device, the function __blkdev_issue_zero_pages submits a write bio with the bio vector pointing to the zero page. If we use dm-flakey with corrupt bio writes option, it will corrupt the content of the zero page which results in crashes of various userspace programs. Glibc assumes that memory returned by mmap is zeroed and it uses it for calloc implementation; if the newly mapped memory is not zeroed, calloc will return non-zeroed memory.
Fix this bug by testing if the page is equal to ZERO_PAGE(0) and avoiding the corruption in this case.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
dm-flakey corrupts the shared zero page when corrupting write bios, causing userspace memory corruption and crashes.
Vulnerability
In the Linux kernel's device-mapper flakey target, the corrupt_bio_write feature is designed to intentionally corrupt write bios for testing. However, when a write bio uses the kernel's shared zero page (ZERO_PAGE(0)) — as done by __blkdev_issue_zero_pages to zero a block range — the corruption modifies the zero page itself. Since the zero page is shared across the system, this causes non-zeroed memory to be returned to userspace, breaking assumptions made by glibc's calloc and leading to crashes in various userspace programs [1][2][3].
Exploitation
An attacker with local access and the ability to trigger a write-zero operation on a block device using dm-flakey with corrupt_bio_write enabled can cause the corruption. No special privileges beyond the ability to configure device-mapper are required, but the attack surface is limited to systems where dm-flakey is explicitly loaded and configured for testing or fault injection.
Impact
The corruption of the zero page results in memory that should be zeroed containing arbitrary data. This violates the fundamental guarantee that newly mapped memory is zeroed, which glibc's calloc relies on. Consequently, programs may read uninitialized data, leading to unpredictable behavior, data corruption, or crashes. The impact is system-wide because a single zero page is shared by all processes.
Mitigation
The fix, committed to the Linux kernel stable tree, adds a check in the dm-flakey corruption code to skip corrupting the bio if the page is equal to ZERO_PAGE(0) [1][2][3]. Users should apply the latest kernel updates from their distribution. There is no known workaround other than avoiding the use of dm-flakey with corrupt_bio_write on systems where zero-page writes may occur.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
8
f50714b57aec, b7f8892f6722, 98e311be44db, 3c4a56ef7c53, f2b478228bfd, ff60b2bb680e, be360c83f2d8, 63d31617883d
Vulnerability mechanics
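A userspace C model of the aliasing problem and the fix described on this page, added here as an illustration; it is not the kernel patch or dm-flakey source. `shared_zero_page`, `bio_model`, `corrupt_bio` and the other names are hypothetical stand-ins for the kernel's zero page, a write bio and the fault injector.

```c
#include <stdio.h>
#define PAGE_SZ 4096
/* Userspace model (assumption): one page of zeroes shared by every consumer,
 * standing in for the kernel's ZERO_PAGE(0). The types are hypothetical. */
static unsigned char shared_zero_page[PAGE_SZ];
struct seg { unsigned char *page; size_t len; };        /* one payload segment */
struct bio_model { struct seg segs[4]; size_t nsegs; };

/* Overwrite payload byte `off` with `val`, as a fault injector would.
 * fixed == 0 models the pre-fix code, 1 the fixed code. Returns 1 if modified. */
static int corrupt_bio(struct bio_model *bio, size_t off, unsigned char val, int fixed)
{
    for (size_t i = 0; i < bio->nsegs; i++) {
        struct seg *s = &bio->segs[i];
        if (off >= s->len) { off -= s->len; continue; }  /* later segment */
        if (fixed && s->page == shared_zero_page)
            return 0;               /* the fix: never write the shared page */
        s->page[off] = val;
        return 1;
    }
    return 0;                       /* offset is past the payload */
}

/* Payload of a zero-out request: every segment aliases the shared page. */
static struct bio_model zeroout_bio(size_t npages)
{
    struct bio_model b = { .nsegs = npages > 4 ? 4 : npages };
    for (size_t i = 0; i < b.nsegs; i++)
        b.segs[i] = (struct seg){ shared_zero_page, PAGE_SZ };
    return b;
}

/* Non-zero bytes an unrelated reader of the zero page would now see. */
static size_t zero_page_dirty(void)
{
    size_t n = 0;
    for (size_t i = 0; i < PAGE_SZ; i++) n += shared_zero_page[i] != 0;
    return n;
}

int main(void)
{
    struct bio_model z = zeroout_bio(2);
    int hit = corrupt_bio(&z, PAGE_SZ + 31, 0xff, 1);
    printf("fixed:   modified=%d dirty=%zu\n", hit, zero_page_dirty());
    hit = corrupt_bio(&z, PAGE_SZ + 31, 0xff, 0);
    printf("pre-fix: modified=%d dirty=%zu\n", hit, zero_page_dirty());
    return 0;
}
```

In the pre-fix path the single modified byte lands in memory that every other consumer of the zero page reads, which is why the effect is not confined to the faulty device.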
References
8
- git.kernel.org/stable/c/3c4a56ef7c538d16c1738ba0ccea9e7146105b5a (nvd)
- git.kernel.org/stable/c/63d31617883d64b43b0e2d529f0751f40713ecae (nvd)
- git.kernel.org/stable/c/98e311be44dbe31ad9c42aa067b2359bac451fda (nvd)
- git.kernel.org/stable/c/b7f8892f672222dbfcc721f51edc03963212b249 (nvd)
- git.kernel.org/stable/c/be360c83f2d810493c04f999d69ec9152981e0c0 (nvd)
- git.kernel.org/stable/c/f2b478228bfdd11e358c5bc197561331f5d5c394 (nvd)
- git.kernel.org/stable/c/f50714b57aecb6b3dc81d578e295f86d9c73f078 (nvd)
- git.kernel.org/stable/c/ff60b2bb680ebcaf8890814dd51084a022891469 (nvd)