CVE-2023-52497: 
Linux Kernel vulnerability analysis and mitigation

CVE-2023-52497 affects the Linux kernel's EROFS (Enhanced Read-Only File System) implementation, specifically related to LZ4 inplace decompression. The vulnerability was discovered in March 2024 and affects Linux kernel versions from 5.3 up to (excluding) 6.7.3. The issue occurs in the EROFS filesystem's handling of LZ4 compressed data decompression (NVD).

The vulnerability stems from how EROFS handles compressed buffer mapping for inplace decompression. LZ4, like most LZ77 algorithms, expects compressed data to be arranged at the end of the decompressed buffer and uses memmove() for overlapping. While EROFS arranges compressed data correctly, it maps two individual virtual buffers where the relative order is uncertain. This issue became apparent with recent Intel x86 processors featuring the FSRM feature, which exposes the problem through 'rep movsb' instructions. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (NVD).

The vulnerability can lead to data corruption on systems using EROFS with LZ4 compression, particularly on newer Intel x86 processors with the FSRM feature. The CVSS scoring indicates potential impacts on data integrity (Low) and system availability (High), though there is no impact on confidentiality (NVD).

The issue has been fixed in the Linux kernel through a patch that modifies how EROFS handles LZ4 inplace decompression. The fix strictly uses the decompressed buffer for LZ4 inplace decompression. Various Linux distributions have released updates incorporating this fix, including Ubuntu and Debian. Users should update their systems to the patched versions (Kernel Patch).