CVE-2023-52980
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
block: ublk: extending queue_size to fix overflow
When validating drafted SPDK ublk target, in a case that assigning large queue depth to multiqueue ublk device, ublk target would run into a weird incorrect state. During rounds of review and debug, An overflow bug was found in ublk driver.
In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io) will be larger than 65535 if qd is larger than 2728. Then queue_size is overflowed, and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access.
Extend queue_size in ublk_device as "unsigned int".
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 71f28f3136aff5890cd56de78abc673f8393cad9 < ee1e3fe4b4579f856997190a00ea4db0307b4332 | affected |
| Linux | Linux | 71f28f3136aff5890cd56de78abc673f8393cad9 < 29baef789c838bd5c02f50c88adbbc6b955aaf61 | affected |
| Linux | Linux | 6.0 | affected |
| Linux | Linux | 0 < 6.0 | unaffected |
| Linux | Linux | 6.1.11 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/ee1e3fe4b4579f856997190a00ea4db0307b4332
- https://git.kernel.org/stable/c/29baef789c838bd5c02f50c88adbbc6b955aaf61
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.