CVE-2023-53493

Summary

In the Linux kernel, the following vulnerability has been resolved:

accel/qaic: tighten bounds checking in decode_message()

Copy the bounds checking from encode_message() to decode_message().

This patch addresses the following concerns. Ensure that there is enough space for at least one header so that we don't have a negative size later.

if (msg_hdr_len < sizeof(*trans_hdr))

Ensure that we have enough space to read the next header from the msg->data.

if (msg_len > msg_hdr_len - sizeof(*trans_hdr))
	return -EINVAL;

Check that the trans_hdr->len is not below the minimum size:

if (hdr_len < sizeof(*trans_hdr))

This minimum check ensures that we don't corrupt memory in decode_passthrough() when we do.

memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr));

And finally, use size_add() to prevent an integer overflow:

if (size_add(msg_len, hdr_len) > msg_hdr_len)

Affected Software

VendorProductVersion RangeStatus
LinuxLinux129776ac2e38231fa9c02ce20e116c99de291666 < 57d14cb3bae4619ce2fb5235cb318c3d5d8f53fdaffected
LinuxLinux129776ac2e38231fa9c02ce20e116c99de291666 < 51b56382ed2a2b03347372272362b3baa623ed1eaffected
LinuxLinux6.4affected
LinuxLinux0 < 6.4unaffected
LinuxLinux6.4.7 <= 6.4.*unaffected
LinuxLinux6.5 <= *unaffected

Weaknesses

References