CVE-2023-52454
Vulnerability from cvelistv5
Published: 2024-02-23 14:46
Modified: 2024-12-19 08:19
Summary
In the Linux kernel, the following vulnerability has been resolved:

nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length

If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec().

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]
  Call trace:
    process_one_work+0x174/0x3c8
    worker_thread+0x2d0/0x3e8
    kthread+0x104/0x110

Fix the bug by raising a fatal error if DATAL isn't coherent with the packet size. Also, the PDU length should never exceed the MAXH2CDATA parameter which has been communicated to the host in nvmet_tcp_handle_icreq().
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67  https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88  Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67  https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42  Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67  https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d  Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67  https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68  Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67  https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d  Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67  https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be  Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67  https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510  Patch
af854a3a-2127-422b-91ae-364da2661108  https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88  Patch
af854a3a-2127-422b-91ae-364da2661108  https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42  Patch
af854a3a-2127-422b-91ae-364da2661108  https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d  Patch
af854a3a-2127-422b-91ae-364da2661108  https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68  Patch
af854a3a-2127-422b-91ae-364da2661108  https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d  Patch
af854a3a-2127-422b-91ae-364da2661108  https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be  Patch
af854a3a-2127-422b-91ae-364da2661108  https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510  Patch
af854a3a-2127-422b-91ae-364da2661108  https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
Impacted products
Vendor Product Version
Linux Linux Version: 5.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52454",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-26T14:16:59.030675Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:40.242Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:19.623Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee5e7632e981673f42a50ade25e71e612e543d9d",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "f775f2621c2ac5cc3a0b3a64665dad4fb146e510",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "2871aa407007f6f531fae181ad252486e022df42",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "24e05760186dc070d3db190ca61efdbce23afc88",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            },
            {
              "lessThan": "efa56305908ba20de2104f1b8508c6a7401833be",
              "status": "affected",
              "version": "872d26a391da92ed8f0c0f5cb5fef428067b7f30",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/tcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.268",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.148",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n  process_one_work+0x174/0x3c8\n  worker_thread+0x2d0/0x3e8\n  kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn\u0027t coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:19:48.837Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510"
        },
        {
          "url": "https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42"
        },
        {
          "url": "https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88"
        },
        {
          "url": "https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68"
        },
        {
          "url": "https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be"
        }
      ],
      "title": "nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52454",
    "datePublished": "2024-02-23T14:46:17.827Z",
    "dateReserved": "2024-02-20T12:30:33.293Z",
    "dateUpdated": "2024-12-19T08:19:48.837Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

