cve-2023-52636
Vulnerability from cvelistv5
Published
2024-04-02 07:01
Modified
2024-11-04 14:50
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: libceph: just wait for more data to be available on the socket A short read may occur while reading the message footer from the socket. Later, when the socket is ready for another read, the messenger invokes all read_partial_*() handlers, including read_partial_sparse_msg_data(). The expectation is that read_partial_sparse_msg_data() would bail, allowing the messenger to invoke read_partial() for the footer and pick up where it left off. However read_partial_sparse_msg_data() violates that and ends up calling into the state machine in the OSD client. The sparse-read state machine assumes that it's a new op and interprets some piece of the footer as the sparse-read header and returns bogus extents/data length, etc. To determine whether read_partial_sparse_msg_data() should bail, let's reuse cursor->total_resid. Because once it reaches to zero that means all the extents and data have been successfully received in last read, else it could break out when partially reading any of the extents and data. And then osd_sparse_read() could continue where it left off. [ idryomov: changelog ]
Impacted products
Vendor Product Version
Linux Linux Version: 6.6
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:21.209Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/da9c33a70f095d5d55c36d0bfeba969e31de08ae"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8e46a2d068c92a905d01cbb018b00d66991585ab"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52636",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:53:29.480667Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:37.157Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/ceph/messenger.h",
            "net/ceph/messenger_v1.c",
            "net/ceph/messenger_v2.c",
            "net/ceph/osd_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "da9c33a70f09",
              "status": "affected",
              "version": "d396f89db39a",
              "versionType": "git"
            },
            {
              "lessThan": "bd9442e553ab",
              "status": "affected",
              "version": "d396f89db39a",
              "versionType": "git"
            },
            {
              "lessThan": "8e46a2d068c9",
              "status": "affected",
              "version": "d396f89db39a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/ceph/messenger.h",
            "net/ceph/messenger_v1.c",
            "net/ceph/messenger_v2.c",
            "net/ceph/osd_client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: just wait for more data to be available on the socket\n\nA short read may occur while reading the message footer from the\nsocket.  Later, when the socket is ready for another read, the\nmessenger invokes all read_partial_*() handlers, including\nread_partial_sparse_msg_data().  The expectation is that\nread_partial_sparse_msg_data() would bail, allowing the messenger to\ninvoke read_partial() for the footer and pick up where it left off.\n\nHowever read_partial_sparse_msg_data() violates that and ends up\ncalling into the state machine in the OSD client.  The sparse-read\nstate machine assumes that it\u0027s a new op and interprets some piece of\nthe footer as the sparse-read header and returns bogus extents/data\nlength, etc.\n\nTo determine whether read_partial_sparse_msg_data() should bail, let\u0027s\nreuse cursor-\u003etotal_resid.  Because once it reaches to zero that means\nall the extents and data have been successfully received in last read,\nelse it could break out when partially reading any of the extents and\ndata.  And then osd_sparse_read() could continue where it left off.\n\n[ idryomov: changelog ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T14:50:11.010Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/da9c33a70f095d5d55c36d0bfeba969e31de08ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e46a2d068c92a905d01cbb018b00d66991585ab"
        }
      ],
      "title": "libceph: just wait for more data to be available on the socket",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52636",
    "datePublished": "2024-04-02T07:01:38.187Z",
    "dateReserved": "2024-03-06T09:52:12.093Z",
    "dateUpdated": "2024-11-04T14:50:11.010Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52636\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-02T07:15:41.337\",\"lastModified\":\"2024-04-02T12:50:42.233\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nlibceph: just wait for more data to be available on the socket\\n\\nA short read may occur while reading the message footer from the\\nsocket.  Later, when the socket is ready for another read, the\\nmessenger invokes all read_partial_*() handlers, including\\nread_partial_sparse_msg_data().  The expectation is that\\nread_partial_sparse_msg_data() would bail, allowing the messenger to\\ninvoke read_partial() for the footer and pick up where it left off.\\n\\nHowever read_partial_sparse_msg_data() violates that and ends up\\ncalling into the state machine in the OSD client.  The sparse-read\\nstate machine assumes that it\u0027s a new op and interprets some piece of\\nthe footer as the sparse-read header and returns bogus extents/data\\nlength, etc.\\n\\nTo determine whether read_partial_sparse_msg_data() should bail, let\u0027s\\nreuse cursor-\u003etotal_resid.  Because once it reaches to zero that means\\nall the extents and data have been successfully received in last read,\\nelse it could break out when partially reading any of the extents and\\ndata.  And then osd_sparse_read() could continue where it left off.\\n\\n[ idryomov: changelog ]\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: \\\"libceph: just wait for more data to be available on the socket\\\". Puede ocurrir una lectura breve mientras se lee el pie de p\u00e1gina del mensaje desde el socket. M\u00e1s tarde, cuando el socket est\u00e1 listo para otra lectura, el mensajero invoca todos los controladores read_partial_*(), incluido read_partial_sparse_msg_data(). La expectativa es que read_partial_sparse_msg_data() saldr\u00eda, permitiendo al mensajero invocar read_partial() para el pie de p\u00e1gina y continuar donde lo dej\u00f3. Sin embargo, read_partial_sparse_msg_data() viola eso y termina llamando a la m\u00e1quina de estado en el cliente OSD. La m\u00e1quina de estado de lectura dispersa asume que es una nueva operaci\u00f3n e interpreta alguna parte del pie de p\u00e1gina como el encabezado de lectura dispersa y devuelve extensiones/longitud de datos falsas, etc. Para determinar si read_partial_sparse_msg_data() debe rescatarse, reutilicemos cursor-\u0026gt;total_resid . Porque una vez que llega a cero, significa que todas las extensiones y datos se recibieron correctamente en la \u00faltima lectura; de lo contrario, podr\u00eda romperse al leer parcialmente cualquiera de las extensiones y datos. Y luego osd_sparse_read() podr\u00eda continuar donde lo dej\u00f3. [idryomov: registro de cambios]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/8e46a2d068c92a905d01cbb018b00d66991585ab\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/da9c33a70f095d5d55c36d0bfeba969e31de08ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.