ghsa-fqg2-664v-fx4j
Vulnerability from github
Published
2024-04-02 09:30
Modified
2024-04-02 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: just wait for more data to be available on the socket

A short read may occur while reading the message footer from the socket. Later, when the socket is ready for another read, the messenger invokes all read_partial_*() handlers, including read_partial_sparse_msg_data(). The expectation is that read_partial_sparse_msg_data() would bail, allowing the messenger to invoke read_partial() for the footer and pick up where it left off.

However read_partial_sparse_msg_data() violates that and ends up calling into the state machine in the OSD client. The sparse-read state machine assumes that it's a new op and interprets some piece of the footer as the sparse-read header and returns bogus extents/data length, etc.

To determine whether read_partial_sparse_msg_data() should bail, let's reuse cursor->total_resid. Because once it reaches to zero that means all the extents and data have been successfully received in last read, else it could break out when partially reading any of the extents and data. And then osd_sparse_read() could continue where it left off.

[ idryomov: changelog ]

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2023-52636"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T07:15:41Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: just wait for more data to be available on the socket\n\nA short read may occur while reading the message footer from the\nsocket.  Later, when the socket is ready for another read, the\nmessenger invokes all read_partial_*() handlers, including\nread_partial_sparse_msg_data().  The expectation is that\nread_partial_sparse_msg_data() would bail, allowing the messenger to\ninvoke read_partial() for the footer and pick up where it left off.\n\nHowever read_partial_sparse_msg_data() violates that and ends up\ncalling into the state machine in the OSD client.  The sparse-read\nstate machine assumes that it\u0027s a new op and interprets some piece of\nthe footer as the sparse-read header and returns bogus extents/data\nlength, etc.\n\nTo determine whether read_partial_sparse_msg_data() should bail, let\u0027s\nreuse cursor-\u003etotal_resid.  Because once it reaches to zero that means\nall the extents and data have been successfully received in last read,\nelse it could break out when partially reading any of the extents and\ndata.  And then osd_sparse_read() could continue where it left off.\n\n[ idryomov: changelog ]",
  "id": "GHSA-fqg2-664v-fx4j",
  "modified": "2024-04-02T09:30:40Z",
  "published": "2024-04-02T09:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52636"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8e46a2d068c92a905d01cbb018b00d66991585ab"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da9c33a70f095d5d55c36d0bfeba969e31de08ae"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.