gsd-2023-52454
Vulnerability from gsd
Modified
2024-02-21 06:01
Details
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length
If the host sends an H2CData command with an invalid DATAL,
the kernel may crash in nvmet_tcp_build_pdu_iovec().
Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]
Call trace:
process_one_work+0x174/0x3c8
worker_thread+0x2d0/0x3e8
kthread+0x104/0x110
Fix the bug by raising a fatal error if DATAL isn't coherent
with the packet size.
Also, the PDU length should never exceed the MAXH2CDATA parameter which
has been communicated to the host in nvmet_tcp_handle_icreq().
Aliases
{ gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2023-52454", ], details: "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n process_one_work+0x174/0x3c8\n worker_thread+0x2d0/0x3e8\n kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().", id: "GSD-2023-52454", modified: "2024-02-21T06:01:53.218522Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@kernel.org", ID: "CVE-2023-52454", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Linux", version: { version_data: [ { version_affected: "<", version_name: "872d26a391da", version_value: "ee5e7632e981", }, { version_value: "not down converted", x_cve_json_5_version_data: { defaultStatus: "affected", versions: [ { status: "affected", version: "5.0", }, { lessThan: "5.0", status: "unaffected", version: "0", versionType: "custom", }, { lessThanOrEqual: "5.4.*", status: "unaffected", version: "5.4.268", versionType: "custom", }, { lessThanOrEqual: "5.10.*", status: "unaffected", version: "5.10.209", versionType: "custom", }, { lessThanOrEqual: "5.15.*", status: "unaffected", version: "5.15.148", versionType: "custom", }, { lessThanOrEqual: "6.1.*", status: "unaffected", version: "6.1.75", versionType: "custom", }, { lessThanOrEqual: "6.6.*", status: "unaffected", version: "6.6.14", versionType: "custom", }, { lessThanOrEqual: "6.7.*", status: "unaffected", version: "6.7.2", versionType: "custom", }, { lessThanOrEqual: "*", status: "unaffected", version: "6.8", versionType: "original_commit_for_fix", }, ], }, }, ], }, }, ], }, vendor_name: "Linux", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n process_one_work+0x174/0x3c8\n worker_thread+0x2d0/0x3e8\n kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().", }, ], }, generator: { engine: "bippy-8df59b4913de", }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d", refsource: "MISC", url: "https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d", }, { name: "https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510", refsource: "MISC", url: "https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510", }, { name: "https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d", refsource: "MISC", url: "https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d", }, { name: "https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42", refsource: "MISC", url: "https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42", }, { name: "https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88", refsource: "MISC", url: "https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88", }, { name: "https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68", refsource: "MISC", url: "https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68", }, { name: "https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be", refsource: "MISC", url: "https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be", }, ], }, }, "nvd.nist.gov": { cve: { configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "DC321538-B8AF-474D-83B4-EC34D319F835", versionEndExcluding: "5.4.268", versionStartIncluding: "5.0.0", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "5D2E4F24-2FBB-4434-8598-2B1499E566B5", versionEndExcluding: "5.10.209", versionStartIncluding: "5.5.0", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "E25E1389-4B0F-407A-9C94-5908FF3EE88B", versionEndExcluding: "5.15.148", versionStartIncluding: "5.11.0", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "2C4951FA-80C0-4B4C-9836-6E5035DEB0F9", versionEndExcluding: "6.1.75", versionStartIncluding: "5.16.0", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "BDBBEB0E-D13A-4567-8984-51C5375350B9", versionEndExcluding: "6.6.14", versionStartIncluding: "6.2.0", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "0EA3778C-730B-464C-8023-18CA6AC0B807", versionEndExcluding: "6.7.2", versionStartIncluding: "6.7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n process_one_work+0x174/0x3c8\n worker_thread+0x2d0/0x3e8\n kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq().", }, { lang: "es", value: "En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nvmet-tcp: soluciona un pánico del kernel cuando el host envía una longitud de PDU H2C no válida. Si el host envía un comando H2CData con un DATAL no válido, el kernel puede fallar en nvmet_tcp_build_pdu_iovec(). No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000000 lr: nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp] Rastreo de llamadas: Process_one_work+0x174/0x3c8 trabajador_thread+0x2d0/0x3e8 kthread+0x104/0x110 Solucione el error generando un error fatal si DATAL es No es coherente con el tamaño del paquete. Además, la longitud de la PDU nunca debe exceder el parámetro MAXH2CDATA que se ha comunicado al host en nvmet_tcp_handle_icreq().", }, ], id: "CVE-2023-52454", lastModified: "2024-04-19T18:40:14.427", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-23T15:15:08.137", references: [ { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510", }, ], sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-476", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }, }, }, }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.