CVE-2023-52454

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec(). Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 lr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp] Call trace: process_one_work+0x174/0x3c8 worker_thread+0x2d0/0x3e8 kthread+0x104/0x110 Fix the bug by raising a fatal error if DATAL isn't coherent with the packet size. Also, the PDU length should never exceed the MAXH2CDATA parameter which has been communicated to the host in nvmet_tcp_handle_icreq().

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88	Patch
https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42	Patch
https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d	Patch
https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68	Patch
https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d	Patch
https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be	Patch
https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510	Patch
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2024-02-23 15:15

Updated : 2024-06-25 21:15

NVD link : CVE-2023-52454

Mitre link : CVE-2023-52454

CVE.ORG link : CVE-2023-52454

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2023-52454", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-02-23T15:15:08.137", "references": [{"url": "https://git.kernel.org/stable/c/24e05760186dc070d3db190ca61efdbce23afc88", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2871aa407007f6f531fae181ad252486e022df42", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4cb3cf7177ae3666be7fb27d4ad4d72a295fb02d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/70154e8d015c9b4fb56c1a2ef1fc8b83d45c7f68", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ee5e7632e981673f42a50ade25e71e612e543d9d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/efa56305908ba20de2104f1b8508c6a7401833be", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f775f2621c2ac5cc3a0b3a64665dad4fb146e510", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length\n\nIf the host sends an H2CData command with an invalid DATAL,\nthe kernel may crash in nvmet_tcp_build_pdu_iovec().\n\nUnable to handle kernel NULL pointer dereference at\nvirtual address 0000000000000000\nlr : nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp]\nCall trace:\n process_one_work+0x174/0x3c8\n worker_thread+0x2d0/0x3e8\n kthread+0x104/0x110\n\nFix the bug by raising a fatal error if DATAL isn't coherent\nwith the packet size.\nAlso, the PDU length should never exceed the MAXH2CDATA parameter which\nhas been communicated to the host in nvmet_tcp_handle_icreq()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: nvmet-tcp: soluciona un p\u00e1nico del kernel cuando el host env\u00eda una longitud de PDU H2C no v\u00e1lida. Si el host env\u00eda un comando H2CData con un DATAL no v\u00e1lido, el kernel puede fallar en nvmet_tcp_build_pdu_iovec(). No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000000 lr: nvmet_tcp_io_work+0x6ac/0x718 [nvmet_tcp] Rastreo de llamadas: Process_one_work+0x174/0x3c8 trabajador_thread+0x2d0/0x3e8 kthread+0x104/0x110 Solucione el error generando un error fatal si DATAL es No es coherente con el tama\u00f1o del paquete. Adem\u00e1s, la longitud de la PDU nunca debe exceder el par\u00e1metro MAXH2CDATA que se ha comunicado al host en nvmet_tcp_handle_icreq()."}], "lastModified": "2024-06-25T21:15:52.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC321538-B8AF-474D-83B4-EC34D319F835", "versionEndExcluding": "5.4.268", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D2E4F24-2FBB-4434-8598-2B1499E566B5", "versionEndExcluding": "5.10.209", "versionStartIncluding": "5.5.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E25E1389-4B0F-407A-9C94-5908FF3EE88B", "versionEndExcluding": "5.15.148", "versionStartIncluding": "5.11.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C4951FA-80C0-4B4C-9836-6E5035DEB0F9", "versionEndExcluding": "6.1.75", "versionStartIncluding": "5.16.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDBBEB0E-D13A-4567-8984-51C5375350B9", "versionEndExcluding": "6.6.14", "versionStartIncluding": "6.2.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EA3778C-730B-464C-8023-18CA6AC0B807", "versionEndExcluding": "6.7.2", "versionStartIncluding": "6.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}