CVE-2023-52464

EDAC/thunderx: Fix possible out-of-bounds string access

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

EDAC/thunderx: Fix possible out-of-bounds string access

Enabling -Wstringop-overflow globally exposes a warning for a common bug
in the usage of strncat():

drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr':
drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' specified bound 1024 equals destination size [-Werror=stringop-overflow=]
1136 | strncat(msg, other, OCX_MESSAGE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
...
1145 | strncat(msg, other, OCX_MESSAGE_SIZE);
...
1150 | strncat(msg, other, OCX_MESSAGE_SIZE);

...

Apparently the author of this driver expected strncat() to behave the
way that strlcat() does, which uses the size of the destination buffer
as its third argument rather than the length of the source buffer. The
result is that there is no check on the size of the allocated buffer.

Change it to strlcat().

[ bp: Trim compiler output, fixup commit message. ]

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: EDAC/thunderx: corrige un posible acceso a cadenas fuera de los límites Al habilitar -Wstringop-overflow globalmente se expone una advertencia para un error común en el uso de strncat(): drivers/edac/ thunderx_edac.c: En la función 'thunderx_ocx_com_threaded_isr': drivers/edac/thunderx_edac.c:1136:17: error: 'strncat' el límite especificado 1024 es igual al tamaño de destino [-Werror=stringop-overflow=] 1136 | strncat(msj, otro, OCX_MESSAGE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ... 1145 | strncat(msj, otro, OCX_MESSAGE_SIZE); ... 1150 | strncat(msj, otro, OCX_MESSAGE_SIZE); ... Aparentemente, el autor de este controlador esperaba que strncat() se comportara de la manera que lo hace strlcat(), que utiliza el tamaño del búfer de destino como tercer argumento en lugar de la longitud del búfer de origen. El resultado es que no se comprueba el tamaño del búfer asignado. Cámbielo a strlcat(). [bp: recortar la salida del compilador, mensaje de confirmación de reparación. ]

A flaw was found in the Linux Kernel. An improper buffer size is provided to the strncat function, which may result in an out-of-bounds write, leading to memory corruption or a denial of service.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-23 CVE Published
2024-04-21 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-805: Buffer Access with Incorrect Length Value

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/41003396f932d7f027725c7acebb6a7caa41dc3e	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00016.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/71c17ee02538802ceafc830f0736aa35b564e601	2024-01-25
https://git.kernel.org/stable/c/5da3b6e7196f0b4f3728e4e25eb20233a9ddfaf6	2024-01-25
https://git.kernel.org/stable/c/6aa7865ba7ff7f0ede0035180fb3b9400ceb405a	2024-01-25
https://git.kernel.org/stable/c/700cf4bead80fac994dcc43ae1ca5d86d8959b21	2024-01-25
https://git.kernel.org/stable/c/9dbac9fdae6e3b411fc4c3fca3bf48f70609c398	2024-01-25
https://git.kernel.org/stable/c/e1c86511241588efffaa49556196f09a498d5057	2024-01-25
https://git.kernel.org/stable/c/426fae93c01dffa379225eb2bd4d3cdc42c6eec5	2024-01-25
https://git.kernel.org/stable/c/475c58e1a471e9b873e3e39958c64a2d278275c8	2023-11-23

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-52464	2024-07-08
https://bugzilla.redhat.com/show_bug.cgi?id=2265800	2024-07-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.12 < 4.19.306 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.12 < 4.19.306"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.12 < 5.4.268 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.12 < 5.4.268"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.12 < 5.10.209 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.12 < 5.10.209"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.12 < 5.15.148 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.12 < 5.15.148"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.12 < 6.1.75 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.12 < 6.1.75"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.12 < 6.6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.12 < 6.6.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.12 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.12 < 6.7.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.12 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.12 < 6.8"		en		Affected