CVE-2023-52636
libceph: just wait for more data to be available on the socket
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
libceph: just wait for more data to be available on the socket
A short read may occur while reading the message footer from the
socket. Later, when the socket is ready for another read, the
messenger invokes all read_partial_*() handlers, including
read_partial_sparse_msg_data(). The expectation is that
read_partial_sparse_msg_data() would bail, allowing the messenger to
invoke read_partial() for the footer and pick up where it left off.
However read_partial_sparse_msg_data() violates that and ends up
calling into the state machine in the OSD client. The sparse-read
state machine assumes that it's a new op and interprets some piece of
the footer as the sparse-read header and returns bogus extents/data
length, etc.
To determine whether read_partial_sparse_msg_data() should bail, let's
reuse cursor->total_resid. Because once it reaches to zero that means
all the extents and data have been successfully received in last read,
else it could break out when partially reading any of the extents and
data. And then osd_sparse_read() could continue where it left off.
[ idryomov: changelog ]
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: "libceph: just wait for more data to be available on the socket". Puede ocurrir una lectura breve mientras se lee el pie de página del mensaje desde el socket. Más tarde, cuando el socket está listo para otra lectura, el mensajero invoca todos los controladores read_partial_*(), incluido read_partial_sparse_msg_data(). La expectativa es que read_partial_sparse_msg_data() saldría, permitiendo al mensajero invocar read_partial() para el pie de página y continuar donde lo dejó. Sin embargo, read_partial_sparse_msg_data() viola eso y termina llamando a la máquina de estado en el cliente OSD. La máquina de estado de lectura dispersa asume que es una nueva operación e interpreta alguna parte del pie de página como el encabezado de lectura dispersa y devuelve extensiones/longitud de datos falsas, etc. Para determinar si read_partial_sparse_msg_data() debe rescatarse, reutilicemos cursor->total_resid . Porque una vez que llega a cero, significa que todas las extensiones y datos se recibieron correctamente en la última lectura; de lo contrario, podría romperse al leer parcialmente cualquiera de las extensiones y datos. Y luego osd_sparse_read() podría continuar donde lo dejó. [idryomov: registro de cambios]
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-03-06 CVE Reserved
- 2024-04-02 CVE Published
- 2024-04-02 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/d396f89db39a2f259e2125ca43b4c31bb65afcad | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.6.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.17" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.7.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.7.5" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.8" | en |
Affected
| ||||||