CVE-2023-52636

libceph: just wait for more data to be available on the socket

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: libceph: just wait for more data to be available on the socket A short read may occur while reading the message footer from the
socket. Later, when the socket is ready for another read, the
messenger invokes all read_partial_*() handlers, including
read_partial_sparse_msg_data(). The expectation is that
read_partial_sparse_msg_data() would bail, allowing the messenger to
invoke read_partial() for the footer and pick up where it left off. However read_partial_sparse_msg_data() violates that and ends up
calling into the state machine in the OSD client. The sparse-read
state machine assumes that it's a new op and interprets some piece of
the footer as the sparse-read header and returns bogus extents/data
length, etc. To determine whether read_partial_sparse_msg_data() should bail, let's
reuse cursor->total_resid. Because once it reaches to zero that means
all the extents and data have been successfully received in last read,
else it could break out when partially reading any of the extents and
data. And then osd_sparse_read() could continue where it left off. [ idryomov: changelog ]

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: "libceph: just wait for more data to be available on the socket". Puede ocurrir una lectura breve mientras se lee el pie de página del mensaje desde el socket. Más tarde, cuando el socket está listo para otra lectura, el mensajero invoca todos los controladores read_partial_*(), incluido read_partial_sparse_msg_data(). La expectativa es que read_partial_sparse_msg_data() saldría, permitiendo al mensajero invocar read_partial() para el pie de página y continuar donde lo dejó. Sin embargo, read_partial_sparse_msg_data() viola eso y termina llamando a la máquina de estado en el cliente OSD. La máquina de estado de lectura dispersa asume que es una nueva operación e interpreta alguna parte del pie de página como el encabezado de lectura dispersa y devuelve extensiones/longitud de datos falsas, etc. Para determinar si read_partial_sparse_msg_data() debe rescatarse, reutilicemos cursor->total_resid . Porque una vez que llega a cero, significa que todas las extensiones y datos se recibieron correctamente en la última lectura; de lo contrario, podría romperse al leer parcialmente cualquiera de las extensiones y datos. Y luego osd_sparse_read() podría continuar donde lo dejó. [idryomov: registro de cambios]

In the Linux kernel, the following vulnerability has been resolved: libceph: just wait for more data to be available on the socket A short read may occur while reading the message footer from the socket. Later, when the socket is ready for another read, the messenger invokes all read_partial_*() handlers, including read_partial_sparse_msg_data(). The expectation is that read_partial_sparse_msg_data() would bail, allowing the messenger to invoke read_partial() for the footer and pick up where it left off. However read_partial_sparse_msg_data() violates that and ends up calling into the state machine in the OSD client. The sparse-read state machine assumes that it's a new op and interprets some piece of the footer as the sparse-read header and returns bogus extents/data length, etc. To determine whether read_partial_sparse_msg_data() should bail, let's reuse cursor->total_resid. Because once it reaches to zero that means all the extents and data have been successfully received in last read, else it could break out when partially reading any of the extents and data. And then osd_sparse_read() could continue where it left off. [ idryomov: changelog ]

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-06 CVE Reserved
2024-04-02 CVE Published
2024-04-02 EPSS Updated
2024-12-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/d396f89db39a2f259e2125ca43b4c31bb65afcad	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/da9c33a70f095d5d55c36d0bfeba969e31de08ae	2024-02-16
https://git.kernel.org/stable/c/bd9442e553ab8bf74b8be3b3c0a43bf4af4dc9b8	2024-02-16
https://git.kernel.org/stable/c/8e46a2d068c92a905d01cbb018b00d66991585ab	2024-02-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.6.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.17"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.7.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.7.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.8"		en		Affected