cve-2023-52842
Vulnerability from cvelistv5
Published
2024-05-21 15:31
Modified
2024-11-04 14:53
Severity ?
Summary
virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()
Impacted products
Vendor Product Version
Linux Linux Version: 6.3
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52842",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-21T17:26:02.672939Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:23:39.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:11:36.053Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cd12535b97dd7d18cf655ec78ce1cf1f29a576be"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0b8906fb48b99e993d6e8a12539f618f4854dd26"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/34c4effacfc329aeca5635a69fd9e0f6c90b4101"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/virtio_transport_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cd12535b97dd",
              "status": "affected",
              "version": "baddcc2c7157",
              "versionType": "git"
            },
            {
              "lessThan": "0b8906fb48b9",
              "status": "affected",
              "version": "71dc9ec9ac7d",
              "versionType": "git"
            },
            {
              "lessThan": "34c4effacfc3",
              "status": "affected",
              "version": "71dc9ec9ac7d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/virtio_transport_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.7",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()\n\nKMSAN reported the following uninit-value access issue:\n\n=====================================================\nBUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421\n virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\n process_one_work kernel/workqueue.c:2630 [inline]\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\n kthread+0x3cc/0x520 kernel/kthread.c:388\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nUninit was stored to memory at:\n virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline]\n virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\n process_one_work kernel/workqueue.c:2630 [inline]\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\n kthread+0x3cc/0x520 kernel/kthread.c:388\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nUninit was created at:\n slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559\n __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650\n alloc_skb include/linux/skbuff.h:1286 [inline]\n virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline]\n virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58\n virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline]\n virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\n process_one_work kernel/workqueue.c:2630 [inline]\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\n kthread+0x3cc/0x520 kernel/kthread.c:388\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n\nCPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014\nWorkqueue: vsock-loopback vsock_loopback_work\n=====================================================\n\nThe following simple reproducer can cause the issue described above:\n\nint main(void)\n{\n  int sock;\n  struct sockaddr_vm addr = {\n    .svm_family = AF_VSOCK,\n    .svm_cid = VMADDR_CID_ANY,\n    .svm_port = 1234,\n  };\n\n  sock = socket(AF_VSOCK, SOCK_STREAM, 0);\n  connect(sock, (struct sockaddr *)\u0026addr, sizeof(addr));\n  return 0;\n}\n\nThis issue occurs because the `buf_alloc` and `fwd_cnt` fields of the\n`struct virtio_vsock_hdr` are not initialized when a new skb is allocated\nin `virtio_transport_init_hdr()`. This patch resolves the issue by\ninitializing these fields during allocation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T14:53:40.906Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cd12535b97dd7d18cf655ec78ce1cf1f29a576be"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b8906fb48b99e993d6e8a12539f618f4854dd26"
        },
        {
          "url": "https://git.kernel.org/stable/c/34c4effacfc329aeca5635a69fd9e0f6c90b4101"
        }
      ],
      "title": "virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52842",
    "datePublished": "2024-05-21T15:31:41.180Z",
    "dateReserved": "2024-05-21T15:19:24.254Z",
    "dateUpdated": "2024-11-04T14:53:40.906Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-52842\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-21T16:15:21.510\",\"lastModified\":\"2024-11-21T08:40:42.140\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvirtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()\\n\\nKMSAN reported the following uninit-value access issue:\\n\\n=====================================================\\nBUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421\\n virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421\\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\\n process_one_work kernel/workqueue.c:2630 [inline]\\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\\n kthread+0x3cc/0x520 kernel/kthread.c:388\\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\\n\\nUninit was stored to memory at:\\n virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline]\\n virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415\\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\\n process_one_work kernel/workqueue.c:2630 [inline]\\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\\n kthread+0x3cc/0x520 kernel/kthread.c:388\\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\\n\\nUninit was created at:\\n slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767\\n slab_alloc_node mm/slub.c:3478 [inline]\\n kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523\\n kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559\\n __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650\\n alloc_skb include/linux/skbuff.h:1286 [inline]\\n virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline]\\n virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58\\n virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline]\\n virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387\\n vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120\\n process_one_work kernel/workqueue.c:2630 [inline]\\n process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703\\n worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784\\n kthread+0x3cc/0x520 kernel/kthread.c:388\\n ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147\\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\\n\\nCPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3\\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014\\nWorkqueue: vsock-loopback vsock_loopback_work\\n=====================================================\\n\\nThe following simple reproducer can cause the issue described above:\\n\\nint main(void)\\n{\\n  int sock;\\n  struct sockaddr_vm addr = {\\n    .svm_family = AF_VSOCK,\\n    .svm_cid = VMADDR_CID_ANY,\\n    .svm_port = 1234,\\n  };\\n\\n  sock = socket(AF_VSOCK, SOCK_STREAM, 0);\\n  connect(sock, (struct sockaddr *)\u0026addr, sizeof(addr));\\n  return 0;\\n}\\n\\nThis issue occurs because the `buf_alloc` and `fwd_cnt` fields of the\\n`struct virtio_vsock_hdr` are not initialized when a new skb is allocated\\nin `virtio_transport_init_hdr()`. This patch resolves the issue by\\ninitializing these fields during allocation.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: virtio/vsock: corrige el valor uninit en virtio_transport_recv_pkt(). KMSAN inform\u00f3 el siguiente problema de acceso al valor uninit: ================ ===================================== ERROR: KMSAN: valor uninit en virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 Process_one_work workqueue.c:2630 [en l\u00ednea] process_scheduled_works+ 0xff6/0x1e60 kernel/workqueue.c:2703 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit se almacen\u00f3 en la memoria en: virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [en l\u00ednea] virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virt io_transport_common.c:1415 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120 Process_one_work kernel/workqueue.c:2630 [en l\u00ednea] Process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 trabajador_thread+0xeca/0x14d0 kernel/workqueue.c:2784 hilo +0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Uninit se cre\u00f3 en: slab_post_alloc_hook+ 0x105/0xad0 mm/slab.h: 767 slab_alloc_node mm/slub.c: 3478 [inline] kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c: 3523 kmalloc_reserve+0x13c/0x4a0 net/skbuff. fd /0x770 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [en l\u00ednea] virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [en l\u00ednea] virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c: 58 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [en l\u00ednea] virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/v sock_loopback.c:120 proceso_one_work kernel/workqueue.c:2630 [en l\u00ednea] Process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703 trabajador_thread+0xeca/0x14d0 kernel/workqueue.c:2784 kthread+0x3cc/0x520 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/ Process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 CPU: 1 PID: 10664 Comm: kworker/1:5 No contaminado 6.6.0-rc3-00146-g9f3ebbef746f #3 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 01/04/2014 Cola de trabajo: vsock-loopback vsock_loopback_work ===================== ================================= El siguiente reproductor simple puede causar el problema descrito anteriormente: int main(void) { calcet\u00edn interno; struct sockaddr_vm addr = { .svm_family = AF_VSOCK, .svm_cid = VMADDR_CID_ANY, .svm_port = 1234, }; sock = socket(AF_VSOCK, SOCK_STREAM, 0); connect(socket, (struct sockaddr *)\u0026amp;addr, sizeof(addr)); return 0; } Este problema ocurre porque los campos `buf_alloc` y `fwd_cnt` de `struct virtio_vsock_hdr` no se inicializan cuando se asigna un nuevo skb en `virtio_transport_init_hdr()`. Este parche resuelve el problema inicializando estos campos durante la asignaci\u00f3n.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0b8906fb48b99e993d6e8a12539f618f4854dd26\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/34c4effacfc329aeca5635a69fd9e0f6c90b4101\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cd12535b97dd7d18cf655ec78ce1cf1f29a576be\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0b8906fb48b99e993d6e8a12539f618f4854dd26\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/34c4effacfc329aeca5635a69fd9e0f6c90b4101\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/cd12535b97dd7d18cf655ec78ce1cf1f29a576be\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.