CVE-2023-52767

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52767
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52767.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52767
Downstream
Related
Published
2024-05-21T15:30:50Z
Modified
2025-10-15T03:51:22.044741Z
Summary
tls: fix NULL deref on tls_sw_splice_eof() with empty record
Details

In the Linux kernel, the following vulnerability has been resolved:

tls: fix NULL deref on tlsswsplice_eof() with empty record

syzkaller discovered that if tlsswspliceeof() is executed as part of sendfile() when the plaintext/ciphertext skmsg are empty, the send path gets confused because the empty ciphertext buffer does not have enough space for the encryption overhead. This causes tlspushrecord() to go on the split = true path (which is only supposed to be used when interacting with an attached BPF program), and then get further confused and hit the tlsmergeopen_record() path, which then assumes that there must be at least one populated buffer element, leading to a NULL deref.

It is possible to have empty plaintext/ciphertext buffers if we previously bailed from tlsswsendmsglocked() via the tlstrimbothmsgs() path. tlsswpushpendingrecord() already handles this case correctly; let's do the same check in tlsswsplice_eof().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5ad627faed136089e27bcd15e0c33760e575c8c3
Fixed
944900fe2736c07288efe2d9394db4d3ca23f2c9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
df720d288dbb1793e82b6ccbfc670ec871e9def4
Fixed
2214e2bb5489145aba944874d0ee1652a0a63dc8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
df720d288dbb1793e82b6ccbfc670ec871e9def4
Fixed
53f2cb491b500897a619ff6abd72f565933760f0

Affected versions

v6.*

v6.4
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.2
v6.6.3
v6.7-rc1

Database specific 

{
    "vanir_signatures": [
        {
            "digest": {
                "line_hashes": [
                    "84569846159298223121702970588491608750",
                    "301022234079520655751304839221340205198",
                    "209015387310399055674936900573120747324",
                    "163453022809532030840320933643310131529",
                    "91150104626554823899881393461588592905",
                    "325638852436319311063229198778147818907",
                    "246005760300839748892309042808248830653",
                    "185320141540387186288713057737075721940"
                ],
                "threshold": 0.9
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@53f2cb491b500897a619ff6abd72f565933760f0",
            "signature_type": "Line",
            "target": {
                "file": "net/tls/tls_sw.c"
            },
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2023-52767-2a36ffa1"
        },
        {
            "digest": {
                "line_hashes": [
                    "84569846159298223121702970588491608750",
                    "301022234079520655751304839221340205198",
                    "209015387310399055674936900573120747324",
                    "163453022809532030840320933643310131529",
                    "91150104626554823899881393461588592905",
                    "325638852436319311063229198778147818907",
                    "246005760300839748892309042808248830653",
                    "185320141540387186288713057737075721940"
                ],
                "threshold": 0.9
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@944900fe2736c07288efe2d9394db4d3ca23f2c9",
            "signature_type": "Line",
            "target": {
                "file": "net/tls/tls_sw.c"
            },
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2023-52767-660d8c4d"
        },
        {
            "digest": {
                "length": 831.0,
                "function_hash": "136860189917197782114001158163491885579"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@944900fe2736c07288efe2d9394db4d3ca23f2c9",
            "signature_type": "Function",
            "target": {
                "function": "tls_sw_splice_eof",
                "file": "net/tls/tls_sw.c"
            },
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2023-52767-7d4092ba"
        },
        {
            "digest": {
                "length": 1169.0,
                "function_hash": "62800527370107821642615384122160974655"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@53f2cb491b500897a619ff6abd72f565933760f0",
            "signature_type": "Function",
            "target": {
                "function": "tls_sw_splice_eof",
                "file": "net/tls/tls_sw.c"
            },
            "deprecated": false,
            "signature_version": "v1",
            "id": "CVE-2023-52767-ca78eba6"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.5.0
Fixed
6.6.4