CVE-2023-52842

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52842
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52842.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52842
Published
2024-05-21T15:31:41Z
Modified
2025-10-15T04:46:55.285676Z
Summary
virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()
Details

In the Linux kernel, the following vulnerability has been resolved:

virtio/vsock: Fix uninit-value in virtio_transport_recv_pkt()

KMSAN reported the following uninit-value access issue:

=====================================================
BUG: KMSAN: uninit-value in virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421
 virtio_transport_recv_pkt+0x1dfb/0x26a0 net/vmw_vsock/virtio_transport_common.c:1421
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Uninit was stored to memory at:
 virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1274 [inline]
 virtio_transport_recv_pkt+0x1ee8/0x26a0 net/vmw_vsock/virtio_transport_common.c:1415
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Uninit was created at:
 slab_post_alloc_hook+0x105/0xad0 mm/slab.h:767
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x5a2/0xaf0 mm/slub.c:3523
 kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:559
 __alloc_skb+0x2fd/0x770 net/core/skbuff.c:650
 alloc_skb include/linux/skbuff.h:1286 [inline]
 virtio_vsock_alloc_skb include/linux/virtio_vsock.h:66 [inline]
 virtio_transport_alloc_skb+0x90/0x11e0 net/vmw_vsock/virtio_transport_common.c:58
 virtio_transport_reset_no_sock net/vmw_vsock/virtio_transport_common.c:957 [inline]
 virtio_transport_recv_pkt+0x1279/0x26a0 net/vmw_vsock/virtio_transport_common.c:1387
 vsock_loopback_work+0x3bb/0x5a0 net/vmw_vsock/vsock_loopback.c:120
 process_one_work kernel/workqueue.c:2630 [inline]
 process_scheduled_works+0xff6/0x1e60 kernel/workqueue.c:2703
 worker_thread+0xeca/0x14d0 kernel/workqueue.c:2784
 kthread+0x3cc/0x520 kernel/kthread.c:388
 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

CPU: 1 PID: 10664 Comm: kworker/1:5 Not tainted 6.6.0-rc3-00146-g9f3ebbef746f #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Workqueue: vsock-loopback vsock_loopback_work

The following simple reproducer can cause the issue described above:

#include <sys/socket.h>
#include <linux/vm_sockets.h>

int main(void)
{
    int sock;
    struct sockaddr_vm addr = {
        .svm_family = AF_VSOCK,
        .svm_cid = VMADDR_CID_ANY,
        .svm_port = 1234,
    };

    sock = socket(AF_VSOCK, SOCK_STREAM, 0);
    connect(sock, (struct sockaddr *)&addr, sizeof(addr));
    return 0;
}

This issue occurs because the buf_alloc and fwd_cnt fields of the struct virtio_vsock_hdr are not initialized when a new skb is allocated in virtio_transport_init_hdr(). This patch resolves the issue by initializing these fields during allocation.
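The root cause described above, modeled in user space as an added example (not code from the kernel or from the patch). The struct is a simplified stand-in for struct virtio_vsock_hdr, the helper names init_hdr and uninit_credit_fields are hypothetical, and a poison byte pattern stands in for KMSAN's tracking of never-written memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for struct virtio_vsock_hdr (no packing, no __le types). */
struct hdr {
    uint64_t src_cid, dst_cid;
    uint32_t src_port, dst_port, len;
    uint16_t type, op;
    uint32_t flags, buf_alloc, fwd_cnt;
};

#define POISON_BYTE 0xAA          /* constructed marker for "never written" */
#define POISON_U32  0xAAAAAAAAu

/* fixed == 0: header setup that skips buf_alloc and fwd_cnt (the bug).
 * fixed == 1: the same setup plus the two initializations (the fix). */
static void init_hdr(struct hdr *h, int fixed)
{
    h->src_cid = 1;  h->dst_cid = 1;          /* constructed sample values */
    h->src_port = 1234;  h->dst_port = 5678;
    h->len = 0;  h->type = 1;  h->op = 3;  h->flags = 0;
    if (fixed) {
        h->buf_alloc = 0;
        h->fwd_cnt = 0;
    }
}

/* Allocate an unzeroed buffer, build the header, count poisoned credit fields. */
int uninit_credit_fields(int fixed)
{
    struct hdr *h = malloc(sizeof(*h));
    int n;
    if (!h)
        return -1;
    memset(h, POISON_BYTE, sizeof(*h));       /* slab memory is not zeroed */
    init_hdr(h, fixed);
    n = (h->buf_alloc == POISON_U32) + (h->fwd_cnt == POISON_U32);
    free(h);
    return n;
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n",
           uninit_credit_fields(0), uninit_credit_fields(1));
    return 0;
}
```

In the kernel the receiver copies these two fields into the socket's peer credit state, which is the read KMSAN flags in virtio_transport_space_update.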

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
baddcc2c71572968cdaeee1c4ab3dc0ad90fa765
Fixed
cd12535b97dd7d18cf655ec78ce1cf1f29a576be
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
71dc9ec9ac7d3eee785cdc986c3daeb821381e20
Fixed
0b8906fb48b99e993d6e8a12539f618f4854dd26
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
71dc9ec9ac7d3eee785cdc986c3daeb821381e20
Fixed
34c4effacfc329aeca5635a69fd9e0f6c90b4101

Affected versions

v6.*

v6.2
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.6.2