CVE-2023-52903

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52903
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52903.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52903
Related
Published
2024-08-21T07:15:06Z
Modified
2024-09-18T03:24:40.882764Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

io_uring: lock overflowing for IOPOLL

syzbot reports an issue with overflow filling for IOPOLL:

WARNING: CPU: 0 PID: 28 at iouring/iouring.c:734 iocqringeventoverflow+0x1c0/0x230 iouring/iouring.c:734 CPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0 Workqueue: eventsunbound ioringexitwork Call trace:  iocqringeventoverflow+0x1c0/0x230 iouring/iouring.c:734  ioreqcqeoverflow+0x5c/0x70 iouring/iouring.c:773  iofillcqereq iouring/iouring.h:168 [inline]  iodoiopoll+0x474/0x62c iouring/rw.c:1065  ioiopolltryreapevents+0x6c/0x108 iouring/iouring.c:1513  iouringtrycancelrequests+0x13c/0x258 iouring/iouring.c:3056  ioringexitwork+0xec/0x390 iouring/iouring.c:2869  processonework+0x2d8/0x504 kernel/workqueue.c:2289  workerthread+0x340/0x610 kernel/workqueue.c:2436  kthread+0x12c/0x158 kernel/kthread.c:376  retfrom_fork+0x10/0x20 arch/arm64/kernel/entry.S:863

There is no real problem for normal IOPOLL as flush is also called with uringlock taken, but it's getting more complicated for IOPOLL|SQPOLL, for which _iocqringoverflow_flush() happens from the CQ waiting path.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}