CVE-2023-52980

Source: https://nvd.nist.gov/vuln/detail/CVE-2023-52980
Import Source: https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52980.json
JSON Data: https://api.osv.dev/v1/vulns/CVE-2023-52980
Published: 2025-03-27T16:43:19Z
Modified: 2025-10-15T04:56:25.167923Z
Summary
block: ublk: extending queue_size to fix overflow
Details

In the Linux kernel, the following vulnerability has been resolved:

block: ublk: extending queue_size to fix overflow

When validating a drafted SPDK ublk target, in the case of assigning a large queue depth to a multiqueue ublk device, the ublk target would run into a weird incorrect state. During rounds of review and debugging, an overflow bug was found in the ublk driver.

In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096, which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io) will be larger than 65535 if qd is larger than 2728. Then queue_size is overflowed, and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access.

Extend queue_size in ublk_device as "unsigned int".
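
The truncation described above, as an added user-space example that is not kernel code and not part of the original advisory. The header and per-io sizes are assumptions chosen to be consistent with the 2728 threshold stated above, and the `q_id * queue_size` offset is a simplified model of how a per-queue pointer is derived.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes (not taken from the page): chosen so the sum first exceeds
 * 65535 when depth exceeds 2728, as the advisory states. */
#define QUEUE_HDR_SIZE  56u    /* stand-in for sizeof(struct ublk_queue) */
#define IO_SIZE         24u    /* stand-in for sizeof(struct ublk_io) */
#define MAX_QUEUE_DEPTH 4096u  /* UBLK_MAX_QUEUE_DEPTH per the advisory */

/* Pre-fix behaviour: the per-queue size is stored in a 16-bit field. */
static uint16_t queue_size_u16(unsigned depth)
{
    return (uint16_t)(QUEUE_HDR_SIZE + depth * IO_SIZE);
}

/* Post-fix behaviour: the field is an unsigned int. */
static unsigned int queue_size_u32(unsigned depth)
{
    return QUEUE_HDR_SIZE + depth * IO_SIZE;
}

/* Byte offset of queue q_id in the queue area (simplified model). */
static size_t queue_offset(unsigned q_id, unsigned int queue_size)
{
    return (size_t)q_id * queue_size;
}

/* Smallest depth whose true size no longer fits in 16 bits, or 0 if none. */
static unsigned first_truncating_depth(void)
{
    for (unsigned d = 1; d <= MAX_QUEUE_DEPTH; d++)
        if (queue_size_u32(d) != queue_size_u16(d))
            return d;
    return 0;
}

int main(void)
{
    unsigned d = MAX_QUEUE_DEPTH;
    printf("first truncating depth: %u\n", first_truncating_depth());
    printf("depth %u: true size %u, 16-bit size %u\n",
           d, queue_size_u32(d), (unsigned)queue_size_u16(d));
    printf("queue 1 offset: expected %zu, computed %zu\n",
           queue_offset(1, queue_size_u32(d)),
           queue_offset(1, queue_size_u16(d)));
    return 0;
}
```

With the truncated size, the computed offset for queue 1 falls inside queue 0's io array, which is the "wrong pointer position" the description refers to.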

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 71f28f3136aff5890cd56de78abc673f8393cad9
  Fixed: ee1e3fe4b4579f856997190a00ea4db0307b4332

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
  Introduced: 71f28f3136aff5890cd56de78abc673f8393cad9
  Fixed: 29baef789c838bd5c02f50c88adbbc6b955aaf61

Affected versions

v5.*

v5.19
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9

Database specific

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "drivers/block/ublk_drv.c"
            },
            "id": "CVE-2023-52980-084e5eb8",
            "digest": {
                "line_hashes": [
                    "36133957002069705702728410441705541582",
                    "129265880719326603401388096490435791176",
                    "17503304119524248954153258889049057074",
                    "249475897600195145339823604342241637783"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ee1e3fe4b4579f856997190a00ea4db0307b4332"
        },
        {
            "deprecated": false,
            "signature_type": "Line",
            "target": {
                "file": "drivers/block/ublk_drv.c"
            },
            "id": "CVE-2023-52980-288ea292",
            "digest": {
                "line_hashes": [
                    "36133957002069705702728410441705541582",
                    "129265880719326603401388096490435791176",
                    "17503304119524248954153258889049057074",
                    "249475897600195145339823604342241637783"
                ],
                "threshold": 0.9
            },
            "signature_version": "v1",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@29baef789c838bd5c02f50c88adbbc6b955aaf61"
        }
    ]
}

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 6.0.0
  Fixed: 6.1.11