OpenCVE

In the Linux kernel, the following vulnerability has been resolved: tls: fix NULL deref on tls_sw_splice_eof() with empty record syzkaller discovered that if tls_sw_splice_eof() is executed as part of sendfile() when the plaintext/ciphertext sk_msg are empty, the send path gets confused because the empty ciphertext buffer does not have enough space for the encryption overhead. This causes tls_push_record() to go on the `split = true` path (which is only supposed to be used when interacting with an attached BPF program), and then get further confused and hit the tls_merge_open_record() path, which then assumes that there must be at least one populated buffer element, leading to a NULL deref. It is possible to have empty plaintext/ciphertext buffers if we previously bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path. tls_sw_push_pending_record() already handles this case correctly; let's do the same check in tls_sw_splice_eof().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8
https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0
https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9
https://lore.kernel.org/linux-cve-announce/2024052149-CVE-2023-52767-1f5b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2023-52767
https://www.cve.org/CVERecord?id=CVE-2023-52767

History

Mon, 04 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-21T15:30:50.993Z

Updated: 2024-11-04T14:52:18.239Z

Reserved: 2024-05-21T15:19:24.238Z

Link: CVE-2023-52767

Vulnrichment

Updated: 2024-08-02T23:11:35.999Z

NVD

Status : Awaiting Analysis

Published: 2024-05-21T16:15:15.917

Modified: 2024-11-21T08:40:32.643

Link: CVE-2023-52767

Redhat

Severity : Moderate

Publid Date: 2024-05-21T00:00:00Z

Links: CVE-2023-52767 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52767", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T15:19:24.238Z", "datePublished": "2024-05-21T15:30:50.993Z", "dateUpdated": "2024-11-04T14:52:18.239Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:52:18.239Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix NULL deref on tls_sw_splice_eof() with empty record\n\nsyzkaller discovered that if tls_sw_splice_eof() is executed as part of\nsendfile() when the plaintext/ciphertext sk_msg are empty, the send path\ngets confused because the empty ciphertext buffer does not have enough\nspace for the encryption overhead. This causes tls_push_record() to go on\nthe `split = true` path (which is only supposed to be used when interacting\nwith an attached BPF program), and then get further confused and hit the\ntls_merge_open_record() path, which then assumes that there must be at\nleast one populated buffer element, leading to a NULL deref.\n\nIt is possible to have empty plaintext/ciphertext buffers if we previously\nbailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.\ntls_sw_push_pending_record() already handles this case correctly; let's do\nthe same check in tls_sw_splice_eof()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tls/tls_sw.c"], "versions": [{"version": "5ad627faed13", "lessThan": "944900fe2736", "status": "affected", "versionType": "git"}, {"version": "df720d288dbb", "lessThan": "2214e2bb5489", "status": "affected", "versionType": "git"}, {"version": "df720d288dbb", "lessThan": "53f2cb491b50", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tls/tls_sw.c"], "versions": [{"version": "6.5", "status": "affected"}, {"version": "0", "lessThan": "6.5", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.4", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9"}, {"url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8"}, {"url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0"}], "title": "tls: fix NULL deref on tls_sw_splice_eof() with empty record", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52767", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-21T18:35:50.400144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:23:42.766Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:35.999Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:11:35.999Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-52767", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-21T18:35:50.400144Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:25.456Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "tls: fix NULL deref on tls_sw_splice_eof() with empty record", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5ad627faed13", "lessThan": "944900fe2736", "versionType": "git"}, {"status": "affected", "version": "df720d288dbb", "lessThan": "2214e2bb5489", "versionType": "git"}, {"status": "affected", "version": "df720d288dbb", "lessThan": "53f2cb491b50", "versionType": "git"}], "programFiles": ["net/tls/tls_sw.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.5"}, {"status": "unaffected", "version": "0", "lessThan": "6.5", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.4", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/tls/tls_sw.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9"}, {"url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8"}, {"url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix NULL deref on tls_sw_splice_eof() with empty record\n\nsyzkaller discovered that if tls_sw_splice_eof() is executed as part of\nsendfile() when the plaintext/ciphertext sk_msg are empty, the send path\ngets confused because the empty ciphertext buffer does not have enough\nspace for the encryption overhead. This causes tls_push_record() to go on\nthe `split = true` path (which is only supposed to be used when interacting\nwith an attached BPF program), and then get further confused and hit the\ntls_merge_open_record() path, which then assumes that there must be at\nleast one populated buffer element, leading to a NULL deref.\n\nIt is possible to have empty plaintext/ciphertext buffers if we previously\nbailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.\ntls_sw_push_pending_record() already handles this case correctly; let's do\nthe same check in tls_sw_splice_eof()."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T14:52:18.239Z"}}}, "cveMetadata": {"cveId": "CVE-2023-52767", "state": "PUBLISHED", "dateUpdated": "2024-11-04T14:52:18.239Z", "dateReserved": "2024-05-21T15:19:24.238Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T15:30:50.993Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix NULL deref on tls_sw_splice_eof() with empty record\n\nsyzkaller discovered that if tls_sw_splice_eof() is executed as part of\nsendfile() when the plaintext/ciphertext sk_msg are empty, the send path\ngets confused because the empty ciphertext buffer does not have enough\nspace for the encryption overhead. This causes tls_push_record() to go on\nthe `split = true` path (which is only supposed to be used when interacting\nwith an attached BPF program), and then get further confused and hit the\ntls_merge_open_record() path, which then assumes that there must be at\nleast one populated buffer element, leading to a NULL deref.\n\nIt is possible to have empty plaintext/ciphertext buffers if we previously\nbailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.\ntls_sw_push_pending_record() already handles this case correctly; let's do\nthe same check in tls_sw_splice_eof()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: tls: corrige NULL deref en tls_sw_splice_eof() con registro vac\u00edo syzkaller descubri\u00f3 que si tls_sw_splice_eof() se ejecuta como parte de sendfile() cuando el texto plano/texto cifrado sk_msg est\u00e1 vac\u00edo, el env\u00edo La ruta se confunde porque el b\u00fafer de texto cifrado vac\u00edo no tiene suficiente espacio para la sobrecarga de cifrado. Esto hace que tls_push_record() vaya a la ruta `split = true` (que se supone que solo debe usarse al interactuar con un programa BPF adjunto), y luego se confunda a\u00fan m\u00e1s y acceda a la ruta tls_merge_open_record(), que luego supone que hay debe haber al menos un elemento de b\u00fafer poblado, lo que lleva a una deref NULL. Es posible tener buffers de texto plano/texto cifrado vac\u00edos si previamente salimos de tls_sw_sendmsg_locked() a trav\u00e9s de la ruta tls_trim_both_msgs(). tls_sw_push_pending_record() ya maneja este caso correctamente; hagamos la misma verificaci\u00f3n en tls_sw_splice_eof()."}], "id": "CVE-2023-52767", "lastModified": "2024-11-21T08:40:32.643", "metrics": {}, "published": "2024-05-21T16:15:15.917", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: tls: fix NULL deref on tls_sw_splice_eof() with empty record", "id": "2282784", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282784"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntls: fix NULL deref on tls_sw_splice_eof() with empty record\nsyzkaller discovered that if tls_sw_splice_eof() is executed as part of\nsendfile() when the plaintext/ciphertext sk_msg are empty, the send path\ngets confused because the empty ciphertext buffer does not have enough\nspace for the encryption overhead. This causes tls_push_record() to go on\nthe `split = true` path (which is only supposed to be used when interacting\nwith an attached BPF program), and then get further confused and hit the\ntls_merge_open_record() path, which then assumes that there must be at\nleast one populated buffer element, leading to a NULL deref.\nIt is possible to have empty plaintext/ciphertext buffers if we previously\nbailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.\ntls_sw_push_pending_record() already handles this case correctly; let's do\nthe same check in tls_sw_splice_eof()."], "name": "CVE-2023-52767", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52767\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52767\nhttps://lore.kernel.org/linux-cve-announce/2024052149-CVE-2023-52767-1f5b@gregkh/T"], "threat_severity": "Moderate", "upstream_fix": "kernel 6.6.4, kernel 6.7"}