CVE-2023-52895

In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: don't reissue in case of poll race on multishot request A previous commit fixed a poll race that can occur, but it's only applicable for multishot requests. For a multishot request, we can safely ignore a spurious wakeup, as we never leave the waitqueue to begin with. A blunt reissue of a multishot armed request can cause us to leak a buffer, if they are ring provided. While this seems like a bug in itself, it's not really defined behavior to reissue a multishot request directly. It's less efficient to do so as well, and not required to rearm anything like it is for singleshot poll requests.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4	Patch
https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:6.1.7:*:*:*:*:*:*:*

History

11 Sep 2024, 16:31

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4 -~~	() https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4 - Patch
References	~~() https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13 -~~	() https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13 - Patch
CPE		cpe:2.3:o:linux:linux_kernel:6.1.7:::::::*
First Time		Linux linux Kernel Linux
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-401

21 Aug 2024, 12:30

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-21 07:15

Updated : 2024-09-11 16:31

NVD link : CVE-2023-52895

Mitre link : CVE-2023-52895

CVE.ORG link : CVE-2023-52895

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2023-52895", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-21T07:15:06.007", "references": [{"url": "https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/poll: don't reissue in case of poll race on multishot request\n\nA previous commit fixed a poll race that can occur, but it's only\napplicable for multishot requests. For a multishot request, we can safely\nignore a spurious wakeup, as we never leave the waitqueue to begin with.\n\nA blunt reissue of a multishot armed request can cause us to leak a\nbuffer, if they are ring provided. While this seems like a bug in itself,\nit's not really defined behavior to reissue a multishot request directly.\nIt's less efficient to do so as well, and not required to rearm anything\nlike it is for singleshot poll requests."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: io_uring/poll: no volver a emitir en caso de ejecuci\u00f3n de sondeo en solicitud de m\u00faltiples disparos. Una confirmaci\u00f3n anterior solucion\u00f3 una ejecuci\u00f3n de sondeo que puede ocurrir, pero solo se aplica a solicitudes de m\u00faltiples disparos. Para una solicitud de disparo m\u00faltiple, podemos ignorar con seguridad una activaci\u00f3n espuria, ya que, para empezar, nunca salimos de la cola de espera. Una reemisi\u00f3n contundente de una solicitud de armado de m\u00faltiples disparos puede hacer que perdamos un b\u00fafer, si se proporciona en anillo. Si bien esto parece un error en s\u00ed mismo, en realidad no es un comportamiento definido volver a emitir una solicitud multidisparo directamente. Tambi\u00e9n es menos eficiente hacerlo y no es necesario rearmar nada como lo es para solicitudes de sondeo de un solo disparo."}], "lastModified": "2024-09-11T16:31:31.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:6.1.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6E5E3E6D-B23E-4B23-9819-3DEB8963E4E3"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}