CVE-2023-52895

In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: don't reissue in case of poll race on multishot request A previous commit fixed a poll race that can occur, but it's only applicable for multishot requests. For a multishot request, we can safely ignore a spurious wakeup, as we never leave the waitqueue to begin with. A blunt reissue of a multishot armed request can cause us to leak a buffer, if they are ring provided. While this seems like a bug in itself, it's not really defined behavior to reissue a multishot request directly. It's less efficient to do so as well, and not required to rearm anything like it is for singleshot poll requests.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4	Patch
https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:6.1.7:*:*:*:*:*:*:*

History

11 Sep 2024, 16:31

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:o:linux:linux_kernel:6.1.7:::::::*
First Time		Linux linux Kernel Linux
CWE		CWE-401
References	~~() https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4 -~~	() https://git.kernel.org/stable/c/36fc7317cdb16cfeae0f879916995037bb615ac4 - Patch
References	~~() https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13 -~~	() https://git.kernel.org/stable/c/8caa03f10bf92cb8657408a6ece6a8a73f96ce13 - Patch

21 Aug 2024, 12:30

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: io_uring/poll: no volver a emitir en caso de ejecución de sondeo en solicitud de múltiples disparos. Una confirmación anterior solucionó una ejecución de sondeo que puede ocurrir, pero solo se aplica a solicitudes de múltiples disparos. Para una solicitud de disparo múltiple, podemos ignorar con seguridad una activación espuria, ya que, para empezar, nunca salimos de la cola de espera. Una reemisión contundente de una solicitud de armado de múltiples disparos puede hacer que perdamos un búfer, si se proporciona en anillo. Si bien esto parece un error en sí mismo, en realidad no es un comportamiento definido volver a emitir una solicitud multidisparo directamente. También es menos eficiente hacerlo y no es necesario rearmar nada como lo es para solicitudes de sondeo de un solo disparo.

21 Aug 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-21 07:15

Updated : 2024-09-11 16:31

NVD link : CVE-2023-52895

Mitre link : CVE-2023-52895

CVE.ORG link : CVE-2023-52895

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

5.5 /10