Message-ID: <2025100127-CVE-2023-53502-aa6a@gregkh>
Date: Wed,  1 Oct 2025 13:45:54 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53502: xen/netback: Fix buffer overrun triggered by unusual packet

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

xen/netback: Fix buffer overrun triggered by unusual packet

It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.

Rework the code to account for the extra frag_overflow slots.

This is CVE-2023-34319 / XSA-432.

The Linux kernel CVE team has assigned CVE-2023-53502 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.14.302 with commit e173cefc814dec81e9836ecc866cdba154e693cd and fixed in 4.14.321 with commit e1142d87c185c7d7bbf05d175754638b5b9dbf16
	Issue introduced in 4.19.269 with commit 44dfdecc288b8d5932e09f5e6a597a089d5a82b2 and fixed in 4.19.290 with commit 11e6919ae028b5de1fc48007354ea07069561b31
	Issue introduced in 5.4.227 with commit 8fe1bf6f32cd5b96ddcd2a38110603fe34753e52 and fixed in 5.4.252 with commit bc7b9a6c2ca42b116b0f24dbaa52b5a07d96d1d6
	Issue introduced in 5.10.159 with commit 49e07c0768dbebff672ee1834eff9680fc6277bf and fixed in 5.10.189 with commit f9167a2d6b943f30743de6ff8163d1981c34f9a9
	Issue introduced in 5.15.83 with commit 0fe29bd92594a747a2561589bd452c259451929e and fixed in 5.15.125 with commit b14a3924c2675c22e07a5a190223b6b6cdc2867d
	Issue introduced in 6.1 with commit ad7f402ae4f466647c3a669b8a6f3e5d4271c84a and fixed in 6.1.44 with commit fa5b932b77c815d0e416612859d5899424bb4212
	Issue introduced in 6.1 with commit ad7f402ae4f466647c3a669b8a6f3e5d4271c84a and fixed in 6.4.9 with commit cf482893f721f76ac60c0a43482a59b2f194156b
	Issue introduced in 6.1 with commit ad7f402ae4f466647c3a669b8a6f3e5d4271c84a and fixed in 6.5 with commit 534fc31d09b706a16d83533e16b5dc855caf7576
	Issue introduced in 4.9.336 with commit 1a1d9be7b36ee6cbdeb9d160038834d707256e88
	Issue introduced in 6.0.13 with commit e8851d841fe4f29b613a00de45f39c80dbfdb975

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53502
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/xen-netback/netback.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e1142d87c185c7d7bbf05d175754638b5b9dbf16
	https://git.kernel.org/stable/c/11e6919ae028b5de1fc48007354ea07069561b31
	https://git.kernel.org/stable/c/bc7b9a6c2ca42b116b0f24dbaa52b5a07d96d1d6
	https://git.kernel.org/stable/c/f9167a2d6b943f30743de6ff8163d1981c34f9a9
	https://git.kernel.org/stable/c/b14a3924c2675c22e07a5a190223b6b6cdc2867d
	https://git.kernel.org/stable/c/fa5b932b77c815d0e416612859d5899424bb4212
	https://git.kernel.org/stable/c/cf482893f721f76ac60c0a43482a59b2f194156b
	https://git.kernel.org/stable/c/534fc31d09b706a16d83533e16b5dc855caf7576
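
The slot accounting described in the commit message, as a simplified model added here for illustration (not the kernel's code and not the actual patch). The function names, the MAX_FRAGS and COPY_LEN values and the sample packet are assumptions made for the model.

```c
#include <stdio.h>

#define MAX_FRAGS 17u  /* assumed per-packet fragment limit for this model */
#define COPY_LEN 128u  /* assumed value standing in for XEN_NETBACK_TX_COPY_LEN */

/* Slots fully used up while copying the first min(len, COPY_LEN) bytes. */
static unsigned slots_copied(const unsigned *slot_len, unsigned n_slots)
{
    unsigned total = 0, used = 0;
    for (unsigned i = 0; i < n_slots; i++)
        total += slot_len[i];
    unsigned left = total < COPY_LEN ? total : COPY_LEN;
    while (left > 0 && used < n_slots && slot_len[used] <= left)
        left -= slot_len[used++];
    return used;
}

/* Slots left for the mapping loop (n_slots >= 1 is assumed).
 * count_overflow = 0 models the old accounting, 1 the reworked one. */
static unsigned slots_to_map(const unsigned *slot_len, unsigned n_slots,
                             int count_overflow)
{
    unsigned extra = n_slots - 1;                 /* slots after the head */
    unsigned nr_frags = extra > MAX_FRAGS ? MAX_FRAGS : extra;
    unsigned frag_overflow = extra - nr_frags;
    unsigned nr_slots = nr_frags + 1 + (count_overflow ? frag_overflow : 0);
    return nr_slots - slots_copied(slot_len, n_slots); /* unsigned: can wrap */
}

/* Invariant: the loop can never need more slots than were supplied. */
static int count_is_sane(unsigned to_map, unsigned n_slots)
{
    return to_map <= n_slots;
}

/* Constructed input: head + 18 slots of 6 bytes each, 114 bytes in total. */
static const unsigned tiny_pkt[19] = { 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
                                       6, 6, 6, 6, 6, 6, 6, 6, 6 };

int main(void)
{
    unsigned old_n = slots_to_map(tiny_pkt, 19, 0);
    unsigned new_n = slots_to_map(tiny_pkt, 19, 1);
    printf("old accounting: %u (sane=%d)\n", old_n, count_is_sane(old_n, 19));
    printf("new accounting: %u (sane=%d)\n", new_n, count_is_sane(new_n, 19));
    return 0;
}
```

With the overflow slot left out of the count, the unsigned subtraction wraps and the mapping loop's bound becomes a huge value; counting it brings the bound to zero for this packet.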
