| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025120957-CVE-2023-53840-797d@gregkh> Date: Tue, 9 Dec 2025 10:31:24 +0900 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2023-53840: usb: early: xhci-dbc: Fix a potential out-of-bound memory access From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: early: xhci-dbc: Fix a potential out-of-bound memory access If xdbc_bulk_write() fails, the values in 'buf' can be anything. So the string is not guaranteed to be NULL terminated when xdbc_trace() is called. Reserve an extra byte, which will be zeroed automatically because 'buf' is a static variable, in order to avoid troubles, should it happen. The Linux kernel CVE team has assigned CVE-2023-53840 to this issue. Affected and fixed versions =========================== Issue introduced in 4.12 with commit aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 and fixed in 5.15.99 with commit e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0 Issue introduced in 4.12 with commit aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 and fixed in 6.1.16 with commit 351c8d8650d1ccc006255fa01f98b6c6496a02e5 Issue introduced in 4.12 with commit aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 and fixed in 6.2.3 with commit df7c8aba7309f4dc55df94e06b67f576c0f52406 Issue introduced in 4.12 with commit aeb9dd1de98c1a5f2007ea5d2a154c1244caf8a0 and fixed in 6.3 with commit a4a97ab3db5c081eb6e7dba91306adefb461e0bd Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-53840 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/early/xhci-dbc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/e8fb0f13e45cf361fd06593d3cb2d89915cd3bd0 https://git.kernel.org/stable/c/351c8d8650d1ccc006255fa01f98b6c6496a02e5 https://git.kernel.org/stable/c/df7c8aba7309f4dc55df94e06b67f576c0f52406 https://git.kernel.org/stable/c/a4a97ab3db5c081eb6e7dba91306adefb461e0bd
Powered by blists - more mailing lists