CVE-2023-52980

In the Linux kernel, the following vulnerability has been resolved: block: ublk: extending queue_size to fix overflow When validating drafted SPDK ublk target, in a case that assigning large queue depth to multiqueue ublk device, ublk target would run into a weird incorrect state. During rounds of review and debug, An overflow bug was found in ublk driver. In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io) will be larger than 65535 if qd is larger than 2728. Then queue_size is overflowed, and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access. Extend queue_size in ublk_device as "unsigned int".

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/29baef789c838bd5c02f50c88adbbc6b955aaf61	Patch
https://git.kernel.org/stable/c/ee1e3fe4b4579f856997190a00ea4db0307b4332	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.2:rc6::::::

History

No history.

Information

Published : 2025-03-27 17:15

Updated : 2025-10-28 18:23

NVD link : CVE-2023-52980

Mitre link : CVE-2023-52980

CVE.ORG link : CVE-2023-52980

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2023-52980", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-03-27T17:15:45.183", "references": [{"url": "https://git.kernel.org/stable/c/29baef789c838bd5c02f50c88adbbc6b955aaf61", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ee1e3fe4b4579f856997190a00ea4db0307b4332", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: ublk: extending queue_size to fix overflow\n\nWhen validating drafted SPDK ublk target, in a case that\nassigning large queue depth to multiqueue ublk device,\nublk target would run into a weird incorrect state. During\nrounds of review and debug, An overflow bug was found\nin ublk driver.\n\nIn ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means\neach ublk queue depth can be set as large as 4096. But\nwhen setting qd for a ublk device,\nsizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)\nwill be larger than 65535 if qd is larger than 2728.\nThen queue_size is overflowed, and ublk_get_queue()\nreferences a wrong pointer position. The wrong content of\nublk_queue elements will lead to out-of-bounds memory\naccess.\n\nExtend queue_size in ublk_device as \"unsigned int\"."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: ublk: extensi\u00f3n de queue_size para corregir el desbordamiento Al validar el borrador del objetivo ublk de SPDK, en un caso en el que se asigna una gran profundidad de cola al dispositivo ublk de m\u00faltiples colas, el objetivo ublk se ejecutar\u00eda en un estado incorrecto extra\u00f1o. Durante las rondas de revisi\u00f3n y depuraci\u00f3n, se encontr\u00f3 un error de desbordamiento en el controlador ublk. En ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH es 4096, lo que significa que cada profundidad de cola ublk se puede configurar tan grande como 4096. Pero al configurar qd para un dispositivo ublk, sizeof(struct ublk_queue) + profundidad * sizeof(struct ublk_io) ser\u00e1 mayor que 65535 si qd es mayor que 2728. Entonces queue_size se desborda y ublk_get_queue() hace referencia a una posici\u00f3n de puntero incorrecta. El contenido incorrecto de los elementos ublk_queue provocar\u00e1 un acceso a memoria fuera de los l\u00edmites. Extienda queue_size en ublk_device como \"unsigned int\"."}], "lastModified": "2025-10-28T18:23:45.827", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45B4BA06-A459-4473-8903-3AE63DA4B625", "versionEndExcluding": "6.1.11", "versionStartIncluding": "6.0"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D34127CC-68F5-4703-A5F6-5006F803E4AE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AB8D555-648E-4F2F-98BD-3E7F45BD12A8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}