CVE-2023-52980 Information

Description

In the Linux kernel, the following vulnerability has been resolved:

block: ublk: extending queue_size to fix overflow

When validating the drafted SPDK ublk target in a case that assigns a large queue depth to a multiqueue ublk device, the ublk target would run into a weird incorrect state. During rounds of review and debugging, an overflow bug was found in the ublk driver.

In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096, which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io) will be larger than 65535 if qd is larger than 2728. Then queue_size overflows and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access.

Extend queue_size in ublk_device to unsigned int.
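The arithmetic behind the bug, as an added example that is not the kernel's code or part of the original advisory: a 16-bit queue_size field silently keeps only the low 16 bits of the per-queue byte count, so the stride ublk_get_queue() multiplies by is wrong for any depth above 2728, and queue 1 is resolved to an address inside queue 0's ios[] array. The struct sizes (56 bytes for struct ublk_queue, 24 bytes for struct ublk_io) are assumptions picked so the wrap happens at depth 2729 as the description states; the real kernel layout differs. The offset model of ublk_get_queue() (base + q_id * queue_size) and the allocation being sized from the full, untruncated value are likewise modelled from the description rather than copied from the driver.

```c
#include <stddef.h>
#include <stdio.h>

/* From include/uapi/linux/ublk_cmd.h (value quoted in the description). */
#define UBLK_MAX_QUEUE_DEPTH 4096u

/* ASSUMED sizes standing in for sizeof(struct ublk_queue) and
 * sizeof(struct ublk_io). Chosen so the per-queue byte count first exceeds
 * 65535 at depth 2729 ("larger than 2728"); not the real kernel layout. */
#define SIZEOF_UBLK_QUEUE 56u
#define SIZEOF_UBLK_IO    24u

/* Bytes one queue occupies: the header followed by `depth` ublk_io slots.
 * Modelled as the full-width value the driver passes to kcalloc(). */
static size_t queue_bytes(unsigned depth)
{
    return SIZEOF_UBLK_QUEUE + (size_t)depth * SIZEOF_UBLK_IO;
}

/* Before the fix: queue_size was an unsigned short, so storing the byte
 * count keeps only the low 16 bits (98360 becomes 32824 at depth 4096). */
static unsigned short queue_size_before_fix(unsigned depth)
{
    return (unsigned short)queue_bytes(depth);
}

/* After the fix: the field is an unsigned int and holds the full value. */
static unsigned int queue_size_after_fix(unsigned depth)
{
    return (unsigned int)queue_bytes(depth);
}

/* Smallest depth at which the 16-bit field wraps, 0 if none up to the max. */
static unsigned first_overflowing_depth(void)
{
    for (unsigned d = 1; d <= UBLK_MAX_QUEUE_DEPTH; d++)
        if (queue_bytes(d) > 0xffffu)
            return d;
    return 0;
}

/* Model of ublk_get_queue(): queue q_id is addressed at
 * __queues + q_id * queue_size, using whatever stride was stored. */
static size_t queue_offset(unsigned q_id, size_t stored_queue_size)
{
    return (size_t)q_id * stored_queue_size;
}

/* 1 if the offset computed from the stored stride matches where the queue
 * was actually laid out (stride == real per-queue size), else 0. With a
 * wrapped stride every q_id >= 1 lands inside an earlier queue, so the
 * ublk_queue fields read through that pointer are really ublk_io contents. */
static int queue_pointer_is_correct(unsigned q_id, unsigned depth,
                                    size_t stored_queue_size)
{
    return queue_offset(q_id, stored_queue_size) ==
           queue_offset(q_id, queue_bytes(depth));
}

/* Which ios[] slot of queue 0 the wrapped pointer for q_id == 1 falls into
 * (0 if the wrapped offset is still inside queue 0's header). */
static size_t aliased_io_slot(unsigned depth)
{
    size_t off = queue_offset(1, queue_size_before_fix(depth));
    if (off < SIZEOF_UBLK_QUEUE)
        return 0;
    return (off - SIZEOF_UBLK_QUEUE) / SIZEOF_UBLK_IO;
}

int main(void)
{
    unsigned depth = UBLK_MAX_QUEUE_DEPTH;

    printf("first depth that wraps the u16 field: %u\n",
           first_overflowing_depth());
    printf("depth %u: real size %zu, u16 field %u, u32 field %u\n", depth,
           queue_bytes(depth), queue_size_before_fix(depth),
           queue_size_after_fix(depth));
    printf("queue 1 before fix: offset %zu (queue 0's ios[%zu]), correct=%d\n",
           queue_offset(1, queue_size_before_fix(depth)),
           aliased_io_slot(depth),
           queue_pointer_is_correct(1, depth, queue_size_before_fix(depth)));
    printf("queue 1 after fix:  offset %zu, correct=%d\n",
           queue_offset(1, queue_size_after_fix(depth)),
           queue_pointer_is_correct(1, depth, queue_size_after_fix(depth)));
    return 0;
}
```

The point worth noting is that nothing out of range is allocated: the buffer is sized from the full value, so no allocator check fires. Only the stride is wrong, which is why the symptom was a "weird incorrect state" (queue metadata read from the middle of another queue's ios[] array) rather than an immediate crash, and why changing the field's type is the whole fix.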

Reference

https://git.kernel.org/stable/c/29baef789c838bd5c02f50c88adbbc6b955aaf61
https://git.kernel.org/stable/c/ee1e3fe4b4579f856997190a00ea4db0307b4332