Re: CVE-2023-52596: sysctl: Fix out of bounds access for empty sysctl registers

From: Pavel Machek
Date: Wed Mar 20 2024 - 14:59:49 EST


Hi!

> > I have tried to argue before that it's up to the core kernel code to Do
> > The Right Thing, even in the face of crappy out-of-tree code, so to me,
> > since this is a (very very very limited) weakness in the core kernel
> > code, give it a CVE.
> >
> > My attempt at a CVSS for it yields a 3.4 overall:
> > AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:X
> > https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:X&version=3.1
>
> Thank you Luis and Kees for your input. Your efforts are very much
> appreciated. I have read and digested everyone's points.
>
> Since no one (including myself) is willing to conclude that this
> represents _zero_ risk, the allocation will not be rescinded. In our

Well, if you insist this is real risk (it is not), would you be so kind
as to at least fix the "vulnerability" description?

"Module can trigger BUG_ON in kernel" would be suitable, according to
the discussion. Current description is copy/paste nonsense :-(.

Best regards,
Pavel

https://nvd.nist.gov/vuln/detail/CVE-2023-52596
Description
In the Linux kernel, the following vulnerability has been resolved:
sysctl: Fix out of bounds access for empty sysctl registers When
registering tables to the sysctl subsystem there is a check to see if
header is a permanently empty directory (used for mounts). This check
evaluates the first element of the ctl_table. This results in an out
of bounds evaluation when registering empty directories. The function
register_sysctl_mount_point now passes a ctl_table of size 1 instead
of size 0. It now relies solely on the type to identify a permanently
empty register. Make sure that the ctl_table has at least one element
before testing for permanent emptiness.


--
People of Russia, stop Putin before his war on Ukraine escalates.

Attachment: signature.asc
Description: PGP signature
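As an added illustration of the bug class the NVD description above is talking about (this is a simplified userspace model written for this page, not the kernel's proc_sysctl.c, and the struct, enum and function names below only loosely mirror the kernel's): a "permanently empty" sysctl directory used to be recognised by looking at ctl_table[0], which is an out-of-bounds read when the registered table has zero elements. The model keeps the pre-fix logic beside the post-fix logic so the two can be compared on the same inputs: the mount-point registration now hands over a one-element table and a header type, the header check uses only the type, and the table check refuses to touch table[0] unless the table has at least one element.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of the kernel structures involved. */
struct ctl_table {
    const char *procname;   /* NULL in the sentinel entry of an empty dir */
    void *data;
};

enum ctl_table_type {
    SYSCTL_TABLE_TYPE_DEFAULT = 0,
    SYSCTL_TABLE_TYPE_PERMANENTLY_EMPTY,
};

struct ctl_table_header {
    const struct ctl_table *ctl_table;
    size_t ctl_table_size;
    enum ctl_table_type type;
};

/* Pre-fix logic, as described on the page: "permanently empty" is decided
 * by evaluating the first element of the table, with no size check. We do
 * not actually perform the out-of-bounds read in this model; instead the
 * attempt is reported through *oob so a test can observe it. */
static bool prefix_is_perm_empty(const struct ctl_table_header *h, bool *oob)
{
    *oob = (h->ctl_table_size == 0);
    if (*oob)
        return false;           /* real code would read past the array here */
    return h->ctl_table[0].procname == NULL;
}

/* Post-fix logic: the header relies solely on its type ... */
static bool sysctl_is_perm_empty_ctl_header(const struct ctl_table_header *h)
{
    return h->type == SYSCTL_TABLE_TYPE_PERMANENTLY_EMPTY;
}

/* ... and a table is only inspected when it has at least one element. */
static bool sysctl_is_perm_empty_ctl_table(const struct ctl_table *t, size_t n)
{
    if (n == 0)
        return false;
    return t[0].procname == NULL;
}

/* Post-fix mount-point registration: a table of size 1 (a single sentinel
 * entry) instead of size 0, plus the explicit type. */
static const struct ctl_table sysctl_mount_point[] = { { NULL, NULL } };

static struct ctl_table_header register_sysctl_mount_point(void)
{
    struct ctl_table_header h = {
        .ctl_table = sysctl_mount_point,
        .ctl_table_size = sizeof(sysctl_mount_point) / sizeof(sysctl_mount_point[0]),
        .type = SYSCTL_TABLE_TYPE_PERMANENTLY_EMPTY,
    };
    return h;
}

/* A module registering an empty table (the trigger the page discusses):
 * constructed input, not a real kernel table. */
static const struct ctl_table empty_module_table[] = { { "unused", NULL } };

static struct ctl_table_header register_empty_module_table(void)
{
    struct ctl_table_header h = {
        .ctl_table = empty_module_table,
        .ctl_table_size = 0,    /* zero elements registered */
        .type = SYSCTL_TABLE_TYPE_DEFAULT,
    };
    return h;
}

int main(void)
{
    bool oob = false;
    struct ctl_table_header mod = register_empty_module_table();
    struct ctl_table_header mnt = register_sysctl_mount_point();

    prefix_is_perm_empty(&mod, &oob);
    printf("pre-fix check on empty register reads out of bounds: %s\n",
           oob ? "yes" : "no");
    printf("post-fix header check on mount point: %s\n",
           sysctl_is_perm_empty_ctl_header(&mnt) ? "permanently empty" : "normal");
    printf("post-fix table check on empty register: %s\n",
           sysctl_is_perm_empty_ctl_table(mod.ctl_table, mod.ctl_table_size)
               ? "permanently empty" : "not permanently empty");
    return 0;
}
```

Note that the model cannot reproduce the consequence of the real out-of-bounds read (whatever happens to sit after a zero-length array gets interpreted as a ctl_table), which is why the pre-fix path reports the attempt instead of dereferencing; the point of the contrast is only that the post-fix checks never reach table[0] for a zero-sized register.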