CVE-2023-52672

2024-05-1714:15:10

CWE-400

Linux

web.nvd.nist.gov

(linux kernel

pipe vulnerability

pipe resizing)

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.7

Confidence

Low

EPSS

Percentile

10.3%

JSON

In the Linux kernel, the following vulnerability has been resolved:

pipe: wakeup wr_wait after setting max_usage

Commit c73be61cede5 (“pipe: Add general notification queue support”) a
regression was introduced that would lock up resized pipes under certain
conditions. See the reproducer in [1].

The commit resizing the pipe ring size was moved to a different
function, doing that moved the wakeup for pipe->wr_wait before actually
raising pipe->max_usage. If a pipe was full before the resize occured it
would result in the wakeup never actually triggering pipe_write.

Set @max_usage and @nr_accounted before waking writers if this isn’t a
watch queue.

[Christian Brauner <[email protected]>: rewrite to account for watch queues]

Affected configurations

Vulners

Node

linuxlinux_kernelRange5.8–5.10.210

linuxlinux_kernelRange5.11.0–5.15.149

linuxlinux_kernelRange5.16.0–6.1.76

linuxlinux_kernelRange6.2.0–6.6.15

linuxlinux_kernelRange6.7.0–6.7.3

linuxlinux_kernelRange6.8.0≥

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/pipe.c"
    ],
    "versions": [
      {
        "version": "c73be61cede5",
        "lessThan": "162ae0e78bda",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c73be61cede5",
        "lessThan": "3efbd114b915",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c73be61cede5",
        "lessThan": "b87a1229d866",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c73be61cede5",
        "lessThan": "68e51bdb1194",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c73be61cede5",
        "lessThan": "6fb70694f8d1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c73be61cede5",
        "lessThan": "e95aada4cb93",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/pipe.c"
    ],
    "versions": [
      {
        "version": "5.8",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.8",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.210",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.149",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.76",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.15",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7.3",
        "lessThanOrEqual": "6.7.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]