CVE-2023-52767 tls: fix NULL deref on tls_sw_splice_eof() with empty record

2024-05-2115:30:50

Linux

www.cve.org

linux kernel

vulnerability

resolved

tls_sw_splice_eof()

sendfile()

plaintext

ciphertext

sk_msg

encryption overhead

tls_push_record()

split

bpf program

tls_merge_open_record()

null deref

tls_sw_sendmsg_locked()

AI Score

6.6

Confidence

High

EPSS

Percentile

15.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

tls: fix NULL deref on tls_sw_splice_eof() with empty record

syzkaller discovered that if tls_sw_splice_eof() is executed as part of
sendfile() when the plaintext/ciphertext sk_msg are empty, the send path
gets confused because the empty ciphertext buffer does not have enough
space for the encryption overhead. This causes tls_push_record() to go on
the split = true path (which is only supposed to be used when interacting
with an attached BPF program), and then get further confused and hit the
tls_merge_open_record() path, which then assumes that there must be at
least one populated buffer element, leading to a NULL deref.

It is possible to have empty plaintext/ciphertext buffers if we previously
bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.
tls_sw_push_pending_record() already handles this case correctly; let’s do
the same check in tls_sw_splice_eof().

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/tls/tls_sw.c"
    ],
    "versions": [
      {
        "version": "5ad627faed13",
        "lessThan": "944900fe2736",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "df720d288dbb",
        "lessThan": "2214e2bb5489",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "df720d288dbb",
        "lessThan": "53f2cb491b50",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/tls/tls_sw.c"
    ],
    "versions": [
      {
        "version": "6.5",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.5",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.4",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]