CVE-2023-52636

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 02/04/2024
Last modified: 17/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

libceph: just wait for more data to be available on the socket

A short read may occur while reading the message footer from the socket. Later, when the socket is ready for another read, the messenger invokes all read_partial_*() handlers, including read_partial_sparse_msg_data(). The expectation is that read_partial_sparse_msg_data() would bail, allowing the messenger to invoke read_partial() for the footer and pick up where it left off.

However read_partial_sparse_msg_data() violates that and ends up calling into the state machine in the OSD client. The sparse-read state machine assumes that it's a new op and interprets some piece of the footer as the sparse-read header and returns bogus extents/data length, etc.

To determine whether read_partial_sparse_msg_data() should bail, let's reuse cursor->total_resid. Because once it reaches zero that means all the extents and data have been successfully received in the last read, else it could break out when partially reading any of the extents and data. And then osd_sparse_read() could continue where it left off.

[ idryomov: changelog ]
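The short-read sequence described above, as an added example that is a simplified model and not kernel code or part of the original record. The names `struct conn`, `take()`, `on_readable()`, `footer_survives_short_read()` and `check_resid`, along with the message sizes and bytes, are assumptions made for illustration; only `total_resid` mirrors the `cursor->total_resid` check named in the description.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not kernel code: a message is 8 bytes of sparse data
 * followed by a 4-byte footer (sizes and bytes are constructed). */
enum { PAYLOAD_LEN = 8, FOOTER_LEN = 4 };

struct conn {
    const unsigned char *buf;   /* bytes currently readable on the "socket" */
    size_t avail;
    size_t total_resid;         /* sparse data still expected (cursor->total_resid) */
    unsigned char footer[FOOTER_LEN];
    size_t footer_got;
    int bogus_ops;              /* footer bytes parsed as a sparse-read header */
};

/* Consume up to `want` readable bytes, copying them to dst when dst is set. */
static size_t take(struct conn *c, unsigned char *dst, size_t want)
{
    size_t n = want < c->avail ? want : c->avail;
    if (dst) memcpy(dst, c->buf, n);
    c->buf += n; c->avail -= n;
    return n;
}

/* Messenger step: on each readable event, run every handler in order. */
static void on_readable(struct conn *c, const unsigned char *p, size_t len, int check_resid)
{
    c->buf = p; c->avail = len;
    /* Stand-in for read_partial_sparse_msg_data(). */
    if (c->total_resid)
        c->total_resid -= take(c, NULL, c->total_resid);
    else if (!check_resid && take(c, NULL, 1))
        c->bogus_ops++;         /* unfixed: state machine assumes a new op */
    /* Stand-in for read_partial() on the footer; resumes where it left off. */
    if (c->total_resid == 0)
        c->footer_got += take(c, c->footer + c->footer_got, FOOTER_LEN - c->footer_got);
}

/* Returns 1 if the footer arrives intact when a short read splits it. */
int footer_survives_short_read(int check_resid)
{
    static const unsigned char wire[] = "DDDDDDDDFOOT";
    struct conn c = { .total_resid = PAYLOAD_LEN };
    on_readable(&c, wire, PAYLOAD_LEN + 2, check_resid);     /* short read */
    on_readable(&c, wire + PAYLOAD_LEN + 2, 2, check_resid); /* remainder */
    return !c.bogus_ops && c.footer_got == FOOTER_LEN && !memcmp(c.footer, "FOOT", FOOTER_LEN);
}

int main(void) { return !(footer_survives_short_read(1) && !footer_survives_short_read(0)); }
```

With `check_resid` set, the second readable event skips the sparse-data handler and the footer read resumes; without it, one footer byte is consumed as a header and the footer never completes.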

Vulnerable products and versions

CPE                                              From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.6 (including)   6.6.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.7 (including)   6.7.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*