CVE-2023-52980

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 27/03/2025
Last modified: 28/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

block: ublk: extending queue_size to fix overflow

When validating drafted SPDK ublk target, in a case that assigning large queue depth to multiqueue ublk device, ublk target would run into a weird incorrect state. During rounds of review and debug, an overflow bug was found in ublk driver.

In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device,
sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)
will be larger than 65535 if qd is larger than 2728. Then queue_size is overflowed, and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access.

Extend queue_size in ublk_device as "unsigned int".
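The truncation described above, as an added example that is not the kernel's code: it compares the queue size held at full width with the same value stored in 16 bits, and shows where a lookup by queue index then lands. The struct sizes (56 and 24 bytes), the back-to-back queue layout and all function names are assumptions chosen so the 16-bit limit is first exceeded at depth 2729, matching the description.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes, not taken from the page: chosen so that the 16-bit
 * limit is first exceeded at depth 2729, as the description states. */
#define HDR_SIZE 56u   /* stand-in for sizeof(struct ublk_queue) */
#define IO_SIZE  24u   /* stand-in for sizeof(struct ublk_io)    */
#define UBLK_MAX_QUEUE_DEPTH 4096u

/* Queue size computed at full width, as after the fix (unsigned int). */
static unsigned int queue_size_fixed(unsigned int depth)
{
    return HDR_SIZE + depth * IO_SIZE;
}

/* The same value stored in a 16-bit field, as before the fix. */
static uint16_t queue_size_truncated(unsigned int depth)
{
    return (uint16_t)queue_size_fixed(depth);
}

/* Byte offset of queue q_id, assuming queues are laid out back to back
 * and located by q_id * queue_size (assumed layout for illustration). */
static unsigned long queue_offset(unsigned int q_id, unsigned int queue_size)
{
    return (unsigned long)q_id * queue_size;
}

/* Smallest depth whose queue size no longer fits in 16 bits. */
static unsigned int first_overflowing_depth(void)
{
    for (unsigned int d = 1; d <= UBLK_MAX_QUEUE_DEPTH; d++)
        if (queue_size_fixed(d) > UINT16_MAX)
            return d;
    return 0;
}

int main(void)
{
    unsigned int d = UBLK_MAX_QUEUE_DEPTH;
    printf("first overflowing depth: %u\n", first_overflowing_depth());
    printf("depth %u: real size %u, 16-bit size %u\n",
           d, queue_size_fixed(d), (unsigned)queue_size_truncated(d));
    printf("queue 1 offset: correct %lu, truncated %lu\n",
           queue_offset(1, queue_size_fixed(d)),
           queue_offset(1, queue_size_truncated(d)));
    return 0;
}
```

With the truncated size, the computed start of queue 1 falls inside the memory that really belongs to queue 0, which is the wrong pointer position the description refers to.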

Vulnerable products and versions

CPE                                                 From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.0 (including)   6.1.11 (excluding)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*