Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

017 - Ir a la línea de ayuda en Ciberseguridad    Ir a Agenda     Ir a Sala de prensa     Ir a suscripción de boletines

Ir al buscador

CVE-2023-53513

Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
01/10/2025
Última modificación:
02/10/2025

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nbd: fix incomplete validation of ioctl arg<br /> <br /> We tested and found an alarm caused by nbd_ioctl arg without verification.<br /> The UBSAN warning calltrace like below:<br /> <br /> UBSAN: Undefined behaviour in fs/buffer.c:1709:35<br /> signed integer overflow:<br /> -9223372036854775808 - 1 cannot be represented in type &amp;#39;long long int&amp;#39;<br /> CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1<br /> Hardware name: linux,dummy-virt (DT)<br /> Call trace:<br /> dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78<br /> show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158<br /> __dump_stack lib/dump_stack.c:77 [inline]<br /> dump_stack+0x170/0x1dc lib/dump_stack.c:118<br /> ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161<br /> handle_overflow+0x188/0x1dc lib/ubsan.c:192<br /> __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206<br /> __block_write_full_page+0x94c/0xa20 fs/buffer.c:1709<br /> block_write_full_page+0x1f0/0x280 fs/buffer.c:2934<br /> blkdev_writepage+0x34/0x40 fs/block_dev.c:607<br /> __writepage+0x68/0xe8 mm/page-writeback.c:2305<br /> write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240<br /> generic_writepages+0xdc/0x148 mm/page-writeback.c:2329<br /> blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114<br /> do_writepages+0xd4/0x250 mm/page-writeback.c:2344<br /> <br /> The reason for triggering this warning is __block_write_full_page()<br /> -&gt; i_size_read(inode) - 1 overflow.<br /> inode-&gt;i_size is assigned in __nbd_ioctl() -&gt; nbd_set_size() -&gt; bytesize.<br /> We think it is necessary to limit the size of arg to prevent errors.<br /> <br /> Moreover, __nbd_ioctl() -&gt; nbd_add_socket(), arg will be cast to int.<br /> Assuming the value of arg is 0x80000000000000001) (on a 64-bit machine),<br /> it will become 1 after the coercion, which will return unexpected results.<br /> <br /> Fix it by adding checks to prevent passing in too large numbers.

Impacto

Referencias a soluciones, herramientas e información