CVE-2023-52767

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tls: fix NULL deref on tls_sw_splice_eof() with empty record<br /> <br /> syzkaller discovered that if tls_sw_splice_eof() is executed as part of<br /> sendfile() when the plaintext/ciphertext sk_msg are empty, the send path<br /> gets confused because the empty ciphertext buffer does not have enough<br /> space for the encryption overhead. This causes tls_push_record() to go on<br /> the `split = true` path (which is only supposed to be used when interacting<br /> with an attached BPF program), and then get further confused and hit the<br /> tls_merge_open_record() path, which then assumes that there must be at<br /> least one populated buffer element, leading to a NULL deref.<br /> <br /> It is possible to have empty plaintext/ciphertext buffers if we previously<br /> bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.<br /> tls_sw_push_pending_record() already handles this case correctly; let&amp;#39;s do<br /> the same check in tls_sw_splice_eof().