Bug 1211895 (CVE-2023-34256)

Summary: VUL-0: DISPUTED: CVE-2023-34256: kernel: potential slab-out-of-bounds in ext4_group_desc_csum
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: chester.lin, gabriele.sonnu, rfrohl, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/368048/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-34256:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gabriele Sonnu 2023-06-01 09:03:25 UTC
CVE-2023-34256

An issue was discovered in the Linux kernel before 6.3.3. There is an
out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c
because ext4_group_desc_csum does not properly check an offset.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34256
https://www.cve.org/CVERecord?id=CVE-2023-34256
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.3
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f04351888a83e595571de672e0a4a8b74f4fb31
https://syzkaller.appspot.com/bug?extid=8785e41224a3afd04321

Comment 1 Gabriele Sonnu 2023-06-01 09:04:45 UTC
Tracking as affected:

 - SLE12-SP5
 - SLE15-SP4
 - SLE15-SP5
 - SLE15-SP5-GA
 - cve/linux-4.12
 - cve/linux-4.4
 - cve/linux-5.3

Fixing commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f04351888a83e595571de672e0a4a8b74f4fb31

Comment 3 Jan Kara 2023-06-01 09:56:23 UTC
Gabriele, can you please dispute this CVE? Whoever filed it didn't think much about it... The changelog has in its first lines:

    When modifying the block device while it is mounted by the filesystem,
    syzbot reported the following:

So yes, if you have write access to the buffer cache of a block device and can make the kernel mount such a device, you can crash the kernel. But this is not something the kernel ever tried to protect against because there is no practical protection - such access is pretty much equivalent to write access to any other kernel memory.

In this particular case we have accepted the fix to ext4:
a) because it was actually cleaning up the code
b) because it silenced some syzbot reports

but by no means is this relevant to security or even fixing any bug.

Comment 5 Jan Kara 2023-06-05 14:53:09 UTC
Thanks! So nothing to be done here, reassigning back to security team.

Comment 6 Robert Frohl 2024-05-14 10:51:41 UTC
done, closing