Bug 1224938 (CVE-2023-52700) - VUL-0: CVE-2023-52700: kernel: tipc: fix kernel warning when sending SYN message
Summary: VUL-0: CVE-2023-52700: kernel: tipc: fix kernel warning when sending SYN message
Status: RESOLVED INVALID
Alias: CVE-2023-52700
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/407172/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52700:3.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-22 11:57 UTC by SMASH SMASH
Modified: 2024-07-12 13:31 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-05-22 11:57:33 UTC 
In the Linux kernel, the following vulnerability has been resolved:

tipc: fix kernel warning when sending SYN message

When sending a SYN message, this kernel stack trace is observed:

...
[   13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550
...
[   13.398494] Call Trace:
[   13.398630]  <TASK>
[   13.398630]  ? __alloc_skb+0xed/0x1a0
[   13.398630]  tipc_msg_build+0x12c/0x670 [tipc]
[   13.398630]  ? shmem_add_to_page_cache.isra.71+0x151/0x290
[   13.398630]  __tipc_sendmsg+0x2d1/0x710 [tipc]
[   13.398630]  ? tipc_connect+0x1d9/0x230 [tipc]
[   13.398630]  ? __local_bh_enable_ip+0x37/0x80
[   13.398630]  tipc_connect+0x1d9/0x230 [tipc]
[   13.398630]  ? __sys_connect+0x9f/0xd0
[   13.398630]  __sys_connect+0x9f/0xd0
[   13.398630]  ? preempt_count_add+0x4d/0xa0
[   13.398630]  ? fpregs_assert_state_consistent+0x22/0x50
[   13.398630]  __x64_sys_connect+0x16/0x20
[   13.398630]  do_syscall_64+0x42/0x90
[   13.398630]  entry_SYSCALL_64_after_hwframe+0x63/0xcd

It is because commit a41dad905e5a ("iov_iter: saner checks for attempt
to copy to/from iterator") has introduced sanity check for copying
from/to iov iterator. Lacking of copy direction from the iterator
viewpoint would lead to kernel stack trace like above.

This commit fixes this issue by initializing the iov iterator with
the correct copy direction when sending SYN or ACK without data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52700
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2023/CVE-2023-52700.mbox
https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32
https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc
https://www.cve.org/CVERecord?id=CVE-2023-52700
Comment 5 Jan Kara 2024-06-11 12:35:21 UTC 
OK, so after some detailed checking:

SLE15-SP6 is unaffected as it has a fix (merged in 6.2)
SLE15-SP5 and older are unaffected as the warning has been introduced by commit a41dad905e5a in 6.2 as well. Reassigning back to security team.