Bugzilla – Bug 1225039
VUL-0: REJECTED: CVE-2023-52823: kernel: kernel: kexec: copy user-array safely
Last modified: 2024-05-24 14:50:15 UTC
In the Linux kernel, the following vulnerability has been resolved:

kernel: kexec: copy user-array safely

Currently, there is no overflow-check with memdup_user(). Use the new function memdup_array_user() instead of memdup_user() for duplicating the user-space array safely.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52823
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2023/CVE-2023-52823.mbox
https://git.kernel.org/stable/c/d4f2c09d4672f0e997ba4b1b589cc376be7ec938
https://git.kernel.org/stable/c/8332523b13dbfcce60f631dfb34ac90df021b4bd
https://git.kernel.org/stable/c/b0ed017a2b9735753eb95798d9f60176480424ca
https://git.kernel.org/stable/c/4fc857cc5cb9b7ce6940898857d773564973a584
https://git.kernel.org/stable/c/569c8d82f95eb5993c84fb61a649a9c4ddd208b3
https://www.cve.org/CVERecord?id=CVE-2023-52823
This is not a security issue but rather a hardening. Considering that kexec is a privileged operation, I do not think we need this fix. What do you think, Jiri?
This CVE is invalid. The overflow check is in the kexec_load_check() function called shortly before the memdup_user() call:

SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments,
		struct kexec_segment __user *, segments, unsigned long, flags)
{
	result = kexec_load_check(nr_segments, flags);
	if (result)
		return result;
	...
	ksegments = memdup_user(segments, nr_segments * sizeof(ksegments[0]));
	...
}

#define KEXEC_SEGMENT_MAX 16

static inline int kexec_load_check(unsigned long nr_segments,
				   unsigned long flags)
{
	...
	if (nr_segments > KEXEC_SEGMENT_MAX)
		return -EINVAL;
}
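The argument in the comment above can be checked numerically. The following user-space C program is an added illustration, not kernel code and not part of this bug: it models the quoted kexec_load_check() bound and the unchecked nr_segments * sizeof() multiplication that memdup_user() receives, and shows that a segment count large enough to wrap the byte count is already rejected with -EINVAL before the multiplication runs. The overflow-checked helper at the end is a stand-in for what memdup_array_user() adds (an assumed model built on __builtin_mul_overflow, not the kernel's implementation); the struct layout and the wrapping segment count are constructed for the demonstration.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model; mirrors the constant quoted in the comment. */
#define KEXEC_SEGMENT_MAX 16

/* Layout assumed for the example: four pointer-sized fields. */
struct kexec_segment {
	const void *buf;
	size_t bufsz;
	const void *mem;
	size_t memsz;
};

/* Model of kexec_load_check(): reject oversized counts before any
 * size arithmetic is done. */
static int kexec_load_model(unsigned long nr_segments)
{
	if (nr_segments > KEXEC_SEGMENT_MAX)
		return -EINVAL;
	return 0;
}

/* The unchecked byte count memdup_user() would be handed: plain
 * unsigned multiplication, which silently wraps. */
static unsigned long raw_bytes(unsigned long nr_segments)
{
	return nr_segments * (unsigned long)sizeof(struct kexec_segment);
}

/* Smallest count whose byte size wraps to zero (constructed value). */
static unsigned long wrapping_count(void)
{
	return ULONG_MAX / sizeof(struct kexec_segment) + 1;
}

/* True if nr_segments * sizeof(struct kexec_segment) does not fit. */
static bool bytes_overflow(unsigned long nr_segments)
{
	unsigned long out;
	return __builtin_mul_overflow(nr_segments,
				      (unsigned long)sizeof(struct kexec_segment),
				      &out);
}

/* Stand-in for the overflow-checked size computation memdup_array_user()
 * performs: fail with -EOVERFLOW instead of allocating a wrapped size. */
static int checked_array_bytes(unsigned long nr_segments, unsigned long *out)
{
	if (__builtin_mul_overflow(nr_segments,
				   (unsigned long)sizeof(struct kexec_segment),
				   out))
		return -EOVERFLOW;
	return 0;
}

int main(void)
{
	unsigned long huge = wrapping_count();
	unsigned long out = 0;

	printf("nr_segments=%lu -> kexec_load_check: %d\n", huge,
	       kexec_load_model(huge));               /* -EINVAL, rejected first */
	printf("raw byte count if it were reached: %lu\n", raw_bytes(huge)); /* wraps to 0 */
	printf("overflow detected by checked helper: %d\n",
	       checked_array_bytes(huge, &out));      /* -EOVERFLOW */
	printf("nr_segments=16 -> check %d, bytes %lu\n",
	       kexec_load_model(16), raw_bytes(16));  /* 0, 16*sizeof */
	return 0;
}
```

Because nr_segments is capped at 16 before the multiplication, the largest byte count that can reach memdup_user() is 16 * sizeof(struct kexec_segment), far below any wrap-around; the checked helper only changes behaviour for counts the bound check has already refused.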
Disputed: https://lore.kernel.org/lkml/ZlBlorsBMPK0RdnR@dwarf.suse.cz/
CVE Revoked: https://lore.kernel.org/linux-cve-announce/2024052411-REJECTED-6dfe@gregkh/T/#u
Closing as CVE was rejected. Thanks all.