cve/2023/CVE-2023-52618.md

### [CVE-2023-52618](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52618)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=1da177e4c3f4%3C%2095bc866c1197%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

In the Linux kernel, the following vulnerability has been resolved:block/rnbd-srv: Check for unlikely string overflowSince "dev_search_path" can technically be as large as PATH_MAX,there was a risk of truncation when copying it and a second stringinto "full_path" since it was also PATH_MAX sized. The W=1 builds werereporting this warning:drivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':drivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]  616 |                 snprintf(full_path, PATH_MAX, "%s/%s",      |                                                   ^~In function 'rnbd_srv_get_full_path',    inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096  616 |                 snprintf(full_path, PATH_MAX, "%s/%s",      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  617 |                          dev_search_path, dev_name);      |                          ~~~~~~~~~~~~~~~~~~~~~~~~~~To fix this, unconditionally check for truncation (as was already donefor the case where "%SESSNAME%" was present).

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/NaInSec/CVE-LIST
Update CVE sources 2024-05-28 08:49 2024-05-28 08:49:17 +00:00			`### [CVE-2023-52618](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52618)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=1da177e4c3f4%3C%2095bc866c1197%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			In the Linux kernel, the following vulnerability has been resolved:block/rnbd-srv: Check for unlikely string overflowSince "dev_search_path" can technically be as large as PATH_MAX,there was a risk of truncation when copying it and a second stringinto "full_path" since it was also PATH_MAX sized. The W=1 builds werereporting this warning:drivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':drivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=] 616 \| snprintf(full_path, PATH_MAX, "%s/%s", \| ^~In function 'rnbd_srv_get_full_path', inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096 616 \| snprintf(full_path, PATH_MAX, "%s/%s", \| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 617 \| dev_search_path, dev_name); \| ~~~~~~~~~~~~~~~~~~~~~~~~~~To fix this, unconditionally check for truncation (as was already donefor the case where "%SESSNAME%" was present).

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/NaInSec/CVE-LIST`