{
  "id": "CVE-2023-52501",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-03-02T22:15:47.153",
  "lastModified": "2024-03-04T13:58:23.447",
  "vulnStatus": "Awaiting Analysis",
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nring-buffer: Do not attempt to read past \"commit\"\n\nWhen iterating over the ring buffer while the ring buffer is active, the\nwriter can corrupt the reader. There's barriers to help detect this and\nhandle it, but that code missed the case where the last event was at the\nvery end of the page and has only 4 bytes left.\n\nThe checks to detect the corruption by the writer to reads needs to see the\nlength of the event. If the length in the first 4 bytes is zero then the\nlength is stored in the second 4 bytes. But if the writer is in the process\nof updating that code, there's a small window where the length in the first\n4 bytes could be zero even though the length is only 4 bytes. That will\ncause rb_event_length() to read the next 4 bytes which could happen to be off the\nallocated page.\n\nTo protect against this, fail immediately if the next event pointer is\nless than 8 bytes from the end of the commit (last byte of data), as all\nevents must be a minimum of 8 bytes anyway."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ring-buffer: no intente leer m\u00e1s all\u00e1 del \"commit\" Al iterar sobre el b\u00fafer de anillo mientras el b\u00fafer de anillo est\u00e1 activo, el escritor puede da\u00f1ar al lector. Existen barreras para ayudar a detectar esto y manejarlo, pero ese c\u00f3digo omiti\u00f3 el caso en el que el \u00faltimo evento estaba al final de la p\u00e1gina y solo le quedan 4 bytes. Las comprobaciones para detectar la corrupci\u00f3n por parte del escritor en las lecturas deben ver la duraci\u00f3n del evento. Si la longitud de los primeros 4 bytes es cero, entonces la longitud se almacena en los segundos 4 bytes. Pero si el escritor est\u00e1 en el proceso de actualizar ese c\u00f3digo, hay una peque\u00f1a ventana donde la longitud de los primeros 4 bytes podr\u00eda ser cero aunque la longitud sea solo de 4 bytes. Eso har\u00e1 que rb_event_length() lea los siguientes 4 bytes que podr\u00edan estar fuera de la p\u00e1gina asignada. Para protegerse contra esto, falle inmediatamente si el siguiente puntero de evento est\u00e1 a menos de 8 bytes del final de el commit (\u00faltimo byte de datos), ya que todos los eventos deben tener un m\u00ednimo de 8 bytes de todos modos."
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}