CVE-2023-52980

HIGH

Linux Kernel < 6.1.11 - Out-of-bounds Write in ublk Queue Size Validation

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: block: ublk: extending queue_size to fix overflow When validating drafted SPDK ublk target, in a case that assigning large queue depth to multiqueue ublk device, ublk target would run into a weird incorrect state. During rounds of review and debug, An overflow bug was found in ublk driver. In ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means each ublk queue depth can be set as large as 4096. But when setting qd for a ublk device, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io) will be larger than 65535 if qd is larger than 2728. Then queue_size is overflowed, and ublk_get_queue() references a wrong pointer position. The wrong content of ublk_queue elements will lead to out-of-bounds memory access. Extend queue_size in ublk_device as "unsigned int".

References (2)

Core 2

Core References

Patch

https://git.kernel.org/stable/c/ee1e3fe4b4579f856997190a00ea4db0307b4332

Patch

https://git.kernel.org/stable/c/29baef789c838bd5c02f50c88adbbc6b955aaf61

Scores

CVSS v3 7.8

EPSS 0.0023

EPSS Percentile 13.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-787

Status published

Products (8)

Linux/Linux < 6.0

Linux/Linux 6.0

Linux/Linux 6.1.11 - 6.1.*

Linux/Linux 6.2

Linux/Linux 71f28f3136aff5890cd56de78abc673f8393cad9 - 29baef789c838bd5c02f50c88adbbc6b955aaf61

Linux/Linux 71f28f3136aff5890cd56de78abc673f8393cad9 - ee1e3fe4b4579f856997190a00ea4db0307b4332

linux/linux_kernel 6.2 rc1 (6 CPE variants)

linux/linux_kernel 6.0 - 6.1.11

Published Mar 27, 2025

Tracked Since Feb 18, 2026