Bug 2215502 (CVE-2023-3268) - CVE-2023-3268 kernel: out-of-bounds access in relay_file_read
Summary: CVE-2023-3268 kernel: out-of-bounds access in relay_file_read
Keywords:
Status: NEW
Alias: CVE-2023-3268
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2215508 2215509 2215510 2215511
Blocks: 2203740
TreeView+ depends on / blocked
 
Reported: 2023-06-16 09:07 UTC by Rohit Keshri
Modified: 2023-08-08 05:45 UTC (History)
47 users (show)

Fixed In Version: Kernel 6.4-rc1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw allows a local attacker to crash the system or leak kernel internal information.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Rohit Keshri 2023-06-16 09:07:33 UTC 
An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.

The crash is in relay_file_read, as the var from point to the end of last subbuf.

The oops looks something like:

pc : __arch_copy_to_user+0x180/0x310
lr : relay_file_read+0x20c/0x2c8
Call trace:
__arch_copy_to_user+0x180/0x310
full_proxy_read+0x68/0x98
vfs_read+0xb0/0x1d0
ksys_read+0x6c/0xf0
__arm64_sys_read+0x20/0x28
el0_svc_common.constprop.3+0x84/0x108
do_el0_svc+0x74/0x90
el0_svc+0x1c/0x28
el0_sync_handler+0x88/0xb0
el0_sync+0x148/0x180

Refer:
https://lore.kernel.org/lkml/1682238502-1892-1-git-send-email-yangpc@wangsu.com/T/
Note You need to log in before you can comment on or make changes to this bug.