CVE-2023-52845: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING

Published May 21, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

tipc: Change nlapolicy for bearer-related names to NLANULSTRING

syzbot reported the following uninit-value access issue [1]:

===================================================== BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 strlen lib/string.c:418 [inline] strstr+0xb8/0x2f0 lib/string.c:756 tipcnlnoderesetlinkstats+0x3ea/0xb50 net/tipc/node.c:2595 genlfamilyrcvmsgdoit net/netlink/genetlink.c:971 [inline] genlfamilyrcvmsg net/netlink/genetlink.c:1051 [inline] genlrcvmsg+0x11ec/0x1290 net/netlink/genetlink.c:1066 netlinkrcvskb+0x371/0x650 net/netlink/afnetlink.c:2545 genlrcv+0x40/0x60 net/netlink/genetlink.c:1075 netlinkunicastkernel net/netlink/afnetlink.c:1342 [inline] netlinkunicast+0xf47/0x1250 net/netlink/afnetlink.c:1368 netlinksendmsg+0x1238/0x13d0 net/netlink/afnetlink.c:1910 socksendmsgnosec net/socket.c:730 [inline] socksendmsg net/socket.c:753 [inline] syssendmsg+0x9c2/0xd60 net/socket.c:2541 syssendmsg+0x28d/0x3c0 net/socket.c:2595 syssendmsg net/socket.c:2624 [inline] dosyssendmsg net/socket.c:2633 [inline] sesyssendmsg net/socket.c:2631 [inline] x64syssendmsg+0x307/0x490 net/socket.c:2631 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

Uninit was created at: slabpostallochook+0x12f/0xb70 mm/slab.h:767 slaballocnode mm/slub.c:3478 [inline] kmemcacheallocnode+0x577/0xa80 mm/slub.c:3523 kmallocreserve+0x13d/0x4a0 net/core/skbuff.c:559 allocskb+0x318/0x740 net/core/skbuff.c:650 allocskb include/linux/skbuff.h:1286 [inline] netlinkalloclargeskb net/netlink/afnetlink.c:1214 [inline] netlinksendmsg+0xb34/0x13d0 net/netlink/afnetlink.c:1885 socksendmsgnosec net/socket.c:730 [inline] socksendmsg net/socket.c:753 [inline] syssendmsg+0x9c2/0xd60 net/socket.c:2541 syssendmsg+0x28d/0x3c0 net/socket.c:2595 syssendmsg net/socket.c:2624 [inline] dosyssendmsg net/socket.c:2633 [inline] sesyssendmsg net/socket.c:2631 [inline] x64syssendmsg+0x307/0x490 net/socket.c:2631 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x41/0xc0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd

TIPC bearer-related names including link names must be null-terminated strings. If a link name which is not null-terminated is passed through netlink, strstr() and similar functions can cause buffer overrun. This causes the above issue.

This patch changes the nlapolicy for bearer-related names from NLASTRING to NLANULSTRING. This resolves the issue by ensuring that only null-terminated strings are accepted as bearer-related names.

syzbot reported similar uninit-value issue related to bearer names [2]. The root cause of this issue is that a non-null-terminated bearer name was passed. This patch also resolved this issue.

Other sources

In the Linux kernel, the following vulnerability has been resolved:

tipc: Change nlapolicy for bearer-related names to NLANULSTRING

The Linux kernel CVE team has assigned CVE-2023-52845 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024052112-CVE-2023-52845-0245@gregkh/T

Red Hat

Affected Software

21 affected componentsFixes available
redhat/kernel<4.14.330
4.14.330
redhat/kernel<4.19.299
4.19.299
redhat/kernel<5.4.261
5.4.261
redhat/kernel<5.10.201
5.10.201
redhat/kernel<5.15.139
5.15.139
redhat/kernel<6.1.63
6.1.63
redhat/kernel<6.5.12
6.5.12
redhat/kernel<6.6.2
6.6.2
redhat/kernel<6.7
6.7
Linux Linux kernel>=3.19<4.14.330
Linux Linux kernel>=4.15<4.19.299
Linux Linux kernel>=4.20<5.4.261
Linux Linux kernel>=5.5<5.10.201
Linux Linux kernel>=5.11<5.15.139
Linux Linux kernel>=5.16<6.1.63
Linux Linux kernel>=6.2<6.5.12
Linux Linux kernel>=6.6<6.6.2
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2

Remediation

Patch Available

https://git.kernel.org/stable/c/19b3f72a41a8751e26bffc093bb7e1cef29ad579

Patch Available

https://git.kernel.org/stable/c/2199260c42e6fbc5af8adae3bf78e623407c91b0

Patch Available

https://git.kernel.org/stable/c/2426425d686b43adbc4f2f4a367b494f06f159d6

Patch Available

https://git.kernel.org/stable/c/3907b89cd17fcc23e9a80789c36856f00ece0ba8

Patch Available

https://git.kernel.org/stable/c/4c731e98fe4d678e87ba3e4d45d3cf0a5a193dc4

Patch Available

https://git.kernel.org/stable/c/560992f41c0cea44b7603bc9e6c73bffbf6b5709

Patch Available

https://git.kernel.org/stable/c/6744008c354bca2e4686a5b6056ee6b535d9f67d

Patch Available

https://git.kernel.org/stable/c/abc1582119e8c4af14cedb0db6541fd603f45a04

Patch Available

https://git.kernel.org/stable/c/b33d130f07f1decd756b849ab03c23d11d4dd294

Event History

May 21, 2024
CVE Published
via MITRE·03:31 PM
Data Sourced
via MITRE·03:31 PM
Description
May 22, 2024
Data Sourced
via Red Hat·09:02 PM
DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2023-52845?

CVE-2023-52845 is considered a significant vulnerability due to the potential for uninitialized value access in the Linux kernel.

2

How do I fix CVE-2023-52845?

To fix CVE-2023-52845, update to the latest kernel versions specified, such as 4.14.330, 4.19.299, or newer versions.

3

Which Linux kernel versions are affected by CVE-2023-52845?

CVE-2023-52845 affects multiple Linux kernel versions before 4.14.330, 4.19.299, 5.4.261, 5.10.201, 5.15.139, 6.1.63, 6.5.12, 6.6.2, and 6.7.

4

Does CVE-2023-52845 impact Red Hat Linux distributions?

Yes, CVE-2023-52845 impacts various Red Hat kernel packages that fall below the specified remedied versions.

5

What types of systems are vulnerable to CVE-2023-52845?

CVE-2023-52845 can affect any system running vulnerable versions of the Linux kernel, including servers and workstations.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203