In the Linux kernel, the following vulnerability has been resolved:

erofs: fix lz4 inplace decompression

Currently EROFS can map another compressed buffer for inplace decompression, that was used to handle the cases that some pages of compressed data are actually not in-place I/O.

However, like most simple LZ77 algorithms, LZ4 expects the compressed data is arranged at the end of the decompressed buffer and it explicitly uses memmove() to handle overlapping:

      __________________________________________________________
     |_ direction of decompression --> ____ |_ compressed data _|

Although EROFS arranges compressed data like this, it typically maps two individual virtual buffers so the relative order is uncertain. Previously, it was hardly observed since LZ4 only uses memmove() for short overlapped literals and x86/arm64 memmove implementations seem to completely cover it up and they don’t have this issue. Juhyung reported that EROFS data corruption can be found on a new Intel x86 processor. After some analysis, it seems that recent x86 processors with the new FSRM feature expose this issue with “rep movsb”.

Let’s strictly use the decompressed buffer for lz4 inplace decompression for now. Later, as a useful improvement, we could try to tie up these two buffers together in the correct order.

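The buffer-ordering problem described above, as an added illustration that is not code from the advisory or from the kernel patch: one page is mapped at two virtual addresses, and a textbook address-comparing memmove (a model written for this example, not the kernel's or any libc's routine) moves literals toward the start of that page. Function names and sizes are constructed, and a writable temporary directory is assumed for `tmpfile()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum { PAGE = 4096, GAP = 16, LEN = 64 };   /* constructed sizes */

/* Textbook memmove model: direction is chosen from pointer values only.
 * volatile keeps the compiler from swapping the loops for a library call. */
static void addr_memmove(volatile uint8_t *d, const volatile uint8_t *s, size_t n)
{
    if ((uintptr_t)d <= (uintptr_t)s)
        for (size_t i = 0; i < n; i++) d[i] = s[i];   /* forward */
    else
        while (n--) d[n] = s[n];                      /* backward */
}

/* Move LEN literals from offset GAP down to offset 0 of one shared page.
 * mode 0: output view mapped below the input view; mode 1: output view mapped
 * above it; mode 2: both pointers in a single view (one buffer, as in the fix).
 * Returns 1 if the output is intact, 0 if corrupted, -1 if setup failed. */
int inplace_literal_copy(int mode)
{
    FILE *f = tmpfile();                    /* backing object for both views */
    if (!f || ftruncate(fileno(f), PAGE) != 0) return -1;
    uint8_t *a = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(f), 0);
    uint8_t *b = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_SHARED, fileno(f), 0);
    fclose(f);
    if (a == MAP_FAILED || b == MAP_FAILED) return -1;
    uint8_t *lo = (uintptr_t)a < (uintptr_t)b ? a : b, *hi = lo == a ? b : a;
    uint8_t *out = mode == 1 ? hi : lo;
    uint8_t *in  = mode == 0 ? hi : (mode == 1 ? lo : out);
    for (int i = 0; i < LEN; i++) in[GAP + i] = (uint8_t)i;   /* the literals */
    addr_memmove(out, in + GAP, LEN);
    int ok = 1;
    for (int i = 0; i < LEN; i++) ok &= (out[i] == (uint8_t)i);
    munmap(a, PAGE); munmap(b, PAGE);
    return ok;
}

int main(void)
{
    const char *label[] = { "output view below input", "output view above input", "single view" };
    for (int m = 0; m < 3; m++)
        printf("%-24s -> %d\n", label[m], inplace_literal_copy(m));
    return 0;
}
```

Modes 0 and 2 return 1, while mode 1 returns 0: the copy direction was picked from two virtual addresses that say nothing about how the underlying bytes overlap.
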
Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < 5.15.0-112.122 | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1063.69 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1021.21 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1063.69~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1066.75 | UNKNOWN |

git.kernel.org/linus/3c12466b6b7bf1e56f9b32c366a3d83d87afb4de (6.8-rc1)
launchpad.net/bugs/cve/CVE-2023-52497
nvd.nist.gov/vuln/detail/CVE-2023-52497
security-tracker.debian.org/tracker/CVE-2023-52497
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6819-4
ubuntu.com/security/notices/USN-6820-1
ubuntu.com/security/notices/USN-6820-2
ubuntu.com/security/notices/USN-6821-1
ubuntu.com/security/notices/USN-6821-2
ubuntu.com/security/notices/USN-6821-3
ubuntu.com/security/notices/USN-6821-4
ubuntu.com/security/notices/USN-6828-1
ubuntu.com/security/notices/USN-6871-1
ubuntu.com/security/notices/USN-6892-1
ubuntu.com/security/notices/USN-6919-1
www.cve.org/CVERecord?id=CVE-2023-52497