CVE-2023-52767 tls: fix NULL deref on tls_sw_splice_eof() with empty record

2024-05-2115:30:50

Linux

github.com

linux kernel

tls vulnerability

null deref

sendfile

plaintext

ciphertext

sk_msg

encryption overhead

send path

bpf program

tls_push_record

split

tls_merge_open_record

tls_sw_sendmsg_locked

tls_sw_push_pending_record

AI Score

6.9

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

tls: fix NULL deref on tls_sw_splice_eof() with empty record

syzkaller discovered that if tls_sw_splice_eof() is executed as part of
sendfile() when the plaintext/ciphertext sk_msg are empty, the send path
gets confused because the empty ciphertext buffer does not have enough
space for the encryption overhead. This causes tls_push_record() to go on
the split = true path (which is only supposed to be used when interacting
with an attached BPF program), and then get further confused and hit the
tls_merge_open_record() path, which then assumes that there must be at
least one populated buffer element, leading to a NULL deref.

It is possible to have empty plaintext/ciphertext buffers if we previously
bailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.
tls_sw_push_pending_record() already handles this case correctly; let’s do
the same check in tls_sw_splice_eof().

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "5ad627faed13",
        "lessThan": "944900fe2736",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "df720d288dbb",
        "lessThan": "2214e2bb5489",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "df720d288dbb",
        "lessThan": "53f2cb491b50",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "net/tls/tls_sw.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "6.5"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "6.5",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "6.6.4",
        "versionType": "custom",
        "lessThanOrEqual": "6.6.*"
      },
      {
        "status": "unaffected",
        "version": "6.7",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "net/tls/tls_sw.c"
    ],
    "defaultStatus": "affected"
  }
]