PT-2023-9486 · Linux+5 · Linux Kernel+5

Juhyung Park

·

Published

2023-12-15

·

Updated

2025-01-14

·

CVE-2023-52497

CVSS v3.1

6.1

Medium

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description The issue is related to the erofs component in the Linux kernel, specifically with the lz4 inplace decompression. The problem arises because the LZ4 algorithm expects the compressed data to be arranged at the end of the decompressed buffer, but erofs typically maps two individual virtual buffers, making the relative order uncertain. This uncertainty can lead to data corruption, particularly on new Intel x86 processors with the FSRM feature, which exposes the issue with "rep movsb". The solution involves strictly using the decompressed buffer for lz4 inplace decompression.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Resource Exhaustion

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-787

Related Identifiers

BDU:2024-07840
CVE-2023-52497
DLA-3842-1
DSA-5681-1
OPENSUSE-SU-2024_1321-1
OPENSUSE-SU-2024_1322-1
OPENSUSE-SU-2024_1322-2
OPENSUSE-SU-2024_1332-1
OPENSUSE-SU-2024_1332-2
OPENSUSE-SU-2024_1466-1
OPENSUSE-SU-2024_1480-1
OPENSUSE-SU-2024_1490-1
SUSE-SU-2024:1320-1
SUSE-SU-2024:1321-1
SUSE-SU-2024:1466-1
SUSE-SU-2024:1480-1
SUSE-SU-2024:1490-1
USN-6765-1
USN-6818-1
USN-6818-2
USN-6818-3
USN-6818-4
USN-6819-1
USN-6819-2
USN-6819-3
USN-6819-4
USN-6820-1
USN-6820-2
USN-6821-1
USN-6821-2
USN-6821-3
USN-6821-4
USN-6828-1
USN-6871-1
USN-6892-1
USN-6919-1
USN-7159-1
USN-7159-2
USN-7159-3
USN-7159-4
USN-7159-5
USN-7195-1
USN-7195-2

Affected Products

Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu