{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-52980", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-03-27T16:40:15.740Z", "datePublished": "2025-03-27T16:43:19.493Z", "dateUpdated": "2025-05-04T07:46:45.012Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:46:45.012Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: ublk: extending queue_size to fix overflow\n\nWhen validating drafted SPDK ublk target, in a case that\nassigning large queue depth to multiqueue ublk device,\nublk target would run into a weird incorrect state. During\nrounds of review and debug, An overflow bug was found\nin ublk driver.\n\nIn ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means\neach ublk queue depth can be set as large as 4096. But\nwhen setting qd for a ublk device,\nsizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)\nwill be larger than 65535 if qd is larger than 2728.\nThen queue_size is overflowed, and ublk_get_queue()\nreferences a wrong pointer position. The wrong content of\nublk_queue elements will lead to out-of-bounds memory\naccess.\n\nExtend queue_size in ublk_device as \"unsigned int\"."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/block/ublk_drv.c"], "versions": [{"version": "71f28f3136aff5890cd56de78abc673f8393cad9", "lessThan": "ee1e3fe4b4579f856997190a00ea4db0307b4332", "status": "affected", "versionType": "git"}, {"version": "71f28f3136aff5890cd56de78abc673f8393cad9", "lessThan": "29baef789c838bd5c02f50c88adbbc6b955aaf61", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/block/ublk_drv.c"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.11", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.1.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/ee1e3fe4b4579f856997190a00ea4db0307b4332"}, {"url": "https://git.kernel.org/stable/c/29baef789c838bd5c02f50c88adbbc6b955aaf61"}], "title": "block: ublk: extending queue_size to fix overflow", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "45B4BA06-A459-4473-8903-3AE63DA4B625", "versionEndExcluding": "6.1.11", "versionStartIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*", "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*", "matchCriteriaId": "D34127CC-68F5-4703-A5F6-5006F803E4AE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*", "matchCriteriaId": "4AB8D555-648E-4F2F-98BD-3E7F45BD12A8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: ublk: extending queue_size to fix overflow\n\nWhen validating drafted SPDK ublk target, in a case that\nassigning large queue depth to multiqueue ublk device,\nublk target would run into a weird incorrect state. During\nrounds of review and debug, An overflow bug was found\nin ublk driver.\n\nIn ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means\neach ublk queue depth can be set as large as 4096. But\nwhen setting qd for a ublk device,\nsizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)\nwill be larger than 65535 if qd is larger than 2728.\nThen queue_size is overflowed, and ublk_get_queue()\nreferences a wrong pointer position. The wrong content of\nublk_queue elements will lead to out-of-bounds memory\naccess.\n\nExtend queue_size in ublk_device as \"unsigned int\"."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: ublk: extensi\u00f3n de queue_size para corregir el desbordamiento Al validar el borrador del objetivo ublk de SPDK, en un caso en el que se asigna una gran profundidad de cola al dispositivo ublk de m\u00faltiples colas, el objetivo ublk se ejecutar\u00eda en un estado incorrecto extra\u00f1o. Durante las rondas de revisi\u00f3n y depuraci\u00f3n, se encontr\u00f3 un error de desbordamiento en el controlador ublk. En ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH es 4096, lo que significa que cada profundidad de cola ublk se puede configurar tan grande como 4096. Pero al configurar qd para un dispositivo ublk, sizeof(struct ublk_queue) + profundidad * sizeof(struct ublk_io) ser\u00e1 mayor que 65535 si qd es mayor que 2728. Entonces queue_size se desborda y ublk_get_queue() hace referencia a una posici\u00f3n de puntero incorrecta. El contenido incorrecto de los elementos ublk_queue provocar\u00e1 un acceso a memoria fuera de los l\u00edmites. Extienda queue_size en ublk_device como \"unsigned int\"."}], "id": "CVE-2023-52980", "lastModified": "2025-10-28T18:23:45.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-27T17:15:45.183", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/29baef789c838bd5c02f50c88adbbc6b955aaf61"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ee1e3fe4b4579f856997190a00ea4db0307b4332"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: block: ublk: extending queue_size to fix overflow", "id": "2355481", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355481"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nblock: ublk: extending queue_size to fix overflow\nWhen validating drafted SPDK ublk target, in a case that\nassigning large queue depth to multiqueue ublk device,\nublk target would run into a weird incorrect state. During\nrounds of review and debug, An overflow bug was found\nin ublk driver.\nIn ublk_cmd.h, UBLK_MAX_QUEUE_DEPTH is 4096 which means\neach ublk queue depth can be set as large as 4096. But\nwhen setting qd for a ublk device,\nsizeof(struct ublk_queue) + depth * sizeof(struct ublk_io)\nwill be larger than 65535 if qd is larger than 2728.\nThen queue_size is overflowed, and ublk_get_queue()\nreferences a wrong pointer position. The wrong content of\nublk_queue elements will lead to out-of-bounds memory\naccess.\nExtend queue_size in ublk_device as \"unsigned int\"."], "name": "CVE-2023-52980", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-52980\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52980\nhttps://lore.kernel.org/linux-cve-announce/2025032705-CVE-2023-52980-0fea@gregkh/T"], "statement": "This patch fixes an integer overflow in the ublk driver where queue_size, defined as unsigned short, could overflow for large queue depths, leading to out-of-bounds memory access via invalid queue pointer offsets.", "threat_severity": "Moderate"}