CVE-2023-52980

CVE-2023-52980 is an integer overflow vulnerability in the Linux kernel's block layer, specifically within the ublk (user block) driver. The issue arises when configuring a multiqueue ublk device with a large queue depth exceeding 2728, up to the maximum of 4096 defined by UBLK_MAX_QUEUE_DEPTH in ublk_cmd.h. The queue_size calculation, sizeof(struct ublk_queue) + depth * sizeof(struct ublk_io), exceeds 65535 and overflows, likely due to an underlying 16-bit type limit. This results in ublk_get_queue() accessing an incorrect pointer position, leading to out-of-bounds memory access classified under CWE-787.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction required (AV:L/AC:L/UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8 in an unchanged scope (S:U). The attacker could potentially read or write arbitrary memory, execute arbitrary code, or cause system crashes by triggering the overflow during ublk device queue depth assignment.

Kernel patches addressing this issue are available in stable branches, as documented in the referenced commits. The fix extends the queue_size field in struct ublk_device from its original type to unsigned int, preventing the overflow and ensuring correct queue allocation. Security practitioners should update affected Linux kernels with these patches to mitigate the vulnerability.