oss-sec mailing list archives
CVE-2023-1075 - Linux Kernel: Type Confusion in tls_is_tx_ready()
From: Pietro Borrello <borrello () diag uniroma1 it>
Date: Wed, 1 Mar 2023 16:23:54 +0100
Hi all, I am disclosing a type confusion in the net/tls stack of the Linux Kernel. tls_is_tx_ready() checks that list_first_entry() does not return NULL. However, this condition can never happen. For an empty `tx_list`, list_first_entry() returns the list_entry() of the head, which, when used, is a type confusion. Thus, tls_is_tx_ready() may potentially use a type-confused entry to the list_head, leaking the last byte of the type confused field that overlaps with rec->tx_ready. The patch has been merged in the Linux tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=ffe2a22562444720b05bdfeb999c03e810d84cbb The issue has been assigned CVE-2023-1075. Best regards, Pietro Borrello
Current thread:
- CVE-2023-1075 - Linux Kernel: Type Confusion in tls_is_tx_ready() Pietro Borrello (Mar 01)