Linux Kernel Net/Mlx5 Driver Vulnerability Affecting Command Data Handling
CVE-2023-53340
What is CVE-2023-53340?
In the Linux kernel, a vulnerability exists in the net/mlx5 driver's handling of command failures. When a command issued from DEVX is not recognized by the mlx5 driver, the driver still attempts to collect failure data for it. Because the driver does not use this unknown command, it never allocated storage for it, so the lookup results in an array-index-out-of-bounds access. The fix adds a verification step that checks whether the command is known before collecting any associated failure data, ensuring the driver only touches statistics storage it actually allocated.
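The pattern described above, as an added illustration that is not the mlx5 kernel source: a hypothetical command-interface driver keeps per-command failure statistics only for the opcodes it knows, so indexing that storage with an unrecognized opcode goes out of bounds, and the fix is to reject unknown commands before the lookup. All opcodes, structure names and function names here are constructed for the example.

```c
/* Hypothetical model of per-command failure bookkeeping in a command-interface
 * driver (constructed for illustration; not the mlx5 kernel source). */
#include <stddef.h>
#include <stdint.h>

/* Constructed table of command opcodes the modelled driver knows about. */
static const uint16_t known_opcodes[] = { 0x100, 0x101, 0x102, 0x200 };
#define NUM_KNOWN (sizeof(known_opcodes) / sizeof(known_opcodes[0]))
#define UNKNOWN_INDEX ((size_t)-1)

/* Failure statistics exist only for known commands: one slot per opcode. */
struct cmd_fail_stats {
    uint32_t failures;
    uint32_t last_status;
};
static struct cmd_fail_stats stats[NUM_KNOWN];

/* Map an opcode to its stats slot; unknown opcodes get a sentinel. */
static size_t opcode_to_index(uint16_t opcode)
{
    for (size_t i = 0; i < NUM_KNOWN; i++)
        if (known_opcodes[i] == opcode)
            return i;
    return UNKNOWN_INDEX;
}

/* Pre-fix shape: trusts the index. A user-supplied (DEVX-style) opcode the
 * driver never allocated storage for yields UNKNOWN_INDEX, and the write
 * lands far outside stats[]. Only ever call this with a known opcode. */
static void collect_fail_data_unchecked(uint16_t opcode, uint32_t status)
{
    struct cmd_fail_stats *s = &stats[opcode_to_index(opcode)];
    s->failures++;
    s->last_status = status;
}

/* Post-fix shape: verify the command is known before touching stats[].
 * Returns 0 when data was recorded, -1 when the opcode was rejected. */
static int collect_fail_data(uint16_t opcode, uint32_t status)
{
    size_t idx = opcode_to_index(opcode);
    if (idx == UNKNOWN_INDEX)
        return -1;              /* unknown command: nothing to record */
    stats[idx].failures++;
    stats[idx].last_status = status;
    return 0;
}

/* Inspection helper: failure count recorded for an opcode (0 if unknown). */
static uint32_t failures_for(uint16_t opcode)
{
    size_t idx = opcode_to_index(opcode);
    return idx == UNKNOWN_INDEX ? 0 : stats[idx].failures;
}
```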
Affected Version(s)
Linux 34f46ae0d4b38e83cfb26fb6f06b5b5efea47fdc < 411e4d6caa7f7169192b8dacc8421ac4fd64a354
Linux 34f46ae0d4b38e83cfb26fb6f06b5b5efea47fdc
Linux 34f46ae0d4b38e83cfb26fb6f06b5b5efea47fdc < 2a0a935fb64ee8af253b9c6133bb6702fb152ac2