cve/published/2021/CVE-2021-46984.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46984: kyber: fix out of bounds access when preempted

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 kyber: fix out of bounds access when preempted

 __blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and
 passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx
 for the current CPU again and uses that to get the corresponding Kyber
 context in the passed hctx. However, the thread may be preempted between
 the two calls to blk_mq_get_ctx(), and the ctx returned the second time
 may no longer correspond to the passed hctx. This "works" accidentally
 most of the time, but it can cause us to read garbage if the second ctx
 came from an hctx with more ctx's than the first one (i.e., if
 ctx->index_hw[hctx->type] > hctx->nr_ctx).

 This manifested as this UBSAN array index out of bounds error reported
 by Jakub:

 UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
 index 13106 is out of range for type 'long unsigned int [128]'
 Call Trace:
  dump_stack+0xa4/0xe5
  ubsan_epilogue+0x5/0x40
  __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
  queued_spin_lock_slowpath+0x476/0x480
  do_raw_spin_lock+0x1c2/0x1d0
  kyber_bio_merge+0x112/0x180
  blk_mq_submit_bio+0x1f5/0x1100
  submit_bio_noacct+0x7b0/0x870
  submit_bio+0xc2/0x3a0
  btrfs_map_bio+0x4f0/0x9d0
  btrfs_submit_data_bio+0x24e/0x310
  submit_one_bio+0x7f/0xb0
  submit_extent_page+0xc4/0x440
  __extent_writepage_io+0x2b8/0x5e0
  __extent_writepage+0x28d/0x6e0
  extent_write_cache_pages+0x4d7/0x7a0
  extent_writepages+0xa2/0x110
  do_writepages+0x8f/0x180
  __writeback_single_inode+0x99/0x7f0
  writeback_sb_inodes+0x34e/0x790
  __writeback_inodes_wb+0x9e/0x120
  wb_writeback+0x4d2/0x660
  wb_workfn+0x64d/0xa10
  process_one_work+0x53a/0xa80
  worker_thread+0x69/0x5b0
  kthread+0x20b/0x240
  ret_from_fork+0x1f/0x30

 Only Kyber uses the hctx, so fix it by passing the request_queue to
 ->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can
 map the queues itself to avoid the mismatch.

 The Linux kernel CVE team has assigned CVE-2021-46984 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.4.120 with commit 0b6b4b90b74c27bea968c214d820ba4254b903a5
 	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.10.38 with commit 54dbe2d2c1fcabf650c7a8b747601da355cd7f9f
 	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.11.22 with commit a287cd84e047045f5a4d4da793414e848de627c6
 	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.12.5 with commit 2ef3c76540c49167a0bc3d5f80d00fd1fc4586df
 	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.13 with commit efed9a3337e341bd0989161b97453b52567bc59d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46984
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	block/bfq-iosched.c
 	block/blk-mq-sched.c
 	block/kyber-iosched.c
 	block/mq-deadline.c
 	include/linux/elevator.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5
 	https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f
 	https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6
 	https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df
 	https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46984: kyber: fix out of bounds access when preempted

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	kyber: fix out of bounds access when preempted

	__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and
	passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx
	for the current CPU again and uses that to get the corresponding Kyber
	context in the passed hctx. However, the thread may be preempted between
	the two calls to blk_mq_get_ctx(), and the ctx returned the second time
	may no longer correspond to the passed hctx. This "works" accidentally
	most of the time, but it can cause us to read garbage if the second ctx
	came from an hctx with more ctx's than the first one (i.e., if
	ctx->index_hw[hctx->type] > hctx->nr_ctx).

	This manifested as this UBSAN array index out of bounds error reported
	by Jakub:

	UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
	index 13106 is out of range for type 'long unsigned int [128]'
	Call Trace:
	dump_stack+0xa4/0xe5
	ubsan_epilogue+0x5/0x40
	__ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
	queued_spin_lock_slowpath+0x476/0x480
	do_raw_spin_lock+0x1c2/0x1d0
	kyber_bio_merge+0x112/0x180
	blk_mq_submit_bio+0x1f5/0x1100
	submit_bio_noacct+0x7b0/0x870
	submit_bio+0xc2/0x3a0
	btrfs_map_bio+0x4f0/0x9d0
	btrfs_submit_data_bio+0x24e/0x310
	submit_one_bio+0x7f/0xb0
	submit_extent_page+0xc4/0x440
	__extent_writepage_io+0x2b8/0x5e0
	__extent_writepage+0x28d/0x6e0
	extent_write_cache_pages+0x4d7/0x7a0
	extent_writepages+0xa2/0x110
	do_writepages+0x8f/0x180
	__writeback_single_inode+0x99/0x7f0
	writeback_sb_inodes+0x34e/0x790
	__writeback_inodes_wb+0x9e/0x120
	wb_writeback+0x4d2/0x660
	wb_workfn+0x64d/0xa10
	process_one_work+0x53a/0xa80
	worker_thread+0x69/0x5b0
	kthread+0x20b/0x240
	ret_from_fork+0x1f/0x30

	Only Kyber uses the hctx, so fix it by passing the request_queue to
	->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can
	map the queues itself to avoid the mismatch.

	The Linux kernel CVE team has assigned CVE-2021-46984 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.4.120 with commit 0b6b4b90b74c27bea968c214d820ba4254b903a5
	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.10.38 with commit 54dbe2d2c1fcabf650c7a8b747601da355cd7f9f
	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.11.22 with commit a287cd84e047045f5a4d4da793414e848de627c6
	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.12.5 with commit 2ef3c76540c49167a0bc3d5f80d00fd1fc4586df
	Issue introduced in 4.18 with commit a6088845c2bf754d6cb2572b484180680b037804 and fixed in 5.13 with commit efed9a3337e341bd0989161b97453b52567bc59d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46984
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	block/bfq-iosched.c
	block/blk-mq-sched.c
	block/kyber-iosched.c
	block/mq-deadline.c
	include/linux/elevator.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5
	https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f
	https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6
	https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df
	https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d