cve/published/2021/CVE-2021-47346.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47346: coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()

 commit 6f755e85c332 ("coresight: Add helper for inserting synchronization
 packets") removed trailing '\0' from barrier_pkt array and updated the
 call sites like etb_update_buffer() to have proper checks for barrier_pkt
 size before read but missed updating tmc_update_etf_buffer() which still
 reads barrier_pkt past the array size resulting in KASAN out-of-bounds
 bug. Fix this by adding a check for barrier_pkt size before accessing
 like it is done in etb_update_buffer().

  BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698
  Read of size 4 at addr ffffffd05b7d1030 by task perf/2629

  Call trace:
   dump_backtrace+0x0/0x27c
   show_stack+0x20/0x2c
   dump_stack+0x11c/0x188
   print_address_description+0x3c/0x4a4
   __kasan_report+0x140/0x164
   kasan_report+0x10/0x18
   __asan_report_load4_noabort+0x1c/0x24
   tmc_update_etf_buffer+0x4b8/0x698
   etm_event_stop+0x248/0x2d8
   etm_event_del+0x20/0x2c
   event_sched_out+0x214/0x6f0
   group_sched_out+0xd0/0x270
   ctx_sched_out+0x2ec/0x518
   __perf_event_task_sched_out+0x4fc/0xe6c
   __schedule+0x1094/0x16a0
   preempt_schedule_irq+0x88/0x170
   arm64_preempt_schedule_irq+0xf0/0x18c
   el1_irq+0xe8/0x180
   perf_event_exec+0x4d8/0x56c
   setup_new_exec+0x204/0x400
   load_elf_binary+0x72c/0x18c0
   search_binary_handler+0x13c/0x420
   load_script+0x500/0x6c4
   search_binary_handler+0x13c/0x420
   exec_binprm+0x118/0x654
   __do_execve_file+0x77c/0xba4
   __arm64_compat_sys_execve+0x98/0xac
   el0_svc_common+0x1f8/0x5e0
   el0_svc_compat_handler+0x84/0xb0
   el0_svc_compat+0x10/0x50

  The buggy address belongs to the variable:
   barrier_pkt+0x10/0x40

  Memory state around the buggy address:
   ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
   ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03
                                       ^
   ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa
   ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
  ==================================================================

 The Linux kernel CVE team has assigned CVE-2021-47346 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 4.19.198 with commit 04bd77ef4f4d9fc6102023b85f4590fc2130aac5
 	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.4.133 with commit ef0a06acc6b16388640ad367eedfa2a17f1945db
 	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.10.51 with commit 35c1c4bd2d59ad734129d4e232af9d1098023918
 	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.12.18 with commit 733d4d95c0101d5f277b8e4910411d016e49a9dc
 	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.13.3 with commit 0115687be7b13993066aef602253a53d55f5b11f
 	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.14 with commit 5fae8a946ac2df879caf3f79a193d4766d00239b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47346
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/hwtracing/coresight/coresight-tmc-etf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/04bd77ef4f4d9fc6102023b85f4590fc2130aac5
 	https://git.kernel.org/stable/c/ef0a06acc6b16388640ad367eedfa2a17f1945db
 	https://git.kernel.org/stable/c/35c1c4bd2d59ad734129d4e232af9d1098023918
 	https://git.kernel.org/stable/c/733d4d95c0101d5f277b8e4910411d016e49a9dc
 	https://git.kernel.org/stable/c/0115687be7b13993066aef602253a53d55f5b11f
 	https://git.kernel.org/stable/c/5fae8a946ac2df879caf3f79a193d4766d00239b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47346: coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()

	commit 6f755e85c332 ("coresight: Add helper for inserting synchronization
	packets") removed trailing '\0' from barrier_pkt array and updated the
	call sites like etb_update_buffer() to have proper checks for barrier_pkt
	size before read but missed updating tmc_update_etf_buffer() which still
	reads barrier_pkt past the array size resulting in KASAN out-of-bounds
	bug. Fix this by adding a check for barrier_pkt size before accessing
	like it is done in etb_update_buffer().

	BUG: KASAN: global-out-of-bounds in tmc_update_etf_buffer+0x4b8/0x698
	Read of size 4 at addr ffffffd05b7d1030 by task perf/2629

	Call trace:
	dump_backtrace+0x0/0x27c
	show_stack+0x20/0x2c
	dump_stack+0x11c/0x188
	print_address_description+0x3c/0x4a4
	__kasan_report+0x140/0x164
	kasan_report+0x10/0x18
	__asan_report_load4_noabort+0x1c/0x24
	tmc_update_etf_buffer+0x4b8/0x698
	etm_event_stop+0x248/0x2d8
	etm_event_del+0x20/0x2c
	event_sched_out+0x214/0x6f0
	group_sched_out+0xd0/0x270
	ctx_sched_out+0x2ec/0x518
	__perf_event_task_sched_out+0x4fc/0xe6c
	__schedule+0x1094/0x16a0
	preempt_schedule_irq+0x88/0x170
	arm64_preempt_schedule_irq+0xf0/0x18c
	el1_irq+0xe8/0x180
	perf_event_exec+0x4d8/0x56c
	setup_new_exec+0x204/0x400
	load_elf_binary+0x72c/0x18c0
	search_binary_handler+0x13c/0x420
	load_script+0x500/0x6c4
	search_binary_handler+0x13c/0x420
	exec_binprm+0x118/0x654
	__do_execve_file+0x77c/0xba4
	__arm64_compat_sys_execve+0x98/0xac
	el0_svc_common+0x1f8/0x5e0
	el0_svc_compat_handler+0x84/0xb0
	el0_svc_compat+0x10/0x50

	The buggy address belongs to the variable:
	barrier_pkt+0x10/0x40

	Memory state around the buggy address:
	ffffffd05b7d0f00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
	ffffffd05b7d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	>ffffffd05b7d1000: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 03
	^
	ffffffd05b7d1080: fa fa fa fa 00 02 fa fa fa fa fa fa 03 fa fa fa
	ffffffd05b7d1100: fa fa fa fa 00 00 00 00 05 fa fa fa fa fa fa fa
	==================================================================

	The Linux kernel CVE team has assigned CVE-2021-47346 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 4.19.198 with commit 04bd77ef4f4d9fc6102023b85f4590fc2130aac5
	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.4.133 with commit ef0a06acc6b16388640ad367eedfa2a17f1945db
	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.10.51 with commit 35c1c4bd2d59ad734129d4e232af9d1098023918
	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.12.18 with commit 733d4d95c0101d5f277b8e4910411d016e49a9dc
	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.13.3 with commit 0115687be7b13993066aef602253a53d55f5b11f
	Issue introduced in 4.14 with commit 0c3fc4d5fa26092853278145aca9b21fa52a3e93 and fixed in 5.14 with commit 5fae8a946ac2df879caf3f79a193d4766d00239b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47346
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/hwtracing/coresight/coresight-tmc-etf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/04bd77ef4f4d9fc6102023b85f4590fc2130aac5
	https://git.kernel.org/stable/c/ef0a06acc6b16388640ad367eedfa2a17f1945db
	https://git.kernel.org/stable/c/35c1c4bd2d59ad734129d4e232af9d1098023918
	https://git.kernel.org/stable/c/733d4d95c0101d5f277b8e4910411d016e49a9dc
	https://git.kernel.org/stable/c/0115687be7b13993066aef602253a53d55f5b11f
	https://git.kernel.org/stable/c/5fae8a946ac2df879caf3f79a193d4766d00239b