cve/published/2021/CVE-2021-47393.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47393: hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

 Fan speed minimum can be enforced from sysfs. For example, setting
 current fan speed to 20 is used to enforce fan speed to be at 100%
 speed, 19 - to be not below 90% speed, etcetera. This feature provides
 ability to limit fan speed according to some system wise
 considerations, like absence of some replaceable units or high system
 ambient temperature.

 Request for changing fan minimum speed is configuration request and can
 be set only through 'sysfs' write procedure. In this situation value of
 argument 'state' is above nominal fan speed maximum.

 Return non-zero code in this case to avoid
 thermal_cooling_device_stats_update() call, because in this case
 statistics update violates thermal statistics table range.
 The issues is observed in case kernel is configured with option
 CONFIG_THERMAL_STATISTICS.

 Here is the trace from KASAN:
 [  159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0
 [  159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444
 [  159.545625] Call Trace:
 [  159.548366]  dump_stack+0x92/0xc1
 [  159.552084]  ? thermal_cooling_device_stats_update+0x7d/0xb0
 [  159.635869]  thermal_zone_device_update+0x345/0x780
 [  159.688711]  thermal_zone_device_set_mode+0x7d/0xc0
 [  159.694174]  mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]
 [  159.700972]  ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]
 [  159.731827]  mlxsw_thermal_init+0x763/0x880 [mlxsw_core]
 [  160.070233] RIP: 0033:0x7fd995909970
 [  160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ..
 [  160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
 [  160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970
 [  160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001
 [  160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700
 [  160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013
 [  160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013
 [  160.143671]
 [  160.145338] Allocated by task 2924:
 [  160.149242]  kasan_save_stack+0x19/0x40
 [  160.153541]  __kasan_kmalloc+0x7f/0xa0
 [  160.157743]  __kmalloc+0x1a2/0x2b0
 [  160.161552]  thermal_cooling_device_setup_sysfs+0xf9/0x1a0
 [  160.167687]  __thermal_cooling_device_register+0x1b5/0x500
 [  160.173833]  devm_thermal_of_cooling_device_register+0x60/0xa0
 [  160.180356]  mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]
 [  160.248140]
 [  160.249807] The buggy address belongs to the object at ffff888116163400
 [  160.249807]  which belongs to the cache kmalloc-1k of size 1024
 [  160.263814] The buggy address is located 64 bytes to the right of
 [  160.263814]  1024-byte region [ffff888116163400, ffff888116163800)
 [  160.277536] The buggy address belongs to the page:
 [  160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160
 [  160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0
 [  160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)
 [  160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0
 [  160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000
 [  160.327033] page dumped because: kasan: bad access detected
 [  160.333270]
 [  160.334937] Memory state around the buggy address:
 [  160.356469] >ffff888116163800: fc ..

 The Linux kernel CVE team has assigned CVE-2021-47393 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 4.19.209 with commit 5c6e0bce647d9cb32a17d58ffa669b3421fcc6ca
 	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 5.4.151 with commit a6c42ae1530f94724d3c42cf91fe3d3c5e394f8a
 	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 5.10.71 with commit 76bbb482d33bfcd7e9070ecf594c9ec73e01c930
 	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 5.14.10 with commit aa85fb7bde558bb2e364e85976b14b259c8b6fe8
 	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 5.15 with commit e6fab7af6ba1bc77c78713a83876f60ca7a4a064

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47393
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/hwmon/mlxreg-fan.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5c6e0bce647d9cb32a17d58ffa669b3421fcc6ca
 	https://git.kernel.org/stable/c/a6c42ae1530f94724d3c42cf91fe3d3c5e394f8a
 	https://git.kernel.org/stable/c/76bbb482d33bfcd7e9070ecf594c9ec73e01c930
 	https://git.kernel.org/stable/c/aa85fb7bde558bb2e364e85976b14b259c8b6fe8
 	https://git.kernel.org/stable/c/e6fab7af6ba1bc77c78713a83876f60ca7a4a064
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47393: hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

	Fan speed minimum can be enforced from sysfs. For example, setting
	current fan speed to 20 is used to enforce fan speed to be at 100%
	speed, 19 - to be not below 90% speed, etcetera. This feature provides
	ability to limit fan speed according to some system wise
	considerations, like absence of some replaceable units or high system
	ambient temperature.

	Request for changing fan minimum speed is configuration request and can
	be set only through 'sysfs' write procedure. In this situation value of
	argument 'state' is above nominal fan speed maximum.

	Return non-zero code in this case to avoid
	thermal_cooling_device_stats_update() call, because in this case
	statistics update violates thermal statistics table range.
	The issues is observed in case kernel is configured with option
	CONFIG_THERMAL_STATISTICS.

	Here is the trace from KASAN:
	[ 159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0
	[ 159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444
	[ 159.545625] Call Trace:
	[ 159.548366] dump_stack+0x92/0xc1
	[ 159.552084] ? thermal_cooling_device_stats_update+0x7d/0xb0
	[ 159.635869] thermal_zone_device_update+0x345/0x780
	[ 159.688711] thermal_zone_device_set_mode+0x7d/0xc0
	[ 159.694174] mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]
	[ 159.700972] ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]
	[ 159.731827] mlxsw_thermal_init+0x763/0x880 [mlxsw_core]
	[ 160.070233] RIP: 0033:0x7fd995909970
	[ 160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ..
	[ 160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
	[ 160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970
	[ 160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001
	[ 160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700
	[ 160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013
	[ 160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013
	[ 160.143671]
	[ 160.145338] Allocated by task 2924:
	[ 160.149242] kasan_save_stack+0x19/0x40
	[ 160.153541] __kasan_kmalloc+0x7f/0xa0
	[ 160.157743] __kmalloc+0x1a2/0x2b0
	[ 160.161552] thermal_cooling_device_setup_sysfs+0xf9/0x1a0
	[ 160.167687] __thermal_cooling_device_register+0x1b5/0x500
	[ 160.173833] devm_thermal_of_cooling_device_register+0x60/0xa0
	[ 160.180356] mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]
	[ 160.248140]
	[ 160.249807] The buggy address belongs to the object at ffff888116163400
	[ 160.249807] which belongs to the cache kmalloc-1k of size 1024
	[ 160.263814] The buggy address is located 64 bytes to the right of
	[ 160.263814] 1024-byte region [ffff888116163400, ffff888116163800)
	[ 160.277536] The buggy address belongs to the page:
	[ 160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160
	[ 160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0
	[ 160.303251] flags: 0x200000000010200(slab\|head\|node=0\|zone=2)
	[ 160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0
	[ 160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000
	[ 160.327033] page dumped because: kasan: bad access detected
	[ 160.333270]
	[ 160.334937] Memory state around the buggy address:
	[ 160.356469] >ffff888116163800: fc ..

	The Linux kernel CVE team has assigned CVE-2021-47393 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 4.19.209 with commit 5c6e0bce647d9cb32a17d58ffa669b3421fcc6ca
	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 5.4.151 with commit a6c42ae1530f94724d3c42cf91fe3d3c5e394f8a
	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 5.10.71 with commit 76bbb482d33bfcd7e9070ecf594c9ec73e01c930
	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 5.14.10 with commit aa85fb7bde558bb2e364e85976b14b259c8b6fe8
	Issue introduced in 4.19 with commit 65afb4c8e7e4e7e74b28efa1df62da503ca3e7a6 and fixed in 5.15 with commit e6fab7af6ba1bc77c78713a83876f60ca7a4a064

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47393
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/hwmon/mlxreg-fan.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5c6e0bce647d9cb32a17d58ffa669b3421fcc6ca
	https://git.kernel.org/stable/c/a6c42ae1530f94724d3c42cf91fe3d3c5e394f8a
	https://git.kernel.org/stable/c/76bbb482d33bfcd7e9070ecf594c9ec73e01c930
	https://git.kernel.org/stable/c/aa85fb7bde558bb2e364e85976b14b259c8b6fe8
	https://git.kernel.org/stable/c/e6fab7af6ba1bc77c78713a83876f60ca7a4a064