cve/published/2021/CVE-2021-47441.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47441: mlxsw: thermal: Fix out-of-bounds memory accesses

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mlxsw: thermal: Fix out-of-bounds memory accesses

 Currently, mlxsw allows cooling states to be set above the maximum
 cooling state supported by the driver:

  # cat /sys/class/thermal/thermal_zone2/cdev0/type
  mlxsw_fan
  # cat /sys/class/thermal/thermal_zone2/cdev0/max_state
  10
  # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state
  # echo $?
  0

 This results in out-of-bounds memory accesses when thermal state
 transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the
 transition table is accessed with a too large index (state) [1].

 According to the thermal maintainer, it is the responsibility of the
 driver to reject such operations [2].

 Therefore, return an error when the state to be set exceeds the maximum
 cooling state supported by the driver.

 To avoid dead code, as suggested by the thermal maintainer [3],
 partially revert commit a421ce088ac8 ("mlxsw: core: Extend cooling
 device with cooling levels") that tried to interpret these invalid
 cooling states (above the maximum) in a special way. The cooling levels
 array is not removed in order to prevent the fans going below 20% PWM,
 which would cause them to get stuck at 0% PWM.

 [1]
 BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290
 Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5

 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122
 Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016
 Workqueue: events_freezable_power_ thermal_zone_device_check
 Call Trace:
  dump_stack_lvl+0x8b/0xb3
  print_address_description.constprop.0+0x1f/0x140
  kasan_report.cold+0x7f/0x11b
  thermal_cooling_device_stats_update+0x271/0x290
  __thermal_cdev_update+0x15e/0x4e0
  thermal_cdev_update+0x9f/0xe0
  step_wise_throttle+0x770/0xee0
  thermal_zone_device_update+0x3f6/0xdf0
  process_one_work+0xa42/0x1770
  worker_thread+0x62f/0x13e0
  kthread+0x3ee/0x4e0
  ret_from_fork+0x1f/0x30

 Allocated by task 1:
  kasan_save_stack+0x1b/0x40
  __kasan_kmalloc+0x7c/0x90
  thermal_cooling_device_setup_sysfs+0x153/0x2c0
  __thermal_cooling_device_register.part.0+0x25b/0x9c0
  thermal_cooling_device_register+0xb3/0x100
  mlxsw_thermal_init+0x5c5/0x7e0
  __mlxsw_core_bus_device_register+0xcb3/0x19c0
  mlxsw_core_bus_device_register+0x56/0xb0
  mlxsw_pci_probe+0x54f/0x710
  local_pci_probe+0xc6/0x170
  pci_device_probe+0x2b2/0x4d0
  really_probe+0x293/0xd10
  __driver_probe_device+0x2af/0x440
  driver_probe_device+0x51/0x1e0
  __driver_attach+0x21b/0x530
  bus_for_each_dev+0x14c/0x1d0
  bus_add_driver+0x3ac/0x650
  driver_register+0x241/0x3d0
  mlxsw_sp_module_init+0xa2/0x174
  do_one_initcall+0xee/0x5f0
  kernel_init_freeable+0x45a/0x4de
  kernel_init+0x1f/0x210
  ret_from_fork+0x1f/0x30

 The buggy address belongs to the object at ffff8881052f7800
  which belongs to the cache kmalloc-1k of size 1024
 The buggy address is located 1016 bytes inside of
  1024-byte region [ffff8881052f7800, ffff8881052f7c00)
 The buggy address belongs to the page:
 page:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0
 head:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0
 flags: 0x200000000010200(slab|head|node=0|zone=2)
 raw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0
 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
  ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 >ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                                 ^
  ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

 [2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-1895-1fdc45c0244e@linaro.org/
 [3] https://lore.kernel.org/linux-pm/af9857f2-578e-de3a-e62b-6baff7e69fd4@linaro.org/

 The Linux kernel CVE team has assigned CVE-2021-47441 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.10 with commit a50c1e35650b929500bd89be61c89d95a267ce56 and fixed in 5.4.155 with commit ae0993739e14a102d506aa09e11b0065f3144f10
 	Issue introduced in 4.10 with commit a50c1e35650b929500bd89be61c89d95a267ce56 and fixed in 5.10.75 with commit e59d839743b50cb1d3f42a786bea48cc5621d254
 	Issue introduced in 4.10 with commit a50c1e35650b929500bd89be61c89d95a267ce56 and fixed in 5.14.14 with commit df8e58716afb3bee2b59de66b1ba1033f2e26303
 	Issue introduced in 4.10 with commit a50c1e35650b929500bd89be61c89d95a267ce56 and fixed in 5.15 with commit 332fdf951df8b870e3da86b122ae304e2aabe88c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47441
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/mellanox/mlxsw/core_thermal.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ae0993739e14a102d506aa09e11b0065f3144f10
 	https://git.kernel.org/stable/c/e59d839743b50cb1d3f42a786bea48cc5621d254
 	https://git.kernel.org/stable/c/df8e58716afb3bee2b59de66b1ba1033f2e26303
 	https://git.kernel.org/stable/c/332fdf951df8b870e3da86b122ae304e2aabe88c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47441: mlxsw: thermal: Fix out-of-bounds memory accesses

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mlxsw: thermal: Fix out-of-bounds memory accesses

	Currently, mlxsw allows cooling states to be set above the maximum
	cooling state supported by the driver:

	# cat /sys/class/thermal/thermal_zone2/cdev0/type
	mlxsw_fan
	# cat /sys/class/thermal/thermal_zone2/cdev0/max_state
	10
	# echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state
	# echo $?
	0

	This results in out-of-bounds memory accesses when thermal state
	transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the
	transition table is accessed with a too large index (state) [1].

	According to the thermal maintainer, it is the responsibility of the
	driver to reject such operations [2].

	Therefore, return an error when the state to be set exceeds the maximum
	cooling state supported by the driver.

	To avoid dead code, as suggested by the thermal maintainer [3],
	partially revert commit a421ce088ac8 ("mlxsw: core: Extend cooling
	device with cooling levels") that tried to interpret these invalid
	cooling states (above the maximum) in a special way. The cooling levels
	array is not removed in order to prevent the fans going below 20% PWM,
	which would cause them to get stuck at 0% PWM.

	[1]
	BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290
	Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5

	CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122
	Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016
	Workqueue: events_freezable_power_ thermal_zone_device_check
	Call Trace:
	dump_stack_lvl+0x8b/0xb3
	print_address_description.constprop.0+0x1f/0x140
	kasan_report.cold+0x7f/0x11b
	thermal_cooling_device_stats_update+0x271/0x290
	__thermal_cdev_update+0x15e/0x4e0
	thermal_cdev_update+0x9f/0xe0
	step_wise_throttle+0x770/0xee0
	thermal_zone_device_update+0x3f6/0xdf0
	process_one_work+0xa42/0x1770
	worker_thread+0x62f/0x13e0
	kthread+0x3ee/0x4e0
	ret_from_fork+0x1f/0x30

	Allocated by task 1:
	kasan_save_stack+0x1b/0x40
	__kasan_kmalloc+0x7c/0x90
	thermal_cooling_device_setup_sysfs+0x153/0x2c0
	__thermal_cooling_device_register.part.0+0x25b/0x9c0
	thermal_cooling_device_register+0xb3/0x100
	mlxsw_thermal_init+0x5c5/0x7e0
	__mlxsw_core_bus_device_register+0xcb3/0x19c0
	mlxsw_core_bus_device_register+0x56/0xb0
	mlxsw_pci_probe+0x54f/0x710
	local_pci_probe+0xc6/0x170
	pci_device_probe+0x2b2/0x4d0
	really_probe+0x293/0xd10
	__driver_probe_device+0x2af/0x440
	driver_probe_device+0x51/0x1e0
	__driver_attach+0x21b/0x530
	bus_for_each_dev+0x14c/0x1d0
	bus_add_driver+0x3ac/0x650
	driver_register+0x241/0x3d0
	mlxsw_sp_module_init+0xa2/0x174
	do_one_initcall+0xee/0x5f0
	kernel_init_freeable+0x45a/0x4de
	kernel_init+0x1f/0x210
	ret_from_fork+0x1f/0x30

	The buggy address belongs to the object at ffff8881052f7800
	which belongs to the cache kmalloc-1k of size 1024
	The buggy address is located 1016 bytes inside of
	1024-byte region [ffff8881052f7800, ffff8881052f7c00)
	The buggy address belongs to the page:
	page:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0
	head:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0
	flags: 0x200000000010200(slab\|head\|node=0\|zone=2)
	raw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0
	raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
	page dumped because: kasan: bad access detected

	Memory state around the buggy address:
	ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
	ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	>ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	^
	ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

	[2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-1895-1fdc45c0244e@linaro.org/
	[3] https://lore.kernel.org/linux-pm/af9857f2-578e-de3a-e62b-6baff7e69fd4@linaro.org/

	The Linux kernel CVE team has assigned CVE-2021-47441 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.10 with commit a50c1e35650b929500bd89be61c89d95a267ce56 and fixed in 5.4.155 with commit ae0993739e14a102d506aa09e11b0065f3144f10
	Issue introduced in 4.10 with commit a50c1e35650b929500bd89be61c89d95a267ce56 and fixed in 5.10.75 with commit e59d839743b50cb1d3f42a786bea48cc5621d254
	Issue introduced in 4.10 with commit a50c1e35650b929500bd89be61c89d95a267ce56 and fixed in 5.14.14 with commit df8e58716afb3bee2b59de66b1ba1033f2e26303
	Issue introduced in 4.10 with commit a50c1e35650b929500bd89be61c89d95a267ce56 and fixed in 5.15 with commit 332fdf951df8b870e3da86b122ae304e2aabe88c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47441
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/mellanox/mlxsw/core_thermal.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ae0993739e14a102d506aa09e11b0065f3144f10
	https://git.kernel.org/stable/c/e59d839743b50cb1d3f42a786bea48cc5621d254
	https://git.kernel.org/stable/c/df8e58716afb3bee2b59de66b1ba1033f2e26303
	https://git.kernel.org/stable/c/332fdf951df8b870e3da86b122ae304e2aabe88c