cve/published/2021/CVE-2021-47554.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47554: vdpa_sim: avoid putting an uninitialized iova_domain

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 vdpa_sim: avoid putting an uninitialized iova_domain

 The system will crash if we put an uninitialized iova_domain, this
 could happen when an error occurs before initializing the iova_domain
 in vdpasim_create().

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 ...
 RIP: 0010:__cpuhp_state_remove_instance+0x96/0x1c0
 ...
 Call Trace:
  <TASK>
  put_iova_domain+0x29/0x220
  vdpasim_free+0xd1/0x120 [vdpa_sim]
  vdpa_release_dev+0x21/0x40 [vdpa]
  device_release+0x33/0x90
  kobject_release+0x63/0x160
  vdpasim_create+0x127/0x2a0 [vdpa_sim]
  vdpasim_net_dev_add+0x7d/0xfe [vdpa_sim_net]
  vdpa_nl_cmd_dev_add_set_doit+0xe1/0x1a0 [vdpa]
  genl_family_rcv_msg_doit+0x112/0x140
  genl_rcv_msg+0xdf/0x1d0
  ...

 So we must make sure the iova_domain is already initialized before
 put it.

 In addition, we may get the following warning in this case:
 WARNING: ... drivers/iommu/iova.c:344 iova_cache_put+0x58/0x70

 So we must make sure the iova_cache_put() is invoked only if the
 iova_cache_get() is already invoked. Let's fix it together.

 The Linux kernel CVE team has assigned CVE-2021-47554 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 4080fc1067501707b9693b8003feae7d50d14e35 and fixed in 5.15.6 with commit e4d58ac67e63727aa45a4a26185876f598e8b3dd
 	Issue introduced in 5.13 with commit 4080fc1067501707b9693b8003feae7d50d14e35 and fixed in 5.16 with commit bb93ce4b150dde79f58e34103cbd1fe829796649

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47554
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/vdpa/vdpa_sim/vdpa_sim.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e4d58ac67e63727aa45a4a26185876f598e8b3dd
 	https://git.kernel.org/stable/c/bb93ce4b150dde79f58e34103cbd1fe829796649
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47554: vdpa_sim: avoid putting an uninitialized iova_domain

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	vdpa_sim: avoid putting an uninitialized iova_domain

	The system will crash if we put an uninitialized iova_domain, this
	could happen when an error occurs before initializing the iova_domain
	in vdpasim_create().

	BUG: kernel NULL pointer dereference, address: 0000000000000000
	...
	RIP: 0010:__cpuhp_state_remove_instance+0x96/0x1c0
	...
	Call Trace:
	<TASK>
	put_iova_domain+0x29/0x220
	vdpasim_free+0xd1/0x120 [vdpa_sim]
	vdpa_release_dev+0x21/0x40 [vdpa]
	device_release+0x33/0x90
	kobject_release+0x63/0x160
	vdpasim_create+0x127/0x2a0 [vdpa_sim]
	vdpasim_net_dev_add+0x7d/0xfe [vdpa_sim_net]
	vdpa_nl_cmd_dev_add_set_doit+0xe1/0x1a0 [vdpa]
	genl_family_rcv_msg_doit+0x112/0x140
	genl_rcv_msg+0xdf/0x1d0
	...

	So we must make sure the iova_domain is already initialized before
	put it.

	In addition, we may get the following warning in this case:
	WARNING: ... drivers/iommu/iova.c:344 iova_cache_put+0x58/0x70

	So we must make sure the iova_cache_put() is invoked only if the
	iova_cache_get() is already invoked. Let's fix it together.

	The Linux kernel CVE team has assigned CVE-2021-47554 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 4080fc1067501707b9693b8003feae7d50d14e35 and fixed in 5.15.6 with commit e4d58ac67e63727aa45a4a26185876f598e8b3dd
	Issue introduced in 5.13 with commit 4080fc1067501707b9693b8003feae7d50d14e35 and fixed in 5.16 with commit bb93ce4b150dde79f58e34103cbd1fe829796649

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47554
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/vdpa/vdpa_sim/vdpa_sim.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e4d58ac67e63727aa45a4a26185876f598e8b3dd
	https://git.kernel.org/stable/c/bb93ce4b150dde79f58e34103cbd1fe829796649