cve/published/2023/CVE-2023-52488.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52488: serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO

 The SC16IS7XX IC supports a burst mode to access the FIFOs where the
 initial register address is sent ($00), followed by all the FIFO data
 without having to resend the register address each time. In this mode, the
 IC doesn't increment the register address for each R/W byte.

 The regmap_raw_read() and regmap_raw_write() are functions which can
 perform IO over multiple registers. They are currently used to read/write
 from/to the FIFO, and although they operate correctly in this burst mode on
 the SPI bus, they would corrupt the regmap cache if it was not disabled
 manually. The reason is that when the R/W size is more than 1 byte, these
 functions assume that the register address is incremented and handle the
 cache accordingly.

 Convert FIFO R/W functions to use the regmap _noinc_ versions in order to
 remove the manual cache control which was a workaround when using the
 _raw_ versions. FIFO registers are properly declared as volatile so
 cache will not be used/updated for FIFO accesses.

 The Linux kernel CVE team has assigned CVE-2023-52488 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 5.10.215 with commit 4e37416e4ee1b1bc17364a68973e0c63be89e611
 	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 5.15.154 with commit e635f652696ef6f1230621cfd89c350cb5ec6169
 	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 6.1.76 with commit 416b10d2817c94db86829fb92ad43ce7d002c573
 	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 6.6.15 with commit 084c24e788d9cf29c55564de368bf5284f2bb5db
 	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 6.7.3 with commit aa7cb4787698add9367b19f7afc667662c9bdb23
 	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 6.8 with commit dbf4ab821804df071c8b566d9813083125e6d97b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52488
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/tty/serial/sc16is7xx.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611
 	https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169
 	https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573
 	https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db
 	https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23
 	https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52488: serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO

	The SC16IS7XX IC supports a burst mode to access the FIFOs where the
	initial register address is sent ($00), followed by all the FIFO data
	without having to resend the register address each time. In this mode, the
	IC doesn't increment the register address for each R/W byte.

	The regmap_raw_read() and regmap_raw_write() are functions which can
	perform IO over multiple registers. They are currently used to read/write
	from/to the FIFO, and although they operate correctly in this burst mode on
	the SPI bus, they would corrupt the regmap cache if it was not disabled
	manually. The reason is that when the R/W size is more than 1 byte, these
	functions assume that the register address is incremented and handle the
	cache accordingly.

	Convert FIFO R/W functions to use the regmap _noinc_ versions in order to
	remove the manual cache control which was a workaround when using the
	_raw_ versions. FIFO registers are properly declared as volatile so
	cache will not be used/updated for FIFO accesses.

	The Linux kernel CVE team has assigned CVE-2023-52488 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 5.10.215 with commit 4e37416e4ee1b1bc17364a68973e0c63be89e611
	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 5.15.154 with commit e635f652696ef6f1230621cfd89c350cb5ec6169
	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 6.1.76 with commit 416b10d2817c94db86829fb92ad43ce7d002c573
	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 6.6.15 with commit 084c24e788d9cf29c55564de368bf5284f2bb5db
	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 6.7.3 with commit aa7cb4787698add9367b19f7afc667662c9bdb23
	Issue introduced in 3.16 with commit dfeae619d781dee61666d5551b93ba3be755a86b and fixed in 6.8 with commit dbf4ab821804df071c8b566d9813083125e6d97b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52488
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/tty/serial/sc16is7xx.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/4e37416e4ee1b1bc17364a68973e0c63be89e611
	https://git.kernel.org/stable/c/e635f652696ef6f1230621cfd89c350cb5ec6169
	https://git.kernel.org/stable/c/416b10d2817c94db86829fb92ad43ce7d002c573
	https://git.kernel.org/stable/c/084c24e788d9cf29c55564de368bf5284f2bb5db
	https://git.kernel.org/stable/c/aa7cb4787698add9367b19f7afc667662c9bdb23
	https://git.kernel.org/stable/c/dbf4ab821804df071c8b566d9813083125e6d97b