cve/published/2023/CVE-2023-53108.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53108: net/iucv: Fix size of interrupt data

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net/iucv: Fix size of interrupt data

 iucv_irq_data needs to be 4 bytes larger.
 These bytes are not used by the iucv module, but written by
 the z/VM hypervisor in case a CPU is deconfigured.

 Reported as:
 BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten
 -----------------------------------------------------------------------------
 0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc
 Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1
 __kmem_cache_alloc_node+0x166/0x450
 kmalloc_node_trace+0x3a/0x70
 iucv_cpu_prepare+0x44/0xd0
 cpuhp_invoke_callback+0x156/0x2f0
 cpuhp_issue_call+0xf0/0x298
 __cpuhp_setup_state_cpuslocked+0x136/0x338
 __cpuhp_setup_state+0xf4/0x288
 iucv_init+0xf4/0x280
 do_one_initcall+0x78/0x390
 do_initcalls+0x11a/0x140
 kernel_init_freeable+0x25e/0x2a0
 kernel_init+0x2e/0x170
 __ret_from_fork+0x3c/0x58
 ret_from_fork+0xa/0x40
 Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1
 __kmem_cache_free+0x308/0x358
 iucv_init+0x92/0x280
 do_one_initcall+0x78/0x390
 do_initcalls+0x11a/0x140
 kernel_init_freeable+0x25e/0x2a0
 kernel_init+0x2e/0x170
 __ret_from_fork+0x3c/0x58
 ret_from_fork+0xa/0x40
 Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab|head|node=0|zone=0|
 Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000
 Redzone  0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
 Redzone  0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
 Redzone  0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
 Redzone  0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
 Object   0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00  ................
 Object   0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2  ................
 Object   0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc  ................
 Object   0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
 Redzone  0000000000400580: cc cc cc cc cc cc cc cc                          ........
 Padding  00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
 Padding  00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
 Padding  00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a              ZZZZZZZZZZZZ
 CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1
 Hardware name: IBM 3931 A01 704 (z/VM 7.3.0)
 Call Trace:
 [<000000032aa034ec>] dump_stack_lvl+0xac/0x100
 [<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140
 [<0000000329f5aa78>] check_object+0x370/0x3c0
 [<0000000329f5ede6>] free_debug_processing+0x15e/0x348
 [<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0
 [<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8
 [<0000000329f61768>] __kmem_cache_free+0x308/0x358
 [<000000032a91465c>] iucv_cpu_dead+0x6c/0x88
 [<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0
 [<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0
 [<0000000329c3243e>] cpu_device_down+0x4e/0x78
 [<000000032a61dee0>] device_offline+0xc8/0x118
 [<000000032a61e048>] online_store+0x60/0xe0
 [<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8
 [<0000000329fab65c>] vfs_write+0x174/0x360
 [<0000000329fab9fc>] ksys_write+0x74/0x100
 [<000000032aa03a5a>] __do_syscall+0x1da/0x208
 [<000000032aa177b2>] system_call+0x82/0xb0
 INFO: lockdep is turned off.
 FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc
 FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed

 The Linux kernel CVE team has assigned CVE-2023-53108 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 4.14.311 with commit a908eae0f71811afee86be7088692f1aa5855c3b
 	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 4.19.279 with commit b0d2bb5e31a693ebc8888eb407f8a257a3680efa
 	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 5.4.238 with commit 71da5991b6438ad6da13ceb25465ee2760a1c52f
 	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 5.10.176 with commit bd2e78462ae18484e55ae4d285df2c86b86bdd12
 	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 5.15.104 with commit 3cfdefdaaa4b2a77e84d0db5e0a47a7aa3bb615a
 	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 6.1.21 with commit c78f1345db4e4b3b78f9b768f4074ebd60abe966
 	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 6.2.8 with commit 93a970494881004c348d8feb38463ee72496e99a
 	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 6.3 with commit 3d87debb8ed2649608ff432699e7c961c0c6f03b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53108
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/iucv/iucv.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a908eae0f71811afee86be7088692f1aa5855c3b
 	https://git.kernel.org/stable/c/b0d2bb5e31a693ebc8888eb407f8a257a3680efa
 	https://git.kernel.org/stable/c/71da5991b6438ad6da13ceb25465ee2760a1c52f
 	https://git.kernel.org/stable/c/bd2e78462ae18484e55ae4d285df2c86b86bdd12
 	https://git.kernel.org/stable/c/3cfdefdaaa4b2a77e84d0db5e0a47a7aa3bb615a
 	https://git.kernel.org/stable/c/c78f1345db4e4b3b78f9b768f4074ebd60abe966
 	https://git.kernel.org/stable/c/93a970494881004c348d8feb38463ee72496e99a
 	https://git.kernel.org/stable/c/3d87debb8ed2649608ff432699e7c961c0c6f03b
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53108: net/iucv: Fix size of interrupt data

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net/iucv: Fix size of interrupt data

	iucv_irq_data needs to be 4 bytes larger.
	These bytes are not used by the iucv module, but written by
	the z/VM hypervisor in case a CPU is deconfigured.

	Reported as:
	BUG dma-kmalloc-64 (Not tainted): kmalloc Redzone overwritten
	-----------------------------------------------------------------------------
	0x0000000000400564-0x0000000000400567 @offset=1380. First byte 0x80 instead of 0xcc
	Allocated in iucv_cpu_prepare+0x44/0xd0 age=167839 cpu=2 pid=1
	__kmem_cache_alloc_node+0x166/0x450
	kmalloc_node_trace+0x3a/0x70
	iucv_cpu_prepare+0x44/0xd0
	cpuhp_invoke_callback+0x156/0x2f0
	cpuhp_issue_call+0xf0/0x298
	__cpuhp_setup_state_cpuslocked+0x136/0x338
	__cpuhp_setup_state+0xf4/0x288
	iucv_init+0xf4/0x280
	do_one_initcall+0x78/0x390
	do_initcalls+0x11a/0x140
	kernel_init_freeable+0x25e/0x2a0
	kernel_init+0x2e/0x170
	__ret_from_fork+0x3c/0x58
	ret_from_fork+0xa/0x40
	Freed in iucv_init+0x92/0x280 age=167839 cpu=2 pid=1
	__kmem_cache_free+0x308/0x358
	iucv_init+0x92/0x280
	do_one_initcall+0x78/0x390
	do_initcalls+0x11a/0x140
	kernel_init_freeable+0x25e/0x2a0
	kernel_init+0x2e/0x170
	__ret_from_fork+0x3c/0x58
	ret_from_fork+0xa/0x40
	Slab 0x0000037200010000 objects=32 used=30 fp=0x0000000000400640 flags=0x1ffff00000010200(slab\|head\|node=0\|zone=0\|
	Object 0x0000000000400540 @offset=1344 fp=0x0000000000000000
	Redzone 0000000000400500: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
	Redzone 0000000000400510: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
	Redzone 0000000000400520: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
	Redzone 0000000000400530: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
	Object 0000000000400540: 00 01 00 03 00 00 00 00 00 00 00 00 00 00 00 00 ................
	Object 0000000000400550: f3 86 81 f2 f4 82 f8 82 f0 f0 f0 f0 f0 f0 f0 f2 ................
	Object 0000000000400560: 00 00 00 00 80 00 00 00 cc cc cc cc cc cc cc cc ................
	Object 0000000000400570: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc ................
	Redzone 0000000000400580: cc cc cc cc cc cc cc cc ........
	Padding 00000000004005d4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
	Padding 00000000004005e4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
	Padding 00000000004005f4: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ
	CPU: 6 PID: 121030 Comm: 116-pai-crypto. Not tainted 6.3.0-20230221.rc0.git4.99b8246b2d71.300.fc37.s390x+debug #1
	Hardware name: IBM 3931 A01 704 (z/VM 7.3.0)
	Call Trace:
	[<000000032aa034ec>] dump_stack_lvl+0xac/0x100
	[<0000000329f5a6cc>] check_bytes_and_report+0x104/0x140
	[<0000000329f5aa78>] check_object+0x370/0x3c0
	[<0000000329f5ede6>] free_debug_processing+0x15e/0x348
	[<0000000329f5f06a>] free_to_partial_list+0x9a/0x2f0
	[<0000000329f5f4a4>] __slab_free+0x1e4/0x3a8
	[<0000000329f61768>] __kmem_cache_free+0x308/0x358
	[<000000032a91465c>] iucv_cpu_dead+0x6c/0x88
	[<0000000329c2fc66>] cpuhp_invoke_callback+0x156/0x2f0
	[<000000032aa062da>] _cpu_down.constprop.0+0x22a/0x5e0
	[<0000000329c3243e>] cpu_device_down+0x4e/0x78
	[<000000032a61dee0>] device_offline+0xc8/0x118
	[<000000032a61e048>] online_store+0x60/0xe0
	[<000000032a08b6b0>] kernfs_fop_write_iter+0x150/0x1e8
	[<0000000329fab65c>] vfs_write+0x174/0x360
	[<0000000329fab9fc>] ksys_write+0x74/0x100
	[<000000032aa03a5a>] __do_syscall+0x1da/0x208
	[<000000032aa177b2>] system_call+0x82/0xb0
	INFO: lockdep is turned off.
	FIX dma-kmalloc-64: Restoring kmalloc Redzone 0x0000000000400564-0x0000000000400567=0xcc
	FIX dma-kmalloc-64: Object at 0x0000000000400540 not freed

	The Linux kernel CVE team has assigned CVE-2023-53108 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 4.14.311 with commit a908eae0f71811afee86be7088692f1aa5855c3b
	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 4.19.279 with commit b0d2bb5e31a693ebc8888eb407f8a257a3680efa
	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 5.4.238 with commit 71da5991b6438ad6da13ceb25465ee2760a1c52f
	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 5.10.176 with commit bd2e78462ae18484e55ae4d285df2c86b86bdd12
	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 5.15.104 with commit 3cfdefdaaa4b2a77e84d0db5e0a47a7aa3bb615a
	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 6.1.21 with commit c78f1345db4e4b3b78f9b768f4074ebd60abe966
	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 6.2.8 with commit 93a970494881004c348d8feb38463ee72496e99a
	Issue introduced in 2.6.21 with commit 2356f4cb191100a5e92d537f13e5efdbc697e9cb and fixed in 6.3 with commit 3d87debb8ed2649608ff432699e7c961c0c6f03b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53108
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/iucv/iucv.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a908eae0f71811afee86be7088692f1aa5855c3b
	https://git.kernel.org/stable/c/b0d2bb5e31a693ebc8888eb407f8a257a3680efa
	https://git.kernel.org/stable/c/71da5991b6438ad6da13ceb25465ee2760a1c52f
	https://git.kernel.org/stable/c/bd2e78462ae18484e55ae4d285df2c86b86bdd12
	https://git.kernel.org/stable/c/3cfdefdaaa4b2a77e84d0db5e0a47a7aa3bb615a
	https://git.kernel.org/stable/c/c78f1345db4e4b3b78f9b768f4074ebd60abe966
	https://git.kernel.org/stable/c/93a970494881004c348d8feb38463ee72496e99a
	https://git.kernel.org/stable/c/3d87debb8ed2649608ff432699e7c961c0c6f03b