cve/published/2024/CVE-2024-26842.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26842: scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()

 When task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<
 task_tag will out of bounds for a u32 mask. Fix this up to prevent
 SHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).

 [name:debug_monitors&]Unexpected kernel BRK exception at EL1
 [name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP
 [name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done
 [name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000
 [name:mrdump&]PHYS_OFFSET: 0x80000000
 [name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)
 [name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288
 [name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c
 [name:mrdump&]sp : ffffffc0081471b0
 <snip>
 Workqueue: ufs_eh_wq_0 ufshcd_err_handler
 Call trace:
  dump_backtrace+0xf8/0x144
  show_stack+0x18/0x24
  dump_stack_lvl+0x78/0x9c
  dump_stack+0x18/0x44
  mrdump_common_die+0x254/0x480 [mrdump]
  ipanic_die+0x20/0x30 [mrdump]
  notify_die+0x15c/0x204
  die+0x10c/0x5f8
  arm64_notify_die+0x74/0x13c
  do_debug_exception+0x164/0x26c
  el1_dbg+0x64/0x80
  el1h_64_sync_handler+0x3c/0x90
  el1h_64_sync+0x68/0x6c
  ufshcd_clear_cmd+0x280/0x288
  ufshcd_wait_for_dev_cmd+0x3e4/0x82c
  ufshcd_exec_dev_cmd+0x5bc/0x9ac
  ufshcd_verify_dev_init+0x84/0x1c8
  ufshcd_probe_hba+0x724/0x1ce0
  ufshcd_host_reset_and_restore+0x260/0x574
  ufshcd_reset_and_restore+0x138/0xbd0
  ufshcd_err_handler+0x1218/0x2f28
  process_one_work+0x5fc/0x1140
  worker_thread+0x7d8/0xe20
  kthread+0x25c/0x468
  ret_from_fork+0x10/0x20

 The Linux kernel CVE team has assigned CVE-2024-26842 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.6.19 with commit 7ac9e18f5d66087cd22751c5c5bf0090eb0038fe
 	Fixed in 6.7.7 with commit a992425d18e5f7c48931121993c6c69426f2a8fb
 	Fixed in 6.8 with commit b513d30d59bb383a6a5d6b533afcab2cee99a8f8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26842
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/ufs/core/ufshcd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe
 	https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb
 	https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26842: scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()

	When task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<
	task_tag will out of bounds for a u32 mask. Fix this up to prevent
	SHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).

	[name:debug_monitors&]Unexpected kernel BRK exception at EL1
	[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP
	[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done
	[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000
	[name:mrdump&]PHYS_OFFSET: 0x80000000
	[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)
	[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288
	[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c
	[name:mrdump&]sp : ffffffc0081471b0
	<snip>
	Workqueue: ufs_eh_wq_0 ufshcd_err_handler
	Call trace:
	dump_backtrace+0xf8/0x144
	show_stack+0x18/0x24
	dump_stack_lvl+0x78/0x9c
	dump_stack+0x18/0x44
	mrdump_common_die+0x254/0x480 [mrdump]
	ipanic_die+0x20/0x30 [mrdump]
	notify_die+0x15c/0x204
	die+0x10c/0x5f8
	arm64_notify_die+0x74/0x13c
	do_debug_exception+0x164/0x26c
	el1_dbg+0x64/0x80
	el1h_64_sync_handler+0x3c/0x90
	el1h_64_sync+0x68/0x6c
	ufshcd_clear_cmd+0x280/0x288
	ufshcd_wait_for_dev_cmd+0x3e4/0x82c
	ufshcd_exec_dev_cmd+0x5bc/0x9ac
	ufshcd_verify_dev_init+0x84/0x1c8
	ufshcd_probe_hba+0x724/0x1ce0
	ufshcd_host_reset_and_restore+0x260/0x574
	ufshcd_reset_and_restore+0x138/0xbd0
	ufshcd_err_handler+0x1218/0x2f28
	process_one_work+0x5fc/0x1140
	worker_thread+0x7d8/0xe20
	kthread+0x25c/0x468
	ret_from_fork+0x10/0x20

	The Linux kernel CVE team has assigned CVE-2024-26842 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.6.19 with commit 7ac9e18f5d66087cd22751c5c5bf0090eb0038fe
	Fixed in 6.7.7 with commit a992425d18e5f7c48931121993c6c69426f2a8fb
	Fixed in 6.8 with commit b513d30d59bb383a6a5d6b533afcab2cee99a8f8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26842
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/ufs/core/ufshcd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe
	https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb
	https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8