cve/published/2024/CVE-2024-40978.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-40978: scsi: qedi: Fix crash while reading debugfs attribute

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 scsi: qedi: Fix crash while reading debugfs attribute

 The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly
 on a __user pointer, which results into the crash.

 To fix this issue, use a small local stack buffer for sprintf() and then
 call simple_read_from_buffer(), which in turns make the copy_to_user()
 call.

 BUG: unable to handle page fault for address: 00007f4801111000
 PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0
 Oops: 0002 [#1] PREEMPT SMP PTI
 Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023
 RIP: 0010:memcpy_orig+0xcd/0x130
 RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202
 RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f
 RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000
 RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572
 R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff
 R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af
 FS:  00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? __die_body+0x1a/0x60
  ? page_fault_oops+0x183/0x510
  ? exc_page_fault+0x69/0x150
  ? asm_exc_page_fault+0x22/0x30
  ? memcpy_orig+0xcd/0x130
  vsnprintf+0x102/0x4c0
  sprintf+0x51/0x80
  qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]
  full_proxy_read+0x50/0x80
  vfs_read+0xa5/0x2e0
  ? folio_add_new_anon_rmap+0x44/0xa0
  ? set_pte_at+0x15/0x30
  ? do_pte_missing+0x426/0x7f0
  ksys_read+0xa5/0xe0
  do_syscall_64+0x58/0x80
  ? __count_memcg_events+0x46/0x90
  ? count_memcg_event_mm+0x3d/0x60
  ? handle_mm_fault+0x196/0x2f0
  ? do_user_addr_fault+0x267/0x890
  ? exc_page_fault+0x69/0x150
  entry_SYSCALL_64_after_hwframe+0x72/0xdc
 RIP: 0033:0x7f4800f20b4d

 The Linux kernel CVE team has assigned CVE-2024-40978 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.317 with commit 56bec63a7fc87ad50b3373a87517dc9770eef9e0
 	Fixed in 5.4.279 with commit 21c963de2e86e88f6a8ca556bcebb8e62ab8e901
 	Fixed in 5.10.221 with commit 144d76a676b630e321556965011b00e2de0b40a7
 	Fixed in 5.15.162 with commit 397a8990c377ee4b61d6df768e61dff9e316d46b
 	Fixed in 6.1.96 with commit eaddb86637669f6bad89245ee63f8fb2bfb50241
 	Fixed in 6.6.36 with commit fa85b016a56b9775a3fe41e5d26e666945963b46
 	Fixed in 6.9.7 with commit e2f433ea7d0ff77998766a088a287337fb43ad75
 	Fixed in 6.10 with commit 28027ec8e32ecbadcd67623edb290dad61e735b5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-40978
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/scsi/qedi/qedi_debugfs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0
 	https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901
 	https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7
 	https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b
 	https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241
 	https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46
 	https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75
 	https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-40978: scsi: qedi: Fix crash while reading debugfs attribute

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	scsi: qedi: Fix crash while reading debugfs attribute

	The qedi_dbg_do_not_recover_cmd_read() function invokes sprintf() directly
	on a __user pointer, which results into the crash.

	To fix this issue, use a small local stack buffer for sprintf() and then
	call simple_read_from_buffer(), which in turns make the copy_to_user()
	call.

	BUG: unable to handle page fault for address: 00007f4801111000
	PGD 8000000864df6067 P4D 8000000864df6067 PUD 864df7067 PMD 846028067 PTE 0
	Oops: 0002 [#1] PREEMPT SMP PTI
	Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/15/2023
	RIP: 0010:memcpy_orig+0xcd/0x130
	RSP: 0018:ffffb7a18c3ffc40 EFLAGS: 00010202
	RAX: 00007f4801111000 RBX: 00007f4801111000 RCX: 000000000000000f
	RDX: 000000000000000f RSI: ffffffffc0bfd7a0 RDI: 00007f4801111000
	RBP: ffffffffc0bfd7a0 R08: 725f746f6e5f6f64 R09: 3d7265766f636572
	R10: ffffb7a18c3ffd08 R11: 0000000000000000 R12: 00007f4881110fff
	R13: 000000007fffffff R14: ffffb7a18c3ffca0 R15: ffffffffc0bfd7af
	FS: 00007f480118a740(0000) GS:ffff98e38af00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f4801111000 CR3: 0000000864b8e001 CR4: 00000000007706e0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
	PKRU: 55555554
	Call Trace:
	<TASK>
	? __die_body+0x1a/0x60
	? page_fault_oops+0x183/0x510
	? exc_page_fault+0x69/0x150
	? asm_exc_page_fault+0x22/0x30
	? memcpy_orig+0xcd/0x130
	vsnprintf+0x102/0x4c0
	sprintf+0x51/0x80
	qedi_dbg_do_not_recover_cmd_read+0x2f/0x50 [qedi 6bcfdeeecdea037da47069eca2ba717c84a77324]
	full_proxy_read+0x50/0x80
	vfs_read+0xa5/0x2e0
	? folio_add_new_anon_rmap+0x44/0xa0
	? set_pte_at+0x15/0x30
	? do_pte_missing+0x426/0x7f0
	ksys_read+0xa5/0xe0
	do_syscall_64+0x58/0x80
	? __count_memcg_events+0x46/0x90
	? count_memcg_event_mm+0x3d/0x60
	? handle_mm_fault+0x196/0x2f0
	? do_user_addr_fault+0x267/0x890
	? exc_page_fault+0x69/0x150
	entry_SYSCALL_64_after_hwframe+0x72/0xdc
	RIP: 0033:0x7f4800f20b4d

	The Linux kernel CVE team has assigned CVE-2024-40978 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.317 with commit 56bec63a7fc87ad50b3373a87517dc9770eef9e0
	Fixed in 5.4.279 with commit 21c963de2e86e88f6a8ca556bcebb8e62ab8e901
	Fixed in 5.10.221 with commit 144d76a676b630e321556965011b00e2de0b40a7
	Fixed in 5.15.162 with commit 397a8990c377ee4b61d6df768e61dff9e316d46b
	Fixed in 6.1.96 with commit eaddb86637669f6bad89245ee63f8fb2bfb50241
	Fixed in 6.6.36 with commit fa85b016a56b9775a3fe41e5d26e666945963b46
	Fixed in 6.9.7 with commit e2f433ea7d0ff77998766a088a287337fb43ad75
	Fixed in 6.10 with commit 28027ec8e32ecbadcd67623edb290dad61e735b5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-40978
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/scsi/qedi/qedi_debugfs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/56bec63a7fc87ad50b3373a87517dc9770eef9e0
	https://git.kernel.org/stable/c/21c963de2e86e88f6a8ca556bcebb8e62ab8e901
	https://git.kernel.org/stable/c/144d76a676b630e321556965011b00e2de0b40a7
	https://git.kernel.org/stable/c/397a8990c377ee4b61d6df768e61dff9e316d46b
	https://git.kernel.org/stable/c/eaddb86637669f6bad89245ee63f8fb2bfb50241
	https://git.kernel.org/stable/c/fa85b016a56b9775a3fe41e5d26e666945963b46
	https://git.kernel.org/stable/c/e2f433ea7d0ff77998766a088a287337fb43ad75
	https://git.kernel.org/stable/c/28027ec8e32ecbadcd67623edb290dad61e735b5