| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-46743: of/irq: Prevent device address out-of-bounds read in interrupt map walk |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| of/irq: Prevent device address out-of-bounds read in interrupt map walk |
| |
| When of_irq_parse_raw() is invoked with a device address smaller than |
| the interrupt parent node (from #address-cells property), KASAN detects |
| the following out-of-bounds read when populating the initial match table |
| (dyndbg="func of_irq_parse_* +p"): |
| |
| OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 |
| OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 |
| OF: intspec=4 |
| OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 |
| OF: -> addrsize=3 |
| ================================================================== |
| BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 |
| Read of size 4 at addr ffffff81beca5608 by task bash/764 |
| |
| CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 |
| Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 |
| Call trace: |
| dump_backtrace+0xdc/0x130 |
| show_stack+0x1c/0x30 |
| dump_stack_lvl+0x6c/0x84 |
| print_report+0x150/0x448 |
| kasan_report+0x98/0x140 |
| __asan_load4+0x78/0xa0 |
| of_irq_parse_raw+0x2b8/0x8d0 |
| of_irq_parse_one+0x24c/0x270 |
| parse_interrupts+0xc0/0x120 |
| of_fwnode_add_links+0x100/0x2d0 |
| fw_devlink_parse_fwtree+0x64/0xc0 |
| device_add+0xb38/0xc30 |
| of_device_add+0x64/0x90 |
| of_platform_device_create_pdata+0xd0/0x170 |
| of_platform_bus_create+0x244/0x600 |
| of_platform_notify+0x1b0/0x254 |
| blocking_notifier_call_chain+0x9c/0xd0 |
| __of_changeset_entry_notify+0x1b8/0x230 |
| __of_changeset_apply_notify+0x54/0xe4 |
| of_overlay_fdt_apply+0xc04/0xd94 |
| ... |
| |
| The buggy address belongs to the object at ffffff81beca5600 |
| which belongs to the cache kmalloc-128 of size 128 |
| The buggy address is located 8 bytes inside of |
| 128-byte region [ffffff81beca5600, ffffff81beca5680) |
| |
| The buggy address belongs to the physical page: |
| page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 |
| head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 |
| flags: 0x8000000000010200(slab|head|zone=2) |
| raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 |
| raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 |
| page dumped because: kasan: bad access detected |
| |
| Memory state around the buggy address: |
| ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc |
| ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc |
| >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc |
| ^ |
| ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc |
| ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc |
| ================================================================== |
| OF: -> got it ! |
| |
| Prevent the out-of-bounds read by copying the device address into a |
| buffer of sufficient size. |
| |
| The Linux kernel CVE team has assigned CVE-2024-46743 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Fixed in 4.19.322 with commit d2a79494d8a5262949736fb2c3ac44d20a51b0d8 |
| Fixed in 5.4.284 with commit defcaa426ba0bc89ffdafb799d2e50b52f74ffc4 |
| Fixed in 5.10.226 with commit 9d1e9f0876b03d74d44513a0ed3ed15ef8f2fed5 |
| Fixed in 5.15.167 with commit baaf26723beab3a04da578d3008be3544f83758f |
| Fixed in 6.1.110 with commit 8ff351ea12e918db1373b915c4c268815929cbe5 |
| Fixed in 6.6.51 with commit 7ead730af11ee7da107f16fc77995613c58d292d |
| Fixed in 6.10.10 with commit bf68acd840b6a5bfd3777e0d5aaa204db6b461a9 |
| Fixed in 6.11 with commit b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-46743 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/of/irq.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/d2a79494d8a5262949736fb2c3ac44d20a51b0d8 |
| https://git.kernel.org/stable/c/defcaa426ba0bc89ffdafb799d2e50b52f74ffc4 |
| https://git.kernel.org/stable/c/9d1e9f0876b03d74d44513a0ed3ed15ef8f2fed5 |
| https://git.kernel.org/stable/c/baaf26723beab3a04da578d3008be3544f83758f |
| https://git.kernel.org/stable/c/8ff351ea12e918db1373b915c4c268815929cbe5 |
| https://git.kernel.org/stable/c/7ead730af11ee7da107f16fc77995613c58d292d |
| https://git.kernel.org/stable/c/bf68acd840b6a5bfd3777e0d5aaa204db6b461a9 |
| https://git.kernel.org/stable/c/b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 |
