cve/published/2022/CVE-2022-48630.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48630: crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ

 The commit referenced in the Fixes tag removed the 'break' from the else
 branch in qcom_rng_read(), causing an infinite loop whenever 'max' is
 not a multiple of WORD_SZ. This can be reproduced e.g. by running:

     kcapi-rng -b 67 >/dev/null

 There are many ways to fix this without adding back the 'break', but
 they all seem more awkward than simply adding it back, so do just that.

 Tested on a machine with Qualcomm Amberwing processor.

 The Linux kernel CVE team has assigned CVE-2022-48630 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.236 with commit a8e32bbb96c25b7ab29b1894dcd45e0b3b08fd9d and fixed in 4.19.245 with commit 71a89789552b7faf3ef27969b9bc783fa0df3550
 	Issue introduced in 5.4.187 with commit 184f7bd08ce56f003530fc19f160d54e75bf5c9d and fixed in 5.4.196 with commit 8be06f62b426801dba43ddf8893952a0e62ab6ae
 	Issue introduced in 5.10.108 with commit 0f9b7b8df17525e464294c916acc8194ce38446b and fixed in 5.10.118 with commit 233a3cc60e7a8fe0be8cf9934ae7b67ba25a866c
 	Issue introduced in 5.15.31 with commit ab9337c7cb6f875b6286440b1adfbeeef2b2b2bd and fixed in 5.15.42 with commit 8a06f25f5941c145773204f2f7abef95b4ffb8ce
 	Issue introduced in 5.17 with commit a680b1832ced3b5fa7c93484248fd221ea0d614b and fixed in 5.17.10 with commit 05d4d17475d8d094c519bb51658bc47899c175e3
 	Issue introduced in 5.17 with commit a680b1832ced3b5fa7c93484248fd221ea0d614b and fixed in 5.18 with commit 16287397ec5c08aa58db6acf7dbc55470d78087d
 	Issue introduced in 5.16.17 with commit 485995cbc98a4f77cfd4f8ed4dd7ff8ab262964d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48630
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/crypto/qcom-rng.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/71a89789552b7faf3ef27969b9bc783fa0df3550
 	https://git.kernel.org/stable/c/8be06f62b426801dba43ddf8893952a0e62ab6ae
 	https://git.kernel.org/stable/c/233a3cc60e7a8fe0be8cf9934ae7b67ba25a866c
 	https://git.kernel.org/stable/c/8a06f25f5941c145773204f2f7abef95b4ffb8ce
 	https://git.kernel.org/stable/c/05d4d17475d8d094c519bb51658bc47899c175e3
 	https://git.kernel.org/stable/c/16287397ec5c08aa58db6acf7dbc55470d78087d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48630: crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ

	The commit referenced in the Fixes tag removed the 'break' from the else
	branch in qcom_rng_read(), causing an infinite loop whenever 'max' is
	not a multiple of WORD_SZ. This can be reproduced e.g. by running:

	kcapi-rng -b 67 >/dev/null

	There are many ways to fix this without adding back the 'break', but
	they all seem more awkward than simply adding it back, so do just that.

	Tested on a machine with Qualcomm Amberwing processor.

	The Linux kernel CVE team has assigned CVE-2022-48630 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.236 with commit a8e32bbb96c25b7ab29b1894dcd45e0b3b08fd9d and fixed in 4.19.245 with commit 71a89789552b7faf3ef27969b9bc783fa0df3550
	Issue introduced in 5.4.187 with commit 184f7bd08ce56f003530fc19f160d54e75bf5c9d and fixed in 5.4.196 with commit 8be06f62b426801dba43ddf8893952a0e62ab6ae
	Issue introduced in 5.10.108 with commit 0f9b7b8df17525e464294c916acc8194ce38446b and fixed in 5.10.118 with commit 233a3cc60e7a8fe0be8cf9934ae7b67ba25a866c
	Issue introduced in 5.15.31 with commit ab9337c7cb6f875b6286440b1adfbeeef2b2b2bd and fixed in 5.15.42 with commit 8a06f25f5941c145773204f2f7abef95b4ffb8ce
	Issue introduced in 5.17 with commit a680b1832ced3b5fa7c93484248fd221ea0d614b and fixed in 5.17.10 with commit 05d4d17475d8d094c519bb51658bc47899c175e3
	Issue introduced in 5.17 with commit a680b1832ced3b5fa7c93484248fd221ea0d614b and fixed in 5.18 with commit 16287397ec5c08aa58db6acf7dbc55470d78087d
	Issue introduced in 5.16.17 with commit 485995cbc98a4f77cfd4f8ed4dd7ff8ab262964d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48630
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/crypto/qcom-rng.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/71a89789552b7faf3ef27969b9bc783fa0df3550
	https://git.kernel.org/stable/c/8be06f62b426801dba43ddf8893952a0e62ab6ae
	https://git.kernel.org/stable/c/233a3cc60e7a8fe0be8cf9934ae7b67ba25a866c
	https://git.kernel.org/stable/c/8a06f25f5941c145773204f2f7abef95b4ffb8ce
	https://git.kernel.org/stable/c/05d4d17475d8d094c519bb51658bc47899c175e3
	https://git.kernel.org/stable/c/16287397ec5c08aa58db6acf7dbc55470d78087d