cve/published/2022/CVE-2022-48645.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48645: net: enetc: deny offload of tc-based TSN features on VF interfaces

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: enetc: deny offload of tc-based TSN features on VF interfaces

 TSN features on the ENETC (taprio, cbs, gate, police) are configured
 through a mix of command BD ring messages and port registers:
 enetc_port_rd(), enetc_port_wr().

 Port registers are a region of the ENETC memory map which are only
 accessible from the PCIe Physical Function. They are not accessible from
 the Virtual Functions.

 Moreover, attempting to access these registers crashes the kernel:

 $ echo 1 > /sys/bus/pci/devices/0000\:00\:00.0/sriov_numvfs
 pci 0000:00:01.0: [1957:ef00] type 00 class 0x020001
 fsl_enetc_vf 0000:00:01.0: Adding to iommu group 15
 fsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)
 fsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0
 $ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \
 	queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \
 	sched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2
 Unable to handle kernel paging request at virtual address ffff800009551a08
 Internal error: Oops: 96000007 [#1] PREEMPT SMP
 pc : enetc_setup_tc_taprio+0x170/0x47c
 lr : enetc_setup_tc_taprio+0x16c/0x47c
 Call trace:
  enetc_setup_tc_taprio+0x170/0x47c
  enetc_setup_tc+0x38/0x2dc
  taprio_change+0x43c/0x970
  taprio_init+0x188/0x1e0
  qdisc_create+0x114/0x470
  tc_modify_qdisc+0x1fc/0x6c0
  rtnetlink_rcv_msg+0x12c/0x390

 Split enetc_setup_tc() into separate functions for the PF and for the
 VF drivers. Also remove enetc_qos.o from being included into
 enetc-vf.ko, since it serves absolutely no purpose there.

 The Linux kernel CVE team has assigned CVE-2022-48645 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit 34c6adf1977b611fca3b824ad12a2a415e1e420e and fixed in 5.15.71 with commit 510e703e4ed0e011db860bc21228aff48fc9eea7
 	Issue introduced in 5.5 with commit 34c6adf1977b611fca3b824ad12a2a415e1e420e and fixed in 5.19.12 with commit 23022b74b1a23bed044f6bc96cf92f6ca5f3e75f
 	Issue introduced in 5.5 with commit 34c6adf1977b611fca3b824ad12a2a415e1e420e and fixed in 6.0 with commit 5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48645
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/freescale/enetc/Makefile
 	drivers/net/ethernet/freescale/enetc/enetc.c
 	drivers/net/ethernet/freescale/enetc/enetc.h
 	drivers/net/ethernet/freescale/enetc/enetc_pf.c
 	drivers/net/ethernet/freescale/enetc/enetc_vf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/510e703e4ed0e011db860bc21228aff48fc9eea7
 	https://git.kernel.org/stable/c/23022b74b1a23bed044f6bc96cf92f6ca5f3e75f
 	https://git.kernel.org/stable/c/5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48645: net: enetc: deny offload of tc-based TSN features on VF interfaces

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: enetc: deny offload of tc-based TSN features on VF interfaces

	TSN features on the ENETC (taprio, cbs, gate, police) are configured
	through a mix of command BD ring messages and port registers:
	enetc_port_rd(), enetc_port_wr().

	Port registers are a region of the ENETC memory map which are only
	accessible from the PCIe Physical Function. They are not accessible from
	the Virtual Functions.

	Moreover, attempting to access these registers crashes the kernel:

	$ echo 1 > /sys/bus/pci/devices/0000\:00\:00.0/sriov_numvfs
	pci 0000:00:01.0: [1957:ef00] type 00 class 0x020001
	fsl_enetc_vf 0000:00:01.0: Adding to iommu group 15
	fsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)
	fsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0
	$ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \
	queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \
	sched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2
	Unable to handle kernel paging request at virtual address ffff800009551a08
	Internal error: Oops: 96000007 [#1] PREEMPT SMP
	pc : enetc_setup_tc_taprio+0x170/0x47c
	lr : enetc_setup_tc_taprio+0x16c/0x47c
	Call trace:
	enetc_setup_tc_taprio+0x170/0x47c
	enetc_setup_tc+0x38/0x2dc
	taprio_change+0x43c/0x970
	taprio_init+0x188/0x1e0
	qdisc_create+0x114/0x470
	tc_modify_qdisc+0x1fc/0x6c0
	rtnetlink_rcv_msg+0x12c/0x390

	Split enetc_setup_tc() into separate functions for the PF and for the
	VF drivers. Also remove enetc_qos.o from being included into
	enetc-vf.ko, since it serves absolutely no purpose there.

	The Linux kernel CVE team has assigned CVE-2022-48645 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit 34c6adf1977b611fca3b824ad12a2a415e1e420e and fixed in 5.15.71 with commit 510e703e4ed0e011db860bc21228aff48fc9eea7
	Issue introduced in 5.5 with commit 34c6adf1977b611fca3b824ad12a2a415e1e420e and fixed in 5.19.12 with commit 23022b74b1a23bed044f6bc96cf92f6ca5f3e75f
	Issue introduced in 5.5 with commit 34c6adf1977b611fca3b824ad12a2a415e1e420e and fixed in 6.0 with commit 5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48645
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/freescale/enetc/Makefile
	drivers/net/ethernet/freescale/enetc/enetc.c
	drivers/net/ethernet/freescale/enetc/enetc.h
	drivers/net/ethernet/freescale/enetc/enetc_pf.c
	drivers/net/ethernet/freescale/enetc/enetc_vf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/510e703e4ed0e011db860bc21228aff48fc9eea7
	https://git.kernel.org/stable/c/23022b74b1a23bed044f6bc96cf92f6ca5f3e75f
	https://git.kernel.org/stable/c/5641c751fe2f92d3d9e8a8e03c1263ac8caa0b42