cve/published/2022/CVE-2022-48796.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48796: iommu: Fix potential use-after-free during probe

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 iommu: Fix potential use-after-free during probe

 Kasan has reported the following use after free on dev->iommu.
 when a device probe fails and it is in process of freeing dev->iommu
 in dev_iommu_free function, a deferred_probe_work_func runs in parallel
 and tries to access dev->iommu->fwspec in of_iommu_configure path thus
 causing use after free.

 BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4
 Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153

 Workqueue: events_unbound deferred_probe_work_func
 Call trace:
  dump_backtrace+0x0/0x33c
  show_stack+0x18/0x24
  dump_stack_lvl+0x16c/0x1e0
  print_address_description+0x84/0x39c
  __kasan_report+0x184/0x308
  kasan_report+0x50/0x78
  __asan_load8+0xc0/0xc4
  of_iommu_configure+0xb4/0x4a4
  of_dma_configure_id+0x2fc/0x4d4
  platform_dma_configure+0x40/0x5c
  really_probe+0x1b4/0xb74
  driver_probe_device+0x11c/0x228
  __device_attach_driver+0x14c/0x304
  bus_for_each_drv+0x124/0x1b0
  __device_attach+0x25c/0x334
  device_initial_probe+0x24/0x34
  bus_probe_device+0x78/0x134
  deferred_probe_work_func+0x130/0x1a8
  process_one_work+0x4c8/0x970
  worker_thread+0x5c8/0xaec
  kthread+0x1f8/0x220
  ret_from_fork+0x10/0x18

 Allocated by task 1:
  ____kasan_kmalloc+0xd4/0x114
  __kasan_kmalloc+0x10/0x1c
  kmem_cache_alloc_trace+0xe4/0x3d4
  __iommu_probe_device+0x90/0x394
  probe_iommu_group+0x70/0x9c
  bus_for_each_dev+0x11c/0x19c
  bus_iommu_probe+0xb8/0x7d4
  bus_set_iommu+0xcc/0x13c
  arm_smmu_bus_init+0x44/0x130 [arm_smmu]
  arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
  platform_drv_probe+0xe4/0x13c
  really_probe+0x2c8/0xb74
  driver_probe_device+0x11c/0x228
  device_driver_attach+0xf0/0x16c
  __driver_attach+0x80/0x320
  bus_for_each_dev+0x11c/0x19c
  driver_attach+0x38/0x48
  bus_add_driver+0x1dc/0x3a4
  driver_register+0x18c/0x244
  __platform_driver_register+0x88/0x9c
  init_module+0x64/0xff4 [arm_smmu]
  do_one_initcall+0x17c/0x2f0
  do_init_module+0xe8/0x378
  load_module+0x3f80/0x4a40
  __se_sys_finit_module+0x1a0/0x1e4
  __arm64_sys_finit_module+0x44/0x58
  el0_svc_common+0x100/0x264
  do_el0_svc+0x38/0xa4
  el0_svc+0x20/0x30
  el0_sync_handler+0x68/0xac
  el0_sync+0x160/0x180

 Freed by task 1:
  kasan_set_track+0x4c/0x84
  kasan_set_free_info+0x28/0x4c
  ____kasan_slab_free+0x120/0x15c
  __kasan_slab_free+0x18/0x28
  slab_free_freelist_hook+0x204/0x2fc
  kfree+0xfc/0x3a4
  __iommu_probe_device+0x284/0x394
  probe_iommu_group+0x70/0x9c
  bus_for_each_dev+0x11c/0x19c
  bus_iommu_probe+0xb8/0x7d4
  bus_set_iommu+0xcc/0x13c
  arm_smmu_bus_init+0x44/0x130 [arm_smmu]
  arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
  platform_drv_probe+0xe4/0x13c
  really_probe+0x2c8/0xb74
  driver_probe_device+0x11c/0x228
  device_driver_attach+0xf0/0x16c
  __driver_attach+0x80/0x320
  bus_for_each_dev+0x11c/0x19c
  driver_attach+0x38/0x48
  bus_add_driver+0x1dc/0x3a4
  driver_register+0x18c/0x244
  __platform_driver_register+0x88/0x9c
  init_module+0x64/0xff4 [arm_smmu]
  do_one_initcall+0x17c/0x2f0
  do_init_module+0xe8/0x378
  load_module+0x3f80/0x4a40
  __se_sys_finit_module+0x1a0/0x1e4
  __arm64_sys_finit_module+0x44/0x58
  el0_svc_common+0x100/0x264
  do_el0_svc+0x38/0xa4
  el0_svc+0x20/0x30
  el0_sync_handler+0x68/0xac
  el0_sync+0x160/0x180

 Fix this by setting dev->iommu to NULL first and
 then freeing dev_iommu structure in dev_iommu_free
 function.

 The Linux kernel CVE team has assigned CVE-2022-48796 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.3 with commit 0c830e6b32826311fc2b9ea1f4679be0f4ef0933 and fixed in 5.10.101 with commit cb86e511e78e796de6947b8f3acca1b7c76fb2ff
 	Issue introduced in 5.3 with commit 0c830e6b32826311fc2b9ea1f4679be0f4ef0933 and fixed in 5.15.24 with commit 65ab30f6a6952fa9ee13009862736cf8d110e6e5
 	Issue introduced in 5.3 with commit 0c830e6b32826311fc2b9ea1f4679be0f4ef0933 and fixed in 5.16.10 with commit f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a
 	Issue introduced in 5.3 with commit 0c830e6b32826311fc2b9ea1f4679be0f4ef0933 and fixed in 5.17 with commit b54240ad494300ff0994c4539a531727874381f4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48796
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/iommu/iommu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff
 	https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5
 	https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a
 	https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48796: iommu: Fix potential use-after-free during probe

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	iommu: Fix potential use-after-free during probe

	Kasan has reported the following use after free on dev->iommu.
	when a device probe fails and it is in process of freeing dev->iommu
	in dev_iommu_free function, a deferred_probe_work_func runs in parallel
	and tries to access dev->iommu->fwspec in of_iommu_configure path thus
	causing use after free.

	BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4
	Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153

	Workqueue: events_unbound deferred_probe_work_func
	Call trace:
	dump_backtrace+0x0/0x33c
	show_stack+0x18/0x24
	dump_stack_lvl+0x16c/0x1e0
	print_address_description+0x84/0x39c
	__kasan_report+0x184/0x308
	kasan_report+0x50/0x78
	__asan_load8+0xc0/0xc4
	of_iommu_configure+0xb4/0x4a4
	of_dma_configure_id+0x2fc/0x4d4
	platform_dma_configure+0x40/0x5c
	really_probe+0x1b4/0xb74
	driver_probe_device+0x11c/0x228
	__device_attach_driver+0x14c/0x304
	bus_for_each_drv+0x124/0x1b0
	__device_attach+0x25c/0x334
	device_initial_probe+0x24/0x34
	bus_probe_device+0x78/0x134
	deferred_probe_work_func+0x130/0x1a8
	process_one_work+0x4c8/0x970
	worker_thread+0x5c8/0xaec
	kthread+0x1f8/0x220
	ret_from_fork+0x10/0x18

	Allocated by task 1:
	____kasan_kmalloc+0xd4/0x114
	__kasan_kmalloc+0x10/0x1c
	kmem_cache_alloc_trace+0xe4/0x3d4
	__iommu_probe_device+0x90/0x394
	probe_iommu_group+0x70/0x9c
	bus_for_each_dev+0x11c/0x19c
	bus_iommu_probe+0xb8/0x7d4
	bus_set_iommu+0xcc/0x13c
	arm_smmu_bus_init+0x44/0x130 [arm_smmu]
	arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
	platform_drv_probe+0xe4/0x13c
	really_probe+0x2c8/0xb74
	driver_probe_device+0x11c/0x228
	device_driver_attach+0xf0/0x16c
	__driver_attach+0x80/0x320
	bus_for_each_dev+0x11c/0x19c
	driver_attach+0x38/0x48
	bus_add_driver+0x1dc/0x3a4
	driver_register+0x18c/0x244
	__platform_driver_register+0x88/0x9c
	init_module+0x64/0xff4 [arm_smmu]
	do_one_initcall+0x17c/0x2f0
	do_init_module+0xe8/0x378
	load_module+0x3f80/0x4a40
	__se_sys_finit_module+0x1a0/0x1e4
	__arm64_sys_finit_module+0x44/0x58
	el0_svc_common+0x100/0x264
	do_el0_svc+0x38/0xa4
	el0_svc+0x20/0x30
	el0_sync_handler+0x68/0xac
	el0_sync+0x160/0x180

	Freed by task 1:
	kasan_set_track+0x4c/0x84
	kasan_set_free_info+0x28/0x4c
	____kasan_slab_free+0x120/0x15c
	__kasan_slab_free+0x18/0x28
	slab_free_freelist_hook+0x204/0x2fc
	kfree+0xfc/0x3a4
	__iommu_probe_device+0x284/0x394
	probe_iommu_group+0x70/0x9c
	bus_for_each_dev+0x11c/0x19c
	bus_iommu_probe+0xb8/0x7d4
	bus_set_iommu+0xcc/0x13c
	arm_smmu_bus_init+0x44/0x130 [arm_smmu]
	arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
	platform_drv_probe+0xe4/0x13c
	really_probe+0x2c8/0xb74
	driver_probe_device+0x11c/0x228
	device_driver_attach+0xf0/0x16c
	__driver_attach+0x80/0x320
	bus_for_each_dev+0x11c/0x19c
	driver_attach+0x38/0x48
	bus_add_driver+0x1dc/0x3a4
	driver_register+0x18c/0x244
	__platform_driver_register+0x88/0x9c
	init_module+0x64/0xff4 [arm_smmu]
	do_one_initcall+0x17c/0x2f0
	do_init_module+0xe8/0x378
	load_module+0x3f80/0x4a40
	__se_sys_finit_module+0x1a0/0x1e4
	__arm64_sys_finit_module+0x44/0x58
	el0_svc_common+0x100/0x264
	do_el0_svc+0x38/0xa4
	el0_svc+0x20/0x30
	el0_sync_handler+0x68/0xac
	el0_sync+0x160/0x180

	Fix this by setting dev->iommu to NULL first and
	then freeing dev_iommu structure in dev_iommu_free
	function.

	The Linux kernel CVE team has assigned CVE-2022-48796 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.3 with commit 0c830e6b32826311fc2b9ea1f4679be0f4ef0933 and fixed in 5.10.101 with commit cb86e511e78e796de6947b8f3acca1b7c76fb2ff
	Issue introduced in 5.3 with commit 0c830e6b32826311fc2b9ea1f4679be0f4ef0933 and fixed in 5.15.24 with commit 65ab30f6a6952fa9ee13009862736cf8d110e6e5
	Issue introduced in 5.3 with commit 0c830e6b32826311fc2b9ea1f4679be0f4ef0933 and fixed in 5.16.10 with commit f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a
	Issue introduced in 5.3 with commit 0c830e6b32826311fc2b9ea1f4679be0f4ef0933 and fixed in 5.17 with commit b54240ad494300ff0994c4539a531727874381f4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48796
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/iommu/iommu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff
	https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5
	https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a
	https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4