cve/published/2022/CVE-2022-48811.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48811: ibmvnic: don't release napi in __ibmvnic_open()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ibmvnic: don't release napi in __ibmvnic_open()

 If __ibmvnic_open() encounters an error such as when setting link state,
 it calls release_resources() which frees the napi structures needlessly.
 Instead, have __ibmvnic_open() only clean up the work it did so far (i.e.
 disable napi and irqs) and leave the rest to the callers.

 If caller of __ibmvnic_open() is ibmvnic_open(), it should release the
 resources immediately. If the caller is do_reset() or do_hard_reset(),
 they will release the resources on the next reset.

 This fixes following crash that occurred when running the drmgr command
 several times to add/remove a vnic interface:

 	[102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq
 	[102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq
 	[102056] ibmvnic 30000003 env3: Replenished 8 pools
 	Kernel attempted to read user page (10) - exploit attempt? (uid: 0)
 	BUG: Kernel NULL pointer dereference on read at 0x00000010
 	Faulting instruction address: 0xc000000000a3c840
 	Oops: Kernel access of bad area, sig: 11 [#1]
 	LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
 	...
 	CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1
 	Workqueue: events_long __ibmvnic_reset [ibmvnic]
 	NIP:  c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820
 	REGS: c0000000548e37e0 TRAP: 0300   Not tainted  (5.16.0-rc5-autotest-g6441998e2e37)
 	MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28248484  XER: 00000004
 	CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0
 	GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000
 	...
 	NIP [c000000000a3c840] napi_enable+0x20/0xc0
 	LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic]
 	Call Trace:
 	[c0000000548e3a80] [0000000000000006] 0x6 (unreliable)
 	[c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic]
 	[c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic]
 	[c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570
 	[c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660
 	[c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0
 	[c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
 	Instruction dump:
 	7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010
 	38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020
 	---[ end trace 5f8033b08fd27706 ]---

 The Linux kernel CVE team has assigned CVE-2022-48811 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.12 with commit ed651a10875f13135a5f59c1bae4d51b377b3925 and fixed in 5.15.27 with commit 960dfaf3b578dd23af012590e809ae2d58ba1827
 	Issue introduced in 4.12 with commit ed651a10875f13135a5f59c1bae4d51b377b3925 and fixed in 5.16.10 with commit e08cb9056fb2564d1f6bad789bdf79ab09bf2f81
 	Issue introduced in 4.12 with commit ed651a10875f13135a5f59c1bae4d51b377b3925 and fixed in 5.17 with commit 61772b0908c640d0309c40f7d41d062ca4e979fa

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48811
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/ibm/ibmvnic.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/960dfaf3b578dd23af012590e809ae2d58ba1827
 	https://git.kernel.org/stable/c/e08cb9056fb2564d1f6bad789bdf79ab09bf2f81
 	https://git.kernel.org/stable/c/61772b0908c640d0309c40f7d41d062ca4e979fa
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48811: ibmvnic: don't release napi in __ibmvnic_open()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ibmvnic: don't release napi in __ibmvnic_open()

	If __ibmvnic_open() encounters an error such as when setting link state,
	it calls release_resources() which frees the napi structures needlessly.
	Instead, have __ibmvnic_open() only clean up the work it did so far (i.e.
	disable napi and irqs) and leave the rest to the callers.

	If caller of __ibmvnic_open() is ibmvnic_open(), it should release the
	resources immediately. If the caller is do_reset() or do_hard_reset(),
	they will release the resources on the next reset.

	This fixes following crash that occurred when running the drmgr command
	several times to add/remove a vnic interface:

	[102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq
	[102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq
	[102056] ibmvnic 30000003 env3: Replenished 8 pools
	Kernel attempted to read user page (10) - exploit attempt? (uid: 0)
	BUG: Kernel NULL pointer dereference on read at 0x00000010
	Faulting instruction address: 0xc000000000a3c840
	Oops: Kernel access of bad area, sig: 11 [#1]
	LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
	...
	CPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1
	Workqueue: events_long __ibmvnic_reset [ibmvnic]
	NIP: c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820
	REGS: c0000000548e37e0 TRAP: 0300 Not tainted (5.16.0-rc5-autotest-g6441998e2e37)
	MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 28248484 XER: 00000004
	CFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0
	GPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000
	...
	NIP [c000000000a3c840] napi_enable+0x20/0xc0
	LR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic]
	Call Trace:
	[c0000000548e3a80] [0000000000000006] 0x6 (unreliable)
	[c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic]
	[c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic]
	[c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570
	[c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660
	[c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0
	[c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64
	Instruction dump:
	7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010
	38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020
	---[ end trace 5f8033b08fd27706 ]---

	The Linux kernel CVE team has assigned CVE-2022-48811 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.12 with commit ed651a10875f13135a5f59c1bae4d51b377b3925 and fixed in 5.15.27 with commit 960dfaf3b578dd23af012590e809ae2d58ba1827
	Issue introduced in 4.12 with commit ed651a10875f13135a5f59c1bae4d51b377b3925 and fixed in 5.16.10 with commit e08cb9056fb2564d1f6bad789bdf79ab09bf2f81
	Issue introduced in 4.12 with commit ed651a10875f13135a5f59c1bae4d51b377b3925 and fixed in 5.17 with commit 61772b0908c640d0309c40f7d41d062ca4e979fa

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48811
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/ibm/ibmvnic.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/960dfaf3b578dd23af012590e809ae2d58ba1827
	https://git.kernel.org/stable/c/e08cb9056fb2564d1f6bad789bdf79ab09bf2f81
	https://git.kernel.org/stable/c/61772b0908c640d0309c40f7d41d062ca4e979fa