cve/published/2022/CVE-2022-48850.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48850: net-sysfs: add check for netdevice being present to speed_show

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net-sysfs: add check for netdevice being present to speed_show

 When bringing down the netdevice or system shutdown, a panic can be
 triggered while accessing the sysfs path because the device is already
 removed.

     [  755.549084] mlx5_core 0000:12:00.1: Shutdown was called
     [  756.404455] mlx5_core 0000:12:00.0: Shutdown was called
     ...
     [  757.937260] BUG: unable to handle kernel NULL pointer dereference at           (null)
     [  758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280

     crash> bt
     ...
     PID: 12649  TASK: ffff8924108f2100  CPU: 1   COMMAND: "amsd"
     ...
      #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778
         [exception RIP: dma_pool_alloc+0x1ab]
         RIP: ffffffff8ee11acb  RSP: ffff89240e1a3968  RFLAGS: 00010046
         RAX: 0000000000000246  RBX: ffff89243d874100  RCX: 0000000000001000
         RDX: 0000000000000000  RSI: 0000000000000246  RDI: ffff89243d874090
         RBP: ffff89240e1a39c0   R8: 000000000001f080   R9: ffff8905ffc03c00
         R10: ffffffffc04680d4  R11: ffffffff8edde9fd  R12: 00000000000080d0
         R13: ffff89243d874090  R14: ffff89243d874080  R15: 0000000000000000
         ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
     #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core]
     #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core]
     #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core]
     #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core]
     #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core]
     #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core]
     #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core]
     #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46
     #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208
     #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3
     #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf
     #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596
     #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10
     #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5
     #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff
     #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f
     #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92

     crash> net_device.state ffff89443b0c0000
       state = 0x5  (__LINK_STATE_START| __LINK_STATE_NOCARRIER)

 To prevent this scenario, we also make sure that the netdevice is present.

 The Linux kernel CVE team has assigned CVE-2022-48850 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.307 with commit a7b9ab04c5932dee7ec95e0abc58b0df350c0dd2
 	Fixed in 4.14.272 with commit 081369ad088a76429984483b8a5f7e967a125aad
 	Fixed in 4.19.235 with commit 75fc8363227a999e8f3d17e2eb28dce5600dcd3f
 	Fixed in 5.4.185 with commit 8879b5313e9fa5e0c6d6812a0d25d83aed0110e2
 	Fixed in 5.10.106 with commit d15c9f6e3335002fea1c33bc8f71a705fa96976c
 	Fixed in 5.15.29 with commit 8d5e69d8fbf3a35ab4fbe56b8f092802b43f3ef6
 	Fixed in 5.16.15 with commit 3a79f380b3e10edf6caa9aac90163a5d7a282204
 	Fixed in 5.17 with commit 4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48850
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/core/net-sysfs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a7b9ab04c5932dee7ec95e0abc58b0df350c0dd2
 	https://git.kernel.org/stable/c/081369ad088a76429984483b8a5f7e967a125aad
 	https://git.kernel.org/stable/c/75fc8363227a999e8f3d17e2eb28dce5600dcd3f
 	https://git.kernel.org/stable/c/8879b5313e9fa5e0c6d6812a0d25d83aed0110e2
 	https://git.kernel.org/stable/c/d15c9f6e3335002fea1c33bc8f71a705fa96976c
 	https://git.kernel.org/stable/c/8d5e69d8fbf3a35ab4fbe56b8f092802b43f3ef6
 	https://git.kernel.org/stable/c/3a79f380b3e10edf6caa9aac90163a5d7a282204
 	https://git.kernel.org/stable/c/4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48850: net-sysfs: add check for netdevice being present to speed_show

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net-sysfs: add check for netdevice being present to speed_show

	When bringing down the netdevice or system shutdown, a panic can be
	triggered while accessing the sysfs path because the device is already
	removed.

	[ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called
	[ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called
	...
	[ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null)
	[ 758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280

	crash> bt
	...
	PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: "amsd"
	...
	#9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778
	[exception RIP: dma_pool_alloc+0x1ab]
	RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046
	RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000
	RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090
	RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00
	R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0
	R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000
	ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
	#10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core]
	#11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core]
	#12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core]
	#13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core]
	#14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core]
	#15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core]
	#16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core]
	#17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46
	#18 [ffff89240e1a3d48] speed_show at ffffffff8f277208
	#19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3
	#20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf
	#21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596
	#22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10
	#23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5
	#24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff
	#25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f
	#26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92

	crash> net_device.state ffff89443b0c0000
	state = 0x5 (__LINK_STATE_START\| __LINK_STATE_NOCARRIER)

	To prevent this scenario, we also make sure that the netdevice is present.

	The Linux kernel CVE team has assigned CVE-2022-48850 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.307 with commit a7b9ab04c5932dee7ec95e0abc58b0df350c0dd2
	Fixed in 4.14.272 with commit 081369ad088a76429984483b8a5f7e967a125aad
	Fixed in 4.19.235 with commit 75fc8363227a999e8f3d17e2eb28dce5600dcd3f
	Fixed in 5.4.185 with commit 8879b5313e9fa5e0c6d6812a0d25d83aed0110e2
	Fixed in 5.10.106 with commit d15c9f6e3335002fea1c33bc8f71a705fa96976c
	Fixed in 5.15.29 with commit 8d5e69d8fbf3a35ab4fbe56b8f092802b43f3ef6
	Fixed in 5.16.15 with commit 3a79f380b3e10edf6caa9aac90163a5d7a282204
	Fixed in 5.17 with commit 4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48850
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/core/net-sysfs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a7b9ab04c5932dee7ec95e0abc58b0df350c0dd2
	https://git.kernel.org/stable/c/081369ad088a76429984483b8a5f7e967a125aad
	https://git.kernel.org/stable/c/75fc8363227a999e8f3d17e2eb28dce5600dcd3f
	https://git.kernel.org/stable/c/8879b5313e9fa5e0c6d6812a0d25d83aed0110e2
	https://git.kernel.org/stable/c/d15c9f6e3335002fea1c33bc8f71a705fa96976c
	https://git.kernel.org/stable/c/8d5e69d8fbf3a35ab4fbe56b8f092802b43f3ef6
	https://git.kernel.org/stable/c/3a79f380b3e10edf6caa9aac90163a5d7a282204
	https://git.kernel.org/stable/c/4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624