cve/published/2022/CVE-2022-48871.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48871: tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

 Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
 default RX FIFO depth, e.g. 16.  Later during serial startup the
 qcom_geni_serial_port_setup() updates the RX FIFO depth
 (port->rx_fifo_depth) to match real device capabilities, e.g. to 32.

 The RX UART handle code will read "port->rx_fifo_depth" number of words
 into "port->rx_fifo" buffer, thus exceeding the bounds.  This can be
 observed in certain configurations with Qualcomm Bluetooth HCI UART
 device and KASAN:

   Bluetooth: hci0: QCA Product ID   :0x00000010
   Bluetooth: hci0: QCA SOC Version  :0x400a0200
   Bluetooth: hci0: QCA ROM Version  :0x00000200
   Bluetooth: hci0: QCA Patch Version:0x00000d2b
   Bluetooth: hci0: QCA controller version 0x02000200
   Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
   bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
   Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
   Bluetooth: hci0: QCA Failed to download patch (-2)
   ==================================================================
   BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
   Write of size 4 at addr ffff279347d578c0 by task swapper/0/0

   CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
   Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
   Call trace:
    dump_backtrace.part.0+0xe0/0xf0
    show_stack+0x18/0x40
    dump_stack_lvl+0x8c/0xb8
    print_report+0x188/0x488
    kasan_report+0xb4/0x100
    __asan_store4+0x80/0xa4
    handle_rx_uart+0xa8/0x18c
    qcom_geni_serial_handle_rx+0x84/0x9c
    qcom_geni_serial_isr+0x24c/0x760
    __handle_irq_event_percpu+0x108/0x500
    handle_irq_event+0x6c/0x110
    handle_fasteoi_irq+0x138/0x2cc
    generic_handle_domain_irq+0x48/0x64

 If the RX FIFO depth changes after probe, be sure to resize the buffer.

 The Linux kernel CVE team has assigned CVE-2022-48871 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.7 with commit f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9 and fixed in 5.10.165 with commit 894681682dbefdad917b88f86cde1069140a047a
 	Issue introduced in 5.7 with commit f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9 and fixed in 5.15.90 with commit cb53a3366eb28fed67850c80afa52075bb71a38a
 	Issue introduced in 5.7 with commit f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9 and fixed in 6.1.8 with commit fd524ca7fe45b8a06dca2dd546d62684a9768f95
 	Issue introduced in 5.7 with commit f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9 and fixed in 6.2 with commit b8caf69a6946e18ffebad49847e258f5b6d52ac2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48871
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/tty/serial/qcom_geni_serial.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a
 	https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a
 	https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95
 	https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48871: tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

	Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
	default RX FIFO depth, e.g. 16. Later during serial startup the
	qcom_geni_serial_port_setup() updates the RX FIFO depth
	(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.

	The RX UART handle code will read "port->rx_fifo_depth" number of words
	into "port->rx_fifo" buffer, thus exceeding the bounds. This can be
	observed in certain configurations with Qualcomm Bluetooth HCI UART
	device and KASAN:

	Bluetooth: hci0: QCA Product ID :0x00000010
	Bluetooth: hci0: QCA SOC Version :0x400a0200
	Bluetooth: hci0: QCA ROM Version :0x00000200
	Bluetooth: hci0: QCA Patch Version:0x00000d2b
	Bluetooth: hci0: QCA controller version 0x02000200
	Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
	bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
	Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
	Bluetooth: hci0: QCA Failed to download patch (-2)
	==================================================================
	BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
	Write of size 4 at addr ffff279347d578c0 by task swapper/0/0

	CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
	Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
	Call trace:
	dump_backtrace.part.0+0xe0/0xf0
	show_stack+0x18/0x40
	dump_stack_lvl+0x8c/0xb8
	print_report+0x188/0x488
	kasan_report+0xb4/0x100
	__asan_store4+0x80/0xa4
	handle_rx_uart+0xa8/0x18c
	qcom_geni_serial_handle_rx+0x84/0x9c
	qcom_geni_serial_isr+0x24c/0x760
	__handle_irq_event_percpu+0x108/0x500
	handle_irq_event+0x6c/0x110
	handle_fasteoi_irq+0x138/0x2cc
	generic_handle_domain_irq+0x48/0x64

	If the RX FIFO depth changes after probe, be sure to resize the buffer.

	The Linux kernel CVE team has assigned CVE-2022-48871 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.7 with commit f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9 and fixed in 5.10.165 with commit 894681682dbefdad917b88f86cde1069140a047a
	Issue introduced in 5.7 with commit f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9 and fixed in 5.15.90 with commit cb53a3366eb28fed67850c80afa52075bb71a38a
	Issue introduced in 5.7 with commit f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9 and fixed in 6.1.8 with commit fd524ca7fe45b8a06dca2dd546d62684a9768f95
	Issue introduced in 5.7 with commit f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9 and fixed in 6.2 with commit b8caf69a6946e18ffebad49847e258f5b6d52ac2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48871
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/tty/serial/qcom_geni_serial.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a
	https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a
	https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95
	https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2