cve/published/2022/CVE-2022-48954.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48954: s390/qeth: fix use-after-free in hsci

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 s390/qeth: fix use-after-free in hsci

 KASAN found that addr was dereferenced after br2dev_event_work was freed.

 ==================================================================
 BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
 Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
 CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
 Hardware name: IBM 8561 T01 703 (LPAR)
 Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
 Call Trace:
  [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
  [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
  [<000000016942d118>] print_report+0x110/0x1f8
  [<0000000167a7bd04>] kasan_report+0xfc/0x128
  [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
  [<00000001673edd1e>] process_one_work+0x76e/0x1128
  [<00000001673ee85c>] worker_thread+0x184/0x1098
  [<000000016740718a>] kthread+0x26a/0x310
  [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
  [<00000001694711da>] ret_from_fork+0xa/0x40
 Allocated by task 108338:
  kasan_save_stack+0x40/0x68
  kasan_set_track+0x36/0x48
  __kasan_kmalloc+0xa0/0xc0
  qeth_l2_switchdev_event+0x25a/0x738
  atomic_notifier_call_chain+0x9c/0xf8
  br_switchdev_fdb_notify+0xf4/0x110
  fdb_notify+0x122/0x180
  fdb_add_entry.constprop.0.isra.0+0x312/0x558
  br_fdb_add+0x59e/0x858
  rtnl_fdb_add+0x58a/0x928
  rtnetlink_rcv_msg+0x5f8/0x8d8
  netlink_rcv_skb+0x1f2/0x408
  netlink_unicast+0x570/0x790
  netlink_sendmsg+0x752/0xbe0
  sock_sendmsg+0xca/0x110
  ____sys_sendmsg+0x510/0x6a8
  ___sys_sendmsg+0x12a/0x180
  __sys_sendmsg+0xe6/0x168
  __do_sys_socketcall+0x3c8/0x468
  do_syscall+0x22c/0x328
  __do_syscall+0x94/0xf0
  system_call+0x82/0xb0
 Freed by task 540:
  kasan_save_stack+0x40/0x68
  kasan_set_track+0x36/0x48
  kasan_save_free_info+0x4c/0x68
  ____kasan_slab_free+0x14e/0x1a8
  __kasan_slab_free+0x24/0x30
  __kmem_cache_free+0x168/0x338
  qeth_l2_br2dev_worker+0x154/0x6b0
  process_one_work+0x76e/0x1128
  worker_thread+0x184/0x1098
  kthread+0x26a/0x310
  __ret_from_fork+0x8a/0xe8
  ret_from_fork+0xa/0x40
 Last potentially related work creation:
  kasan_save_stack+0x40/0x68
  __kasan_record_aux_stack+0xbe/0xd0
  insert_work+0x56/0x2e8
  __queue_work+0x4ce/0xd10
  queue_work_on+0xf4/0x100
  qeth_l2_switchdev_event+0x520/0x738
  atomic_notifier_call_chain+0x9c/0xf8
  br_switchdev_fdb_notify+0xf4/0x110
  fdb_notify+0x122/0x180
  fdb_add_entry.constprop.0.isra.0+0x312/0x558
  br_fdb_add+0x59e/0x858
  rtnl_fdb_add+0x58a/0x928
  rtnetlink_rcv_msg+0x5f8/0x8d8
  netlink_rcv_skb+0x1f2/0x408
  netlink_unicast+0x570/0x790
  netlink_sendmsg+0x752/0xbe0
  sock_sendmsg+0xca/0x110
  ____sys_sendmsg+0x510/0x6a8
  ___sys_sendmsg+0x12a/0x180
  __sys_sendmsg+0xe6/0x168
  __do_sys_socketcall+0x3c8/0x468
  do_syscall+0x22c/0x328
  __do_syscall+0x94/0xf0
  system_call+0x82/0xb0
 Second to last potentially related work creation:
  kasan_save_stack+0x40/0x68
  __kasan_record_aux_stack+0xbe/0xd0
  kvfree_call_rcu+0xb2/0x760
  kernfs_unlink_open_file+0x348/0x430
  kernfs_fop_release+0xc2/0x320
  __fput+0x1ae/0x768
  task_work_run+0x1bc/0x298
  exit_to_user_mode_prepare+0x1a0/0x1a8
  __do_syscall+0x94/0xf0
  system_call+0x82/0xb0
 The buggy address belongs to the object at 00000000fdcea400
  which belongs to the cache kmalloc-96 of size 96
 The buggy address is located 64 bytes inside of
  96-byte region [00000000fdcea400, 00000000fdcea460)
 The buggy address belongs to the physical page:
 page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
 flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
 raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
 raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
 page dumped because: kasan: bad access detected
 Memory state around the buggy address:
  00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
  00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 >00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                            ^
  00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
  00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ==================================================================

 The Linux kernel CVE team has assigned CVE-2022-48954 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit f7936b7b2663c99a096a5c432ba96ab1e91a6c0f and fixed in 5.15.83 with commit db6343a5b0d9661f2dd76f653c6d274d38234d2b
 	Issue introduced in 5.15 with commit f7936b7b2663c99a096a5c432ba96ab1e91a6c0f and fixed in 6.0.13 with commit bde0dfc7c4569406a6ddeec363d04a1df7b3073f
 	Issue introduced in 5.15 with commit f7936b7b2663c99a096a5c432ba96ab1e91a6c0f and fixed in 6.1 with commit ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48954
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/s390/net/qeth_l2_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/db6343a5b0d9661f2dd76f653c6d274d38234d2b
 	https://git.kernel.org/stable/c/bde0dfc7c4569406a6ddeec363d04a1df7b3073f
 	https://git.kernel.org/stable/c/ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48954: s390/qeth: fix use-after-free in hsci

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	s390/qeth: fix use-after-free in hsci

	KASAN found that addr was dereferenced after br2dev_event_work was freed.

	==================================================================
	BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
	Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
	CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
	Hardware name: IBM 8561 T01 703 (LPAR)
	Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
	Call Trace:
	[<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
	[<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
	[<000000016942d118>] print_report+0x110/0x1f8
	[<0000000167a7bd04>] kasan_report+0xfc/0x128
	[<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
	[<00000001673edd1e>] process_one_work+0x76e/0x1128
	[<00000001673ee85c>] worker_thread+0x184/0x1098
	[<000000016740718a>] kthread+0x26a/0x310
	[<00000001672c606a>] __ret_from_fork+0x8a/0xe8
	[<00000001694711da>] ret_from_fork+0xa/0x40
	Allocated by task 108338:
	kasan_save_stack+0x40/0x68
	kasan_set_track+0x36/0x48
	__kasan_kmalloc+0xa0/0xc0
	qeth_l2_switchdev_event+0x25a/0x738
	atomic_notifier_call_chain+0x9c/0xf8
	br_switchdev_fdb_notify+0xf4/0x110
	fdb_notify+0x122/0x180
	fdb_add_entry.constprop.0.isra.0+0x312/0x558
	br_fdb_add+0x59e/0x858
	rtnl_fdb_add+0x58a/0x928
	rtnetlink_rcv_msg+0x5f8/0x8d8
	netlink_rcv_skb+0x1f2/0x408
	netlink_unicast+0x570/0x790
	netlink_sendmsg+0x752/0xbe0
	sock_sendmsg+0xca/0x110
	____sys_sendmsg+0x510/0x6a8
	___sys_sendmsg+0x12a/0x180
	__sys_sendmsg+0xe6/0x168
	__do_sys_socketcall+0x3c8/0x468
	do_syscall+0x22c/0x328
	__do_syscall+0x94/0xf0
	system_call+0x82/0xb0
	Freed by task 540:
	kasan_save_stack+0x40/0x68
	kasan_set_track+0x36/0x48
	kasan_save_free_info+0x4c/0x68
	____kasan_slab_free+0x14e/0x1a8
	__kasan_slab_free+0x24/0x30
	__kmem_cache_free+0x168/0x338
	qeth_l2_br2dev_worker+0x154/0x6b0
	process_one_work+0x76e/0x1128
	worker_thread+0x184/0x1098
	kthread+0x26a/0x310
	__ret_from_fork+0x8a/0xe8
	ret_from_fork+0xa/0x40
	Last potentially related work creation:
	kasan_save_stack+0x40/0x68
	__kasan_record_aux_stack+0xbe/0xd0
	insert_work+0x56/0x2e8
	__queue_work+0x4ce/0xd10
	queue_work_on+0xf4/0x100
	qeth_l2_switchdev_event+0x520/0x738
	atomic_notifier_call_chain+0x9c/0xf8
	br_switchdev_fdb_notify+0xf4/0x110
	fdb_notify+0x122/0x180
	fdb_add_entry.constprop.0.isra.0+0x312/0x558
	br_fdb_add+0x59e/0x858
	rtnl_fdb_add+0x58a/0x928
	rtnetlink_rcv_msg+0x5f8/0x8d8
	netlink_rcv_skb+0x1f2/0x408
	netlink_unicast+0x570/0x790
	netlink_sendmsg+0x752/0xbe0
	sock_sendmsg+0xca/0x110
	____sys_sendmsg+0x510/0x6a8
	___sys_sendmsg+0x12a/0x180
	__sys_sendmsg+0xe6/0x168
	__do_sys_socketcall+0x3c8/0x468
	do_syscall+0x22c/0x328
	__do_syscall+0x94/0xf0
	system_call+0x82/0xb0
	Second to last potentially related work creation:
	kasan_save_stack+0x40/0x68
	__kasan_record_aux_stack+0xbe/0xd0
	kvfree_call_rcu+0xb2/0x760
	kernfs_unlink_open_file+0x348/0x430
	kernfs_fop_release+0xc2/0x320
	__fput+0x1ae/0x768
	task_work_run+0x1bc/0x298
	exit_to_user_mode_prepare+0x1a0/0x1a8
	__do_syscall+0x94/0xf0
	system_call+0x82/0xb0
	The buggy address belongs to the object at 00000000fdcea400
	which belongs to the cache kmalloc-96 of size 96
	The buggy address is located 64 bytes inside of
	96-byte region [00000000fdcea400, 00000000fdcea460)
	The buggy address belongs to the physical page:
	page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
	flags: 0x3ffff00000000200(slab\|node=0\|zone=1\|lastcpupid=0x1ffff)
	raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
	raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
	page dumped because: kasan: bad access detected
	Memory state around the buggy address:
	00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	00000000fdcea380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	>00000000fdcea400: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	^
	00000000fdcea480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	00000000fdcea500: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
	==================================================================

	The Linux kernel CVE team has assigned CVE-2022-48954 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit f7936b7b2663c99a096a5c432ba96ab1e91a6c0f and fixed in 5.15.83 with commit db6343a5b0d9661f2dd76f653c6d274d38234d2b
	Issue introduced in 5.15 with commit f7936b7b2663c99a096a5c432ba96ab1e91a6c0f and fixed in 6.0.13 with commit bde0dfc7c4569406a6ddeec363d04a1df7b3073f
	Issue introduced in 5.15 with commit f7936b7b2663c99a096a5c432ba96ab1e91a6c0f and fixed in 6.1 with commit ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48954
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/s390/net/qeth_l2_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/db6343a5b0d9661f2dd76f653c6d274d38234d2b
	https://git.kernel.org/stable/c/bde0dfc7c4569406a6ddeec363d04a1df7b3073f
	https://git.kernel.org/stable/c/ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4