cve/published/2022/CVE-2022-49395.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49395: um: Fix out-of-bounds read in LDT setup

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 um: Fix out-of-bounds read in LDT setup

 syscall_stub_data() expects the data_count parameter to be the number of
 longs, not bytes.

  ==================================================================
  BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
  Read of size 128 at addr 000000006411f6f0 by task swapper/1

  CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
  Call Trace:
   show_stack.cold+0x166/0x2a7
   __dump_stack+0x3a/0x43
   dump_stack_lvl+0x1f/0x27
   print_report.cold+0xdb/0xf81
   kasan_report+0x119/0x1f0
   kasan_check_range+0x3a3/0x440
   memcpy+0x52/0x140
   syscall_stub_data+0x70/0xe0
   write_ldt_entry+0xac/0x190
   init_new_ldt+0x515/0x960
   init_new_context+0x2c4/0x4d0
   mm_init.constprop.0+0x5ed/0x760
   mm_alloc+0x118/0x170
   0x60033f48
   do_one_initcall+0x1d7/0x860
   0x60003e7b
   kernel_init+0x6e/0x3d4
   new_thread_handler+0x1e7/0x2c0

  The buggy address belongs to stack of task swapper/1
   and is located at offset 64 in frame:
   init_new_ldt+0x0/0x960

  This frame has 2 objects:
   [32, 40) 'addr'
   [64, 80) 'desc'
  ==================================================================

 The Linux kernel CVE team has assigned CVE-2022-49395 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 4.9.318 with commit 668ca34a428d6ffc0f99a1a6a9b661a288d4183b
 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 4.14.283 with commit ef1dc929a1e5fa1b2d842256db9fb8710d3be910
 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 4.19.247 with commit 3549ab4b962cf619e8c55484a0d870a34b3f845f
 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.4.198 with commit 9caad70819aef3431abaf73ba5163b55b161aba0
 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.10.121 with commit cf0dabc37446c5ee538ae7b4c467ab0e53fa5463
 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.15.46 with commit 10995a382271254bd276627ec74136da4a23c4a6
 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.17.14 with commit 24ca648bf5f72ed8878cf09b5d4431935779681e
 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.18.3 with commit 91e5ba2af2d729d5126aefd5aa3eadc69b8426e5
 	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.19 with commit 2a4a62a14be1947fa945c5c11ebf67326381a568

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49395
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/um/ldt.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/668ca34a428d6ffc0f99a1a6a9b661a288d4183b
 	https://git.kernel.org/stable/c/ef1dc929a1e5fa1b2d842256db9fb8710d3be910
 	https://git.kernel.org/stable/c/3549ab4b962cf619e8c55484a0d870a34b3f845f
 	https://git.kernel.org/stable/c/9caad70819aef3431abaf73ba5163b55b161aba0
 	https://git.kernel.org/stable/c/cf0dabc37446c5ee538ae7b4c467ab0e53fa5463
 	https://git.kernel.org/stable/c/10995a382271254bd276627ec74136da4a23c4a6
 	https://git.kernel.org/stable/c/24ca648bf5f72ed8878cf09b5d4431935779681e
 	https://git.kernel.org/stable/c/91e5ba2af2d729d5126aefd5aa3eadc69b8426e5
 	https://git.kernel.org/stable/c/2a4a62a14be1947fa945c5c11ebf67326381a568
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49395: um: Fix out-of-bounds read in LDT setup

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	um: Fix out-of-bounds read in LDT setup

	syscall_stub_data() expects the data_count parameter to be the number of
	longs, not bytes.

	==================================================================
	BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0
	Read of size 128 at addr 000000006411f6f0 by task swapper/1

	CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18
	Call Trace:
	show_stack.cold+0x166/0x2a7
	__dump_stack+0x3a/0x43
	dump_stack_lvl+0x1f/0x27
	print_report.cold+0xdb/0xf81
	kasan_report+0x119/0x1f0
	kasan_check_range+0x3a3/0x440
	memcpy+0x52/0x140
	syscall_stub_data+0x70/0xe0
	write_ldt_entry+0xac/0x190
	init_new_ldt+0x515/0x960
	init_new_context+0x2c4/0x4d0
	mm_init.constprop.0+0x5ed/0x760
	mm_alloc+0x118/0x170
	0x60033f48
	do_one_initcall+0x1d7/0x860
	0x60003e7b
	kernel_init+0x6e/0x3d4
	new_thread_handler+0x1e7/0x2c0

	The buggy address belongs to stack of task swapper/1
	and is located at offset 64 in frame:
	init_new_ldt+0x0/0x960

	This frame has 2 objects:
	[32, 40) 'addr'
	[64, 80) 'desc'
	==================================================================

	The Linux kernel CVE team has assigned CVE-2022-49395 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 4.9.318 with commit 668ca34a428d6ffc0f99a1a6a9b661a288d4183b
	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 4.14.283 with commit ef1dc929a1e5fa1b2d842256db9fb8710d3be910
	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 4.19.247 with commit 3549ab4b962cf619e8c55484a0d870a34b3f845f
	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.4.198 with commit 9caad70819aef3431abaf73ba5163b55b161aba0
	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.10.121 with commit cf0dabc37446c5ee538ae7b4c467ab0e53fa5463
	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.15.46 with commit 10995a382271254bd276627ec74136da4a23c4a6
	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.17.14 with commit 24ca648bf5f72ed8878cf09b5d4431935779681e
	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.18.3 with commit 91e5ba2af2d729d5126aefd5aa3eadc69b8426e5
	Issue introduced in 2.6.15 with commit 858259cf7d1c443c836a2022b78cb281f0a9b95e and fixed in 5.19 with commit 2a4a62a14be1947fa945c5c11ebf67326381a568

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49395
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/um/ldt.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/668ca34a428d6ffc0f99a1a6a9b661a288d4183b
	https://git.kernel.org/stable/c/ef1dc929a1e5fa1b2d842256db9fb8710d3be910
	https://git.kernel.org/stable/c/3549ab4b962cf619e8c55484a0d870a34b3f845f
	https://git.kernel.org/stable/c/9caad70819aef3431abaf73ba5163b55b161aba0
	https://git.kernel.org/stable/c/cf0dabc37446c5ee538ae7b4c467ab0e53fa5463
	https://git.kernel.org/stable/c/10995a382271254bd276627ec74136da4a23c4a6
	https://git.kernel.org/stable/c/24ca648bf5f72ed8878cf09b5d4431935779681e
	https://git.kernel.org/stable/c/91e5ba2af2d729d5126aefd5aa3eadc69b8426e5
	https://git.kernel.org/stable/c/2a4a62a14be1947fa945c5c11ebf67326381a568