cve/published/2023/CVE-2023-52449.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52449: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

 If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
 triggers NULL pointer dereference when trying to access
 ‘gluebi->desc’ in gluebi_read().

 ubi_gluebi_init
   ubi_register_volume_notifier
     ubi_enumerate_volumes
       ubi_notify_all
         gluebi_notify    nb->notifier_call()
           gluebi_create
             mtd_device_register
               mtd_device_parse_register
                 add_mtd_device
                   blktrans_notify_add   not->add()
                     ftl_add_mtd         tr->add_mtd()
                       scan_header
                         mtd_read
                           mtd_read_oob
                             mtd_read_oob_std
                               gluebi_read   mtd->read()
                                 gluebi->desc - NULL

 Detailed reproduction information available at the Link [1],

 In the normal case, obtain gluebi->desc in the gluebi_get_device(),
 and access gluebi->desc in the gluebi_read(). However,
 gluebi_get_device() is not executed in advance in the
 ftl_add_mtd() process, which leads to NULL pointer dereference.

 The solution for the gluebi module is to run jffs2 on the UBI
 volume without considering working with ftl or mtdblock [2].
 Therefore, this problem can be avoided by preventing gluebi from
 creating the mtdblock device after creating mtd partition of the
 type MTD_UBIVOLUME.

 The Linux kernel CVE team has assigned CVE-2023-52449 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 4.19.306 with commit aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022
 	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 5.4.268 with commit 1bf4fe14e97cda621522eb2f28b0a4e87c5b0745
 	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 5.10.209 with commit 001a3f59d8c914ef8273461d4bf495df384cc5f8
 	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 5.15.148 with commit d8ac2537763b54d278b80b2b080e1652523c7d4c
 	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 6.1.75 with commit 5389407bba1eab1266c6d83e226fb0840cb98dd5
 	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 6.6.14 with commit cfd7c9d260dc0a3baaea05a122a19ab91e193c65
 	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 6.7.2 with commit b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc
 	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 6.8 with commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52449
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/mtd/mtd_blkdevs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022
 	https://git.kernel.org/stable/c/1bf4fe14e97cda621522eb2f28b0a4e87c5b0745
 	https://git.kernel.org/stable/c/001a3f59d8c914ef8273461d4bf495df384cc5f8
 	https://git.kernel.org/stable/c/d8ac2537763b54d278b80b2b080e1652523c7d4c
 	https://git.kernel.org/stable/c/5389407bba1eab1266c6d83e226fb0840cb98dd5
 	https://git.kernel.org/stable/c/cfd7c9d260dc0a3baaea05a122a19ab91e193c65
 	https://git.kernel.org/stable/c/b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc
 	https://git.kernel.org/stable/c/a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52449: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

	If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
	triggers NULL pointer dereference when trying to access
	‘gluebi->desc’ in gluebi_read().

	ubi_gluebi_init
	ubi_register_volume_notifier
	ubi_enumerate_volumes
	ubi_notify_all
	gluebi_notify nb->notifier_call()
	gluebi_create
	mtd_device_register
	mtd_device_parse_register
	add_mtd_device
	blktrans_notify_add not->add()
	ftl_add_mtd tr->add_mtd()
	scan_header
	mtd_read
	mtd_read_oob
	mtd_read_oob_std
	gluebi_read mtd->read()
	gluebi->desc - NULL

	Detailed reproduction information available at the Link [1],

	In the normal case, obtain gluebi->desc in the gluebi_get_device(),
	and access gluebi->desc in the gluebi_read(). However,
	gluebi_get_device() is not executed in advance in the
	ftl_add_mtd() process, which leads to NULL pointer dereference.

	The solution for the gluebi module is to run jffs2 on the UBI
	volume without considering working with ftl or mtdblock [2].
	Therefore, this problem can be avoided by preventing gluebi from
	creating the mtdblock device after creating mtd partition of the
	type MTD_UBIVOLUME.

	The Linux kernel CVE team has assigned CVE-2023-52449 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 4.19.306 with commit aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 5.4.268 with commit 1bf4fe14e97cda621522eb2f28b0a4e87c5b0745
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 5.10.209 with commit 001a3f59d8c914ef8273461d4bf495df384cc5f8
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 5.15.148 with commit d8ac2537763b54d278b80b2b080e1652523c7d4c
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 6.1.75 with commit 5389407bba1eab1266c6d83e226fb0840cb98dd5
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 6.6.14 with commit cfd7c9d260dc0a3baaea05a122a19ab91e193c65
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 6.7.2 with commit b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29f2ba64fbc762875cf9fb2d4ba2ba and fixed in 6.8 with commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52449
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/mtd/mtd_blkdevs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022
	https://git.kernel.org/stable/c/1bf4fe14e97cda621522eb2f28b0a4e87c5b0745
	https://git.kernel.org/stable/c/001a3f59d8c914ef8273461d4bf495df384cc5f8
	https://git.kernel.org/stable/c/d8ac2537763b54d278b80b2b080e1652523c7d4c
	https://git.kernel.org/stable/c/5389407bba1eab1266c6d83e226fb0840cb98dd5
	https://git.kernel.org/stable/c/cfd7c9d260dc0a3baaea05a122a19ab91e193c65
	https://git.kernel.org/stable/c/b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc
	https://git.kernel.org/stable/c/a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6