cve/published/2023/CVE-2023-52451.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/pseries/memhp: Fix access beyond end of drmem array

 dlpar_memory_remove_by_index() may access beyond the bounds of the
 drmem lmb array when the LMB lookup fails to match an entry with the
 given DRC index. When the search fails, the cursor is left pointing to
 &drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the
 last valid entry in the array. The debug message at the end of the
 function then dereferences this pointer:

         pr_debug("Failed to hot-remove memory at %llx\n",
                  lmb->base_addr);

 This was found by inspection and confirmed with KASAN:

   pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234
   ==================================================================
   BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658
   Read of size 8 at addr c000000364e97fd0 by task bash/949

   dump_stack_lvl+0xa4/0xfc (unreliable)
   print_report+0x214/0x63c
   kasan_report+0x140/0x2e0
   __asan_load8+0xa8/0xe0
   dlpar_memory+0x298/0x1658
   handle_dlpar_errorlog+0x130/0x1d0
   dlpar_store+0x18c/0x3e0
   kobj_attr_store+0x68/0xa0
   sysfs_kf_write+0xc4/0x110
   kernfs_fop_write_iter+0x26c/0x390
   vfs_write+0x2d4/0x4e0
   ksys_write+0xac/0x1a0
   system_call_exception+0x268/0x530
   system_call_vectored_common+0x15c/0x2ec

   Allocated by task 1:
    kasan_save_stack+0x48/0x80
    kasan_set_track+0x34/0x50
    kasan_save_alloc_info+0x34/0x50
    __kasan_kmalloc+0xd0/0x120
    __kmalloc+0x8c/0x320
    kmalloc_array.constprop.0+0x48/0x5c
    drmem_init+0x2a0/0x41c
    do_one_initcall+0xe0/0x5c0
    kernel_init_freeable+0x4ec/0x5a0
    kernel_init+0x30/0x1e0
    ret_from_kernel_user_thread+0x14/0x1c

   The buggy address belongs to the object at c000000364e80000
    which belongs to the cache kmalloc-128k of size 131072
   The buggy address is located 0 bytes to the right of
    allocated 98256-byte region [c000000364e80000, c000000364e97fd0)

   ==================================================================
   pseries-hotplug-mem: Failed to hot-remove memory at 0

 Log failed lookups with a separate message and dereference the
 cursor only when it points to a valid entry.

 The Linux kernel CVE team has assigned CVE-2023-52451 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 4.19.306 with commit bb79613a9a704469ddb8d6c6029d532a5cea384c
 	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 5.4.268 with commit 9b5f03500bc5b083c0df696d7dd169d7ef3dd0c7
 	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 5.10.209 with commit b582aa1f66411d4adcc1aa55b8c575683fb4687e
 	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 5.15.148 with commit 999a27b3ce9a69d54ccd5db000ec3a447bc43e6d
 	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 6.1.75 with commit 026fd977dc50ff4a5e09bfb0603557f104d3f3a0
 	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 6.6.14 with commit df16afba2378d985359812c865a15c05c70a967e
 	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 6.7.2 with commit 708a4b59baad96c4718dc0bd3a3427d3ab22fedc
 	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 6.8 with commit bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52451
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/platforms/pseries/hotplug-memory.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bb79613a9a704469ddb8d6c6029d532a5cea384c
 	https://git.kernel.org/stable/c/9b5f03500bc5b083c0df696d7dd169d7ef3dd0c7
 	https://git.kernel.org/stable/c/b582aa1f66411d4adcc1aa55b8c575683fb4687e
 	https://git.kernel.org/stable/c/999a27b3ce9a69d54ccd5db000ec3a447bc43e6d
 	https://git.kernel.org/stable/c/026fd977dc50ff4a5e09bfb0603557f104d3f3a0
 	https://git.kernel.org/stable/c/df16afba2378d985359812c865a15c05c70a967e
 	https://git.kernel.org/stable/c/708a4b59baad96c4718dc0bd3a3427d3ab22fedc
 	https://git.kernel.org/stable/c/bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52451: powerpc/pseries/memhp: Fix access beyond end of drmem array

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/pseries/memhp: Fix access beyond end of drmem array

	dlpar_memory_remove_by_index() may access beyond the bounds of the
	drmem lmb array when the LMB lookup fails to match an entry with the
	given DRC index. When the search fails, the cursor is left pointing to
	&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the
	last valid entry in the array. The debug message at the end of the
	function then dereferences this pointer:

	pr_debug("Failed to hot-remove memory at %llx\n",
	lmb->base_addr);

	This was found by inspection and confirmed with KASAN:

	pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234
	==================================================================
	BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658
	Read of size 8 at addr c000000364e97fd0 by task bash/949

	dump_stack_lvl+0xa4/0xfc (unreliable)
	print_report+0x214/0x63c
	kasan_report+0x140/0x2e0
	__asan_load8+0xa8/0xe0
	dlpar_memory+0x298/0x1658
	handle_dlpar_errorlog+0x130/0x1d0
	dlpar_store+0x18c/0x3e0
	kobj_attr_store+0x68/0xa0
	sysfs_kf_write+0xc4/0x110
	kernfs_fop_write_iter+0x26c/0x390
	vfs_write+0x2d4/0x4e0
	ksys_write+0xac/0x1a0
	system_call_exception+0x268/0x530
	system_call_vectored_common+0x15c/0x2ec

	Allocated by task 1:
	kasan_save_stack+0x48/0x80
	kasan_set_track+0x34/0x50
	kasan_save_alloc_info+0x34/0x50
	__kasan_kmalloc+0xd0/0x120
	__kmalloc+0x8c/0x320
	kmalloc_array.constprop.0+0x48/0x5c
	drmem_init+0x2a0/0x41c
	do_one_initcall+0xe0/0x5c0
	kernel_init_freeable+0x4ec/0x5a0
	kernel_init+0x30/0x1e0
	ret_from_kernel_user_thread+0x14/0x1c

	The buggy address belongs to the object at c000000364e80000
	which belongs to the cache kmalloc-128k of size 131072
	The buggy address is located 0 bytes to the right of
	allocated 98256-byte region [c000000364e80000, c000000364e97fd0)

	==================================================================
	pseries-hotplug-mem: Failed to hot-remove memory at 0

	Log failed lookups with a separate message and dereference the
	cursor only when it points to a valid entry.

	The Linux kernel CVE team has assigned CVE-2023-52451 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 4.19.306 with commit bb79613a9a704469ddb8d6c6029d532a5cea384c
	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 5.4.268 with commit 9b5f03500bc5b083c0df696d7dd169d7ef3dd0c7
	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 5.10.209 with commit b582aa1f66411d4adcc1aa55b8c575683fb4687e
	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 5.15.148 with commit 999a27b3ce9a69d54ccd5db000ec3a447bc43e6d
	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 6.1.75 with commit 026fd977dc50ff4a5e09bfb0603557f104d3f3a0
	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 6.6.14 with commit df16afba2378d985359812c865a15c05c70a967e
	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 6.7.2 with commit 708a4b59baad96c4718dc0bd3a3427d3ab22fedc
	Issue introduced in 4.1 with commit 51925fb3c5c901aa06cdc853268a6e19e19bcdc7 and fixed in 6.8 with commit bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52451
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/platforms/pseries/hotplug-memory.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bb79613a9a704469ddb8d6c6029d532a5cea384c
	https://git.kernel.org/stable/c/9b5f03500bc5b083c0df696d7dd169d7ef3dd0c7
	https://git.kernel.org/stable/c/b582aa1f66411d4adcc1aa55b8c575683fb4687e
	https://git.kernel.org/stable/c/999a27b3ce9a69d54ccd5db000ec3a447bc43e6d
	https://git.kernel.org/stable/c/026fd977dc50ff4a5e09bfb0603557f104d3f3a0
	https://git.kernel.org/stable/c/df16afba2378d985359812c865a15c05c70a967e
	https://git.kernel.org/stable/c/708a4b59baad96c4718dc0bd3a3427d3ab22fedc
	https://git.kernel.org/stable/c/bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5