cve/published/2023/CVE-2023-52455.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52455: iommu: Don't reserve 0-length IOVA region

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 iommu: Don't reserve 0-length IOVA region

 When the bootloader/firmware doesn't setup the framebuffers, their
 address and size are 0 in "iommu-addresses" property. If IOVA region is
 reserved with 0 length, then it ends up corrupting the IOVA rbtree with
 an entry which has pfn_hi < pfn_lo.
 If we intend to use display driver in kernel without framebuffer then
 it's causing the display IOMMU mappings to fail as entire valid IOVA
 space is reserved when address and length are passed as 0.
 An ideal solution would be firmware removing the "iommu-addresses"
 property and corresponding "memory-region" if display is not present.
 But the kernel should be able to handle this by checking for size of
 IOVA region and skipping the IOVA reservation if size is 0. Also, add
 a warning if firmware is requesting 0-length IOVA region reservation.

 The Linux kernel CVE team has assigned CVE-2023-52455 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.3 with commit a5bf3cfce8cb77d9d24613ab52d520896f83dd48 and fixed in 6.6.14 with commit 98b8a550da83cc392a14298c4b3eaaf0332ae6ad
 	Issue introduced in 6.3 with commit a5bf3cfce8cb77d9d24613ab52d520896f83dd48 and fixed in 6.7.2 with commit 5e23e283910c9f30248732ae0770bcb0c9438abf
 	Issue introduced in 6.3 with commit a5bf3cfce8cb77d9d24613ab52d520896f83dd48 and fixed in 6.8 with commit bb57f6705960bebeb832142ce9abf43220c3eab1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52455
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/iommu/of_iommu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad
 	https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf
 	https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52455: iommu: Don't reserve 0-length IOVA region

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	iommu: Don't reserve 0-length IOVA region

	When the bootloader/firmware doesn't setup the framebuffers, their
	address and size are 0 in "iommu-addresses" property. If IOVA region is
	reserved with 0 length, then it ends up corrupting the IOVA rbtree with
	an entry which has pfn_hi < pfn_lo.
	If we intend to use display driver in kernel without framebuffer then
	it's causing the display IOMMU mappings to fail as entire valid IOVA
	space is reserved when address and length are passed as 0.
	An ideal solution would be firmware removing the "iommu-addresses"
	property and corresponding "memory-region" if display is not present.
	But the kernel should be able to handle this by checking for size of
	IOVA region and skipping the IOVA reservation if size is 0. Also, add
	a warning if firmware is requesting 0-length IOVA region reservation.

	The Linux kernel CVE team has assigned CVE-2023-52455 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.3 with commit a5bf3cfce8cb77d9d24613ab52d520896f83dd48 and fixed in 6.6.14 with commit 98b8a550da83cc392a14298c4b3eaaf0332ae6ad
	Issue introduced in 6.3 with commit a5bf3cfce8cb77d9d24613ab52d520896f83dd48 and fixed in 6.7.2 with commit 5e23e283910c9f30248732ae0770bcb0c9438abf
	Issue introduced in 6.3 with commit a5bf3cfce8cb77d9d24613ab52d520896f83dd48 and fixed in 6.8 with commit bb57f6705960bebeb832142ce9abf43220c3eab1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52455
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/iommu/of_iommu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad
	https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf
	https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1