From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-52501: ring-buffer: Do not attempt to read past "commit"

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ring-buffer: Do not attempt to read past "commit"

When iterating over the ring buffer while the ring buffer is active, the
writer can corrupt the reader. There are barriers to help detect this and
handle it, but that code missed the case where the last event was at the
very end of the page and has only 4 bytes left.

The checks that detect corruption of reads by the writer need to see the
length of the event. If the length in the first 4 bytes is zero then the
length is stored in the second 4 bytes. But if the writer is in the process
of updating that code, there's a small window where the length in the first
4 bytes could be zero even though the length is only 4 bytes. That will
cause rb_event_length() to read the next 4 bytes, which could happen to be off the
allocated page.

To protect against this, fail immediately if the next event pointer is
less than 8 bytes from the end of the commit (last byte of data), as all
events must be a minimum of 8 bytes anyway.

The Linux kernel CVE team has assigned CVE-2023-52501 to this issue.


Affected and fixed versions
===========================

Fixed in 5.10.198 with commit cee5151c5410e868826b8afecfb356f3799ebea3
Fixed in 5.15.134 with commit 344f2f3e61a90f0150c754796ec9a17fcaeec03d
Fixed in 6.1.56 with commit b08a4938229dbb530a35c41b83002a1457c6ff49
Fixed in 6.5.6 with commit 75fc9e99b3a71006720ad1e029db11a4b5c32d4a
Fixed in 6.6 with commit 95a404bd60af6c4d9d8db01ad14fe8957ece31ca

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
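To make the race window concrete, here is an added C model of the reader-side check described above. It is illustration code written for this page, not the kernel's ring_buffer.c and not the fix commit: the header layout (a 4-byte length word, with the real length in the following 4 bytes when that word is zero), the 64-byte toy page, the 0xDEADBEEF sentinel placed after the page, and all `model_*`/`build_racy_page` names are constructed assumptions. The unguarded reader, handed an event that starts 4 bytes before commit with a zero first word, consumes the sentinel that lives beyond the page; the guarded reader applies the "fewer than 8 bytes left before commit" rule first and rejects the event before touching its header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MODEL_PAGE 64   /* toy data page size, constructed for this example */
#define MODEL_PAD  8    /* sentinel bytes after the page, to reveal overreads */
#define MIN_EVENT  8    /* every event is at least 8 bytes, per the advisory */

/* Simplified length rule from the advisory: the first 4 bytes hold the
 * length unless they are zero, in which case the length is in the next
 * 4 bytes. Hypothetical model, not the kernel's ring_buffer_event layout. */
static uint32_t model_event_length(const uint8_t *ev)
{
    uint32_t first, second;
    memcpy(&first, ev, sizeof first);
    if (first != 0)
        return first;
    memcpy(&second, ev + 4, sizeof second);  /* the extra 4-byte read */
    return 4 + second;
}

/* One reader step over page[0..commit). Returns 0 and stores the event
 * length in *len_out on success, -1 when the event is rejected. With
 * guard != 0 the check from the fix runs first: an event starting fewer
 * than MIN_EVENT bytes before commit cannot be valid, so it is rejected
 * before any header bytes are read. */
int model_read_event(const uint8_t *page, size_t commit, size_t pos,
                     int guard, uint32_t *len_out)
{
    if (pos >= commit)
        return -1;
    if (guard && commit - pos < MIN_EVENT)
        return -1;
    uint32_t len = model_event_length(page + pos);
    *len_out = len;
    if (len < MIN_EVENT || pos + len > commit)
        return -1;
    return 0;
}

/* Builds the racy page from the advisory: a normal 16-byte event at
 * offset 0, and a last event in the final 4 bytes before commit whose
 * length word reads as zero (the writer's mid-update window). The sentinel
 * after the page stands in for whatever memory follows the allocation. */
static void build_racy_page(uint8_t *buf, size_t *commit)
{
    uint32_t first = 16, zero = 0, sentinel = 0xDEADBEEFu;
    memset(buf, 0, MODEL_PAGE + MODEL_PAD);
    memcpy(buf, &first, sizeof first);
    *commit = MODEL_PAGE;
    memcpy(buf + *commit - 4, &zero, sizeof zero);
    memcpy(buf + MODEL_PAGE, &sentinel, sizeof sentinel);
}

/* Length the unguarded reader computes for the last event:
 * 4 + 0xDEADBEEF shows the sentinel beyond the page was consumed. */
uint32_t unguarded_last_event_length(void)
{
    uint8_t buf[MODEL_PAGE + MODEL_PAD];
    size_t commit;
    uint32_t len = 0;
    build_racy_page(buf, &commit);
    model_read_event(buf, commit, commit - 4, 0, &len);
    return len;
}

/* Guarded reader's verdict on the same event: -1, refused before reading. */
int guarded_last_event_result(void)
{
    uint8_t buf[MODEL_PAGE + MODEL_PAD];
    size_t commit;
    uint32_t len = 0;
    build_racy_page(buf, &commit);
    return model_read_event(buf, commit, commit - 4, 1, &len);
}

/* The guard does not disturb well-formed events: the 16-byte event at 0. */
uint32_t guarded_first_event_length(void)
{
    uint8_t buf[MODEL_PAGE + MODEL_PAD];
    size_t commit;
    uint32_t len = 0;
    build_racy_page(buf, &commit);
    return model_read_event(buf, commit, 0, 1, &len) == 0 ? len : 0;
}

int main(void)
{
    printf("unguarded last-event length: 0x%x\n", unguarded_last_event_length());
    printf("guarded last-event result:   %d\n", guarded_last_event_result());
    printf("guarded first-event length:  %u\n", guarded_first_event_length());
    return 0;
}
```

The point the model makes is that the length-dependent check cannot defend itself: it has to read the length to decide whether the event is sane, and that read is the one that can leave the page. The fix moves the decision before the read, using the one fact that needs no header bytes, namely the distance to commit.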

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-52501
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
kernel/trace/ring_buffer.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/cee5151c5410e868826b8afecfb356f3799ebea3
https://git.kernel.org/stable/c/344f2f3e61a90f0150c754796ec9a17fcaeec03d
https://git.kernel.org/stable/c/b08a4938229dbb530a35c41b83002a1457c6ff49
https://git.kernel.org/stable/c/75fc9e99b3a71006720ad1e029db11a4b5c32d4a
https://git.kernel.org/stable/c/95a404bd60af6c4d9d8db01ad14fe8957ece31ca