cve/published/2023/CVE-2023-52570.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52570: vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()

 Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in
 kobject_add_internal() in kobject_init_and_add() in mdev_type_add()
 in parent_create_sysfs_files(), it will return 0 and probe successfully.
 And when rmmod mdpy.ko, the mdpy_dev_exit() will call
 mdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized
 parent->types[i] in parent_remove_sysfs_files(), and it will cause
 below null-ptr-deref.

 If mdev_type_add() fails, return the error code and kset_unregister()
 to fix the issue.

  general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
  KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
  CPU: 2 PID: 10215 Comm: rmmod Tainted: G        W        N 6.6.0-rc2+ #20
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
  RIP: 0010:__kobject_del+0x62/0x1c0
  Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
  RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
  RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
  RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
  R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
  R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
  FS:  00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
  DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
  DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
  PKRU: 55555554
  Call Trace:
   <TASK>
   ? die_addr+0x3d/0xa0
   ? exc_general_protection+0x144/0x220
   ? asm_exc_general_protection+0x22/0x30
   ? __kobject_del+0x62/0x1c0
   kobject_del+0x32/0x50
   parent_remove_sysfs_files+0xd6/0x170 [mdev]
   mdev_unregister_parent+0xfb/0x190 [mdev]
   ? mdev_register_parent+0x270/0x270 [mdev]
   ? find_module_all+0x9d/0xe0
   mdpy_dev_exit+0x17/0x63 [mdpy]
   __do_sys_delete_module.constprop.0+0x2fa/0x4b0
   ? module_flags+0x300/0x300
   ? __fput+0x4e7/0xa00
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0
  RIP: 0033:0x7fbc813221b7
  Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
  RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
  RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7
  RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58
  RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000
  R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870
  R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0
   </TASK>
  Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]
  Dumping ftrace buffer:
     (ftrace buffer empty)
  ---[ end trace 0000000000000000 ]---
  RIP: 0010:__kobject_del+0x62/0x1c0
  Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
  RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
  RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
  RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
  R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
  R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
  FS:  00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
  DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
  DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
  PKRU: 55555554
  Kernel panic - not syncing: Fatal exception
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Kernel Offset: disabled
  Rebooting in 1 seconds..

 The Linux kernel CVE team has assigned CVE-2023-52570 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1 with commit da44c340c4fe9d9653ae84fa6a60f406bafcffce and fixed in 6.1.56 with commit c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4
 	Issue introduced in 6.1 with commit da44c340c4fe9d9653ae84fa6a60f406bafcffce and fixed in 6.5.6 with commit 52093779b1830ac184a23848d971f06404cf513e
 	Issue introduced in 6.1 with commit da44c340c4fe9d9653ae84fa6a60f406bafcffce and fixed in 6.6 with commit c777b11d34e0f47dbbc4b018ef65ad030f2b283a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52570
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/vfio/mdev/mdev_sysfs.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4
 	https://git.kernel.org/stable/c/52093779b1830ac184a23848d971f06404cf513e
 	https://git.kernel.org/stable/c/c777b11d34e0f47dbbc4b018ef65ad030f2b283a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52570: vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	vfio/mdev: Fix a null-ptr-deref bug for mdev_unregister_parent()

	Inject fault while probing mdpy.ko, if kstrdup() of create_dir() fails in
	kobject_add_internal() in kobject_init_and_add() in mdev_type_add()
	in parent_create_sysfs_files(), it will return 0 and probe successfully.
	And when rmmod mdpy.ko, the mdpy_dev_exit() will call
	mdev_unregister_parent(), the mdev_type_remove() may traverse uninitialized
	parent->types[i] in parent_remove_sysfs_files(), and it will cause
	below null-ptr-deref.

	If mdev_type_add() fails, return the error code and kset_unregister()
	to fix the issue.

	general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
	KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
	CPU: 2 PID: 10215 Comm: rmmod Tainted: G W N 6.6.0-rc2+ #20
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
	RIP: 0010:__kobject_del+0x62/0x1c0
	Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
	RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
	RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
	RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
	RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
	R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
	R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
	FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
	DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
	DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
	PKRU: 55555554
	Call Trace:
	<TASK>
	? die_addr+0x3d/0xa0
	? exc_general_protection+0x144/0x220
	? asm_exc_general_protection+0x22/0x30
	? __kobject_del+0x62/0x1c0
	kobject_del+0x32/0x50
	parent_remove_sysfs_files+0xd6/0x170 [mdev]
	mdev_unregister_parent+0xfb/0x190 [mdev]
	? mdev_register_parent+0x270/0x270 [mdev]
	? find_module_all+0x9d/0xe0
	mdpy_dev_exit+0x17/0x63 [mdpy]
	__do_sys_delete_module.constprop.0+0x2fa/0x4b0
	? module_flags+0x300/0x300
	? __fput+0x4e7/0xa00
	do_syscall_64+0x35/0x80
	entry_SYSCALL_64_after_hwframe+0x46/0xb0
	RIP: 0033:0x7fbc813221b7
	Code: 73 01 c3 48 8b 0d d1 8c 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a1 8c 2c 00 f7 d8 64 89 01 48
	RSP: 002b:00007ffe780e0648 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
	RAX: ffffffffffffffda RBX: 00007ffe780e06a8 RCX: 00007fbc813221b7
	RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055e214df9b58
	RBP: 000055e214df9af0 R08: 00007ffe780df5c1 R09: 0000000000000000
	R10: 00007fbc8139ecc0 R11: 0000000000000206 R12: 00007ffe780e0870
	R13: 00007ffe780e0ed0 R14: 000055e214df9260 R15: 000055e214df9af0
	</TASK>
	Modules linked in: mdpy(-) mdev vfio_iommu_type1 vfio [last unloaded: mdpy]
	Dumping ftrace buffer:
	(ftrace buffer empty)
	---[ end trace 0000000000000000 ]---
	RIP: 0010:__kobject_del+0x62/0x1c0
	Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 51 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8b 6b 28 48 8d 7d 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 24 01 00 00 48 8b 75 10 48 89 df 48 8d 6b 3c e8
	RSP: 0018:ffff88810695fd30 EFLAGS: 00010202
	RAX: dffffc0000000000 RBX: ffffffffa0270268 RCX: 0000000000000000
	RDX: 0000000000000002 RSI: 0000000000000004 RDI: 0000000000000010
	RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed10233a4ef1
	R10: ffff888119d2778b R11: 0000000063666572 R12: 0000000000000000
	R13: fffffbfff404e2d4 R14: dffffc0000000000 R15: ffffffffa0271660
	FS: 00007fbc81981540(0000) GS:ffff888119d00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007fc14a142dc0 CR3: 0000000110a62003 CR4: 0000000000770ee0
	DR0: ffffffff8fb0bce8 DR1: ffffffff8fb0bce9 DR2: ffffffff8fb0bcea
	DR3: ffffffff8fb0bceb DR6: 00000000fffe0ff0 DR7: 0000000000000600
	PKRU: 55555554
	Kernel panic - not syncing: Fatal exception
	Dumping ftrace buffer:
	(ftrace buffer empty)
	Kernel Offset: disabled
	Rebooting in 1 seconds..

	The Linux kernel CVE team has assigned CVE-2023-52570 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1 with commit da44c340c4fe9d9653ae84fa6a60f406bafcffce and fixed in 6.1.56 with commit c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4
	Issue introduced in 6.1 with commit da44c340c4fe9d9653ae84fa6a60f406bafcffce and fixed in 6.5.6 with commit 52093779b1830ac184a23848d971f06404cf513e
	Issue introduced in 6.1 with commit da44c340c4fe9d9653ae84fa6a60f406bafcffce and fixed in 6.6 with commit c777b11d34e0f47dbbc4b018ef65ad030f2b283a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52570
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/vfio/mdev/mdev_sysfs.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c01b2e0ee22ef8b4dd7509a93aecc0ac0826bae4
	https://git.kernel.org/stable/c/52093779b1830ac184a23848d971f06404cf513e
	https://git.kernel.org/stable/c/c777b11d34e0f47dbbc4b018ef65ad030f2b283a