cve/published/2023/CVE-2023-52617.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52617: PCI: switchtec: Fix stdev_release() crash after surprise hot remove

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 PCI: switchtec: Fix stdev_release() crash after surprise hot remove

 A PCI device hot removal may occur while stdev->cdev is held open. The call
 to stdev_release() then happens during close or exit, at a point way past
 switchtec_pci_remove(). Otherwise the last ref would vanish with the
 trailing put_device(), just before return.

 At that later point in time, the devm cleanup has already removed the
 stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted
 one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause
 a fatal page fault, and the subsequent dma_free_coherent(), if reached,
 would pass a stale &stdev->pdev->dev pointer.

 Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after
 stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent
 future accidents.

 Reproducible via the script at
 https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com

 The Linux kernel CVE team has assigned CVE-2023-52617 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.269 with commit d8c293549946ee5078ed0ab77793cec365559355
 	Fixed in 5.10.210 with commit 4a5d0528cf19dbf060313dffbe047bc11c90c24c
 	Fixed in 5.15.149 with commit ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8
 	Fixed in 6.1.77 with commit 1d83c85922647758c1f1e4806a4c5c3cf591a20a
 	Fixed in 6.6.16 with commit 0233b836312e39a3c763fb53512b3fa455b473b3
 	Fixed in 6.7.4 with commit e129c7fa7070fbce57feb0bfc5eaa65eef44b693
 	Fixed in 6.8 with commit df25461119d987b8c81d232cfe4411e91dcabe66

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52617
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/pci/switch/switchtec.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355
 	https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c
 	https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8
 	https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a
 	https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3
 	https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693
 	https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52617: PCI: switchtec: Fix stdev_release() crash after surprise hot remove

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	PCI: switchtec: Fix stdev_release() crash after surprise hot remove

	A PCI device hot removal may occur while stdev->cdev is held open. The call
	to stdev_release() then happens during close or exit, at a point way past
	switchtec_pci_remove(). Otherwise the last ref would vanish with the
	trailing put_device(), just before return.

	At that later point in time, the devm cleanup has already removed the
	stdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted
	one. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause
	a fatal page fault, and the subsequent dma_free_coherent(), if reached,
	would pass a stale &stdev->pdev->dev pointer.

	Fix by moving MRPC DMA shutdown into switchtec_pci_remove(), after
	stdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent
	future accidents.

	Reproducible via the script at
	https://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com

	The Linux kernel CVE team has assigned CVE-2023-52617 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.269 with commit d8c293549946ee5078ed0ab77793cec365559355
	Fixed in 5.10.210 with commit 4a5d0528cf19dbf060313dffbe047bc11c90c24c
	Fixed in 5.15.149 with commit ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8
	Fixed in 6.1.77 with commit 1d83c85922647758c1f1e4806a4c5c3cf591a20a
	Fixed in 6.6.16 with commit 0233b836312e39a3c763fb53512b3fa455b473b3
	Fixed in 6.7.4 with commit e129c7fa7070fbce57feb0bfc5eaa65eef44b693
	Fixed in 6.8 with commit df25461119d987b8c81d232cfe4411e91dcabe66

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52617
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/pci/switch/switchtec.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355
	https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c
	https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8
	https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a
	https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3
	https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693
	https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66