cve/published/2023/CVE-2023-52635.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52635: PM / devfreq: Synchronize devfreq_monitor_[start/stop]

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 PM / devfreq: Synchronize devfreq_monitor_[start/stop]

 There is a chance if a frequent switch of the governor
 done in a loop result in timer list corruption where
 timer cancel being done from two place one from
 cancel_delayed_work_sync() and followed by expire_timers()
 can be seen from the traces[1].

 while true
 do
         echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor
         echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor
 done

 It looks to be issue with devfreq driver where
 device_monitor_[start/stop] need to synchronized so that
 delayed work should get corrupted while it is either
 being queued or running or being cancelled.

 Let's use polling flag and devfreq lock to synchronize the
 queueing the timer instance twice and work data being
 corrupted.

 [1]
 ...
 ..
 <idle>-0    [003]   9436.209662:  timer_cancel   timer=0xffffff80444f0428
 <idle>-0    [003]   9436.209664:  timer_expire_entry   timer=0xffffff80444f0428  now=0x10022da1c  function=__typeid__ZTSFvP10timer_listE_global_addr  baseclk=0x10022da1c
 <idle>-0    [003]   9436.209718:  timer_expire_exit   timer=0xffffff80444f0428
 kworker/u16:6-14217    [003]   9436.209863:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2b  now=0x10022da1c  flags=182452227
 vendor.xxxyyy.ha-1593    [004]   9436.209888:  timer_cancel   timer=0xffffff80444f0428
 vendor.xxxyyy.ha-1593    [004]   9436.216390:  timer_init   timer=0xffffff80444f0428
 vendor.xxxyyy.ha-1593    [004]   9436.216392:  timer_start   timer=0xffffff80444f0428  function=__typeid__ZTSFvP10timer_listE_global_addr  expires=0x10022da2c  now=0x10022da1d  flags=186646532
 vendor.xxxyyy.ha-1593    [005]   9436.220992:  timer_cancel   timer=0xffffff80444f0428
 xxxyyyTraceManag-7795    [004]   9436.261641:  timer_cancel   timer=0xffffff80444f0428

 [2]

  9436.261653][    C4] Unable to handle kernel paging request at virtual address dead00000000012a
 [ 9436.261664][    C4] Mem abort info:
 [ 9436.261666][    C4]   ESR = 0x96000044
 [ 9436.261669][    C4]   EC = 0x25: DABT (current EL), IL = 32 bits
 [ 9436.261671][    C4]   SET = 0, FnV = 0
 [ 9436.261673][    C4]   EA = 0, S1PTW = 0
 [ 9436.261675][    C4] Data abort info:
 [ 9436.261677][    C4]   ISV = 0, ISS = 0x00000044
 [ 9436.261680][    C4]   CM = 0, WnR = 1
 [ 9436.261682][    C4] [dead00000000012a] address between user and kernel address ranges
 [ 9436.261685][    C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP
 [ 9436.261701][    C4] Skip md ftrace buffer dump for: 0x3a982d0
 ...

 [ 9436.262138][    C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S      W  O      5.10.149-android12-9-o-g17f915d29d0c #1
 [ 9436.262141][    C4] Hardware name: Qualcomm Technologies, Inc.  (DT)
 [ 9436.262144][    C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)
 [ 9436.262161][    C4] pc : expire_timers+0x9c/0x438
 [ 9436.262164][    C4] lr : expire_timers+0x2a4/0x438
 [ 9436.262168][    C4] sp : ffffffc010023dd0
 [ 9436.262171][    C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18
 [ 9436.262178][    C4] x27: ffffffd063569dd0 x26: ffffffd063536008
 [ 9436.262182][    C4] x25: 0000000000000001 x24: ffffff88f7c69280
 [ 9436.262185][    C4] x23: 00000000000000e0 x22: dead000000000122
 [ 9436.262188][    C4] x21: 000000010022da29 x20: ffffff8af72b4e80
 [ 9436.262191][    C4] x19: ffffffc010023e50 x18: ffffffc010025038
 [ 9436.262195][    C4] x17: 0000000000000240 x16: 0000000000000201
 [ 9436.262199][    C4] x15: ffffffffffffffff x14: ffffff889f3c3100
 [ 9436.262203][    C4] x13: ffffff889f3c3100 x12: 00000000049f56b8
 [ 9436.262207][    C4] x11: 00000000049f56b8 x10: 00000000ffffffff
 [ 9436.262212][    C4] x9 : ffffffc010023e50 x8 : dead000000000122
 [ 9436.262216][    C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8
 [ 9436.262220][    C4] x5 : 0000000000000000 x4 : 0000000000000101
 [ 9436.262223][    C4] x3 : 0000000000000080 x2 : ffffff889edc155c
 [ 9436.262227][    C4] x1 : ffffff8001005200 x0 : ffffff80444f0428
 [ 9436.262232][    C4] Call trace:
 [ 9436.262236][    C4]  expire_timers+0x9c/0x438
 [ 9436.262240][    C4]  __run_timers+0x1f0/0x330
 [ 9436.262245][    C4]  run_timer_softirq+0x28/0x58
 [ 9436.262255][    C4]  efi_header_end+0x168/0x5ec
 [ 9436.262265][    C4]  __irq_exit_rcu+0x108/0x124
 [ 9436.262274][    C4]  __handle_domain_irq+0x118/0x1e4
 [ 9436.262282][    C4]  gic_handle_irq.30369+0x6c/0x2bc
 [ 9436.262286][    C4]  el0_irq_naked+0x60/0x6c

 The Linux kernel CVE team has assigned CVE-2023-52635 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.210 with commit 3399cc7013e761fee9d6eec795e9b31ab0cbe475
 	Fixed in 5.15.149 with commit 099f6a9edbe30b142c1d97fe9a4748601d995675
 	Fixed in 6.1.77 with commit 31569995fc65007b73a3fff605ec2b3401b435e9
 	Fixed in 6.6.16 with commit 0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9
 	Fixed in 6.7.4 with commit ae815e2fdc284ab31651d52460698bd89c0fce22
 	Fixed in 6.8 with commit aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52635
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/devfreq/devfreq.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3399cc7013e761fee9d6eec795e9b31ab0cbe475
 	https://git.kernel.org/stable/c/099f6a9edbe30b142c1d97fe9a4748601d995675
 	https://git.kernel.org/stable/c/31569995fc65007b73a3fff605ec2b3401b435e9
 	https://git.kernel.org/stable/c/0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9
 	https://git.kernel.org/stable/c/ae815e2fdc284ab31651d52460698bd89c0fce22
 	https://git.kernel.org/stable/c/aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52635: PM / devfreq: Synchronize devfreq_monitor_[start/stop]

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	PM / devfreq: Synchronize devfreq_monitor_[start/stop]

	There is a chance if a frequent switch of the governor
	done in a loop result in timer list corruption where
	timer cancel being done from two place one from
	cancel_delayed_work_sync() and followed by expire_timers()
	can be seen from the traces[1].

	while true
	do
	echo "simple_ondemand" > /sys/class/devfreq/1d84000.ufshc/governor
	echo "performance" > /sys/class/devfreq/1d84000.ufshc/governor
	done

	It looks to be issue with devfreq driver where
	device_monitor_[start/stop] need to synchronized so that
	delayed work should get corrupted while it is either
	being queued or running or being cancelled.

	Let's use polling flag and devfreq lock to synchronize the
	queueing the timer instance twice and work data being
	corrupted.

	[1]
	...
	..
	<idle>-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428
	<idle>-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c
	<idle>-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428
	kworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227
	vendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428
	vendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428
	vendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532
	vendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428
	xxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428

	[2]

	9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a
	[ 9436.261664][ C4] Mem abort info:
	[ 9436.261666][ C4] ESR = 0x96000044
	[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits
	[ 9436.261671][ C4] SET = 0, FnV = 0
	[ 9436.261673][ C4] EA = 0, S1PTW = 0
	[ 9436.261675][ C4] Data abort info:
	[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044
	[ 9436.261680][ C4] CM = 0, WnR = 1
	[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges
	[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP
	[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0
	...

	[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1
	[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)
	[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)
	[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438
	[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438
	[ 9436.262168][ C4] sp : ffffffc010023dd0
	[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18
	[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008
	[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280
	[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122
	[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80
	[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038
	[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201
	[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100
	[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8
	[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff
	[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122
	[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8
	[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101
	[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff889edc155c
	[ 9436.262227][ C4] x1 : ffffff8001005200 x0 : ffffff80444f0428
	[ 9436.262232][ C4] Call trace:
	[ 9436.262236][ C4] expire_timers+0x9c/0x438
	[ 9436.262240][ C4] __run_timers+0x1f0/0x330
	[ 9436.262245][ C4] run_timer_softirq+0x28/0x58
	[ 9436.262255][ C4] efi_header_end+0x168/0x5ec
	[ 9436.262265][ C4] __irq_exit_rcu+0x108/0x124
	[ 9436.262274][ C4] __handle_domain_irq+0x118/0x1e4
	[ 9436.262282][ C4] gic_handle_irq.30369+0x6c/0x2bc
	[ 9436.262286][ C4] el0_irq_naked+0x60/0x6c

	The Linux kernel CVE team has assigned CVE-2023-52635 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.210 with commit 3399cc7013e761fee9d6eec795e9b31ab0cbe475
	Fixed in 5.15.149 with commit 099f6a9edbe30b142c1d97fe9a4748601d995675
	Fixed in 6.1.77 with commit 31569995fc65007b73a3fff605ec2b3401b435e9
	Fixed in 6.6.16 with commit 0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9
	Fixed in 6.7.4 with commit ae815e2fdc284ab31651d52460698bd89c0fce22
	Fixed in 6.8 with commit aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52635
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/devfreq/devfreq.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3399cc7013e761fee9d6eec795e9b31ab0cbe475
	https://git.kernel.org/stable/c/099f6a9edbe30b142c1d97fe9a4748601d995675
	https://git.kernel.org/stable/c/31569995fc65007b73a3fff605ec2b3401b435e9
	https://git.kernel.org/stable/c/0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9
	https://git.kernel.org/stable/c/ae815e2fdc284ab31651d52460698bd89c0fce22
	https://git.kernel.org/stable/c/aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6