cve/published/2023/CVE-2023-52792.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52792: cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails

 Commit 5e42bcbc3fef ("cxl/region: decrement ->nr_targets on error in
 cxl_region_attach()") tried to avoid 'eiw' initialization errors when
 ->nr_targets exceeded 16, by just decrementing ->nr_targets when
 cxl_region_setup_targets() failed.

 Commit 86987c766276 ("cxl/region: Cleanup target list on attach error")
 extended that cleanup to also clear cxled->pos and p->targets[pos]. The
 initialization error was incidentally fixed separately by:
 Commit 8d4285425714 ("cxl/region: Fix port setup uninitialized variable
 warnings") which was merged a few days after 5e42bcbc3fef.

 But now the original cleanup when cxl_region_setup_targets() fails
 prevents endpoint and switch decoder resources from being reused:

 1) the cleanup does not set the decoder's region to NULL, which results
    in future dpa_size_store() calls returning -EBUSY
 2) the decoder is not properly freed, which results in future commit
    errors associated with the upstream switch

 Now that the initialization errors were fixed separately, the proper
 cleanup for this case is to just return immediately. Then the resources
 associated with this target get cleanup up as normal when the failed
 region is deleted.

 The ->nr_targets decrement in the error case also helped prevent
 a p->targets[] array overflow, so add a new check to prevent against
 that overflow.

 Tested by trying to create an invalid region for a 2 switch * 2 endpoint
 topology, and then following up with creating a valid region.

 The Linux kernel CVE team has assigned CVE-2023-52792 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.0 with commit 5e42bcbc3fef6e759dfb4d3f4cfb394c382b4249 and fixed in 6.1.64 with commit 90db4c1d5ebaf574d3c3065c055977982c378a83
 	Issue introduced in 6.0 with commit 5e42bcbc3fef6e759dfb4d3f4cfb394c382b4249 and fixed in 6.5.13 with commit 9090c5537c93cd0811ab7bfbd925b57addfffb60
 	Issue introduced in 6.0 with commit 5e42bcbc3fef6e759dfb4d3f4cfb394c382b4249 and fixed in 6.6.3 with commit 07ffcd8ec79cf7383e1e45815f4842fd357991c2
 	Issue introduced in 6.0 with commit 5e42bcbc3fef6e759dfb4d3f4cfb394c382b4249 and fixed in 6.7 with commit 0718588c7aaa7a1510b4de972370535b61dddd0d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52792
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/cxl/core/region.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/90db4c1d5ebaf574d3c3065c055977982c378a83
 	https://git.kernel.org/stable/c/9090c5537c93cd0811ab7bfbd925b57addfffb60
 	https://git.kernel.org/stable/c/07ffcd8ec79cf7383e1e45815f4842fd357991c2
 	https://git.kernel.org/stable/c/0718588c7aaa7a1510b4de972370535b61dddd0d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52792: cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	cxl/region: Do not try to cleanup after cxl_region_setup_targets() fails

	Commit 5e42bcbc3fef ("cxl/region: decrement ->nr_targets on error in
	cxl_region_attach()") tried to avoid 'eiw' initialization errors when
	->nr_targets exceeded 16, by just decrementing ->nr_targets when
	cxl_region_setup_targets() failed.

	Commit 86987c766276 ("cxl/region: Cleanup target list on attach error")
	extended that cleanup to also clear cxled->pos and p->targets[pos]. The
	initialization error was incidentally fixed separately by:
	Commit 8d4285425714 ("cxl/region: Fix port setup uninitialized variable
	warnings") which was merged a few days after 5e42bcbc3fef.

	But now the original cleanup when cxl_region_setup_targets() fails
	prevents endpoint and switch decoder resources from being reused:

	1) the cleanup does not set the decoder's region to NULL, which results
	in future dpa_size_store() calls returning -EBUSY
	2) the decoder is not properly freed, which results in future commit
	errors associated with the upstream switch

	Now that the initialization errors were fixed separately, the proper
	cleanup for this case is to just return immediately. Then the resources
	associated with this target get cleanup up as normal when the failed
	region is deleted.

	The ->nr_targets decrement in the error case also helped prevent
	a p->targets[] array overflow, so add a new check to prevent against
	that overflow.

	Tested by trying to create an invalid region for a 2 switch * 2 endpoint
	topology, and then following up with creating a valid region.

	The Linux kernel CVE team has assigned CVE-2023-52792 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.0 with commit 5e42bcbc3fef6e759dfb4d3f4cfb394c382b4249 and fixed in 6.1.64 with commit 90db4c1d5ebaf574d3c3065c055977982c378a83
	Issue introduced in 6.0 with commit 5e42bcbc3fef6e759dfb4d3f4cfb394c382b4249 and fixed in 6.5.13 with commit 9090c5537c93cd0811ab7bfbd925b57addfffb60
	Issue introduced in 6.0 with commit 5e42bcbc3fef6e759dfb4d3f4cfb394c382b4249 and fixed in 6.6.3 with commit 07ffcd8ec79cf7383e1e45815f4842fd357991c2
	Issue introduced in 6.0 with commit 5e42bcbc3fef6e759dfb4d3f4cfb394c382b4249 and fixed in 6.7 with commit 0718588c7aaa7a1510b4de972370535b61dddd0d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52792
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/cxl/core/region.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/90db4c1d5ebaf574d3c3065c055977982c378a83
	https://git.kernel.org/stable/c/9090c5537c93cd0811ab7bfbd925b57addfffb60
	https://git.kernel.org/stable/c/07ffcd8ec79cf7383e1e45815f4842fd357991c2
	https://git.kernel.org/stable/c/0718588c7aaa7a1510b4de972370535b61dddd0d