cve/published/2023/CVE-2023-52797.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52797: drivers: perf: Check find_first_bit() return value

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drivers: perf: Check find_first_bit() return value

 We must check the return value of find_first_bit() before using the
 return value as an index array since it happens to overflow the array
 and then panic:

 [  107.318430] Kernel BUG [#1]
 [  107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G            E      6.6.0-rc6ubuntu-defconfig #2
 [  107.319465] Hardware name: riscv-virtio,qemu (DT)
 [  107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae
 [  107.319840]  ra : pmu_sbi_ovf_handler+0x52/0x3ae
 [  107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350
 [  107.319884]  gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480
 [  107.319899]  t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520
 [  107.319921]  s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff
 [  107.319936]  a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000
 [  107.319951]  a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55
 [  107.319965]  s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f
 [  107.319980]  s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000
 [  107.319995]  s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0
 [  107.320009]  s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000
 [  107.320023]  t5 : ffffaf7f80000000 t6 : ffffaf8000000000
 [  107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003
 [  107.320081] [<ffffffff80a0a77c>] pmu_sbi_ovf_handler+0x3a4/0x3ae
 [  107.320112] [<ffffffff800b42d0>] handle_percpu_devid_irq+0x9e/0x1a0
 [  107.320131] [<ffffffff800ad92c>] generic_handle_domain_irq+0x28/0x36
 [  107.320148] [<ffffffff8065f9f8>] riscv_intc_irq+0x36/0x4e
 [  107.320166] [<ffffffff80caf4a0>] handle_riscv_irq+0x54/0x86
 [  107.320189] [<ffffffff80cb0036>] do_irq+0x64/0x96
 [  107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097
 [  107.320585] ---[ end trace 0000000000000000 ]---
 [  107.320704] Kernel panic - not syncing: Fatal exception in interrupt
 [  107.320775] SMP: stopping secondary CPUs
 [  107.321219] Kernel Offset: 0x0 from 0xffffffff80000000
 [  107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

 The Linux kernel CVE team has assigned CVE-2023-52797 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit 4905ec2fb7e6421c14c9fb7276f5aa92f60f2b98 and fixed in 6.5.13 with commit 2c86b24095fcf72cf51bc72d12e4350163b4e11d
 	Issue introduced in 5.18 with commit 4905ec2fb7e6421c14c9fb7276f5aa92f60f2b98 and fixed in 6.6.3 with commit 45a0de41ec383c8b7c6d442734ba3852dd2fc4a7
 	Issue introduced in 5.18 with commit 4905ec2fb7e6421c14c9fb7276f5aa92f60f2b98 and fixed in 6.7 with commit c6e316ac05532febb0c966fa9b55f5258ed037be

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52797
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/perf/riscv_pmu_sbi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2c86b24095fcf72cf51bc72d12e4350163b4e11d
 	https://git.kernel.org/stable/c/45a0de41ec383c8b7c6d442734ba3852dd2fc4a7
 	https://git.kernel.org/stable/c/c6e316ac05532febb0c966fa9b55f5258ed037be
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52797: drivers: perf: Check find_first_bit() return value

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drivers: perf: Check find_first_bit() return value

	We must check the return value of find_first_bit() before using the
	return value as an index array since it happens to overflow the array
	and then panic:

	[ 107.318430] Kernel BUG [#1]
	[ 107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G E 6.6.0-rc6ubuntu-defconfig #2
	[ 107.319465] Hardware name: riscv-virtio,qemu (DT)
	[ 107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae
	[ 107.319840] ra : pmu_sbi_ovf_handler+0x52/0x3ae
	[ 107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350
	[ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480
	[ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520
	[ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff
	[ 107.319936] a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000
	[ 107.319951] a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55
	[ 107.319965] s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f
	[ 107.319980] s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000
	[ 107.319995] s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0
	[ 107.320009] s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000
	[ 107.320023] t5 : ffffaf7f80000000 t6 : ffffaf8000000000
	[ 107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003
	[ 107.320081] [<ffffffff80a0a77c>] pmu_sbi_ovf_handler+0x3a4/0x3ae
	[ 107.320112] [<ffffffff800b42d0>] handle_percpu_devid_irq+0x9e/0x1a0
	[ 107.320131] [<ffffffff800ad92c>] generic_handle_domain_irq+0x28/0x36
	[ 107.320148] [<ffffffff8065f9f8>] riscv_intc_irq+0x36/0x4e
	[ 107.320166] [<ffffffff80caf4a0>] handle_riscv_irq+0x54/0x86
	[ 107.320189] [<ffffffff80cb0036>] do_irq+0x64/0x96
	[ 107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097
	[ 107.320585] ---[ end trace 0000000000000000 ]---
	[ 107.320704] Kernel panic - not syncing: Fatal exception in interrupt
	[ 107.320775] SMP: stopping secondary CPUs
	[ 107.321219] Kernel Offset: 0x0 from 0xffffffff80000000
	[ 107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

	The Linux kernel CVE team has assigned CVE-2023-52797 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit 4905ec2fb7e6421c14c9fb7276f5aa92f60f2b98 and fixed in 6.5.13 with commit 2c86b24095fcf72cf51bc72d12e4350163b4e11d
	Issue introduced in 5.18 with commit 4905ec2fb7e6421c14c9fb7276f5aa92f60f2b98 and fixed in 6.6.3 with commit 45a0de41ec383c8b7c6d442734ba3852dd2fc4a7
	Issue introduced in 5.18 with commit 4905ec2fb7e6421c14c9fb7276f5aa92f60f2b98 and fixed in 6.7 with commit c6e316ac05532febb0c966fa9b55f5258ed037be

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52797
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/perf/riscv_pmu_sbi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2c86b24095fcf72cf51bc72d12e4350163b4e11d
	https://git.kernel.org/stable/c/45a0de41ec383c8b7c6d442734ba3852dd2fc4a7
	https://git.kernel.org/stable/c/c6e316ac05532febb0c966fa9b55f5258ed037be