cve/published/2023/CVE-2023-52835.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-52835: perf/core: Bail out early if the request AUX area is out of bound

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Bail out early if the request AUX area is out of bound

When perf-record with a large AUX area, e.g 4GB, it fails with:

    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
    failed to mmap with 12 (Cannot allocate memory)

and it reveals a WARNING with __alloc_pages():

	------------[ cut here ]------------
	WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248
	Call trace:
	 __alloc_pages+0x1ec/0x248
	 __kmalloc_large_node+0xc0/0x1f8
	 __kmalloc_node+0x134/0x1e8
	 rb_alloc_aux+0xe0/0x298
	 perf_mmap+0x440/0x660
	 mmap_region+0x308/0x8a8
	 do_mmap+0x3c0/0x528
	 vm_mmap_pgoff+0xf4/0x1b8
	 ksys_mmap_pgoff+0x18c/0x218
	 __arm64_sys_mmap+0x38/0x58
	 invoke_syscall+0x50/0x128
	 el0_svc_common.constprop.0+0x58/0x188
	 do_el0_svc+0x34/0x50
	 el0_svc+0x34/0x108
	 el0t_64_sync_handler+0xb8/0xc0
	 el0t_64_sync+0x1a4/0x1a8

'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to
maintains AUX trace pages. The allocated page for this array is physically
contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the
size of pointer array crosses the limitation set by MAX_ORDER, it reveals a
WARNING.

So bail out early with -ENOMEM if the request AUX area is out of bound,
e.g.:

    #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
    failed to mmap with 12 (Cannot allocate memory)

The Linux kernel CVE team has assigned CVE-2023-52835 to this issue.


Affected and fixed versions
===========================

	Fixed in 4.19.300 with commit 8c504f615d7ed60ae035c51d0c789137ced6797f
	Fixed in 5.4.262 with commit 788c0b3442ead737008934947730a6d1ff703734
	Fixed in 5.10.202 with commit 1a2a4202c60fcdffbf04f259002ce9bff39edece
	Fixed in 5.15.140 with commit fd0df3f8719201dbe61a4d39083d5aecd705399a
	Fixed in 6.1.64 with commit 9ce4e87a8efd37c85766ec08b15e885cab08553a
	Fixed in 6.5.13 with commit 2424410f94a94d91230ced094062d859714c984a
	Fixed in 6.6.3 with commit 2e905e608e38cf7f8dcddcf8a6036e91a78444cb
	Fixed in 6.7 with commit 54aee5f15b83437f23b2b2469bcf21bdd9823916

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52835
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	kernel/events/ring_buffer.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/8c504f615d7ed60ae035c51d0c789137ced6797f
	https://git.kernel.org/stable/c/788c0b3442ead737008934947730a6d1ff703734
	https://git.kernel.org/stable/c/1a2a4202c60fcdffbf04f259002ce9bff39edece
	https://git.kernel.org/stable/c/fd0df3f8719201dbe61a4d39083d5aecd705399a
	https://git.kernel.org/stable/c/9ce4e87a8efd37c85766ec08b15e885cab08553a
	https://git.kernel.org/stable/c/2424410f94a94d91230ced094062d859714c984a
	https://git.kernel.org/stable/c/2e905e608e38cf7f8dcddcf8a6036e91a78444cb
	https://git.kernel.org/stable/c/54aee5f15b83437f23b2b2469bcf21bdd9823916