cve/published/2023/CVE-2023-52864.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-52864: platform/x86: wmi: Fix opening of char device

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: wmi: Fix opening of char device

Since commit fa1f68db6ca7 ("drivers: misc: pass miscdevice pointer via
file private data"), the miscdevice stores a pointer to itself inside
filp->private_data, which means that private_data will not be NULL when
wmi_char_open() is called. This might cause memory corruption should
wmi_char_open() be unable to find its driver, something which can
happen when the associated WMI device is deleted in wmi_free_devices().

Fix the problem by using the miscdevice pointer to retrieve the WMI
device data associated with a char device using container_of(). This
also avoids wmi_char_open() picking a wrong WMI device bound to a
driver with the same name as the original driver.

The Linux kernel CVE team has assigned CVE-2023-52864 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.15 with commit 44b6b7661132b1b0e5fd3147ded66f1e4a817ca9 and fixed in 4.19.299 with commit cf098e937dd125c0317a0d6f261ac2a950a233d6
	Issue introduced in 4.15 with commit 44b6b7661132b1b0e5fd3147ded66f1e4a817ca9 and fixed in 5.4.261 with commit 9fb0eed09e1470cd4021ff52b2b9dfcbcee4c203
	Issue introduced in 4.15 with commit 44b6b7661132b1b0e5fd3147ded66f1e4a817ca9 and fixed in 5.10.201 with commit d426a2955e45a95b2282764105fcfb110a540453
	Issue introduced in 4.15 with commit 44b6b7661132b1b0e5fd3147ded66f1e4a817ca9 and fixed in 5.15.139 with commit e0bf076b734a2fab92d8fddc2b8b03462eee7097
	Issue introduced in 4.15 with commit 44b6b7661132b1b0e5fd3147ded66f1e4a817ca9 and fixed in 6.1.63 with commit 44a96796d25809502c75771d40ee693c2e44724e
	Issue introduced in 4.15 with commit 44b6b7661132b1b0e5fd3147ded66f1e4a817ca9 and fixed in 6.5.12 with commit 36d85fa7ae0d6be651c1a745191fa7ef055db43e
	Issue introduced in 4.15 with commit 44b6b7661132b1b0e5fd3147ded66f1e4a817ca9 and fixed in 6.6.2 with commit fb7b06b59c6887659c6ed0ecd3110835eecbb6a3
	Issue introduced in 4.15 with commit 44b6b7661132b1b0e5fd3147ded66f1e4a817ca9 and fixed in 6.7 with commit eba9ac7abab91c8f6d351460239108bef5e7a0b6

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52864
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/platform/x86/wmi.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/cf098e937dd125c0317a0d6f261ac2a950a233d6
	https://git.kernel.org/stable/c/9fb0eed09e1470cd4021ff52b2b9dfcbcee4c203
	https://git.kernel.org/stable/c/d426a2955e45a95b2282764105fcfb110a540453
	https://git.kernel.org/stable/c/e0bf076b734a2fab92d8fddc2b8b03462eee7097
	https://git.kernel.org/stable/c/44a96796d25809502c75771d40ee693c2e44724e
	https://git.kernel.org/stable/c/36d85fa7ae0d6be651c1a745191fa7ef055db43e
	https://git.kernel.org/stable/c/fb7b06b59c6887659c6ed0ecd3110835eecbb6a3
	https://git.kernel.org/stable/c/eba9ac7abab91c8f6d351460239108bef5e7a0b6