cve/published/2023/CVE-2023-52910.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52910: iommu/iova: Fix alloc iova overflows issue

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 iommu/iova: Fix alloc iova overflows issue

 In __alloc_and_insert_iova_range, there is an issue that retry_pfn
 overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when
 iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will
 overflow. As a result, if the retry logic is executed, low_pfn is
 updated to 0, and then new_pfn < low_pfn returns false to make the
 allocation successful.

 This issue occurs in the following two situations:
 1. The first iova size exceeds the domain size. When initializing
 iova domain, iovad->cached_node is assigned as iovad->anchor. For
 example, the iova domain size is 10M, start_pfn is 0x1_F000_0000,
 and the iova size allocated for the first time is 11M. The
 following is the log information, new->pfn_lo is smaller than
 iovad->cached_node.

 Example log as follows:
 [  223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
 start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
 [  223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
 success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff

 2. The node with the largest iova->pfn_lo value in the iova domain
 is deleted, iovad->cached_node will be updated to iovad->anchor,
 and then the alloc iova size exceeds the maximum iova size that can
 be allocated in the domain.

 After judging that retry_pfn is less than limit_pfn, call retry_pfn+1
 to fix the overflow issue.

 The Linux kernel CVE team has assigned CVE-2023-52910 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit 4e89dce725213d3d0b0475211b500eda4ef4bf2f and fixed in 5.15.89 with commit c929a230c84441e400c32e7b7b4ab763711fb63e
 	Issue introduced in 5.11 with commit 4e89dce725213d3d0b0475211b500eda4ef4bf2f and fixed in 6.1.7 with commit 61cbf790e7329ed78877560be7136f0b911bba7f
 	Issue introduced in 5.11 with commit 4e89dce725213d3d0b0475211b500eda4ef4bf2f and fixed in 6.2 with commit dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52910
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/iommu/iova.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e
 	https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f
 	https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52910: iommu/iova: Fix alloc iova overflows issue

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	iommu/iova: Fix alloc iova overflows issue

	In __alloc_and_insert_iova_range, there is an issue that retry_pfn
	overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when
	iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will
	overflow. As a result, if the retry logic is executed, low_pfn is
	updated to 0, and then new_pfn < low_pfn returns false to make the
	allocation successful.

	This issue occurs in the following two situations:
	1. The first iova size exceeds the domain size. When initializing
	iova domain, iovad->cached_node is assigned as iovad->anchor. For
	example, the iova domain size is 10M, start_pfn is 0x1_F000_0000,
	and the iova size allocated for the first time is 11M. The
	following is the log information, new->pfn_lo is smaller than
	iovad->cached_node.

	Example log as follows:
	[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
	start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00
	[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range
	success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff

	2. The node with the largest iova->pfn_lo value in the iova domain
	is deleted, iovad->cached_node will be updated to iovad->anchor,
	and then the alloc iova size exceeds the maximum iova size that can
	be allocated in the domain.

	After judging that retry_pfn is less than limit_pfn, call retry_pfn+1
	to fix the overflow issue.

	The Linux kernel CVE team has assigned CVE-2023-52910 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit 4e89dce725213d3d0b0475211b500eda4ef4bf2f and fixed in 5.15.89 with commit c929a230c84441e400c32e7b7b4ab763711fb63e
	Issue introduced in 5.11 with commit 4e89dce725213d3d0b0475211b500eda4ef4bf2f and fixed in 6.1.7 with commit 61cbf790e7329ed78877560be7136f0b911bba7f
	Issue introduced in 5.11 with commit 4e89dce725213d3d0b0475211b500eda4ef4bf2f and fixed in 6.2 with commit dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52910
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/iommu/iova.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e
	https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f
	https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c