cve/published/2023/CVE-2023-53034.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53034: ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans

 There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
 size. This would make xlate_pos negative.

 [   23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
 [   23.734158] ================================================================================
 [   23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
 [   23.734418] shift exponent -1 is negative

 Ensuring xlate_pos is a positive or zero before BIT.

 The Linux kernel CVE team has assigned CVE-2023-53034 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 5.4.292 with commit f56951f211f181410a383d305e8d370993e45294
 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 5.10.236 with commit 5b6857bb3bfb0dae17fab1e42c1e82c204a508b1
 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 5.15.180 with commit 2429bdf26a0f3950fdd996861e9c1a3873af1dbe
 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.1.134 with commit 7ed22f8d8be26225a78cf5e85b2036421a6bf2d5
 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.6.87 with commit c61a3f2df162ba424be0141649a9ef5f28eaccc1
 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.12.23 with commit cb153bdc1812a3375639ed6ca5f147eaefb65349
 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.13.11 with commit 36d32cfb00d42e865396424bb5d340fc0a28870d
 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.14.2 with commit 0df2e03e4620548b41891b4e0d1bd9d2e0d8a39a
 	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.15 with commit de203da734fae00e75be50220ba5391e7beecdf9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53034
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/ntb/hw/mscc/ntb_hw_switchtec.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f56951f211f181410a383d305e8d370993e45294
 	https://git.kernel.org/stable/c/5b6857bb3bfb0dae17fab1e42c1e82c204a508b1
 	https://git.kernel.org/stable/c/2429bdf26a0f3950fdd996861e9c1a3873af1dbe
 	https://git.kernel.org/stable/c/7ed22f8d8be26225a78cf5e85b2036421a6bf2d5
 	https://git.kernel.org/stable/c/c61a3f2df162ba424be0141649a9ef5f28eaccc1
 	https://git.kernel.org/stable/c/cb153bdc1812a3375639ed6ca5f147eaefb65349
 	https://git.kernel.org/stable/c/36d32cfb00d42e865396424bb5d340fc0a28870d
 	https://git.kernel.org/stable/c/0df2e03e4620548b41891b4e0d1bd9d2e0d8a39a
 	https://git.kernel.org/stable/c/de203da734fae00e75be50220ba5391e7beecdf9
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53034: ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans

	There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
	size. This would make xlate_pos negative.

	[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
	[ 23.734158] ================================================================================
	[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
	[ 23.734418] shift exponent -1 is negative

	Ensuring xlate_pos is a positive or zero before BIT.

	The Linux kernel CVE team has assigned CVE-2023-53034 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 5.4.292 with commit f56951f211f181410a383d305e8d370993e45294
	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 5.10.236 with commit 5b6857bb3bfb0dae17fab1e42c1e82c204a508b1
	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 5.15.180 with commit 2429bdf26a0f3950fdd996861e9c1a3873af1dbe
	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.1.134 with commit 7ed22f8d8be26225a78cf5e85b2036421a6bf2d5
	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.6.87 with commit c61a3f2df162ba424be0141649a9ef5f28eaccc1
	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.12.23 with commit cb153bdc1812a3375639ed6ca5f147eaefb65349
	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.13.11 with commit 36d32cfb00d42e865396424bb5d340fc0a28870d
	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.14.2 with commit 0df2e03e4620548b41891b4e0d1bd9d2e0d8a39a
	Issue introduced in 4.16 with commit 1e2fd202f8593985cdadca32e0c322f98e7fe7cb and fixed in 6.15 with commit de203da734fae00e75be50220ba5391e7beecdf9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53034
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/ntb/hw/mscc/ntb_hw_switchtec.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f56951f211f181410a383d305e8d370993e45294
	https://git.kernel.org/stable/c/5b6857bb3bfb0dae17fab1e42c1e82c204a508b1
	https://git.kernel.org/stable/c/2429bdf26a0f3950fdd996861e9c1a3873af1dbe
	https://git.kernel.org/stable/c/7ed22f8d8be26225a78cf5e85b2036421a6bf2d5
	https://git.kernel.org/stable/c/c61a3f2df162ba424be0141649a9ef5f28eaccc1
	https://git.kernel.org/stable/c/cb153bdc1812a3375639ed6ca5f147eaefb65349
	https://git.kernel.org/stable/c/36d32cfb00d42e865396424bb5d340fc0a28870d
	https://git.kernel.org/stable/c/0df2e03e4620548b41891b4e0d1bd9d2e0d8a39a
	https://git.kernel.org/stable/c/de203da734fae00e75be50220ba5391e7beecdf9