cve/published/2023/CVE-2023-53048.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53048: usb: typec: tcpm: fix warning when handle discover_identity message

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 usb: typec: tcpm: fix warning when handle discover_identity message

 Since both source and sink device can send discover_identity message in
 PD3, kernel may dump below warning:

 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 169 at drivers/usb/typec/tcpm/tcpm.c:1446 tcpm_queue_vdm+0xe0/0xf0
 Modules linked in:
 CPU: 0 PID: 169 Comm: 1-0050 Not tainted 6.1.1-00038-g6a3c36cf1da2-dirty #567
 Hardware name: NXP i.MX8MPlus EVK board (DT)
 pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : tcpm_queue_vdm+0xe0/0xf0
 lr : tcpm_queue_vdm+0x2c/0xf0
 sp : ffff80000c19bcd0
 x29: ffff80000c19bcd0 x28: 0000000000000001 x27: ffff0000d11c8ab8
 x26: ffff0000d11cc000 x25: 0000000000000000 x24: 00000000ff008081
 x23: 0000000000000001 x22: 00000000ff00a081 x21: ffff80000c19bdbc
 x20: 0000000000000000 x19: ffff0000d11c8080 x18: ffffffffffffffff
 x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000d716f580
 x14: 0000000000000001 x13: ffff0000d716f507 x12: 0000000000000001
 x11: 0000000000000000 x10: 0000000000000020 x9 : 00000000000ee098
 x8 : 00000000ffffffff x7 : 000000000000001c x6 : ffff0000d716f580
 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
 x2 : ffff80000c19bdbc x1 : 00000000ff00a081 x0 : 0000000000000004
 Call trace:
 tcpm_queue_vdm+0xe0/0xf0
 tcpm_pd_rx_handler+0x340/0x1ab0
 kthread_worker_fn+0xcc/0x18c
 kthread+0x10c/0x110
 ret_from_fork+0x10/0x20
 ---[ end trace 0000000000000000 ]---

 Below sequences may trigger this warning:

 tcpm_send_discover_work(work)
   tcpm_send_vdm(port, USB_SID_PD, CMD_DISCOVER_IDENT, NULL, 0);
    tcpm_queue_vdm(port, header, data, count);
     port->vdm_state = VDM_STATE_READY;

 vdm_state_machine_work(work);
 			<-- received discover_identity from partner
  vdm_run_state_machine(port);
   port->vdm_state = VDM_STATE_SEND_MESSAGE;
    mod_vdm_delayed_work(port, x);

 tcpm_pd_rx_handler(work);
  tcpm_pd_data_request(port, msg);
   tcpm_handle_vdm_request(port, msg->payload, cnt);
    tcpm_queue_vdm(port, response[0], &response[1], rlen - 1);
 --> WARN_ON(port->vdm_state > VDM_STATE_DONE);

 For this case, the state machine could still send out discover
 identity message later if we skip current discover_identity message.
 So we should handle the received message firstly and override the pending
 discover_identity message without warning in this case. Then, a delayed
 send_discover work will send discover_identity message again.

 The Linux kernel CVE team has assigned CVE-2023-53048 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit e00943e916782ae17ca05d654779a84f09481ab8 and fixed in 5.15.105 with commit bb579b3f75c60bf488a7c36e092e8be583407d53
 	Issue introduced in 5.13 with commit e00943e916782ae17ca05d654779a84f09481ab8 and fixed in 6.1.22 with commit d55ca2d2ea1a7ec553213986993fba8c0257381c
 	Issue introduced in 5.13 with commit e00943e916782ae17ca05d654779a84f09481ab8 and fixed in 6.2.9 with commit e37d2c489d71e94ed4a39529bc9520a7fd983d42
 	Issue introduced in 5.13 with commit e00943e916782ae17ca05d654779a84f09481ab8 and fixed in 6.3 with commit abfc4fa28f0160df61c7149567da4f6494dfb488

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53048
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/usb/typec/tcpm/tcpm.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bb579b3f75c60bf488a7c36e092e8be583407d53
 	https://git.kernel.org/stable/c/d55ca2d2ea1a7ec553213986993fba8c0257381c
 	https://git.kernel.org/stable/c/e37d2c489d71e94ed4a39529bc9520a7fd983d42
 	https://git.kernel.org/stable/c/abfc4fa28f0160df61c7149567da4f6494dfb488
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53048: usb: typec: tcpm: fix warning when handle discover_identity message

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	usb: typec: tcpm: fix warning when handle discover_identity message

	Since both source and sink device can send discover_identity message in
	PD3, kernel may dump below warning:

	------------[ cut here ]------------
	WARNING: CPU: 0 PID: 169 at drivers/usb/typec/tcpm/tcpm.c:1446 tcpm_queue_vdm+0xe0/0xf0
	Modules linked in:
	CPU: 0 PID: 169 Comm: 1-0050 Not tainted 6.1.1-00038-g6a3c36cf1da2-dirty #567
	Hardware name: NXP i.MX8MPlus EVK board (DT)
	pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : tcpm_queue_vdm+0xe0/0xf0
	lr : tcpm_queue_vdm+0x2c/0xf0
	sp : ffff80000c19bcd0
	x29: ffff80000c19bcd0 x28: 0000000000000001 x27: ffff0000d11c8ab8
	x26: ffff0000d11cc000 x25: 0000000000000000 x24: 00000000ff008081
	x23: 0000000000000001 x22: 00000000ff00a081 x21: ffff80000c19bdbc
	x20: 0000000000000000 x19: ffff0000d11c8080 x18: ffffffffffffffff
	x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000d716f580
	x14: 0000000000000001 x13: ffff0000d716f507 x12: 0000000000000001
	x11: 0000000000000000 x10: 0000000000000020 x9 : 00000000000ee098
	x8 : 00000000ffffffff x7 : 000000000000001c x6 : ffff0000d716f580
	x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
	x2 : ffff80000c19bdbc x1 : 00000000ff00a081 x0 : 0000000000000004
	Call trace:
	tcpm_queue_vdm+0xe0/0xf0
	tcpm_pd_rx_handler+0x340/0x1ab0
	kthread_worker_fn+0xcc/0x18c
	kthread+0x10c/0x110
	ret_from_fork+0x10/0x20
	---[ end trace 0000000000000000 ]---

	Below sequences may trigger this warning:

	tcpm_send_discover_work(work)
	tcpm_send_vdm(port, USB_SID_PD, CMD_DISCOVER_IDENT, NULL, 0);
	tcpm_queue_vdm(port, header, data, count);
	port->vdm_state = VDM_STATE_READY;

	vdm_state_machine_work(work);
	<-- received discover_identity from partner
	vdm_run_state_machine(port);
	port->vdm_state = VDM_STATE_SEND_MESSAGE;
	mod_vdm_delayed_work(port, x);

	tcpm_pd_rx_handler(work);
	tcpm_pd_data_request(port, msg);
	tcpm_handle_vdm_request(port, msg->payload, cnt);
	tcpm_queue_vdm(port, response[0], &response[1], rlen - 1);
	--> WARN_ON(port->vdm_state > VDM_STATE_DONE);

	For this case, the state machine could still send out discover
	identity message later if we skip current discover_identity message.
	So we should handle the received message firstly and override the pending
	discover_identity message without warning in this case. Then, a delayed
	send_discover work will send discover_identity message again.

	The Linux kernel CVE team has assigned CVE-2023-53048 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit e00943e916782ae17ca05d654779a84f09481ab8 and fixed in 5.15.105 with commit bb579b3f75c60bf488a7c36e092e8be583407d53
	Issue introduced in 5.13 with commit e00943e916782ae17ca05d654779a84f09481ab8 and fixed in 6.1.22 with commit d55ca2d2ea1a7ec553213986993fba8c0257381c
	Issue introduced in 5.13 with commit e00943e916782ae17ca05d654779a84f09481ab8 and fixed in 6.2.9 with commit e37d2c489d71e94ed4a39529bc9520a7fd983d42
	Issue introduced in 5.13 with commit e00943e916782ae17ca05d654779a84f09481ab8 and fixed in 6.3 with commit abfc4fa28f0160df61c7149567da4f6494dfb488

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53048
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/usb/typec/tcpm/tcpm.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bb579b3f75c60bf488a7c36e092e8be583407d53
	https://git.kernel.org/stable/c/d55ca2d2ea1a7ec553213986993fba8c0257381c
	https://git.kernel.org/stable/c/e37d2c489d71e94ed4a39529bc9520a7fd983d42
	https://git.kernel.org/stable/c/abfc4fa28f0160df61c7149567da4f6494dfb488