cve/published/2023/CVE-2023-53112.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53112: drm/i915/sseu: fix max_subslices array-index-out-of-bounds access

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/i915/sseu: fix max_subslices array-index-out-of-bounds access

 It seems that commit bc3c5e0809ae ("drm/i915/sseu: Don't try to store EU
 mask internally in UAPI format") exposed a potential out-of-bounds
 access, reported by UBSAN as following on a laptop with a gen 11 i915
 card:

   UBSAN: array-index-out-of-bounds in drivers/gpu/drm/i915/gt/intel_sseu.c:65:27
   index 6 is out of range for type 'u16 [6]'
   CPU: 2 PID: 165 Comm: systemd-udevd Not tainted 6.2.0-9-generic #9-Ubuntu
   Hardware name: Dell Inc. XPS 13 9300/077Y9N, BIOS 1.11.0 03/22/2022
   Call Trace:
    <TASK>
    show_stack+0x4e/0x61
    dump_stack_lvl+0x4a/0x6f
    dump_stack+0x10/0x18
    ubsan_epilogue+0x9/0x3a
    __ubsan_handle_out_of_bounds.cold+0x42/0x47
    gen11_compute_sseu_info+0x121/0x130 [i915]
    intel_sseu_info_init+0x15d/0x2b0 [i915]
    intel_gt_init_mmio+0x23/0x40 [i915]
    i915_driver_mmio_probe+0x129/0x400 [i915]
    ? intel_gt_probe_all+0x91/0x2e0 [i915]
    i915_driver_probe+0xe1/0x3f0 [i915]
    ? drm_privacy_screen_get+0x16d/0x190 [drm]
    ? acpi_dev_found+0x64/0x80
    i915_pci_probe+0xac/0x1b0 [i915]
    ...

 According to the definition of sseu_dev_info, eu_mask->hsw is limited to
 a maximum of GEN_MAX_SS_PER_HSW_SLICE (6) sub-slices, but
 gen11_sseu_info_init() can potentially set 8 sub-slices, in the
 !IS_JSL_EHL(gt->i915) case.

 Fix this by reserving up to 8 slots for max_subslices in the eu_mask
 struct.

 (cherry picked from commit 3cba09a6ac86ea1d456909626eb2685596c07822)

 The Linux kernel CVE team has assigned CVE-2023-53112 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.0 with commit bc3c5e0809ae9faa039baf75547e8ee46ec124ef and fixed in 6.1.21 with commit 1a1682abf7399318ac074b1f2ac6a8c992b5b3da
 	Issue introduced in 6.0 with commit bc3c5e0809ae9faa039baf75547e8ee46ec124ef and fixed in 6.2.8 with commit 36b076ab6247cf0d2135b2ad6bb337617c3b5a1b
 	Issue introduced in 6.0 with commit bc3c5e0809ae9faa039baf75547e8ee46ec124ef and fixed in 6.3 with commit 193c41926d152761764894f46e23b53c00186a82

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53112
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/i915/gt/intel_sseu.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1a1682abf7399318ac074b1f2ac6a8c992b5b3da
 	https://git.kernel.org/stable/c/36b076ab6247cf0d2135b2ad6bb337617c3b5a1b
 	https://git.kernel.org/stable/c/193c41926d152761764894f46e23b53c00186a82
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53112: drm/i915/sseu: fix max_subslices array-index-out-of-bounds access

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/i915/sseu: fix max_subslices array-index-out-of-bounds access

	It seems that commit bc3c5e0809ae ("drm/i915/sseu: Don't try to store EU
	mask internally in UAPI format") exposed a potential out-of-bounds
	access, reported by UBSAN as following on a laptop with a gen 11 i915
	card:

	UBSAN: array-index-out-of-bounds in drivers/gpu/drm/i915/gt/intel_sseu.c:65:27
	index 6 is out of range for type 'u16 [6]'
	CPU: 2 PID: 165 Comm: systemd-udevd Not tainted 6.2.0-9-generic #9-Ubuntu
	Hardware name: Dell Inc. XPS 13 9300/077Y9N, BIOS 1.11.0 03/22/2022
	Call Trace:
	<TASK>
	show_stack+0x4e/0x61
	dump_stack_lvl+0x4a/0x6f
	dump_stack+0x10/0x18
	ubsan_epilogue+0x9/0x3a
	__ubsan_handle_out_of_bounds.cold+0x42/0x47
	gen11_compute_sseu_info+0x121/0x130 [i915]
	intel_sseu_info_init+0x15d/0x2b0 [i915]
	intel_gt_init_mmio+0x23/0x40 [i915]
	i915_driver_mmio_probe+0x129/0x400 [i915]
	? intel_gt_probe_all+0x91/0x2e0 [i915]
	i915_driver_probe+0xe1/0x3f0 [i915]
	? drm_privacy_screen_get+0x16d/0x190 [drm]
	? acpi_dev_found+0x64/0x80
	i915_pci_probe+0xac/0x1b0 [i915]
	...

	According to the definition of sseu_dev_info, eu_mask->hsw is limited to
	a maximum of GEN_MAX_SS_PER_HSW_SLICE (6) sub-slices, but
	gen11_sseu_info_init() can potentially set 8 sub-slices, in the
	!IS_JSL_EHL(gt->i915) case.

	Fix this by reserving up to 8 slots for max_subslices in the eu_mask
	struct.

	(cherry picked from commit 3cba09a6ac86ea1d456909626eb2685596c07822)

	The Linux kernel CVE team has assigned CVE-2023-53112 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.0 with commit bc3c5e0809ae9faa039baf75547e8ee46ec124ef and fixed in 6.1.21 with commit 1a1682abf7399318ac074b1f2ac6a8c992b5b3da
	Issue introduced in 6.0 with commit bc3c5e0809ae9faa039baf75547e8ee46ec124ef and fixed in 6.2.8 with commit 36b076ab6247cf0d2135b2ad6bb337617c3b5a1b
	Issue introduced in 6.0 with commit bc3c5e0809ae9faa039baf75547e8ee46ec124ef and fixed in 6.3 with commit 193c41926d152761764894f46e23b53c00186a82

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53112
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/i915/gt/intel_sseu.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1a1682abf7399318ac074b1f2ac6a8c992b5b3da
	https://git.kernel.org/stable/c/36b076ab6247cf0d2135b2ad6bb337617c3b5a1b
	https://git.kernel.org/stable/c/193c41926d152761764894f46e23b53c00186a82