cve/published/2023/CVE-2023-53123.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-53123: PCI: s390: Fix use-after-free of PCI resources with per-function hotplug

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 PCI: s390: Fix use-after-free of PCI resources with per-function hotplug

 On s390 PCI functions may be hotplugged individually even when they
 belong to a multi-function device. In particular on an SR-IOV device VFs
 may be removed and later re-added.

 In commit a50297cf8235 ("s390/pci: separate zbus creation from
 scanning") it was missed however that struct pci_bus and struct
 zpci_bus's resource list retained a reference to the PCI functions MMIO
 resources even though those resources are released and freed on
 hot-unplug. These stale resources may subsequently be claimed when the
 PCI function re-appears resulting in use-after-free.

 One idea of fixing this use-after-free in s390 specific code that was
 investigated was to simply keep resources around from the moment a PCI
 function first appeared until the whole virtual PCI bus created for
 a multi-function device disappears. The problem with this however is
 that due to the requirement of artificial MMIO addreesses (address
 cookies) extra logic is then needed to keep the address cookies
 compatible on re-plug. At the same time the MMIO resources semantically
 belong to the PCI function so tying their lifecycle to the function
 seems more logical.

 Instead a simpler approach is to remove the resources of an individually
 hot-unplugged PCI function from the PCI bus's resource list while
 keeping the resources of other PCI functions on the PCI bus untouched.

 This is done by introducing pci_bus_remove_resource() to remove an
 individual resource. Similarly the resource also needs to be removed
 from the struct zpci_bus's resource list. It turns out however, that
 there is really no need to add the MMIO resources to the struct
 zpci_bus's resource list at all and instead we can simply use the
 zpci_bar_struct's resource pointer directly.

 The Linux kernel CVE team has assigned CVE-2023-53123 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 5.15.104 with commit 437bb839e36cc9f35adc6d2a2bf113b7a0fc9985
 	Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.1.21 with commit a2410d0c3d2d714ed968a135dfcbed6aa3ff7027
 	Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.2.8 with commit b99ebf4b62774e690e73a551cf5fbf6f219bdd96
 	Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.3 with commit ab909509850b27fd39b8ba99e44cda39dbc3858c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-53123
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/s390/pci/pci.c
 	arch/s390/pci/pci_bus.c
 	arch/s390/pci/pci_bus.h
 	drivers/pci/bus.c
 	include/linux/pci.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/437bb839e36cc9f35adc6d2a2bf113b7a0fc9985
 	https://git.kernel.org/stable/c/a2410d0c3d2d714ed968a135dfcbed6aa3ff7027
 	https://git.kernel.org/stable/c/b99ebf4b62774e690e73a551cf5fbf6f219bdd96
 	https://git.kernel.org/stable/c/ab909509850b27fd39b8ba99e44cda39dbc3858c
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-53123: PCI: s390: Fix use-after-free of PCI resources with per-function hotplug

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	PCI: s390: Fix use-after-free of PCI resources with per-function hotplug

	On s390 PCI functions may be hotplugged individually even when they
	belong to a multi-function device. In particular on an SR-IOV device VFs
	may be removed and later re-added.

	In commit a50297cf8235 ("s390/pci: separate zbus creation from
	scanning") it was missed however that struct pci_bus and struct
	zpci_bus's resource list retained a reference to the PCI functions MMIO
	resources even though those resources are released and freed on
	hot-unplug. These stale resources may subsequently be claimed when the
	PCI function re-appears resulting in use-after-free.

	One idea of fixing this use-after-free in s390 specific code that was
	investigated was to simply keep resources around from the moment a PCI
	function first appeared until the whole virtual PCI bus created for
	a multi-function device disappears. The problem with this however is
	that due to the requirement of artificial MMIO addreesses (address
	cookies) extra logic is then needed to keep the address cookies
	compatible on re-plug. At the same time the MMIO resources semantically
	belong to the PCI function so tying their lifecycle to the function
	seems more logical.

	Instead a simpler approach is to remove the resources of an individually
	hot-unplugged PCI function from the PCI bus's resource list while
	keeping the resources of other PCI functions on the PCI bus untouched.

	This is done by introducing pci_bus_remove_resource() to remove an
	individual resource. Similarly the resource also needs to be removed
	from the struct zpci_bus's resource list. It turns out however, that
	there is really no need to add the MMIO resources to the struct
	zpci_bus's resource list at all and instead we can simply use the
	zpci_bar_struct's resource pointer directly.

	The Linux kernel CVE team has assigned CVE-2023-53123 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 5.15.104 with commit 437bb839e36cc9f35adc6d2a2bf113b7a0fc9985
	Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.1.21 with commit a2410d0c3d2d714ed968a135dfcbed6aa3ff7027
	Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.2.8 with commit b99ebf4b62774e690e73a551cf5fbf6f219bdd96
	Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.3 with commit ab909509850b27fd39b8ba99e44cda39dbc3858c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-53123
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/s390/pci/pci.c
	arch/s390/pci/pci_bus.c
	arch/s390/pci/pci_bus.h
	drivers/pci/bus.c
	include/linux/pci.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/437bb839e36cc9f35adc6d2a2bf113b7a0fc9985
	https://git.kernel.org/stable/c/a2410d0c3d2d714ed968a135dfcbed6aa3ff7027
	https://git.kernel.org/stable/c/b99ebf4b62774e690e73a551cf5fbf6f219bdd96
	https://git.kernel.org/stable/c/ab909509850b27fd39b8ba99e44cda39dbc3858c