cve/published/2024/CVE-2024-26738.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26738: powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller

 When a PCI device is dynamically added, the kernel oopses with a NULL
 pointer dereference:

   BUG: Kernel NULL pointer dereference on read at 0x00000030
   Faulting instruction address: 0xc0000000006bbe5c
   Oops: Kernel access of bad area, sig: 11 [#1]
   LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
   Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse
   CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66
   Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
   NIP:  c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8
   REGS: c00000009924f240 TRAP: 0300   Not tainted  (6.7.0-203405+)
   MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 24002220  XER: 20040006
   CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0
   ...
   NIP sysfs_add_link_to_group+0x34/0x94
   LR  iommu_device_link+0x5c/0x118
   Call Trace:
    iommu_init_device+0x26c/0x318 (unreliable)
    iommu_device_link+0x5c/0x118
    iommu_init_device+0xa8/0x318
    iommu_probe_device+0xc0/0x134
    iommu_bus_notifier+0x44/0x104
    notifier_call_chain+0xb8/0x19c
    blocking_notifier_call_chain+0x64/0x98
    bus_notify+0x50/0x7c
    device_add+0x640/0x918
    pci_device_add+0x23c/0x298
    of_create_pci_dev+0x400/0x884
    of_scan_pci_dev+0x124/0x1b0
    __of_scan_bus+0x78/0x18c
    pcibios_scan_phb+0x2a4/0x3b0
    init_phb_dynamic+0xb8/0x110
    dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]
    add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]
    kobj_attr_store+0x2c/0x48
    sysfs_kf_write+0x64/0x78
    kernfs_fop_write_iter+0x1b0/0x290
    vfs_write+0x350/0x4a0
    ksys_write+0x84/0x140
    system_call_exception+0x124/0x330
    system_call_vectored_common+0x15c/0x2ec

 Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities
 and allow blocking domains") broke DLPAR add of PCI devices.

 The above added iommu_device structure to pci_controller. During
 system boot, PCI devices are discovered and this newly added iommu_device
 structure is initialized by a call to iommu_device_register().

 During DLPAR add of a PCI device, a new pci_controller structure is
 allocated but there are no calls made to iommu_device_register()
 interface.

 Fix is to register the iommu device during DLPAR add as well.

 The Linux kernel CVE team has assigned CVE-2024-26738 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit a940904443e432623579245babe63e2486ff327b and fixed in 6.6.19 with commit b8315b2e25b4e68e42fcb74630f824b9a5067765
 	Issue introduced in 6.4 with commit a940904443e432623579245babe63e2486ff327b and fixed in 6.7.7 with commit 46e36ebd5e00a148b67ed77c1d31675996f77c25
 	Issue introduced in 6.4 with commit a940904443e432623579245babe63e2486ff327b and fixed in 6.8 with commit a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26738
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/include/asm/ppc-pci.h
 	arch/powerpc/kernel/iommu.c
 	arch/powerpc/platforms/pseries/pci_dlpar.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b8315b2e25b4e68e42fcb74630f824b9a5067765
 	https://git.kernel.org/stable/c/46e36ebd5e00a148b67ed77c1d31675996f77c25
 	https://git.kernel.org/stable/c/a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26738: powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/pseries/iommu: DLPAR add doesn't completely initialize pci_controller

	When a PCI device is dynamically added, the kernel oopses with a NULL
	pointer dereference:

	BUG: Kernel NULL pointer dereference on read at 0x00000030
	Faulting instruction address: 0xc0000000006bbe5c
	Oops: Kernel access of bad area, sig: 11 [#1]
	LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
	Modules linked in: rpadlpar_io rpaphp rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs xsk_diag bonding nft_compat nf_tables nfnetlink rfkill binfmt_misc dm_multipath rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_umad ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_cm iw_cm ib_cm mlx5_ib ib_uverbs ib_core pseries_rng drm drm_panel_orientation_quirks xfs libcrc32c mlx5_core mlxfw sd_mod t10_pi sg tls ibmvscsi ibmveth scsi_transport_srp vmx_crypto pseries_wdt psample dm_mirror dm_region_hash dm_log dm_mod fuse
	CPU: 17 PID: 2685 Comm: drmgr Not tainted 6.7.0-203405+ #66
	Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
	NIP: c0000000006bbe5c LR: c000000000a13e68 CTR: c0000000000579f8
	REGS: c00000009924f240 TRAP: 0300 Not tainted (6.7.0-203405+)
	MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 24002220 XER: 20040006
	CFAR: c000000000a13e64 DAR: 0000000000000030 DSISR: 40000000 IRQMASK: 0
	...
	NIP sysfs_add_link_to_group+0x34/0x94
	LR iommu_device_link+0x5c/0x118
	Call Trace:
	iommu_init_device+0x26c/0x318 (unreliable)
	iommu_device_link+0x5c/0x118
	iommu_init_device+0xa8/0x318
	iommu_probe_device+0xc0/0x134
	iommu_bus_notifier+0x44/0x104
	notifier_call_chain+0xb8/0x19c
	blocking_notifier_call_chain+0x64/0x98
	bus_notify+0x50/0x7c
	device_add+0x640/0x918
	pci_device_add+0x23c/0x298
	of_create_pci_dev+0x400/0x884
	of_scan_pci_dev+0x124/0x1b0
	__of_scan_bus+0x78/0x18c
	pcibios_scan_phb+0x2a4/0x3b0
	init_phb_dynamic+0xb8/0x110
	dlpar_add_slot+0x170/0x3b8 [rpadlpar_io]
	add_slot_store.part.0+0xb4/0x130 [rpadlpar_io]
	kobj_attr_store+0x2c/0x48
	sysfs_kf_write+0x64/0x78
	kernfs_fop_write_iter+0x1b0/0x290
	vfs_write+0x350/0x4a0
	ksys_write+0x84/0x140
	system_call_exception+0x124/0x330
	system_call_vectored_common+0x15c/0x2ec

	Commit a940904443e4 ("powerpc/iommu: Add iommu_ops to report capabilities
	and allow blocking domains") broke DLPAR add of PCI devices.

	The above added iommu_device structure to pci_controller. During
	system boot, PCI devices are discovered and this newly added iommu_device
	structure is initialized by a call to iommu_device_register().

	During DLPAR add of a PCI device, a new pci_controller structure is
	allocated but there are no calls made to iommu_device_register()
	interface.

	Fix is to register the iommu device during DLPAR add as well.

	The Linux kernel CVE team has assigned CVE-2024-26738 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit a940904443e432623579245babe63e2486ff327b and fixed in 6.6.19 with commit b8315b2e25b4e68e42fcb74630f824b9a5067765
	Issue introduced in 6.4 with commit a940904443e432623579245babe63e2486ff327b and fixed in 6.7.7 with commit 46e36ebd5e00a148b67ed77c1d31675996f77c25
	Issue introduced in 6.4 with commit a940904443e432623579245babe63e2486ff327b and fixed in 6.8 with commit a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26738
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/include/asm/ppc-pci.h
	arch/powerpc/kernel/iommu.c
	arch/powerpc/platforms/pseries/pci_dlpar.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b8315b2e25b4e68e42fcb74630f824b9a5067765
	https://git.kernel.org/stable/c/46e36ebd5e00a148b67ed77c1d31675996f77c25
	https://git.kernel.org/stable/c/a5c57fd2e9bd1c8ea8613a8f94fd0be5eccbf321