cve/published/2024/CVE-2024-27008.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-27008: drm: nv04: Fix out of bounds access

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm: nv04: Fix out of bounds access

 When Output Resource (dcb->or) value is assigned in
 fabricate_dcb_output(), there may be out of bounds access to
 dac_users array in case dcb->or is zero because ffs(dcb->or) is
 used as index there.
 The 'or' argument of fabricate_dcb_output() must be interpreted as a
 number of bit to set, not value.

 Utilize macros from 'enum nouveau_or' in calls instead of hardcoding.

 Found by Linux Verification Center (linuxtesting.org) with SVACE.

 The Linux kernel CVE team has assigned CVE-2024-27008 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 4.19.313 with commit c2b97f26f081ceec3298151481687071075a25cb
 	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 5.4.275 with commit 5050ae879a828d752b439e3827aac126709da6d1
 	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 5.10.216 with commit 097c7918fcfa1dee233acfd1f3029f00c3bc8062
 	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 5.15.157 with commit df0991da7db846f7fa4ec6740350f743d3b69b04
 	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 6.1.88 with commit 5fd4b090304e450aa0e7cc9cc2b4873285c6face
 	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 6.6.29 with commit 6690cc2732e2a8d0eaca44dcbac032a4b0148042
 	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 6.8.8 with commit 26212da39ee14a52c76a202c6ae5153a84f579a5
 	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 6.9 with commit cf92bb778eda7830e79452c6917efa8474a30c1e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-27008
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/nouveau/nouveau_bios.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb
 	https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1
 	https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062
 	https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04
 	https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face
 	https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042
 	https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5
 	https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-27008: drm: nv04: Fix out of bounds access

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm: nv04: Fix out of bounds access

	When Output Resource (dcb->or) value is assigned in
	fabricate_dcb_output(), there may be out of bounds access to
	dac_users array in case dcb->or is zero because ffs(dcb->or) is
	used as index there.
	The 'or' argument of fabricate_dcb_output() must be interpreted as a
	number of bit to set, not value.

	Utilize macros from 'enum nouveau_or' in calls instead of hardcoding.

	Found by Linux Verification Center (linuxtesting.org) with SVACE.

	The Linux kernel CVE team has assigned CVE-2024-27008 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 4.19.313 with commit c2b97f26f081ceec3298151481687071075a25cb
	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 5.4.275 with commit 5050ae879a828d752b439e3827aac126709da6d1
	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 5.10.216 with commit 097c7918fcfa1dee233acfd1f3029f00c3bc8062
	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 5.15.157 with commit df0991da7db846f7fa4ec6740350f743d3b69b04
	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 6.1.88 with commit 5fd4b090304e450aa0e7cc9cc2b4873285c6face
	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 6.6.29 with commit 6690cc2732e2a8d0eaca44dcbac032a4b0148042
	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 6.8.8 with commit 26212da39ee14a52c76a202c6ae5153a84f579a5
	Issue introduced in 2.6.38 with commit 2e5702aff39532662198459726c624d5eadbdd78 and fixed in 6.9 with commit cf92bb778eda7830e79452c6917efa8474a30c1e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-27008
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/nouveau/nouveau_bios.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb
	https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1
	https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062
	https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04
	https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face
	https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042
	https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5
	https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e