cve/published/2024/CVE-2024-36965.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-36965: remoteproc: mediatek: Make sure IPI buffer fits in L2TCM

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 remoteproc: mediatek: Make sure IPI buffer fits in L2TCM

 The IPI buffer location is read from the firmware that we load to the
 System Companion Processor, and it's not granted that both the SRAM
 (L2TCM) size that is defined in the devicetree node is large enough
 for that, and while this is especially true for multi-core SCP, it's
 still useful to check on single-core variants as well.

 Failing to perform this check may make this driver perform R/W
 operations out of the L2TCM boundary, resulting (at best) in a
 kernel panic.

 To fix that, check that the IPI buffer fits, otherwise return a
 failure and refuse to boot the relevant SCP core (or the SCP at
 all, if this is single core).

 The Linux kernel CVE team has assigned CVE-2024-36965 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 5.15.160 with commit 00548ac6b14428719c970ef90adae2b3b48c0cdf
 	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.1.92 with commit 1d9e2de24533daca36cbf09e8d8596bf72b526b2
 	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.6.32 with commit 26c6d7dc8c6a9fde9d362ab2eef6390efeff145e
 	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.8.11 with commit 838b49e211d59fa827ff9df062d4020917cffbdf
 	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.9.2 with commit 36c79eb4845551e9f6d28c663b38ce0ab03b84a9
 	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.10 with commit 331f91d86f71d0bb89a44217cc0b2a22810bbd42

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-36965
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/remoteproc/mtk_scp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/00548ac6b14428719c970ef90adae2b3b48c0cdf
 	https://git.kernel.org/stable/c/1d9e2de24533daca36cbf09e8d8596bf72b526b2
 	https://git.kernel.org/stable/c/26c6d7dc8c6a9fde9d362ab2eef6390efeff145e
 	https://git.kernel.org/stable/c/838b49e211d59fa827ff9df062d4020917cffbdf
 	https://git.kernel.org/stable/c/36c79eb4845551e9f6d28c663b38ce0ab03b84a9
 	https://git.kernel.org/stable/c/331f91d86f71d0bb89a44217cc0b2a22810bbd42
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-36965: remoteproc: mediatek: Make sure IPI buffer fits in L2TCM

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	remoteproc: mediatek: Make sure IPI buffer fits in L2TCM

	The IPI buffer location is read from the firmware that we load to the
	System Companion Processor, and it's not granted that both the SRAM
	(L2TCM) size that is defined in the devicetree node is large enough
	for that, and while this is especially true for multi-core SCP, it's
	still useful to check on single-core variants as well.

	Failing to perform this check may make this driver perform R/W
	operations out of the L2TCM boundary, resulting (at best) in a
	kernel panic.

	To fix that, check that the IPI buffer fits, otherwise return a
	failure and refuse to boot the relevant SCP core (or the SCP at
	all, if this is single core).

	The Linux kernel CVE team has assigned CVE-2024-36965 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 5.15.160 with commit 00548ac6b14428719c970ef90adae2b3b48c0cdf
	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.1.92 with commit 1d9e2de24533daca36cbf09e8d8596bf72b526b2
	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.6.32 with commit 26c6d7dc8c6a9fde9d362ab2eef6390efeff145e
	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.8.11 with commit 838b49e211d59fa827ff9df062d4020917cffbdf
	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.9.2 with commit 36c79eb4845551e9f6d28c663b38ce0ab03b84a9
	Issue introduced in 5.11 with commit 3efa0ea743b77d1611501f7d8b4f320d032d73ae and fixed in 6.10 with commit 331f91d86f71d0bb89a44217cc0b2a22810bbd42

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-36965
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/remoteproc/mtk_scp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/00548ac6b14428719c970ef90adae2b3b48c0cdf
	https://git.kernel.org/stable/c/1d9e2de24533daca36cbf09e8d8596bf72b526b2
	https://git.kernel.org/stable/c/26c6d7dc8c6a9fde9d362ab2eef6390efeff145e
	https://git.kernel.org/stable/c/838b49e211d59fa827ff9df062d4020917cffbdf
	https://git.kernel.org/stable/c/36c79eb4845551e9f6d28c663b38ce0ab03b84a9
	https://git.kernel.org/stable/c/331f91d86f71d0bb89a44217cc0b2a22810bbd42