cve/published/2024/CVE-2024-38606.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38606: crypto: qat - validate slices count returned by FW

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 crypto: qat - validate slices count returned by FW

 The function adf_send_admin_tl_start() enables the telemetry (TL)
 feature on a QAT device by sending the ICP_QAT_FW_TL_START message to
 the firmware. This triggers the FW to start writing TL data to a DMA
 buffer in memory and returns an array containing the number of
 accelerators of each type (slices) supported by this HW.
 The pointer to this array is stored in the adf_tl_hw_data data
 structure called slice_cnt.

 The array slice_cnt is then used in the function tl_print_dev_data()
 to report in debugfs only statistics about the supported accelerators.
 An incorrect value of the elements in slice_cnt might lead to an out
 of bounds memory read.
 At the moment, there isn't an implementation of FW that returns a wrong
 value, but for robustness validate the slice count array returned by FW.

 The Linux kernel CVE team has assigned CVE-2024-38606 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit 69e7649f7cc2aaa7889174456d39319a623c1a18 and fixed in 6.8.12 with commit e57ed345e2e6043629fc74aa5be051415dcc4f77
 	Issue introduced in 6.8 with commit 69e7649f7cc2aaa7889174456d39319a623c1a18 and fixed in 6.9.3 with commit 9b284b915e2a5e63ca133353f8c456eff4446f82
 	Issue introduced in 6.8 with commit 69e7649f7cc2aaa7889174456d39319a623c1a18 and fixed in 6.10 with commit 483fd65ce29317044d1d00757e3fd23503b6b04c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38606
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c
 	drivers/crypto/intel/qat/qat_common/adf_telemetry.c
 	drivers/crypto/intel/qat/qat_common/adf_telemetry.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77
 	https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82
 	https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38606: crypto: qat - validate slices count returned by FW

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	crypto: qat - validate slices count returned by FW

	The function adf_send_admin_tl_start() enables the telemetry (TL)
	feature on a QAT device by sending the ICP_QAT_FW_TL_START message to
	the firmware. This triggers the FW to start writing TL data to a DMA
	buffer in memory and returns an array containing the number of
	accelerators of each type (slices) supported by this HW.
	The pointer to this array is stored in the adf_tl_hw_data data
	structure called slice_cnt.

	The array slice_cnt is then used in the function tl_print_dev_data()
	to report in debugfs only statistics about the supported accelerators.
	An incorrect value of the elements in slice_cnt might lead to an out
	of bounds memory read.
	At the moment, there isn't an implementation of FW that returns a wrong
	value, but for robustness validate the slice count array returned by FW.

	The Linux kernel CVE team has assigned CVE-2024-38606 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit 69e7649f7cc2aaa7889174456d39319a623c1a18 and fixed in 6.8.12 with commit e57ed345e2e6043629fc74aa5be051415dcc4f77
	Issue introduced in 6.8 with commit 69e7649f7cc2aaa7889174456d39319a623c1a18 and fixed in 6.9.3 with commit 9b284b915e2a5e63ca133353f8c456eff4446f82
	Issue introduced in 6.8 with commit 69e7649f7cc2aaa7889174456d39319a623c1a18 and fixed in 6.10 with commit 483fd65ce29317044d1d00757e3fd23503b6b04c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38606
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c
	drivers/crypto/intel/qat/qat_common/adf_telemetry.c
	drivers/crypto/intel/qat/qat_common/adf_telemetry.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e57ed345e2e6043629fc74aa5be051415dcc4f77
	https://git.kernel.org/stable/c/9b284b915e2a5e63ca133353f8c456eff4446f82
	https://git.kernel.org/stable/c/483fd65ce29317044d1d00757e3fd23503b6b04c