cve/published/2024/CVE-2024-38661.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-38661: s390/ap: Fix crash in AP internal function modify_bitmap()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 s390/ap: Fix crash in AP internal function modify_bitmap()

 A system crash like this

   Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
   Fault in home space mode while using kernel ASCE.
   AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
   Oops: 0038 ilc:3 [#1] PREEMPT SMP
   Modules linked in: mlx5_ib ...
   CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
   Hardware name: IBM 3931 A01 704 (LPAR)
   Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
   R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
   Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
   000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
   000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
   000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
   Krnl Code: 0000014b75e7b5fc: a7840047            brc     8,0000014b75e7b68a
   0000014b75e7b600: 18b2                lr      %r11,%r2
   #0000014b75e7b602: a7f4000a            brc     15,0000014b75e7b616
   >0000014b75e7b606: eb22d00000e6        laog    %r2,%r2,0(%r13)
   0000014b75e7b60c: a7680001            lhi     %r6,1
   0000014b75e7b610: 187b                lr      %r7,%r11
   0000014b75e7b612: 84960021            brxh    %r9,%r6,0000014b75e7b654
   0000014b75e7b616: 18e9                lr      %r14,%r9
   Call Trace:
   [<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
   ([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
   [<0000014b75e7b758>] apmask_store+0x68/0x140
   [<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
   [<0000014b75598524>] vfs_write+0x1b4/0x448
   [<0000014b7559894c>] ksys_write+0x74/0x100
   [<0000014b7618a440>] __do_syscall+0x268/0x328
   [<0000014b761a3558>] system_call+0x70/0x98
   INFO: lockdep is turned off.
   Last Breaking-Event-Address:
   [<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
   Kernel panic - not syncing: Fatal exception: panic_on_oops

 occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value
 (like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.

 The fix is simple: use unsigned long values for the internal variables. The
 correct checks are already in place in the function but a simple int for
 the internal variables was used with the possibility to overflow.

 The Linux kernel CVE team has assigned CVE-2024-38661 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.316 with commit 2062e3f1f2374102f8014d7ca286b9aa527bd558
 	Fixed in 5.4.278 with commit 7c72af16abf2ec7520407098360bbba312289e05
 	Fixed in 5.10.219 with commit 7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0
 	Fixed in 5.15.161 with commit 67011123453b91ec03671d40712fa213e94a01b9
 	Fixed in 6.1.94 with commit 8c5f5911c1b13170d3404eb992c6a0deaa8d81ad
 	Fixed in 6.6.34 with commit 4c0bfb4e867c1ec6616a5049bd3618021e127056
 	Fixed in 6.9.5 with commit 7dabe54a016defe11bb2a278cd9f1ff6db3feba6
 	Fixed in 6.10 with commit d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-38661
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/s390/crypto/ap_bus.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558
 	https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05
 	https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0
 	https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9
 	https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad
 	https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056
 	https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6
 	https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-38661: s390/ap: Fix crash in AP internal function modify_bitmap()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	s390/ap: Fix crash in AP internal function modify_bitmap()

	A system crash like this

	Failing address: 200000cb7df6f000 TEID: 200000cb7df6f403
	Fault in home space mode while using kernel ASCE.
	AS:00000002d71bc007 R3:00000003fe5b8007 S:000000011a446000 P:000000015660c13d
	Oops: 0038 ilc:3 [#1] PREEMPT SMP
	Modules linked in: mlx5_ib ...
	CPU: 8 PID: 7556 Comm: bash Not tainted 6.9.0-rc7 #8
	Hardware name: IBM 3931 A01 704 (LPAR)
	Krnl PSW : 0704e00180000000 0000014b75e7b606 (ap_parse_bitmap_str+0x10e/0x1f8)
	R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
	Krnl GPRS: 0000000000000001 ffffffffffffffc0 0000000000000001 00000048f96b75d3
	000000cb00000100 ffffffffffffffff ffffffffffffffff 000000cb7df6fce0
	000000cb7df6fce0 00000000ffffffff 000000000000002b 00000048ffffffff
	000003ff9b2dbc80 200000cb7df6fcd8 0000014bffffffc0 000000cb7df6fbc8
	Krnl Code: 0000014b75e7b5fc: a7840047 brc 8,0000014b75e7b68a
	0000014b75e7b600: 18b2 lr %r11,%r2
	#0000014b75e7b602: a7f4000a brc 15,0000014b75e7b616
	>0000014b75e7b606: eb22d00000e6 laog %r2,%r2,0(%r13)
	0000014b75e7b60c: a7680001 lhi %r6,1
	0000014b75e7b610: 187b lr %r7,%r11
	0000014b75e7b612: 84960021 brxh %r9,%r6,0000014b75e7b654
	0000014b75e7b616: 18e9 lr %r14,%r9
	Call Trace:
	[<0000014b75e7b606>] ap_parse_bitmap_str+0x10e/0x1f8
	([<0000014b75e7b5dc>] ap_parse_bitmap_str+0xe4/0x1f8)
	[<0000014b75e7b758>] apmask_store+0x68/0x140
	[<0000014b75679196>] kernfs_fop_write_iter+0x14e/0x1e8
	[<0000014b75598524>] vfs_write+0x1b4/0x448
	[<0000014b7559894c>] ksys_write+0x74/0x100
	[<0000014b7618a440>] __do_syscall+0x268/0x328
	[<0000014b761a3558>] system_call+0x70/0x98
	INFO: lockdep is turned off.
	Last Breaking-Event-Address:
	[<0000014b75e7b636>] ap_parse_bitmap_str+0x13e/0x1f8
	Kernel panic - not syncing: Fatal exception: panic_on_oops

	occured when /sys/bus/ap/a[pq]mask was updated with a relative mask value
	(like +0x10-0x12,+60,-90) with one of the numeric values exceeding INT_MAX.

	The fix is simple: use unsigned long values for the internal variables. The
	correct checks are already in place in the function but a simple int for
	the internal variables was used with the possibility to overflow.

	The Linux kernel CVE team has assigned CVE-2024-38661 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.316 with commit 2062e3f1f2374102f8014d7ca286b9aa527bd558
	Fixed in 5.4.278 with commit 7c72af16abf2ec7520407098360bbba312289e05
	Fixed in 5.10.219 with commit 7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0
	Fixed in 5.15.161 with commit 67011123453b91ec03671d40712fa213e94a01b9
	Fixed in 6.1.94 with commit 8c5f5911c1b13170d3404eb992c6a0deaa8d81ad
	Fixed in 6.6.34 with commit 4c0bfb4e867c1ec6616a5049bd3618021e127056
	Fixed in 6.9.5 with commit 7dabe54a016defe11bb2a278cd9f1ff6db3feba6
	Fixed in 6.10 with commit d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-38661
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/s390/crypto/ap_bus.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2062e3f1f2374102f8014d7ca286b9aa527bd558
	https://git.kernel.org/stable/c/7c72af16abf2ec7520407098360bbba312289e05
	https://git.kernel.org/stable/c/7360cef95aa1ea2b5efb7b5e2ed32e941664e1f0
	https://git.kernel.org/stable/c/67011123453b91ec03671d40712fa213e94a01b9
	https://git.kernel.org/stable/c/8c5f5911c1b13170d3404eb992c6a0deaa8d81ad
	https://git.kernel.org/stable/c/4c0bfb4e867c1ec6616a5049bd3618021e127056
	https://git.kernel.org/stable/c/7dabe54a016defe11bb2a278cd9f1ff6db3feba6
	https://git.kernel.org/stable/c/d4f9d5a99a3fd1b1c691b7a1a6f8f3f25f4116c9