cve/published/2024/CVE-2024-46853.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46853: spi: nxp-fspi: fix the KASAN report out-of-bounds bug

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 spi: nxp-fspi: fix the KASAN report out-of-bounds bug

 Change the memcpy length to fix the out-of-bounds issue when writing the
 data that is not 4 byte aligned to TX FIFO.

 To reproduce the issue, write 3 bytes data to NOR chip.

 dd if=3b of=/dev/mtd0
 [   36.926103] ==================================================================
 [   36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838
 [   36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455
 [   36.946721]
 [   36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070
 [   36.956185] Hardware name: Freescale i.MX8QM MEK (DT)
 [   36.961260] Call trace:
 [   36.963723]  dump_backtrace+0x90/0xe8
 [   36.967414]  show_stack+0x18/0x24
 [   36.970749]  dump_stack_lvl+0x78/0x90
 [   36.974451]  print_report+0x114/0x5cc
 [   36.978151]  kasan_report+0xa4/0xf0
 [   36.981670]  __asan_report_load_n_noabort+0x1c/0x28
 [   36.986587]  nxp_fspi_exec_op+0x26ec/0x2838
 [   36.990800]  spi_mem_exec_op+0x8ec/0xd30
 [   36.994762]  spi_mem_no_dirmap_read+0x190/0x1e0
 [   36.999323]  spi_mem_dirmap_write+0x238/0x32c
 [   37.003710]  spi_nor_write_data+0x220/0x374
 [   37.007932]  spi_nor_write+0x110/0x2e8
 [   37.011711]  mtd_write_oob_std+0x154/0x1f0
 [   37.015838]  mtd_write_oob+0x104/0x1d0
 [   37.019617]  mtd_write+0xb8/0x12c
 [   37.022953]  mtdchar_write+0x224/0x47c
 [   37.026732]  vfs_write+0x1e4/0x8c8
 [   37.030163]  ksys_write+0xec/0x1d0
 [   37.033586]  __arm64_sys_write+0x6c/0x9c
 [   37.037539]  invoke_syscall+0x6c/0x258
 [   37.041327]  el0_svc_common.constprop.0+0x160/0x22c
 [   37.046244]  do_el0_svc+0x44/0x5c
 [   37.049589]  el0_svc+0x38/0x78
 [   37.052681]  el0t_64_sync_handler+0x13c/0x158
 [   37.057077]  el0t_64_sync+0x190/0x194
 [   37.060775]
 [   37.062274] Allocated by task 455:
 [   37.065701]  kasan_save_stack+0x2c/0x54
 [   37.069570]  kasan_save_track+0x20/0x3c
 [   37.073438]  kasan_save_alloc_info+0x40/0x54
 [   37.077736]  __kasan_kmalloc+0xa0/0xb8
 [   37.081515]  __kmalloc_noprof+0x158/0x2f8
 [   37.085563]  mtd_kmalloc_up_to+0x120/0x154
 [   37.089690]  mtdchar_write+0x130/0x47c
 [   37.093469]  vfs_write+0x1e4/0x8c8
 [   37.096901]  ksys_write+0xec/0x1d0
 [   37.100332]  __arm64_sys_write+0x6c/0x9c
 [   37.104287]  invoke_syscall+0x6c/0x258
 [   37.108064]  el0_svc_common.constprop.0+0x160/0x22c
 [   37.112972]  do_el0_svc+0x44/0x5c
 [   37.116319]  el0_svc+0x38/0x78
 [   37.119401]  el0t_64_sync_handler+0x13c/0x158
 [   37.123788]  el0t_64_sync+0x190/0x194
 [   37.127474]
 [   37.128977] The buggy address belongs to the object at ffff00081037c2a0
 [   37.128977]  which belongs to the cache kmalloc-8 of size 8
 [   37.141177] The buggy address is located 0 bytes inside of
 [   37.141177]  allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)
 [   37.153465]
 [   37.154971] The buggy address belongs to the physical page:
 [   37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c
 [   37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
 [   37.175149] page_type: 0xfdffffff(slab)
 [   37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000
 [   37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
 [   37.194553] page dumped because: kasan: bad access detected
 [   37.200144]
 [   37.201647] Memory state around the buggy address:
 [   37.206460]  ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
 [   37.213701]  ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc
 [   37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc
 [   37.228186]                                ^
 [   37.232473]  ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 [   37.239718]  ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 [   37.246962] ==================================================================
 [   37.254394] Disabling lock debugging due to kernel taint
 0+1 records in
 0+1 records out
 3 bytes copied, 0.335911 s, 0.0 kB/s

 The Linux kernel CVE team has assigned CVE-2024-46853 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 5.4.285 with commit aa05db44db5f409f6d91c27b5737efb49fb45d9f
 	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 5.10.227 with commit 609260542cf86b459c57618b8cdec8020394b7ad
 	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 5.15.168 with commit 491f9646f7ac31af5fca71be1a3e5eb8aa7663ad
 	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 6.1.111 with commit 09af8b0ba70072be831f3ec459f4063d570f9e24
 	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 6.6.52 with commit af9ca9ca3e44f48b2a191e100d452fbf850c3d87
 	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 6.10.11 with commit d1a1dfcec77c57b1181da93d11a3db1bc4eefa97
 	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 6.11 with commit 2a8787c1cdc7be24fdd8953ecd1a8743a1006235

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46853
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/spi/spi-nxp-fspi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/aa05db44db5f409f6d91c27b5737efb49fb45d9f
 	https://git.kernel.org/stable/c/609260542cf86b459c57618b8cdec8020394b7ad
 	https://git.kernel.org/stable/c/491f9646f7ac31af5fca71be1a3e5eb8aa7663ad
 	https://git.kernel.org/stable/c/09af8b0ba70072be831f3ec459f4063d570f9e24
 	https://git.kernel.org/stable/c/af9ca9ca3e44f48b2a191e100d452fbf850c3d87
 	https://git.kernel.org/stable/c/d1a1dfcec77c57b1181da93d11a3db1bc4eefa97
 	https://git.kernel.org/stable/c/2a8787c1cdc7be24fdd8953ecd1a8743a1006235
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46853: spi: nxp-fspi: fix the KASAN report out-of-bounds bug

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	spi: nxp-fspi: fix the KASAN report out-of-bounds bug

	Change the memcpy length to fix the out-of-bounds issue when writing the
	data that is not 4 byte aligned to TX FIFO.

	To reproduce the issue, write 3 bytes data to NOR chip.

	dd if=3b of=/dev/mtd0
	[ 36.926103] ==================================================================
	[ 36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838
	[ 36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455
	[ 36.946721]
	[ 36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070
	[ 36.956185] Hardware name: Freescale i.MX8QM MEK (DT)
	[ 36.961260] Call trace:
	[ 36.963723] dump_backtrace+0x90/0xe8
	[ 36.967414] show_stack+0x18/0x24
	[ 36.970749] dump_stack_lvl+0x78/0x90
	[ 36.974451] print_report+0x114/0x5cc
	[ 36.978151] kasan_report+0xa4/0xf0
	[ 36.981670] __asan_report_load_n_noabort+0x1c/0x28
	[ 36.986587] nxp_fspi_exec_op+0x26ec/0x2838
	[ 36.990800] spi_mem_exec_op+0x8ec/0xd30
	[ 36.994762] spi_mem_no_dirmap_read+0x190/0x1e0
	[ 36.999323] spi_mem_dirmap_write+0x238/0x32c
	[ 37.003710] spi_nor_write_data+0x220/0x374
	[ 37.007932] spi_nor_write+0x110/0x2e8
	[ 37.011711] mtd_write_oob_std+0x154/0x1f0
	[ 37.015838] mtd_write_oob+0x104/0x1d0
	[ 37.019617] mtd_write+0xb8/0x12c
	[ 37.022953] mtdchar_write+0x224/0x47c
	[ 37.026732] vfs_write+0x1e4/0x8c8
	[ 37.030163] ksys_write+0xec/0x1d0
	[ 37.033586] __arm64_sys_write+0x6c/0x9c
	[ 37.037539] invoke_syscall+0x6c/0x258
	[ 37.041327] el0_svc_common.constprop.0+0x160/0x22c
	[ 37.046244] do_el0_svc+0x44/0x5c
	[ 37.049589] el0_svc+0x38/0x78
	[ 37.052681] el0t_64_sync_handler+0x13c/0x158
	[ 37.057077] el0t_64_sync+0x190/0x194
	[ 37.060775]
	[ 37.062274] Allocated by task 455:
	[ 37.065701] kasan_save_stack+0x2c/0x54
	[ 37.069570] kasan_save_track+0x20/0x3c
	[ 37.073438] kasan_save_alloc_info+0x40/0x54
	[ 37.077736] __kasan_kmalloc+0xa0/0xb8
	[ 37.081515] __kmalloc_noprof+0x158/0x2f8
	[ 37.085563] mtd_kmalloc_up_to+0x120/0x154
	[ 37.089690] mtdchar_write+0x130/0x47c
	[ 37.093469] vfs_write+0x1e4/0x8c8
	[ 37.096901] ksys_write+0xec/0x1d0
	[ 37.100332] __arm64_sys_write+0x6c/0x9c
	[ 37.104287] invoke_syscall+0x6c/0x258
	[ 37.108064] el0_svc_common.constprop.0+0x160/0x22c
	[ 37.112972] do_el0_svc+0x44/0x5c
	[ 37.116319] el0_svc+0x38/0x78
	[ 37.119401] el0t_64_sync_handler+0x13c/0x158
	[ 37.123788] el0t_64_sync+0x190/0x194
	[ 37.127474]
	[ 37.128977] The buggy address belongs to the object at ffff00081037c2a0
	[ 37.128977] which belongs to the cache kmalloc-8 of size 8
	[ 37.141177] The buggy address is located 0 bytes inside of
	[ 37.141177] allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)
	[ 37.153465]
	[ 37.154971] The buggy address belongs to the physical page:
	[ 37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c
	[ 37.168596] flags: 0xbfffe0000000000(node=0\|zone=2\|lastcpupid=0x1ffff)
	[ 37.175149] page_type: 0xfdffffff(slab)
	[ 37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000
	[ 37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
	[ 37.194553] page dumped because: kasan: bad access detected
	[ 37.200144]
	[ 37.201647] Memory state around the buggy address:
	[ 37.206460] ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
	[ 37.213701] ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc
	[ 37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc
	[ 37.228186] ^
	[ 37.232473] ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	[ 37.239718] ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
	[ 37.246962] ==================================================================
	[ 37.254394] Disabling lock debugging due to kernel taint
	0+1 records in
	0+1 records out
	3 bytes copied, 0.335911 s, 0.0 kB/s

	The Linux kernel CVE team has assigned CVE-2024-46853 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 5.4.285 with commit aa05db44db5f409f6d91c27b5737efb49fb45d9f
	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 5.10.227 with commit 609260542cf86b459c57618b8cdec8020394b7ad
	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 5.15.168 with commit 491f9646f7ac31af5fca71be1a3e5eb8aa7663ad
	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 6.1.111 with commit 09af8b0ba70072be831f3ec459f4063d570f9e24
	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 6.6.52 with commit af9ca9ca3e44f48b2a191e100d452fbf850c3d87
	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 6.10.11 with commit d1a1dfcec77c57b1181da93d11a3db1bc4eefa97
	Issue introduced in 5.1 with commit a5356aef6a907c2e2aed0caaa2b88b6021394471 and fixed in 6.11 with commit 2a8787c1cdc7be24fdd8953ecd1a8743a1006235

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46853
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/spi/spi-nxp-fspi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/aa05db44db5f409f6d91c27b5737efb49fb45d9f
	https://git.kernel.org/stable/c/609260542cf86b459c57618b8cdec8020394b7ad
	https://git.kernel.org/stable/c/491f9646f7ac31af5fca71be1a3e5eb8aa7663ad
	https://git.kernel.org/stable/c/09af8b0ba70072be831f3ec459f4063d570f9e24
	https://git.kernel.org/stable/c/af9ca9ca3e44f48b2a191e100d452fbf850c3d87
	https://git.kernel.org/stable/c/d1a1dfcec77c57b1181da93d11a3db1bc4eefa97
	https://git.kernel.org/stable/c/2a8787c1cdc7be24fdd8953ecd1a8743a1006235