cve/published/2024/CVE-2024-49933.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-49933: blk_iocost: fix more out of bound shifts

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 blk_iocost: fix more out of bound shifts

 Recently running UBSAN caught few out of bound shifts in the
 ioc_forgive_debts() function:

 UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38
 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
 long')
 ...
 UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30
 shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
 long')
 ...
 Call Trace:
 <IRQ>
 dump_stack_lvl+0xca/0x130
 __ubsan_handle_shift_out_of_bounds+0x22c/0x280
 ? __lock_acquire+0x6441/0x7c10
 ioc_timer_fn+0x6cec/0x7750
 ? blk_iocost_init+0x720/0x720
 ? call_timer_fn+0x5d/0x470
 call_timer_fn+0xfa/0x470
 ? blk_iocost_init+0x720/0x720
 __run_timer_base+0x519/0x700
 ...

 Actual impact of this issue was not identified but I propose to fix the
 undefined behaviour.
 The proposed fix to prevent those out of bound shifts consist of
 precalculating exponent before using it the shift operations by taking
 min value from the actual exponent and maximum possible number of bits.

 The Linux kernel CVE team has assigned CVE-2024-49933 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 5.10.227 with commit 1f61d509257d6a05763d05bf37943b35306522b1
 	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 5.15.168 with commit f4ef9bef023d5c543cb0f3194ecacfd47ef590ec
 	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.1.113 with commit 59121bb38fdc01434ea3fe361ee02b59f036227f
 	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.6.55 with commit 1ab2cfe19700fb3dde4c7dfec392acff34db3120
 	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.10.14 with commit 1b120f151871eb47ce9f283c007af3f8ae1d990e
 	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.11.3 with commit 364022095bdd4108efdaaa68576afa4712a5d085
 	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.12 with commit 9bce8005ec0dcb23a58300e8522fe4a31da606fa

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-49933
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	block/blk-iocost.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1f61d509257d6a05763d05bf37943b35306522b1
 	https://git.kernel.org/stable/c/f4ef9bef023d5c543cb0f3194ecacfd47ef590ec
 	https://git.kernel.org/stable/c/59121bb38fdc01434ea3fe361ee02b59f036227f
 	https://git.kernel.org/stable/c/1ab2cfe19700fb3dde4c7dfec392acff34db3120
 	https://git.kernel.org/stable/c/1b120f151871eb47ce9f283c007af3f8ae1d990e
 	https://git.kernel.org/stable/c/364022095bdd4108efdaaa68576afa4712a5d085
 	https://git.kernel.org/stable/c/9bce8005ec0dcb23a58300e8522fe4a31da606fa
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-49933: blk_iocost: fix more out of bound shifts

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	blk_iocost: fix more out of bound shifts

	Recently running UBSAN caught few out of bound shifts in the
	ioc_forgive_debts() function:

	UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38
	shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
	long')
	...
	UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30
	shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
	long')
	...
	Call Trace:
	<IRQ>
	dump_stack_lvl+0xca/0x130
	__ubsan_handle_shift_out_of_bounds+0x22c/0x280
	? __lock_acquire+0x6441/0x7c10
	ioc_timer_fn+0x6cec/0x7750
	? blk_iocost_init+0x720/0x720
	? call_timer_fn+0x5d/0x470
	call_timer_fn+0xfa/0x470
	? blk_iocost_init+0x720/0x720
	__run_timer_base+0x519/0x700
	...

	Actual impact of this issue was not identified but I propose to fix the
	undefined behaviour.
	The proposed fix to prevent those out of bound shifts consist of
	precalculating exponent before using it the shift operations by taking
	min value from the actual exponent and maximum possible number of bits.

	The Linux kernel CVE team has assigned CVE-2024-49933 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 5.10.227 with commit 1f61d509257d6a05763d05bf37943b35306522b1
	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 5.15.168 with commit f4ef9bef023d5c543cb0f3194ecacfd47ef590ec
	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.1.113 with commit 59121bb38fdc01434ea3fe361ee02b59f036227f
	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.6.55 with commit 1ab2cfe19700fb3dde4c7dfec392acff34db3120
	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.10.14 with commit 1b120f151871eb47ce9f283c007af3f8ae1d990e
	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.11.3 with commit 364022095bdd4108efdaaa68576afa4712a5d085
	Issue introduced in 5.10 with commit bec02dbbafad534674309f8b948094900f456797 and fixed in 6.12 with commit 9bce8005ec0dcb23a58300e8522fe4a31da606fa

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-49933
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	block/blk-iocost.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1f61d509257d6a05763d05bf37943b35306522b1
	https://git.kernel.org/stable/c/f4ef9bef023d5c543cb0f3194ecacfd47ef590ec
	https://git.kernel.org/stable/c/59121bb38fdc01434ea3fe361ee02b59f036227f
	https://git.kernel.org/stable/c/1ab2cfe19700fb3dde4c7dfec392acff34db3120
	https://git.kernel.org/stable/c/1b120f151871eb47ce9f283c007af3f8ae1d990e
	https://git.kernel.org/stable/c/364022095bdd4108efdaaa68576afa4712a5d085
	https://git.kernel.org/stable/c/9bce8005ec0dcb23a58300e8522fe4a31da606fa