cve/published/2024/CVE-2024-50195.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50195: posix-clock: Fix missing timespec64 check in pc_clock_settime()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 posix-clock: Fix missing timespec64 check in pc_clock_settime()

 As Andrew pointed out, it will make sense that the PTP core
 checked timespec64 struct's tv_sec and tv_nsec range before calling
 ptp->info->settime64().

 As the man manual of clock_settime() said, if tp.tv_sec is negative or
 tp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL,
 which include dynamic clocks which handles PTP clock, and the condition is
 consistent with timespec64_valid(). As Thomas suggested, timespec64_valid()
 only check the timespec is valid, but not ensure that the time is
 in a valid range, so check it ahead using timespec64_valid_strict()
 in pc_clock_settime() and return -EINVAL if not valid.

 There are some drivers that use tp->tv_sec and tp->tv_nsec directly to
 write registers without validity checks and assume that the higher layer
 has checked it, which is dangerous and will benefit from this, such as
 hclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(),
 and some drivers can remove the checks of itself.

 The Linux kernel CVE team has assigned CVE-2024-50195 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 4.19.323 with commit 29f085345cde24566efb751f39e5d367c381c584
 	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 5.4.285 with commit e0c966bd3e31911b57ef76cec4c5796ebd88e512
 	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 5.10.228 with commit 673a1c5a2998acbd429d6286e6cad10f17f4f073
 	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 5.15.169 with commit c8789fbe2bbf75845e45302cba6ffa44e1884d01
 	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 6.1.114 with commit 27abbde44b6e71ee3891de13e1a228aa7ce95bfe
 	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 6.6.58 with commit a3f169e398215e71361774d13bf91a0101283ac2
 	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 6.11.5 with commit 1ff7247101af723731ea42ed565d54fb8f341264
 	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 6.12 with commit d8794ac20a299b647ba9958f6d657051fc51a540

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50195
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/time/posix-clock.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/29f085345cde24566efb751f39e5d367c381c584
 	https://git.kernel.org/stable/c/e0c966bd3e31911b57ef76cec4c5796ebd88e512
 	https://git.kernel.org/stable/c/673a1c5a2998acbd429d6286e6cad10f17f4f073
 	https://git.kernel.org/stable/c/c8789fbe2bbf75845e45302cba6ffa44e1884d01
 	https://git.kernel.org/stable/c/27abbde44b6e71ee3891de13e1a228aa7ce95bfe
 	https://git.kernel.org/stable/c/a3f169e398215e71361774d13bf91a0101283ac2
 	https://git.kernel.org/stable/c/1ff7247101af723731ea42ed565d54fb8f341264
 	https://git.kernel.org/stable/c/d8794ac20a299b647ba9958f6d657051fc51a540
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50195: posix-clock: Fix missing timespec64 check in pc_clock_settime()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	posix-clock: Fix missing timespec64 check in pc_clock_settime()

	As Andrew pointed out, it will make sense that the PTP core
	checked timespec64 struct's tv_sec and tv_nsec range before calling
	ptp->info->settime64().

	As the man manual of clock_settime() said, if tp.tv_sec is negative or
	tp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL,
	which include dynamic clocks which handles PTP clock, and the condition is
	consistent with timespec64_valid(). As Thomas suggested, timespec64_valid()
	only check the timespec is valid, but not ensure that the time is
	in a valid range, so check it ahead using timespec64_valid_strict()
	in pc_clock_settime() and return -EINVAL if not valid.

	There are some drivers that use tp->tv_sec and tp->tv_nsec directly to
	write registers without validity checks and assume that the higher layer
	has checked it, which is dangerous and will benefit from this, such as
	hclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(),
	and some drivers can remove the checks of itself.

	The Linux kernel CVE team has assigned CVE-2024-50195 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 4.19.323 with commit 29f085345cde24566efb751f39e5d367c381c584
	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 5.4.285 with commit e0c966bd3e31911b57ef76cec4c5796ebd88e512
	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 5.10.228 with commit 673a1c5a2998acbd429d6286e6cad10f17f4f073
	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 5.15.169 with commit c8789fbe2bbf75845e45302cba6ffa44e1884d01
	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 6.1.114 with commit 27abbde44b6e71ee3891de13e1a228aa7ce95bfe
	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 6.6.58 with commit a3f169e398215e71361774d13bf91a0101283ac2
	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 6.11.5 with commit 1ff7247101af723731ea42ed565d54fb8f341264
	Issue introduced in 2.6.39 with commit 0606f422b453f76c31ab2b1bd52943ff06a2dcf2 and fixed in 6.12 with commit d8794ac20a299b647ba9958f6d657051fc51a540

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50195
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/time/posix-clock.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/29f085345cde24566efb751f39e5d367c381c584
	https://git.kernel.org/stable/c/e0c966bd3e31911b57ef76cec4c5796ebd88e512
	https://git.kernel.org/stable/c/673a1c5a2998acbd429d6286e6cad10f17f4f073
	https://git.kernel.org/stable/c/c8789fbe2bbf75845e45302cba6ffa44e1884d01
	https://git.kernel.org/stable/c/27abbde44b6e71ee3891de13e1a228aa7ce95bfe
	https://git.kernel.org/stable/c/a3f169e398215e71361774d13bf91a0101283ac2
	https://git.kernel.org/stable/c/1ff7247101af723731ea42ed565d54fb8f341264
	https://git.kernel.org/stable/c/d8794ac20a299b647ba9958f6d657051fc51a540