CVE-2023-52451
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 22/02/2024
Last modified: 04/11/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/memhp: Fix access beyond end of drmem array

dlpar_memory_remove_by_index() may access beyond the bounds of the
drmem lmb array when the LMB lookup fails to match an entry with the
given DRC index. When the search fails, the cursor is left pointing to
&drmem_info->lmbs[drmem_info->n_lmbs], which is one element past the
last valid entry in the array. The debug message at the end of the
function then dereferences this pointer:

    pr_debug("Failed to hot-remove memory at %llx\n",
             lmb->base_addr);

This was found by inspection and confirmed with KASAN:

    pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234
    ==================================================================
    BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658
    Read of size 8 at addr c000000364e97fd0 by task bash/949

    dump_stack_lvl+0xa4/0xfc (unreliable)
    print_report+0x214/0x63c
    kasan_report+0x140/0x2e0
    __asan_load8+0xa8/0xe0
    dlpar_memory+0x298/0x1658
    handle_dlpar_errorlog+0x130/0x1d0
    dlpar_store+0x18c/0x3e0
    kobj_attr_store+0x68/0xa0
    sysfs_kf_write+0xc4/0x110
    kernfs_fop_write_iter+0x26c/0x390
    vfs_write+0x2d4/0x4e0
    ksys_write+0xac/0x1a0
    system_call_exception+0x268/0x530
    system_call_vectored_common+0x15c/0x2ec

    Allocated by task 1:
    kasan_save_stack+0x48/0x80
    kasan_set_track+0x34/0x50
    kasan_save_alloc_info+0x34/0x50
    __kasan_kmalloc+0xd0/0x120
    __kmalloc+0x8c/0x320
    kmalloc_array.constprop.0+0x48/0x5c
    drmem_init+0x2a0/0x41c
    do_one_initcall+0xe0/0x5c0
    kernel_init_freeable+0x4ec/0x5a0
    kernel_init+0x30/0x1e0
    ret_from_kernel_user_thread+0x14/0x1c

    The buggy address belongs to the object at c000000364e80000
    which belongs to the cache kmalloc-128k of size 131072
    The buggy address is located 0 bytes to the right of
    allocated 98256-byte region [c000000364e80000, c000000364e97fd0)

    ==================================================================
    pseries-hotplug-mem: Failed to hot-remove memory at 0

Log failed lookups with a separate message and dereference the
cursor only when it points to a valid entry.
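
The lookup pattern described above, modelled in userspace C as an added example (not the kernel's code or the upstream patch): it shows where the cursor lands on a failed search and a removal path that reads the cursor only after checking it. The struct layout, function names, sample table, stub remove callbacks and the lookup-failure message text are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified userspace stand-in for the LMB array (assumed layout). */
struct lmb { uint64_t base_addr; uint32_t drc_index; };
struct lmb_table { struct lmb *lmbs; size_t n_lmbs; };

/* Linear search as the description states it: on a miss the cursor ends at
 * &lmbs[n_lmbs], one element past the last valid entry. */
static struct lmb *search_cursor(const struct lmb_table *t, uint32_t drc_index)
{
    struct lmb *lmb;
    for (lmb = t->lmbs; lmb < t->lmbs + t->n_lmbs; lmb++)
        if (lmb->drc_index == drc_index)
            break;
    return lmb; /* one-past-the-end may be compared, never read */
}

/* Hardened path: a failed lookup gets its own message, and lmb->base_addr
 * is read only when the cursor points at a real entry. */
static int remove_by_index(const struct lmb_table *t, uint32_t drc_index,
                           int (*remove_fn)(struct lmb *), char *msg, size_t len)
{
    struct lmb *lmb = search_cursor(t, drc_index);
    int rc;

    if (lmb == t->lmbs + t->n_lmbs) {
        snprintf(msg, len, "Failed to look up LMB for drc index %x", drc_index);
        return -EINVAL;
    }
    rc = remove_fn(lmb); /* models the hot-remove step */
    snprintf(msg, len, rc ? "Failed to hot-remove memory at %llx"
                          : "Memory at %llx was hot-removed",
             (unsigned long long)lmb->base_addr);
    return rc;
}

/* Constructed sample data and stub hot-remove results. */
static struct lmb sample[] = { {0x10000000, 0x80000001}, {0x20000000, 0x80000002} };
static const struct lmb_table table = { sample, 2 };
static int remove_ok(struct lmb *l) { (void)l; return 0; }
static int remove_fail(struct lmb *l) { (void)l; return -EBUSY; }

int main(void)
{
    char msg[80];
    int rc = remove_by_index(&table, 0x1234, remove_ok, msg, sizeof msg);
    return printf("%d: %s\n", rc, msg) < 0;
}
```
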
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.1.0 (including) | 4.19.306 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20.0 (including) | 5.4.268 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5.0 (including) | 5.10.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11.0 (including) | 5.15.148 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16.0 (including) | 6.1.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2.0 (including) | 6.6.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7.0 (including) | 6.7.2 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/026fd977dc50ff4a5e09bfb0603557f104d3f3a0
- https://git.kernel.org/stable/c/708a4b59baad96c4718dc0bd3a3427d3ab22fedc
- https://git.kernel.org/stable/c/999a27b3ce9a69d54ccd5db000ec3a447bc43e6d
- https://git.kernel.org/stable/c/9b5f03500bc5b083c0df696d7dd169d7ef3dd0c7
- https://git.kernel.org/stable/c/b582aa1f66411d4adcc1aa55b8c575683fb4687e
- https://git.kernel.org/stable/c/bb79613a9a704469ddb8d6c6029d532a5cea384c
- https://git.kernel.org/stable/c/bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5
- https://git.kernel.org/stable/c/df16afba2378d985359812c865a15c05c70a967e



