CVE-2023-53768
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/12/2025
Last modified:
08/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

regmap-irq: Fix out-of-bounds access when allocating config buffers

When allocating the 2D array for handling IRQ type registers in
regmap_add_irq_chip_fwnode(), the intent is to allocate a matrix
with num_config_bases rows and num_config_regs columns.

This is currently handled by allocating a buffer to hold a pointer for
each row (i.e. num_config_bases). After that, the logic attempts to
allocate the memory required to hold the register configuration for
each row. However, instead of doing this allocation for each row
(i.e. num_config_bases allocations), the logic erroneously does this
allocation num_config_regs number of times.

This scenario can lead to out-of-bounds accesses when num_config_regs
is greater than num_config_bases. Fix this by updating the terminating
condition of the loop that allocates the memory for holding the register
configuration to allocate memory only for each row in the matrix.

Amit Pundir reported a crash that was occurring on his db845c device
due to memory corruption (see "Closes" tag for Amit's report). The KASAN
report below helped narrow it down to this issue:

[ 14.033877][ T1] ==================================================================
[ 14.042507][ T1] BUG: KASAN: invalid-access in regmap_add_irq_chip_fwnode+0x594/0x1364
[ 14.050796][ T1] Write of size 8 at addr 06ffff8081021850 by task init/1

[ 14.242004][ T1] The buggy address belongs to the object at ffffff8081021850
[ 14.242004][ T1] which belongs to the cache kmalloc-8 of size 8
[ 14.255669][ T1] The buggy address is located 0 bytes inside of
[ 14.255669][ T1] 8-byte region [ffffff8081021850, ffffff8081021858)
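
The loop-bound error described above, modelled in userspace C as an added example (this is not the kernel's code or the upstream patch). The names free_rows, alloc_rows and count_oob and the matrix sizes are hypothetical; out-of-range row stores are counted instead of performed, and sizes are assumed to be non-zero.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the matrix in the description; not kernel source. */
static void free_rows(unsigned int **row, size_t bases)
{
    for (size_t i = 0; row && i < bases; i++)
        free(row[i]);
    free(row);
}

/* loop_bound is the terminating condition of the row loop. *oob counts stores
 * aimed past row[bases - 1]; the model skips them, the unfixed loop did not. */
static unsigned int **alloc_rows(size_t bases, size_t regs,
                                 size_t loop_bound, size_t *oob)
{
    unsigned int **row = calloc(bases, sizeof(*row)); /* one pointer per row */
    *oob = 0;
    if (!row)
        return NULL;
    for (size_t i = 0; i < loop_bound; i++) {
        if (i >= bases) {           /* guard exists only in this model */
            (*oob)++;
            continue;
        }
        row[i] = calloc(regs, sizeof(**row)); /* one row of `regs` columns */
        if (!row[i]) {
            free_rows(row, bases);
            return NULL;
        }
    }
    return row;
}

/* Out-of-bounds row stores for a given shape, or -1 if allocation fails.
 * fixed == 0 bounds the loop by columns (the bug), fixed != 0 by rows. */
long count_oob(size_t bases, size_t regs, int fixed)
{
    size_t oob;
    unsigned int **row = alloc_rows(bases, regs, fixed ? bases : regs, &oob);
    if (!row)
        return -1;
    free_rows(row, bases);
    return (long)oob;
}

int main(void)
{
    printf("%ld %ld\n", count_oob(1, 2, 0), count_oob(1, 2, 1)); /* constructed shape */
    return 0;
}
```

With the column count as the bound, every index from num_config_bases up to num_config_regs - 1 is a pointer-sized store past the end of the row-pointer array; with the row count as the bound there are none.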



