CVE-2021-47393

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs<br /> <br /> Fan speed minimum can be enforced from sysfs. For example, setting<br /> current fan speed to 20 is used to enforce fan speed to be at 100%<br /> speed, 19 - to be not below 90% speed, etcetera. This feature provides<br /> ability to limit fan speed according to some system wise<br /> considerations, like absence of some replaceable units or high system<br /> ambient temperature.<br /> <br /> Request for changing fan minimum speed is configuration request and can<br /> be set only through &amp;#39;sysfs&amp;#39; write procedure. In this situation value of<br /> argument &amp;#39;state&amp;#39; is above nominal fan speed maximum.<br /> <br /> Return non-zero code in this case to avoid<br /> thermal_cooling_device_stats_update() call, because in this case<br /> statistics update violates thermal statistics table range.<br /> The issues is observed in case kernel is configured with option<br /> CONFIG_THERMAL_STATISTICS.<br /> <br /> Here is the trace from KASAN:<br /> [ 159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0<br /> [ 159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444<br /> [ 159.545625] Call Trace:<br /> [ 159.548366] dump_stack+0x92/0xc1<br /> [ 159.552084] ? thermal_cooling_device_stats_update+0x7d/0xb0<br /> [ 159.635869] thermal_zone_device_update+0x345/0x780<br /> [ 159.688711] thermal_zone_device_set_mode+0x7d/0xc0<br /> [ 159.694174] mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]<br /> [ 159.700972] ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]<br /> [ 159.731827] mlxsw_thermal_init+0x763/0x880 [mlxsw_core]<br /> [ 160.070233] RIP: 0033:0x7fd995909970<br /> [ 160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 3d 01 f0 ff ..<br /> [ 160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001<br /> [ 160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970<br /> [ 160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001<br /> [ 160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700<br /> [ 160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013<br /> [ 160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013<br /> [ 160.143671]<br /> [ 160.145338] Allocated by task 2924:<br /> [ 160.149242] kasan_save_stack+0x19/0x40<br /> [ 160.153541] __kasan_kmalloc+0x7f/0xa0<br /> [ 160.157743] __kmalloc+0x1a2/0x2b0<br /> [ 160.161552] thermal_cooling_device_setup_sysfs+0xf9/0x1a0<br /> [ 160.167687] __thermal_cooling_device_register+0x1b5/0x500<br /> [ 160.173833] devm_thermal_of_cooling_device_register+0x60/0xa0<br /> [ 160.180356] mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]<br /> [ 160.248140]<br /> [ 160.249807] The buggy address belongs to the object at ffff888116163400<br /> [ 160.249807] which belongs to the cache kmalloc-1k of size 1024<br /> [ 160.263814] The buggy address is located 64 bytes to the right of<br /> [ 160.263814] 1024-byte region [ffff888116163400, ffff888116163800)<br /> [ 160.277536] The buggy address belongs to the page:<br /> [ 160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160<br /> [ 160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0<br /> [ 160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)<br /> [ 160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0<br /> [ 160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000<br /> [ 160.327033] page dumped because: kasan: bad access detected<br /> [ 160.333270]<br /> [ 160.334937] Memory state around the buggy address:<br /> [ 160.356469] &gt;ffff888116163800: fc ..