Date: Thu, 14 Mar 2024 11:01:10 +0000
From: Lee Jones
To: Prarit Bhargava
Cc: Vegard Nossum, cve@kernel.org, linux-kernel@vger.kernel.org, linux-cve-announce@vger.kernel.org, Greg Kroah-Hartman, "Rafael J. Wysocki"
Subject: Re: CVE-2023-52605: ACPI: extlog: fix NULL pointer dereference check
Message-ID: <20240314110110.GL1522089@google.com>
References: <2024030647-CVE-2023-52605-292a@gregkh> <7591f33e-d64f-49c5-b7c8-deda2b6f0fde@redhat.com>
In-Reply-To: <7591f33e-d64f-49c5-b7c8-deda2b6f0fde@redhat.com>

On Mon, 11 Mar 2024, Prarit Bhargava wrote:

> On 3/10/24 04:10, Vegard Nossum wrote:
> >
> > (Added author/maintainer to Cc)
> >
> > On 06/03/2024 07:46, Greg Kroah-Hartman wrote:
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > ACPI: extlog: fix NULL pointer dereference check
> > >
> > > The gcc plugin -fanalyzer [1] tries to detect various
> > > patterns of incorrect behaviour. The tool reports:
> > >
> > > drivers/acpi/acpi_extlog.c: In function ‘extlog_exit’:
> > > drivers/acpi/acpi_extlog.c:307:12: warning: check of
> > > ‘extlog_l1_addr’ for NULL after already dereferencing it
> > > [-Wanalyzer-deref-before-check]
> > >      |
> > >      |  306 |         ((struct extlog_l1_head
> > > *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN;
> > >      |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
> > >      |      |                                                  |
> > >      |      |                                                  (1)
> > > pointer ‘extlog_l1_addr’ is dereferenced here
> > >      |  307 |         if (extlog_l1_addr)
> > >      |      |            ~
> > >      |      |            |
> > >      |      |            (2) pointer ‘extlog_l1_addr’ is checked for
> > > NULL here but it was already dereferenced at (1)
> > >      |
> > >
> > > Fix the NULL pointer dereference check in extlog_exit().
> > >
> > > The Linux kernel CVE team has assigned CVE-2023-52605 to this issue.
> >
> > This code is in an __exit function:
> >
> > diff --git a/drivers/acpi/acpi_extlog.c b/drivers/acpi/acpi_extlog.c
> > index e120a96e1eaee..193147769146e 100644
> > --- a/drivers/acpi/acpi_extlog.c
> > +++ b/drivers/acpi/acpi_extlog.c
> > @@ -303,9 +303,10 @@ err:
> >  static void __exit extlog_exit(void)
> >  {
> >      mce_unregister_decode_chain(&extlog_mce_dec);
> > -    ((struct extlog_l1_head *)extlog_l1_addr)->flags &= ~FLAG_OS_OPTIN;
> > -    if (extlog_l1_addr)
> > +    if (extlog_l1_addr) {
> > +        ((struct extlog_l1_head *)extlog_l1_addr)->flags &=
> > ~FLAG_OS_OPTIN;
> >          acpi_os_unmap_iomem(extlog_l1_addr, l1_size);
> > +    }
> >      if (elog_addr)
> >          acpi_os_unmap_iomem(elog_addr, elog_size);
> >      release_mem_region(elog_base, elog_size);
> >
> > This can only run when you unload a module, which is a privileged
> > operation (restricted to CAP_SYS_MODULE).
> >
> > Moreover, extlog_l1_addr is only ever assigned in the corresponding
> > module init function, and it looks like it will never be NULL if the
> > module was loaded successfully, at least on a recent mainline kernel.
> >
> > Since the module exit won't be called unless module init succeeded, I
> > don't see a way to trigger this bug. Is this a vulnerability?
> >
>
> This is certainly not a CVE.
>
> > It might be better to just delete the NULL check altogether.
> >
> > As usual, I could be wrong...
> >
>
> When I made this code change I thought the same thing: Perhaps it's better
> to remove the NULL check given the status of the code. I assumed that the
> check was there as a failsafe on unload.

If Rafael agrees with you both, I'd be happy to revoke its CVE status.

--
Lee Jones [李琼斯]
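Review bot: the quoted extlog_exit() hunk keeps `if (extlog_l1_addr)` around both the flags write and `acpi_os_unmap_iomem(extlog_l1_addr, l1_size)`, but the thread itself notes that extlog_l1_addr is assigned only in module init and that exit never runs unless init succeeded, so the guard can never be false on that path. Either drop the check, as Vegard suggests, or keep it and add a one-line comment stating it is a defensive guard on unload rather than a reachable condition, so the next reader (and the next analyzer run) does not mistake it for a real NULL case; as written the hunk silently changes the only observable behaviour, which is that the flags write now also depends on the check. Minor: the `&=` / `~FLAG_OS_OPTIN;` split in the quoted `+` line is a mail wrap and should be one line in the applied patch.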
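The pattern the analyzer warning above describes, shown as an added stand-alone example rather than the kernel's own code: a teardown routine that dereferences a pointer and only then checks it for NULL, beside the same routine with the check moved in front of the dereference. The struct name `l1_head`, the function names `teardown_deref_before_check` and `teardown_checked`, the `unmapped` out-parameter standing in for the unmap call, and the value of `FLAG_OS_OPTIN` are all constructed for this example. Compiling it with `gcc -fanalyzer -c` on a GCC new enough to know `-Wanalyzer-deref-before-check` reproduces a warning of the same shape as the one quoted in the description.

```c
/* Added example, not code from the Linux kernel or the quoted patch.
 * Build with:  gcc -fanalyzer -Wall -c deref_check.c
 * The first function is reported as -Wanalyzer-deref-before-check;
 * the second is not. */
#include <stddef.h>
#include <stdio.h>

#define FLAG_OS_OPTIN 0x1u   /* constructed value; the real mask is in the kernel */

/* Stand-in for the mapped L1 header; only the field the hunk touches. */
struct l1_head {
    unsigned int flags;
};

/* Same ordering as the original extlog_exit(): dereference first, check
 * second.  The check at (2) cannot protect the write at (1); if l1 were
 * ever NULL the function would already have faulted.  Returns 0 on the
 * non-NULL path so its behaviour there can be compared with the fixed
 * version. */
int teardown_deref_before_check(struct l1_head *l1, int *unmapped)
{
    l1->flags &= ~FLAG_OS_OPTIN;   /* (1) pointer dereferenced here */
    if (l1)                        /* (2) checked for NULL after (1) */
        *unmapped = 1;             /* stands in for the unmap call */
    return 0;
}

/* Corrected ordering, mirroring the patch: the NULL check guards both
 * the flag clear and the unmap.  Returns -1 when there is nothing to
 * tear down, 0 when the resources were released. */
int teardown_checked(struct l1_head *l1, int *unmapped)
{
    if (!l1)
        return -1;                 /* nothing was mapped; nothing to do */
    l1->flags &= ~FLAG_OS_OPTIN;   /* clear the opt-in flag */
    *unmapped = 1;                 /* stands in for the unmap call */
    return 0;
}

int main(void)
{
    struct l1_head hdr = { 0x3u };  /* constructed: opt-in bit plus one other bit */
    int unmapped = 0;

    /* Non-NULL path: both versions clear the opt-in bit and "unmap". */
    teardown_checked(&hdr, &unmapped);
    printf("checked:   flags=0x%x unmapped=%d\n", hdr.flags, unmapped);

    /* NULL path: only the checked version survives it. */
    unmapped = 0;
    printf("checked(NULL): rc=%d unmapped=%d\n",
           teardown_checked(NULL, &unmapped), unmapped);
    return 0;
}
```

The point of keeping both functions side by side is that on the only path the module can actually reach (a non-NULL pointer set up by init) they behave identically; the analyzer is objecting to the unreachable-but-inconsistent ordering, not to a state the code can get into, which is the distinction the thread draws when it asks whether this is a vulnerability at all.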