Received: by 2002:a89:d88:0:b0:1fa:5c73:8e2d with SMTP id eb8csp627290lqb; Fri, 24 May 2024 08:28:49 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUB+o/m5Ry+Ub+L8Cw0WmPUXBjNqfQxKxPw8XamBEG5ppOZ1lGu9El0yCoPX4IWsZEeb7UGAH4PvAn9jnemTmVPMs4c0CkFVsJoNLZ7mQ== X-Google-Smtp-Source: AGHT+IH4alfikaxGO92c4rz4kEeAEIDk+dGIlIoHTMQr4Qlr8LqLQMbybLat94h0IdbOZHb1FMaX X-Received: by 2002:a17:902:e847:b0:1f3:1184:77b5 with SMTP id d9443c01a7336-1f4486d2142mr33952375ad.2.1716564529154; Fri, 24 May 2024 08:28:49 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716564529; cv=pass; d=google.com; s=arc-20160816; b=b03scxxPU6V0JQa0PDE1puRSkttRMongoW5kcm+Bvlouj/tG0dCxfP8Bm3HptCPbry MTgyKrL7tjZdBM1x68N4+4qy2ShZ6QYYzRCiSIjO+QTS8n2Pffina4UQ4gK4/1i22etH 7W1A786AR5ijYyITk6KI7VjIgzGpToZ8e+0k6Wio5NqNQTzmwBCDHdChXg/fc3bT8jXI vV/WPJzYCPnfyrq96+G6bgg3NFk7ASda1PfSO4z+EJeXxquqeBWYn7bn4U48bKZiHE82 DjKVT73CFf2zR3sd+vqulTWNX4/An7fP3F2G2m0EUkIywYrVon6f6YuczEZVltd8gh4E MMMQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=wD8f+gBbVdZtPCPbayLa4fqmjjymoqjyAb/0Xmle7mU=; fh=6w1WhOOfoTPm3TAzZ0TEvTJY7PMhNgQ7GupS1KuGQxg=; b=hB6mJ30Tak9LzBYqfB81TWmo4Nmn0komrmj97INHC+4irzBp/5ov07IKAC4viYAttY 8bd9jURDiBnsn4s5g8DdYsLPVcxGWLVy7PJS37nSDUfrkvB1+lHBAwECg0UdMUH1Ksjq FOlGfH4jg01oeUvwTo0hgCKVLRtP0zxgc46GdnkskUbQrMc2SDFgGDZjOP7GF8OsBbhw koX7tFe40usOADNetuw9SOX/DzUZucpIaU5/w761sBVfcOgYfIJWkWqdooJmhJHjj/oW EqWCcnABYZj0gJa61E4UOr8EPjbrKsw7fYJf5QlOY8NI30BgdnPrS3+25HIeid4tF0rr f/EA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Tt7E37Ji; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-188855-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-188855-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id d9443c01a7336-1f44c9d1513si15660105ad.521.2024.05.24.08.28.48 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 24 May 2024 08:28:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-188855-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Tt7E37Ji; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-188855-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-188855-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 25027B218F2 for ; Fri, 24 May 2024 15:27:03 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 5351812DDA7; Fri, 24 May 2024 15:26:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="Tt7E37Ji" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7707712DD98; Fri, 24 May 2024 15:26:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716564416; cv=none; b=cqPi0Y1E3huKxu1lHtz9OtvVAH3gNdw1e2EyjGELMV5gTdPAV3AX+Hi1jb0EpyKMBLVVBv8kQ0tHT2iTawdyX+NiQ8pIbl2rdEhDsdqGP35VcyhvDPni8BD5fQxQZFFJHZKNmCyX84li++XilMsO2W5HNvr+1K2Qd2J1mb5asQY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716564416; c=relaxed/simple; bh=NLTly/Ziw39O2EegvKrx3fgQaIpoemL3GO1n6sD2/2M=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=XZ/ihy4ftrj8DjOlaf+OmPWG6lbvMDI3BtMI5bf3YLehw69K68t1jCY3Ih41C1yG7SUyrC5jgsmDNo/ZByClKO7TFSvUvVM7t9fqZiL+xf8/4MdGmOa2NpN5y5v5JftE37ppKzRbjqEGPvSMm+C3Lr3VIpe5lwxnas1GuX4x5As= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=Tt7E37Ji; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id BCDCCC2BBFC; Fri, 24 May 2024 15:26:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1716564416; bh=NLTly/Ziw39O2EegvKrx3fgQaIpoemL3GO1n6sD2/2M=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Tt7E37Ji8Nlrkf5LLq3db4+FpfySQAVKAFS21sgYgQ6veuRQXUovU4vxI1W1w+/ZT T8SE7exYq6ze+kSfLxufUmg1HdsXQnimEzxw4G+2AJgouPEOTySKonFdwnstI0fuIC GMcrW30P1EVP9sEXJCAZrp0VN+v3O1zSayi+12ao= Date: Fri, 24 May 2024 17:26:53 +0200 From: Greg Kroah-Hartman To: Jiri Bohac Cc: cve@kernel.org, linux-kernel@vger.kernel.org, linux-cve-announce@vger.kernel.org, Eric Biederman , kexec@lists.infradead.org Subject: Re: CVE-2023-52823: kernel: kexec: copy user-array safely Message-ID: <2024052440-irrigate-tightness-4a8a@gregkh> References: <2024052106-CVE-2023-52823-3d81@gregkh> <2024052420-clang-flatterer-366b@gregkh> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Fri, May 24, 2024 at 02:38:04PM +0200, Jiri Bohac wrote: > On Fri, May 24, 2024 at 12:15:47PM +0200, Greg Kroah-Hartman wrote: > > Nice, but then why was this commit worded this way? Now we check twice? > > Double safe? Should it be reverted? > > double safe's good; turning it into a CVE not so much :( > CVE-2023-52822, CVE-2023-52824 and CVE-2023-52820, originally from the same patch > series, seem to be the exact same case. > > CVE-2023-52822: > > int vmw_surface_define_ioctl(struct drm_device *dev, void *data, > struct drm_file *file_priv) > { > ... > if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || > num_sizes == 0) > return -EINVAL; > ... > metadata->num_sizes = num_sizes; > metadata->sizes = > memdup_user((struct drm_vmw_size __user *)(unsigned long) > req->size_addr, > sizeof(*metadata->sizes) * metadata->num_sizes); > } Agreed, now rejected. > CVE-2023-52824 (here the check is in the immediately preceeding statement, could it > be any more obvious?): > > long watch_queue_set_filter(struct pipe_inode_info *pipe, > struct watch_notification_filter __user *_filter) > { > if (filter.nr_filters == 0 || > filter.nr_filters > 16 || > filter.__reserved != 0) > return -EINVAL; > > tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf)); > } Yup, now rejected. > > > CVE-2023-52820 is a little less obvious to be safe, but I believe it is: > > int drm_mode_create_lease_ioctl(struct drm_device *dev, > void *data, struct drm_file *lessor_priv) > { > ... > object_ids = memdup_user(u64_to_user_ptr(cl->object_ids), > array_size(object_count, sizeof(__u32))); > > array_size() will safely multiply object_count * 4 and return SIZE_MAX on > overflow, making the kmalloc inside memdup_user cleanly fail with -ENOMEM. Also agreed, now rejected. thanks, greg k-h