From: Gabriel Krisman Bertazi
To: Greg Kroah-Hartman
Cc: linux-cve-announce@vger.kernel.org, keescook@chromium.org
Subject: Re: CVE-2023-52685: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
In-Reply-To: <2024051752-CVE-2023-52685-64c5@gregkh> (Greg Kroah-Hartman's message of "Fri, 17 May 2024 16:26:58 +0200")
References: <2024051752-CVE-2023-52685-64c5@gregkh>
Date: Mon, 27 May 2024 20:32:54 -0400
Message-ID: <87jzjeojwp.fsf@mailhost.krisman.be>

Greg Kroah-Hartman writes:

> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
>
> In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return
> 64-bit value since persistent_ram_zone::buffer_size has type size_t which
> is derived from the 64-bit *unsigned long*, while the ecc_blocks variable
> this value gets assigned to has (always 32-bit) *int* type. Even if that
> value fits into *int* type, an overflow is still possible when calculating
> the size_t typed ecc_total variable further below since there's no cast to
> any 64-bit type before multiplication. Declaring the ecc_blocks variable
> as *size_t* should fix this mess...
>
> Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> analysis tool.

Hi Greg,

[Cc'ing Kees, who is listed as the pstore maintainer]

I want to dispute this CVE. The overflow is in the module
initialization path, and can only happen at boot time or if the module
is loaded with specific parameters or due to specific acpi/device tree
data. Either way, it would require root privileges to trigger.

--
Gabriel Krisman Bertazi
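
The width problem described in the quoted CVE text, as an added user-space model that is not part of the original message and is not kernel code. The function names, the simplified size formula and the input values are assumptions constructed for illustration; uint32_t stands in for the 32-bit int so the wrap is well defined here.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Block count computed in 64 bits, as size_t arithmetic is on 64-bit arches.
 * The formula is a simplified assumption, not quoted from the kernel. */
static uint64_t blocks64(uint64_t buffer_size, uint32_t block_size,
                         uint32_t ecc_size)
{
    return DIV_ROUND_UP(buffer_size - ecc_size,
                        (uint64_t)block_size + ecc_size);
}

/* "Before": the count is stored in a 32-bit variable and the product is
 * computed in 32 bits before being widened to the 64-bit total. */
static uint64_t ecc_total_narrow(uint64_t buffer_size, uint32_t block_size,
                                 uint32_t ecc_size)
{
    uint32_t ecc_blocks = (uint32_t)blocks64(buffer_size, block_size, ecc_size);
    uint32_t total = (ecc_blocks + 1u) * ecc_size; /* wraps modulo 2^32 */
    return total;
}

/* "After": the count is 64-bit, so the product is computed in 64 bits. */
static uint64_t ecc_total_wide(uint64_t buffer_size, uint32_t block_size,
                               uint32_t ecc_size)
{
    uint64_t ecc_blocks = blocks64(buffer_size, block_size, ecc_size);
    return (ecc_blocks + 1) * ecc_size;
}

int main(void)
{
    /* Constructed inputs: ordinary size, count fits in 32 bits but the
     * product does not, and count itself does not fit in 32 bits. */
    const uint64_t sizes[] = { 4096, 1ULL << 36, 1ULL << 40 };
    const uint32_t block[] = { 128, 48, 48 };

    for (int i = 0; i < 3; i++)
        printf("buffer=%" PRIu64 " blocks=%" PRIu64 " narrow=%" PRIu64
               " wide=%" PRIu64 "\n", sizes[i],
               blocks64(sizes[i], block[i], 16),
               ecc_total_narrow(sizes[i], block[i], 16),
               ecc_total_wide(sizes[i], block[i], 16));
    return 0;
}
```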