[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2025050232-CVE-2023-53123-73ac@gregkh>
Date: Fri, 2 May 2025 17:56:28 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2023-53123: PCI: s390: Fix use-after-free of PCI resources with per-function hotplug
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
PCI: s390: Fix use-after-free of PCI resources with per-function hotplug
On s390 PCI functions may be hotplugged individually even when they
belong to a multi-function device. In particular on an SR-IOV device VFs
may be removed and later re-added.
In commit a50297cf8235 ("s390/pci: separate zbus creation from
scanning") it was missed however that struct pci_bus and struct
zpci_bus's resource list retained a reference to the PCI functions MMIO
resources even though those resources are released and freed on
hot-unplug. These stale resources may subsequently be claimed when the
PCI function re-appears resulting in use-after-free.
One idea of fixing this use-after-free in s390 specific code that was
investigated was to simply keep resources around from the moment a PCI
function first appeared until the whole virtual PCI bus created for
a multi-function device disappears. The problem with this however is
that due to the requirement of artificial MMIO addreesses (address
cookies) extra logic is then needed to keep the address cookies
compatible on re-plug. At the same time the MMIO resources semantically
belong to the PCI function so tying their lifecycle to the function
seems more logical.
Instead a simpler approach is to remove the resources of an individually
hot-unplugged PCI function from the PCI bus's resource list while
keeping the resources of other PCI functions on the PCI bus untouched.
This is done by introducing pci_bus_remove_resource() to remove an
individual resource. Similarly the resource also needs to be removed
from the struct zpci_bus's resource list. It turns out however, that
there is really no need to add the MMIO resources to the struct
zpci_bus's resource list at all and instead we can simply use the
zpci_bar_struct's resource pointer directly.
The Linux kernel CVE team has assigned CVE-2023-53123 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 5.15.104 with commit 437bb839e36cc9f35adc6d2a2bf113b7a0fc9985
Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.1.21 with commit a2410d0c3d2d714ed968a135dfcbed6aa3ff7027
Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.2.8 with commit b99ebf4b62774e690e73a551cf5fbf6f219bdd96
Issue introduced in 5.13 with commit a50297cf8235b062bcdeaa8b1dad58e69d3e1b43 and fixed in 6.3 with commit ab909509850b27fd39b8ba99e44cda39dbc3858c
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53123
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
arch/s390/pci/pci.c
arch/s390/pci/pci_bus.c
arch/s390/pci/pci_bus.h
drivers/pci/bus.c
include/linux/pci.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/437bb839e36cc9f35adc6d2a2bf113b7a0fc9985
https://git.kernel.org/stable/c/a2410d0c3d2d714ed968a135dfcbed6aa3ff7027
https://git.kernel.org/stable/c/b99ebf4b62774e690e73a551cf5fbf6f219bdd96
https://git.kernel.org/stable/c/ab909509850b27fd39b8ba99e44cda39dbc3858c
Powered by blists - more mailing lists