| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061801-CVE-2022-50093-efbe@gregkh> Date: Wed, 18 Jun 2025 13:02:38 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50093: iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) KASAN reports: [ 4.668325][ T0] BUG: KASAN: wild-memory-access in dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497) [ 4.676149][ T0] Read of size 8 at addr 1fffffff85115558 by task swapper/0/0 [ 4.683454][ T0] [ 4.685638][ T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc3-00004-g0e862838f290 #1 [ 4.694331][ T0] Hardware name: Supermicro SYS-5018D-FN4T/X10SDV-8C-TLN4F, BIOS 1.1 03/02/2016 [ 4.703196][ T0] Call Trace: [ 4.706334][ T0] <TASK> [ 4.709133][ T0] ? dmar_parse_one_rhsa (arch/x86/include/asm/bitops.h:214 arch/x86/include/asm/bitops.h:226 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/nodemask.h:415 drivers/iommu/intel/dmar.c:497) after converting the type of the first argument (@nr, bit number) of arch_test_bit() from `long` to `unsigned long`[0]. Under certain conditions (for example, when ACPI NUMA is disabled via command line), pxm_to_node() can return %NUMA_NO_NODE (-1). It is valid 'magic' number of NUMA node, but not valid bit number to use in bitops. node_online() eventually descends to test_bit() without checking for the input, assuming it's on caller side (which might be good for perf-critical tasks). There, -1 becomes %ULONG_MAX which leads to an insane array index when calculating bit position in memory. For now, add an explicit check for @node being not %NUMA_NO_NODE before calling test_bit(). The actual logics didn't change here at all. [0] https://github.com/norov/linux/commit/0e862838f290147ea9c16db852d8d494b552d38d The Linux kernel CVE team has assigned CVE-2022-50093 to this issue. Affected and fixed versions =========================== Issue introduced in 2.6.33 with commit ee34b32d8c2950f66038c8975747ef9aec855289 and fixed in 5.4.211 with commit b12304984654d8e58a2b22ff94c4410906d6267f Issue introduced in 2.6.33 with commit ee34b32d8c2950f66038c8975747ef9aec855289 and fixed in 5.10.137 with commit 5659efdadf04b56707d58c1b758df16d2e0eff2c Issue introduced in 2.6.33 with commit ee34b32d8c2950f66038c8975747ef9aec855289 and fixed in 5.15.61 with commit 0b4c0003aeda32a600f95df53b2848da8a5aa3fa Issue introduced in 2.6.33 with commit ee34b32d8c2950f66038c8975747ef9aec855289 and fixed in 5.18.18 with commit 73ce2046e04ad488cecc66757c36cbe1bdf089d4 Issue introduced in 2.6.33 with commit ee34b32d8c2950f66038c8975747ef9aec855289 and fixed in 5.19.2 with commit c2304c50f4d94f56c2e326f25c9dc8cf2ba6f5fa Issue introduced in 2.6.33 with commit ee34b32d8c2950f66038c8975747ef9aec855289 and fixed in 6.0 with commit b0b0b77ea611e3088e9523e60860f4f41b62b235 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50093 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/iommu/intel/dmar.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b12304984654d8e58a2b22ff94c4410906d6267f https://git.kernel.org/stable/c/5659efdadf04b56707d58c1b758df16d2e0eff2c https://git.kernel.org/stable/c/0b4c0003aeda32a600f95df53b2848da8a5aa3fa https://git.kernel.org/stable/c/73ce2046e04ad488cecc66757c36cbe1bdf089d4 https://git.kernel.org/stable/c/c2304c50f4d94f56c2e326f25c9dc8cf2ba6f5fa https://git.kernel.org/stable/c/b0b0b77ea611e3088e9523e60860f4f41b62b235
Powered by blists - more mailing lists