From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2024-26695: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
Date: Wed, 3 Apr 2024 16:55:46 +0200
Message-ID: <2024040338-CVE-2024-26695-e41f@gregkh>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked

The SEV platform device can be shut down with a null psp_master, e.g., using DEBUG_TEST_DRIVER_REMOVE.
Found using KASAN:

[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)
[ 137.162647] ccp 0000:23:00.1: no command queues available
[ 137.170598] ccp 0000:23:00.1: sev enabled
[ 137.174645] ccp 0000:23:00.1: psp enabled
[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]
[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311
[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180
[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c
[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216
[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e
[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0
[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66
[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28
[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8
[ 137.182693] FS:  0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000
[ 137.182693] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0
[ 137.182693] Call Trace:
[ 137.182693]
[ 137.182693]  ? show_regs+0x6c/0x80
[ 137.182693]  ? __die_body+0x24/0x70
[ 137.182693]  ? die_addr+0x4b/0x80
[ 137.182693]  ? exc_general_protection+0x126/0x230
[ 137.182693]  ? asm_exc_general_protection+0x2b/0x30
[ 137.182693]  ? __sev_platform_shutdown_locked+0x51/0x180
[ 137.182693]  sev_firmware_shutdown.isra.0+0x1e/0x80
[ 137.182693]  sev_dev_destroy+0x49/0x100
[ 137.182693]  psp_dev_destroy+0x47/0xb0
[ 137.182693]  sp_destroy+0xbb/0x240
[ 137.182693]  sp_pci_remove+0x45/0x60
[ 137.182693]  pci_device_remove+0xaa/0x1d0
[ 137.182693]  device_remove+0xc7/0x170
[ 137.182693]  really_probe+0x374/0xbe0
[ 137.182693]  ? srso_return_thunk+0x5/0x5f
[ 137.182693]  __driver_probe_device+0x199/0x460
[ 137.182693]  driver_probe_device+0x4e/0xd0
[ 137.182693]  __driver_attach+0x191/0x3d0
[ 137.182693]  ? __pfx___driver_attach+0x10/0x10
[ 137.182693]  bus_for_each_dev+0x100/0x190
[ 137.182693]  ? __pfx_bus_for_each_dev+0x10/0x10
[ 137.182693]  ? __kasan_check_read+0x15/0x20
[ 137.182693]  ? srso_return_thunk+0x5/0x5f
[ 137.182693]  ? _raw_spin_unlock+0x27/0x50
[ 137.182693]  driver_attach+0x41/0x60
[ 137.182693]  bus_add_driver+0x2a8/0x580
[ 137.182693]  driver_register+0x141/0x480
[ 137.182693]  __pci_register_driver+0x1d6/0x2a0
[ 137.182693]  ? srso_return_thunk+0x5/0x5f
[ 137.182693]  ? esrt_sysfs_init+0x1cd/0x5d0
[ 137.182693]  ? __pfx_sp_mod_init+0x10/0x10
[ 137.182693]  sp_pci_init+0x22/0x30
[ 137.182693]  sp_mod_init+0x14/0x30
[ 137.182693]  ? __pfx_sp_mod_init+0x10/0x10
[ 137.182693]  do_one_initcall+0xd1/0x470
[ 137.182693]  ? __pfx_do_one_initcall+0x10/0x10
[ 137.182693]  ? parameq+0x80/0xf0
[ 137.182693]  ? srso_return_thunk+0x5/0x5f
[ 137.182693]  ? __kmalloc+0x3b0/0x4e0
[ 137.182693]  ? kernel_init_freeable+0x92d/0x1050
[ 137.182693]  ? kasan_populate_vmalloc_pte+0x171/0x190
[ 137.182693]  ? srso_return_thunk+0x5/0x5f
[ 137.182693]  kernel_init_freeable+0xa64/0x1050
[ 137.182693]  ? __pfx_kernel_init+0x10/0x10
[ 137.182693]  kernel_init+0x24/0x160
[ 137.182693]  ? __switch_to_asm+0x3e/0x70
[ 137.182693]  ret_from_fork+0x40/0x80
[ 137.182693]  ? __pfx_kernel_init+0x10/0x10
[ 137.182693]  ret_from_fork_asm+0x1b/0x30
[ 137.182693]
[ 137.182693] Modules linked in:
[ 137.538483] ---[ end trace 0000000000000000 ]---

The Linux kernel CVE team has assigned CVE-2024-26695 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 5.10.137 with commit 87af9b0b4566 and fixed in 5.10.210 with commit 58054faf3bd2
	Issue introduced in 5.15.61 with commit f831d2882c84 and fixed in 5.15.149 with commit 7535ec350a5f
	Issue introduced in 6.0 with commit 1b05ece0c931 and fixed in 6.1.79 with commit 8731fe001a60
	Issue introduced in 6.0 with commit 1b05ece0c931 and fixed in 6.6.18 with commit 88aa493f393d
	Issue introduced in 6.0 with commit 1b05ece0c931 and fixed in 6.7.6 with commit b5909f197f3b
	Issue introduced in 6.0 with commit 1b05ece0c931 and fixed in 6.8 with commit ccb88e9549e7
	Issue introduced in 5.18.18 with commit fcb04178c05b
	Issue introduced in 5.19.2 with commit d87bbd10fc01

Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-26695 will be updated if fixes are backported, please check that for the most up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	drivers/crypto/ccp/sev-dev.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all.
If, however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits:
	https://git.kernel.org/stable/c/58054faf3bd29cd0b949b77efcb6157f66f401ed
	https://git.kernel.org/stable/c/7535ec350a5f09b5756a7607f5582913f21200f4
	https://git.kernel.org/stable/c/8731fe001a60581794ed9cf65da8cd304846a6fb
	https://git.kernel.org/stable/c/88aa493f393d2ee38ac140e1f6ac1881346e85d4
	https://git.kernel.org/stable/c/b5909f197f3b26aebedca7d8ac7b688fd993a266
	https://git.kernel.org/stable/c/ccb88e9549e7cfd8bcd511c538f437e20026e983
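The description above says the SEV shutdown path can run while psp_master is still NULL (the KASAN report shows the fault a small offset into the struct, i.e. the load of psp_master->sev_data), but the fix itself is only linked, not shown. The following user-space program is an added illustration, not code from the kernel or from the fix commits: the structs are reduced stand-ins that borrow the driver's names (psp_master, sev_data, SEV_STATE_UNINIT) and nothing else, and the "checked" variant demonstrates the general pattern for this class of bug, snapshotting a module-wide pointer once and refusing to dereference it when it or its sub-object is absent, rather than reproducing the exact diff.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the driver's per-device state. Only the names
 * are borrowed from drivers/crypto/ccp; the layouts are not the kernel's. */
enum sev_state { SEV_STATE_UNINIT = 0, SEV_STATE_INIT = 1 };

struct sev_device {
    enum sev_state state;
};

struct psp_device {
    struct sev_device *sev_data;   /* NULL when SEV is not enabled on this PSP */
};

/* Module-wide pointer to the active PSP. It is NULL before probe completes
 * and NULL again on a forced remove (the DEBUG_TEST_DRIVER_REMOVE path in
 * the trace), which is exactly when a teardown must not touch it. */
static struct psp_device *psp_master;

/* Shape of the bug: the first statement loads psp_master->sev_data with no
 * check on psp_master, so a NULL master faults before any later guard runs.
 * Kept for side-by-side comparison only; never call it with a NULL master. */
static int shutdown_locked_unchecked(int *error)
{
    struct sev_device *sev = psp_master->sev_data;

    if (!sev || sev->state == SEV_STATE_UNINIT)
        return 0;

    sev->state = SEV_STATE_UNINIT;   /* stands in for issuing SHUTDOWN */
    if (error)
        *error = 0;
    return 0;
}

/* Hardened shape: take one local snapshot of the global, and return early
 * if either the PSP or its SEV sub-object is absent, before any dereference. */
static int shutdown_locked_checked(int *error)
{
    struct psp_device *psp = psp_master;
    struct sev_device *sev;

    if (!psp || !psp->sev_data)
        return 0;

    sev = psp->sev_data;
    if (sev->state == SEV_STATE_UNINIT)
        return 0;

    sev->state = SEV_STATE_UNINIT;
    if (error)
        *error = 0;
    return 0;
}

/* Scenario from the advisory: remove runs with no master. The checked path
 * returns 0 without faulting; the unchecked path would crash here. */
int scenario_remove_with_null_master(void)
{
    psp_master = NULL;
    return shutdown_locked_checked(NULL);
}

/* Ordinary teardown with a live device: both variants behave identically,
 * so the guard costs nothing on the normal path. Returns the final state. */
int scenario_checked_normal_shutdown(void)
{
    struct sev_device sev = { .state = SEV_STATE_INIT };
    struct psp_device psp = { .sev_data = &sev };
    int err = -1;

    psp_master = &psp;
    if (shutdown_locked_checked(&err) != 0 || err != 0)
        return -1;
    psp_master = NULL;
    return (int)sev.state;
}

int scenario_unchecked_normal_shutdown(void)
{
    struct sev_device sev = { .state = SEV_STATE_INIT };
    struct psp_device psp = { .sev_data = &sev };
    int err = -1;

    psp_master = &psp;
    if (shutdown_locked_unchecked(&err) != 0 || err != 0)
        return -1;
    psp_master = NULL;
    return (int)sev.state;
}

int main(void)
{
    printf("remove with NULL master (checked): rc=%d\n", scenario_remove_with_null_master());
    printf("normal shutdown, checked:   final state=%d\n", scenario_checked_normal_shutdown());
    printf("normal shutdown, unchecked: final state=%d\n", scenario_unchecked_normal_shutdown());
    return 0;
}
```

The ordering is the whole point: the NULL test has to precede the first load through the pointer, and reading the global once into a local avoids a second chance to race with whoever clears it during remove. When reviewing similar driver teardown code, look for every function reachable from the remove callback that reads a module-level pointer set by probe, and confirm each one can tolerate probe having failed or never completed.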