* Re: CVE-2023-52685: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()

From: Gabriel Krisman Bertazi @ 2024-05-28 0:32 UTC
To: Greg Kroah-Hartman; +Cc: linux-cve-announce, cve, linux-kernel, keescook
In-Reply-To: <2024051752-CVE-2023-52685-64c5@gregkh>

Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:

> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
>
> In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return
> 64-bit value since persistent_ram_zone::buffer_size has type size_t which
> is derived from the 64-bit *unsigned long*, while the ecc_blocks variable
> this value gets assigned to has (always 32-bit) *int* type. Even if that
> value fits into *int* type, an overflow is still possible when calculating
> the size_t typed ecc_total variable further below since there's no cast to
> any 64-bit type before multiplication. Declaring the ecc_blocks variable
> as *size_t* should fix this mess...
>
> Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> analysis tool.

Hi Greg,

[Cc'ing Kees, who is listed as the pstore maintainer]

I want to dispute this CVE. The overflow is in the module
initialization path, and can only happen at boot time or if the module
is loaded with specific parameters or due to specific acpi/device tree
data. Either way, it would require root privileges to trigger.

-- 
Gabriel Krisman Bertazi
* Re: CVE-2023-52685: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()

From: Greg Kroah-Hartman @ 2024-05-28 19:01 UTC
To: Gabriel Krisman Bertazi; +Cc: linux-cve-announce, cve, linux-kernel, keescook

On Mon, May 27, 2024 at 08:32:54PM -0400, Gabriel Krisman Bertazi wrote:
> Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
>
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
> >
> > In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return
> > 64-bit value since persistent_ram_zone::buffer_size has type size_t which
> > is derived from the 64-bit *unsigned long*, while the ecc_blocks variable
> > this value gets assigned to has (always 32-bit) *int* type. Even if that
> > value fits into *int* type, an overflow is still possible when calculating
> > the size_t typed ecc_total variable further below since there's no cast to
> > any 64-bit type before multiplication. Declaring the ecc_blocks variable
> > as *size_t* should fix this mess...
> >
> > Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> > analysis tool.
>
> Hi Greg,
>
> [Cc'ing Kees, who is listed as the pstore maintainer]
>
> I want to dispute this CVE. The overflow is in the module
> initialization path, and can only happen at boot time or if the module
> is loaded with specific parameters or due to specific acpi/device tree
> data. Either way, it would require root privileges to trigger.

Normally root privileges aren't the issue, as many containers allow root
to do things (including loading modules, crazy systems...)

Anyway, I'll defer to Kees as to if this should be revoked or not.

thanks,

greg k-h

> --
> Gabriel Krisman Bertazi
* Re: CVE-2023-52685: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()

From: Kees Cook @ 2024-06-17 21:17 UTC
To: Greg Kroah-Hartman
Cc: Gabriel Krisman Bertazi, linux-cve-announce, cve, linux-kernel

On Tue, May 28, 2024 at 09:01:13PM +0200, Greg Kroah-Hartman wrote:
> On Mon, May 27, 2024 at 08:32:54PM -0400, Gabriel Krisman Bertazi wrote:
> > Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> >
> > > Description
> > > ===========
> > >
> > > In the Linux kernel, the following vulnerability has been resolved:
> > >
> > > pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
> > >
> > > In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return
> > > 64-bit value since persistent_ram_zone::buffer_size has type size_t which
> > > is derived from the 64-bit *unsigned long*, while the ecc_blocks variable
> > > this value gets assigned to has (always 32-bit) *int* type. Even if that
> > > value fits into *int* type, an overflow is still possible when calculating
> > > the size_t typed ecc_total variable further below since there's no cast to
> > > any 64-bit type before multiplication. Declaring the ecc_blocks variable
> > > as *size_t* should fix this mess...
> > >
> > > Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> > > analysis tool.
> >
> > Hi Greg,
> >
> > [Cc'ing Kees, who is listed as the pstore maintainer]
> >
> > I want to dispute this CVE. The overflow is in the module
> > initialization path, and can only happen at boot time or if the module
> > is loaded with specific parameters or due to specific acpi/device tree
> > data. Either way, it would require root privileges to trigger.
>
> Normally root privileges aren't the issue, as many containers allow root
> to do things (including loading modules, crazy systems...)
>
> Anyway, I'll defer to Kees as to if this should be revoked or not.

It's a module parameter or device tree value that is at most INT_MAX or
UINT_MAX respectively. Also, it is bounds checked against the buffer
itself:

	if (ecc_total >= prz->buffer_size) {

So even if it wrapped around and got "too small", there's no damage to
be had here.

The worst case is that the ramoops info goes missing because pstore
refuses to do anything with the bad value, but pstore can be disabled
way more easily than that, by design.

So, no, I don't think this is CVE worthy. I took the patch because it's
reasonable to try to get the math right and provide better error
reporting.

-- 
Kees Cook
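The arithmetic the thread is arguing about, as an added example written for this page (it is not code from the thread or from the kernel tree): a simplified, hypothetical model of the ecc_blocks / ecc_total computation in persistent_ram_init_ecc(), computed once at 32-bit width (the pre-fix shape), once at size_t width (the post-fix shape), and once with explicit overflow detection, followed by the buffer-size bounds check Kees quotes. The exact denominator of DIV_ROUND_UP(), the struct name and a 64-bit size_t are assumptions; the input values are constructed to make the 32-bit product wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel-style DIV_ROUND_UP(), as used in persistent_ram_init_ecc(). */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Simplified ECC geometry: bytes per data block and ECC bytes per block.
 * Hypothetical struct; the kernel keeps these in persistent_ram_ecc_info. */
struct ecc_geom {
	int block_size;
	int ecc_size;
};

/* Number of ECC blocks for a zone, computed at size_t width. The exact
 * denominator is an assumption made for this model, not the kernel's code. */
static size_t ecc_blocks_for(size_t buffer_size, struct ecc_geom g)
{
	return DIV_ROUND_UP(buffer_size - (size_t)g.ecc_size,
			    (size_t)g.block_size + (size_t)g.ecc_size);
}

/* Pre-fix shape: the block count is narrowed to 32 bits and the product is
 * formed at 32-bit width before being widened to size_t. Signed int overflow
 * is undefined behaviour in C, so the wrap is modelled with uint32_t to keep
 * the demonstration deterministic. */
static size_t ecc_total_narrow(size_t buffer_size, struct ecc_geom g)
{
	uint32_t ecc_blocks = (uint32_t)ecc_blocks_for(buffer_size, g);
	uint32_t ecc_total = (ecc_blocks + 1u) * (uint32_t)g.ecc_size; /* may wrap */
	return (size_t)ecc_total;
}

/* Post-fix shape: ecc_blocks is size_t, so the multiplication is 64-bit. */
static size_t ecc_total_wide(size_t buffer_size, struct ecc_geom g)
{
	size_t ecc_blocks = ecc_blocks_for(buffer_size, g);
	return (ecc_blocks + 1) * (size_t)g.ecc_size;
}

/* Defensive variant: keep int arithmetic but refuse to hand back a wrapped
 * result. __builtin_mul_overflow is the GCC/Clang builtin behind the
 * kernel's check_mul_overflow(). Returns false when the product does not fit. */
static bool ecc_total_int_checked(size_t buffer_size, struct ecc_geom g, int *out)
{
	int ecc_blocks = (int)ecc_blocks_for(buffer_size, g);
	return !__builtin_mul_overflow(ecc_blocks + 1, g.ecc_size, out);
}

/* The sanity check Kees points to: the zone is accepted only when the ECC
 * bytes leave room for data (the kernel rejects when ecc_total >= buffer_size). */
static bool ecc_geometry_accepted(size_t ecc_total, size_t buffer_size)
{
	return ecc_total < buffer_size;
}

int main(void)
{
	/* Constructed input: a 4 GiB zone with an absurd 1 GiB ecc_size, the
	 * kind of value only a privileged module parameter could supply. */
	size_t buffer_size = (size_t)4 << 30;
	struct ecc_geom g = { .block_size = 128, .ecc_size = 1 << 30 };
	int checked;

	size_t narrow = ecc_total_narrow(buffer_size, g);
	size_t wide = ecc_total_wide(buffer_size, g);

	printf("ecc_blocks          = %zu\n", ecc_blocks_for(buffer_size, g));
	printf("32-bit ecc_total    = %zu -> %s\n", narrow,
	       ecc_geometry_accepted(narrow, buffer_size) ? "accepted" : "rejected");
	printf("size_t ecc_total    = %zu -> %s\n", wide,
	       ecc_geometry_accepted(wide, buffer_size) ? "accepted" : "rejected");
	printf("checked int product = %s\n",
	       ecc_total_int_checked(buffer_size, g, &checked) ? "fits" : "overflow detected");
	return 0;
}
```

With the constructed geometry the 32-bit product wraps to 0 and slips past the bounds check, while the size_t product equals the buffer size and is rejected, which is the "wrapped around and got too small" case from the thread; the outcome in either case is a rejected or meaningless ECC layout for the zone, not a memory-safety problem, which is why the checked variant's job is better error reporting rather than protection. Compile with a C99 or later compiler on a 64-bit target.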
* Re: CVE-2023-52685: pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()

From: Greg Kroah-Hartman @ 2024-06-18 13:09 UTC
To: Kees Cook; +Cc: Gabriel Krisman Bertazi, linux-cve-announce, cve, linux-kernel

On Mon, Jun 17, 2024 at 02:17:49PM -0700, Kees Cook wrote:
> On Tue, May 28, 2024 at 09:01:13PM +0200, Greg Kroah-Hartman wrote:
> > On Mon, May 27, 2024 at 08:32:54PM -0400, Gabriel Krisman Bertazi wrote:
> > > Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:
> > >
> > > > Description
> > > > ===========
> > > >
> > > > In the Linux kernel, the following vulnerability has been resolved:
> > > >
> > > > pstore: ram_core: fix possible overflow in persistent_ram_init_ecc()
> > > >
> > > > In persistent_ram_init_ecc(), on 64-bit arches DIV_ROUND_UP() will return
> > > > 64-bit value since persistent_ram_zone::buffer_size has type size_t which
> > > > is derived from the 64-bit *unsigned long*, while the ecc_blocks variable
> > > > this value gets assigned to has (always 32-bit) *int* type. Even if that
> > > > value fits into *int* type, an overflow is still possible when calculating
> > > > the size_t typed ecc_total variable further below since there's no cast to
> > > > any 64-bit type before multiplication. Declaring the ecc_blocks variable
> > > > as *size_t* should fix this mess...
> > > >
> > > > Found by Linux Verification Center (linuxtesting.org) with the SVACE static
> > > > analysis tool.
> > >
> > > Hi Greg,
> > >
> > > [Cc'ing Kees, who is listed as the pstore maintainer]
> > >
> > > I want to dispute this CVE. The overflow is in the module
> > > initialization path, and can only happen at boot time or if the module
> > > is loaded with specific parameters or due to specific acpi/device tree
> > > data. Either way, it would require root privileges to trigger.
> >
> > Normally root privileges aren't the issue, as many containers allow root
> > to do things (including loading modules, crazy systems...)
> >
> > Anyway, I'll defer to Kees as to if this should be revoked or not.
>
> It's a module parameter or device tree value that is at most INT_MAX or
> UINT_MAX respectively. Also, it is bounds checked against the buffer
> itself:
>
> 	if (ecc_total >= prz->buffer_size) {
>
> So even if it wrapped around and got "too small", there's no damage to
> be had here.
>
> The worst case is that the ramoops info goes missing because pstore
> refuses to do anything with the bad value, but pstore can be disabled
> way more easily than that, by design.
>
> So, no, I don't think this is CVE worthy. I took the patch because it's
> reasonable to try to get the math right and provide better error
> reporting.

Now rejected, thanks.

greg k-h