lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 22 Feb 2024 17:21:56 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2023-52449: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

mtd: Fix gluebi NULL pointer dereference caused by ftl notifier

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
triggers NULL pointer dereference when trying to access
‘gluebi->desc’ in gluebi_read().

ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify    nb->notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add   not->add()
                    ftl_add_mtd         tr->add_mtd()
                      scan_header
                        mtd_read
                          mtd_read_oob
                            mtd_read_oob_std
                              gluebi_read   mtd->read()
                                gluebi->desc - NULL

Detailed reproduction information available at the Link [1],

In the normal case, obtain gluebi->desc in the gluebi_get_device(),
and access gluebi->desc in the gluebi_read(). However,
gluebi_get_device() is not executed in advance in the
ftl_add_mtd() process, which leads to NULL pointer dereference.

The solution for the gluebi module is to run jffs2 on the UBI
volume without considering working with ftl or mtdblock [2].
Therefore, this problem can be avoided by preventing gluebi from
creating the mtdblock device after creating mtd partition of the
type MTD_UBIVOLUME.

The Linux kernel CVE team has assigned CVE-2023-52449 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 4.19.306 with commit aeba358bcc8f
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 5.4.268 with commit 1bf4fe14e97c
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 5.10.209 with commit 001a3f59d8c9
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 5.15.148 with commit d8ac2537763b
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 6.1.75 with commit 5389407bba1e
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 6.6.14 with commit cfd7c9d260dc
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 6.7.2 with commit b36aaa64d58a
	Issue introduced in 2.6.31 with commit 2ba3d76a1e29 and fixed in 6.8-rc1 with commit a43bdc376dea

Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52449
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/mtd/mtd_blkdevs.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022
	https://git.kernel.org/stable/c/1bf4fe14e97cda621522eb2f28b0a4e87c5b0745
	https://git.kernel.org/stable/c/001a3f59d8c914ef8273461d4bf495df384cc5f8
	https://git.kernel.org/stable/c/d8ac2537763b54d278b80b2b080e1652523c7d4c
	https://git.kernel.org/stable/c/5389407bba1eab1266c6d83e226fb0840cb98dd5
	https://git.kernel.org/stable/c/cfd7c9d260dc0a3baaea05a122a19ab91e193c65
	https://git.kernel.org/stable/c/b36aaa64d58aaa2f2cbc8275e89bae76a2b6c3dc
	https://git.kernel.org/stable/c/a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ