CVE-2022-48871

21.08.2024, 07:15

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
default RX FIFO depth, e.g. 16.  Later during serial startup the
qcom_geni_serial_port_setup() updates the RX FIFO depth
(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.

The RX UART handle code will read "port->rx_fifo_depth" number of words
into "port->rx_fifo" buffer, thus exceeding the bounds.  This can be
observed in certain configurations with Qualcomm Bluetooth HCI UART
device and KASAN:

  Bluetooth: hci0: QCA Product ID   :0x00000010
  Bluetooth: hci0: QCA SOC Version  :0x400a0200
  Bluetooth: hci0: QCA ROM Version  :0x00000200
  Bluetooth: hci0: QCA Patch Version:0x00000d2b
  Bluetooth: hci0: QCA controller version 0x02000200
  Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
  bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
  Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
  Bluetooth: hci0: QCA Failed to download patch (-2)
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
  Write of size 4 at addr ffff279347d578c0 by task swapper/0/0

  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
  Call trace:
   dump_backtrace.part.0+0xe0/0xf0
   show_stack+0x18/0x40
   dump_stack_lvl+0x8c/0xb8
   print_report+0x188/0x488
   kasan_report+0xb4/0x100
   __asan_store4+0x80/0xa4
   handle_rx_uart+0xa8/0x18c
   qcom_geni_serial_handle_rx+0x84/0x9c
   qcom_geni_serial_isr+0x24c/0x760
   __handle_irq_event_percpu+0x108/0x500
   handle_irq_event+0x6c/0x110
   handle_fasteoi_irq+0x138/0x2cc
   generic_handle_domain_irq+0x48/0x64

If the RX FIFO depth changes after probe, be sure to resize the buffer.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Linux	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Vendor	Product	Version
linux	linux_kernel	5.7 ≤ 𝑥 < 5.10.165
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.90
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.8

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
trixie	6.11.5-1 fixed
sid	6.11.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

noble	not-affected
jammy	Fixed 5.15.0-70.77 released
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-allwinner-5.19

noble	dne
jammy	ignored
focal	dne

linux-aws

noble	not-affected
jammy	Fixed 5.15.0-1034.38 released
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-aws-5.0

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1034.38~20.04.1 released

linux-aws-5.19

noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-aws-5.8

noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

noble	dne
jammy	ignored
focal	dne

linux-aws-fips

noble	dne
jammy	dne
focal	dne

linux-aws-hwe

noble	dne
jammy	dne
focal	dne
xenial	not-affected

linux-azure

noble	not-affected
jammy	Fixed 5.15.0-1036.43 released
focal	not-affected
bionic	ignored
xenial	not-affected
trusty	not-affected

linux-azure-4.15

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-azure-5.11

noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1036.43~20.04.1 released

linux-azure-5.19

noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-azure-5.8

noble	dne
jammy	dne
focal	ignored

linux-azure-6.2

noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

noble	dne
jammy	ignored
focal	dne

linux-azure-edge

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

noble	dne
jammy	Fixed 5.15.0-1036.43.1 released
focal	ignored

linux-azure-fde-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1036.43~20.04.1.1 released

linux-azure-fde-5.19

noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

noble	dne
jammy	ignored
focal	dne

linux-azure-fips

noble	dne
jammy	dne
focal	dne

linux-bluefield

noble	dne
jammy	dne
focal	not-affected

linux-fips

noble	dne
jammy	dne
focal	dne

linux-gcp

noble	not-affected
jammy	Fixed 5.15.0-1032.40 released
focal	not-affected
bionic	ignored
xenial	not-affected

linux-gcp-4.15

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-gcp-5.11

noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1032.40~20.04.1 released

linux-gcp-5.19

noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-gcp-5.8

noble	dne
jammy	dne
focal	ignored

linux-gcp-6.2

noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

noble	dne
jammy	ignored
focal	dne

linux-gcp-fips

noble	dne
jammy	dne
focal	dne

linux-gke

noble	not-affected
jammy	Fixed 5.15.0-1031.36 released
focal	ignored

linux-gke-4.15

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

noble	dne
jammy	Fixed 5.15.0-1018.23 released
focal	not-affected

linux-gkeop-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1018.23~20.04.1 released

linux-gkeop-5.4

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	not-affected

linux-hwe-5.11

noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-70.77~20.04.1 released

linux-hwe-5.19

noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-hwe-5.8

noble	dne
jammy	dne
focal	ignored

linux-hwe-6.2

noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

noble	dne
jammy	not-affected
focal	dne

linux-hwe-edge

noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

noble	not-affected
jammy	Fixed 5.15.0-1028.31 released
focal	not-affected

linux-ibm-5.15

noble	dne
jammy	dne
focal	not-affected

linux-ibm-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-intel

noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-5.13

noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg

noble	dne
jammy	Fixed 5.15.0-1028.33 released
focal	dne

linux-intel-iotg-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1030.35~20.04.1 released

linux-iot

noble	dne
jammy	dne
focal	not-affected

linux-kvm

noble	dne
jammy	Fixed 5.15.0-1031.36 released
focal	not-affected
bionic	not-affected
xenial	not-affected

linux-lowlatency

noble	not-affected
jammy	Fixed 5.15.0-70.77 released
focal	dne

linux-lowlatency-hwe-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-70.77~20.04.1 released

linux-lowlatency-hwe-5.19

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.2

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

noble	dne
jammy	not-affected
focal	dne

linux-lts-xenial

noble	dne
jammy	dne
focal	dne
trusty	not-affected

linux-nvidia

noble	not-affected
jammy	Fixed 5.15.0-1023.23 released
focal	dne

linux-nvidia-6.2

noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

noble	dne
jammy	not-affected
focal	dne

linux-nvidia-6.8

noble	dne
jammy	not-affected
focal	dne

linux-nvidia-lowlatency

noble	not-affected
jammy	dne
focal	dne

linux-oem

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

noble	dne
jammy	ignored
focal	dne

linux-oem-6.5

noble	dne
jammy	ignored
focal	dne

linux-oem-6.8

noble	not-affected
jammy	dne
focal	dne

linux-oracle

noble	not-affected
jammy	Fixed 5.15.0-1033.39 released
focal	not-affected
bionic	not-affected
xenial	not-affected

linux-oracle-5.0

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1033.39~20.04.1 released

linux-oracle-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-oracle-5.8

noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

noble	dne
jammy	ignored
focal	dne

linux-raspi

noble	not-affected
jammy	Fixed 5.15.0-1027.29 released
focal	not-affected

linux-raspi-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-raspi-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi2

noble	dne
jammy	dne
focal	ignored

linux-realtime

noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv

noble	not-affected
jammy	ignored
focal	ignored

linux-riscv-5.11

noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1031.35~20.04.1 released

linux-riscv-5.19

noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

noble	dne
jammy	not-affected
focal	dne

linux-starfive-5.19

noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

noble	dne
jammy	ignored
focal	dne

linux-xilinx-zynqmp

noble	dne
jammy	not-affected
focal	not-affected

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a

https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2

https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a

https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95