cve-2021-47441
Vulnerability from cvelistv5
Published
2024-05-22 06:19
Modified
2024-12-19 07:42
Summary
In the Linux kernel, the following vulnerability has been resolved: mlxsw: thermal: Fix out-of-bounds memory accesses Currently, mlxsw allows cooling states to be set above the maximum cooling state supported by the driver: # cat /sys/class/thermal/thermal_zone2/cdev0/type mlxsw_fan # cat /sys/class/thermal/thermal_zone2/cdev0/max_state 10 # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state # echo $? 0 This results in out-of-bounds memory accesses when thermal state transition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the transition table is accessed with a too large index (state) [1]. According to the thermal maintainer, it is the responsibility of the driver to reject such operations [2]. Therefore, return an error when the state to be set exceeds the maximum cooling state supported by the driver. To avoid dead code, as suggested by the thermal maintainer [3], partially revert commit a421ce088ac8 ("mlxsw: core: Extend cooling device with cooling levels") that tried to interpret these invalid cooling states (above the maximum) in a special way. The cooling levels array is not removed in order to prevent the fans going below 20% PWM, which would cause them to get stuck at 0% PWM. [1] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290 Read of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122 Hardware name: Mellanox Technologies Ltd. "MSN2410-CB2FO"/"SA000874", BIOS 4.6.5 03/08/2016 Workqueue: events_freezable_power_ thermal_zone_device_check Call Trace: dump_stack_lvl+0x8b/0xb3 print_address_description.constprop.0+0x1f/0x140 kasan_report.cold+0x7f/0x11b thermal_cooling_device_stats_update+0x271/0x290 __thermal_cdev_update+0x15e/0x4e0 thermal_cdev_update+0x9f/0xe0 step_wise_throttle+0x770/0xee0 thermal_zone_device_update+0x3f6/0xdf0 process_one_work+0xa42/0x1770 worker_thread+0x62f/0x13e0 kthread+0x3ee/0x4e0 ret_from_fork+0x1f/0x30 Allocated by task 1: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0x7c/0x90 thermal_cooling_device_setup_sysfs+0x153/0x2c0 __thermal_cooling_device_register.part.0+0x25b/0x9c0 thermal_cooling_device_register+0xb3/0x100 mlxsw_thermal_init+0x5c5/0x7e0 __mlxsw_core_bus_device_register+0xcb3/0x19c0 mlxsw_core_bus_device_register+0x56/0xb0 mlxsw_pci_probe+0x54f/0x710 local_pci_probe+0xc6/0x170 pci_device_probe+0x2b2/0x4d0 really_probe+0x293/0xd10 __driver_probe_device+0x2af/0x440 driver_probe_device+0x51/0x1e0 __driver_attach+0x21b/0x530 bus_for_each_dev+0x14c/0x1d0 bus_add_driver+0x3ac/0x650 driver_register+0x241/0x3d0 mlxsw_sp_module_init+0xa2/0x174 do_one_initcall+0xee/0x5f0 kernel_init_freeable+0x45a/0x4de kernel_init+0x1f/0x210 ret_from_fork+0x1f/0x30 The buggy address belongs to the object at ffff8881052f7800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 1016 bytes inside of 1024-byte region [ffff8881052f7800, ffff8881052f7c00) The buggy address belongs to the page: page:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0 head:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x200000000010200(slab|head|node=0|zone=2) raw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67- ---truncated---
Impacted products
Vendor Product Version
Linux Linux Version: 4.10
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "ae0993739e14",
                "status": "affected",
                "version": "a50c1e35650b",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "status": "affected",
                "version": "4.10"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThan": "4.10",
                "status": "unaffected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "5.5",
                "status": "unaffected",
                "version": "5.4.155",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "5.11",
                "status": "unaffected",
                "version": "5.10.75",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "5.15",
                "status": "unaffected",
                "version": "5.14.14",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "linux_kernel",
            "vendor": "linux",
            "versions": [
              {
                "lessThanOrEqual": "*",
                "status": "unaffected",
                "version": "5.15",
                "versionType": "custom"
              },
              {
                "lessThan": "e59d839743b5",
                "status": "affected",
                "version": "a50c1e35650b",
                "versionType": "custom"
              },
              {
                "lessThan": "df8e58716afb",
                "status": "affected",
                "version": "a50c1e35650b",
                "versionType": "custom"
              },
              {
                "lessThan": "332fdf951df8",
                "status": "affected",
                "version": "a50c1e35650b",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2021-47441",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-22T15:01:53.700681Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-22T18:05:13.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.326Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ae0993739e14a102d506aa09e11b0065f3144f10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e59d839743b50cb1d3f42a786bea48cc5621d254"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/df8e58716afb3bee2b59de66b1ba1033f2e26303"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/332fdf951df8b870e3da86b122ae304e2aabe88c"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlxsw/core_thermal.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae0993739e14a102d506aa09e11b0065f3144f10",
              "status": "affected",
              "version": "a50c1e35650b929500bd89be61c89d95a267ce56",
              "versionType": "git"
            },
            {
              "lessThan": "e59d839743b50cb1d3f42a786bea48cc5621d254",
              "status": "affected",
              "version": "a50c1e35650b929500bd89be61c89d95a267ce56",
              "versionType": "git"
            },
            {
              "lessThan": "df8e58716afb3bee2b59de66b1ba1033f2e26303",
              "status": "affected",
              "version": "a50c1e35650b929500bd89be61c89d95a267ce56",
              "versionType": "git"
            },
            {
              "lessThan": "332fdf951df8b870e3da86b122ae304e2aabe88c",
              "status": "affected",
              "version": "a50c1e35650b929500bd89be61c89d95a267ce56",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlxsw/core_thermal.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.155",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.14.*",
              "status": "unaffected",
              "version": "5.14.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: thermal: Fix out-of-bounds memory accesses\n\nCurrently, mlxsw allows cooling states to be set above the maximum\ncooling state supported by the driver:\n\n # cat /sys/class/thermal/thermal_zone2/cdev0/type\n mlxsw_fan\n # cat /sys/class/thermal/thermal_zone2/cdev0/max_state\n 10\n # echo 18 \u003e /sys/class/thermal/thermal_zone2/cdev0/cur_state\n # echo $?\n 0\n\nThis results in out-of-bounds memory accesses when thermal state\ntransition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the\ntransition table is accessed with a too large index (state) [1].\n\nAccording to the thermal maintainer, it is the responsibility of the\ndriver to reject such operations [2].\n\nTherefore, return an error when the state to be set exceeds the maximum\ncooling state supported by the driver.\n\nTo avoid dead code, as suggested by the thermal maintainer [3],\npartially revert commit a421ce088ac8 (\"mlxsw: core: Extend cooling\ndevice with cooling levels\") that tried to interpret these invalid\ncooling states (above the maximum) in a special way. The cooling levels\narray is not removed in order to prevent the fans going below 20% PWM,\nwhich would cause them to get stuck at 0% PWM.\n\n[1]\nBUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290\nRead of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5\n\nCPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122\nHardware name: Mellanox Technologies Ltd. \"MSN2410-CB2FO\"/\"SA000874\", BIOS 4.6.5 03/08/2016\nWorkqueue: events_freezable_power_ thermal_zone_device_check\nCall Trace:\n dump_stack_lvl+0x8b/0xb3\n print_address_description.constprop.0+0x1f/0x140\n kasan_report.cold+0x7f/0x11b\n thermal_cooling_device_stats_update+0x271/0x290\n __thermal_cdev_update+0x15e/0x4e0\n thermal_cdev_update+0x9f/0xe0\n step_wise_throttle+0x770/0xee0\n thermal_zone_device_update+0x3f6/0xdf0\n process_one_work+0xa42/0x1770\n worker_thread+0x62f/0x13e0\n kthread+0x3ee/0x4e0\n ret_from_fork+0x1f/0x30\n\nAllocated by task 1:\n kasan_save_stack+0x1b/0x40\n __kasan_kmalloc+0x7c/0x90\n thermal_cooling_device_setup_sysfs+0x153/0x2c0\n __thermal_cooling_device_register.part.0+0x25b/0x9c0\n thermal_cooling_device_register+0xb3/0x100\n mlxsw_thermal_init+0x5c5/0x7e0\n __mlxsw_core_bus_device_register+0xcb3/0x19c0\n mlxsw_core_bus_device_register+0x56/0xb0\n mlxsw_pci_probe+0x54f/0x710\n local_pci_probe+0xc6/0x170\n pci_device_probe+0x2b2/0x4d0\n really_probe+0x293/0xd10\n __driver_probe_device+0x2af/0x440\n driver_probe_device+0x51/0x1e0\n __driver_attach+0x21b/0x530\n bus_for_each_dev+0x14c/0x1d0\n bus_add_driver+0x3ac/0x650\n driver_register+0x241/0x3d0\n mlxsw_sp_module_init+0xa2/0x174\n do_one_initcall+0xee/0x5f0\n kernel_init_freeable+0x45a/0x4de\n kernel_init+0x1f/0x210\n ret_from_fork+0x1f/0x30\n\nThe buggy address belongs to the object at ffff8881052f7800\n which belongs to the cache kmalloc-1k of size 1024\nThe buggy address is located 1016 bytes inside of\n 1024-byte region [ffff8881052f7800, ffff8881052f7c00)\nThe buggy address belongs to the page:\npage:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0\nhead:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0\nflags: 0x200000000010200(slab|head|node=0|zone=2)\nraw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\n\nMemory state around the buggy address:\n ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc\n ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\u003effff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n                                                                ^\n ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n\n[2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T07:42:21.293Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae0993739e14a102d506aa09e11b0065f3144f10"
        },
        {
          "url": "https://git.kernel.org/stable/c/e59d839743b50cb1d3f42a786bea48cc5621d254"
        },
        {
          "url": "https://git.kernel.org/stable/c/df8e58716afb3bee2b59de66b1ba1033f2e26303"
        },
        {
          "url": "https://git.kernel.org/stable/c/332fdf951df8b870e3da86b122ae304e2aabe88c"
        }
      ],
      "title": "mlxsw: thermal: Fix out-of-bounds memory accesses",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47441",
    "datePublished": "2024-05-22T06:19:35.562Z",
    "dateReserved": "2024-05-21T14:58:30.831Z",
    "dateUpdated": "2024-12-19T07:42:21.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-47441\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-22T07:15:09.340\",\"lastModified\":\"2024-11-21T06:36:09.100\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmlxsw: thermal: Fix out-of-bounds memory accesses\\n\\nCurrently, mlxsw allows cooling states to be set above the maximum\\ncooling state supported by the driver:\\n\\n # cat /sys/class/thermal/thermal_zone2/cdev0/type\\n mlxsw_fan\\n # cat /sys/class/thermal/thermal_zone2/cdev0/max_state\\n 10\\n # echo 18 \u003e /sys/class/thermal/thermal_zone2/cdev0/cur_state\\n # echo $?\\n 0\\n\\nThis results in out-of-bounds memory accesses when thermal state\\ntransition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the\\ntransition table is accessed with a too large index (state) [1].\\n\\nAccording to the thermal maintainer, it is the responsibility of the\\ndriver to reject such operations [2].\\n\\nTherefore, return an error when the state to be set exceeds the maximum\\ncooling state supported by the driver.\\n\\nTo avoid dead code, as suggested by the thermal maintainer [3],\\npartially revert commit a421ce088ac8 (\\\"mlxsw: core: Extend cooling\\ndevice with cooling levels\\\") that tried to interpret these invalid\\ncooling states (above the maximum) in a special way. The cooling levels\\narray is not removed in order to prevent the fans going below 20% PWM,\\nwhich would cause them to get stuck at 0% PWM.\\n\\n[1]\\nBUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290\\nRead of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5\\n\\nCPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122\\nHardware name: Mellanox Technologies Ltd. \\\"MSN2410-CB2FO\\\"/\\\"SA000874\\\", BIOS 4.6.5 03/08/2016\\nWorkqueue: events_freezable_power_ thermal_zone_device_check\\nCall Trace:\\n dump_stack_lvl+0x8b/0xb3\\n print_address_description.constprop.0+0x1f/0x140\\n kasan_report.cold+0x7f/0x11b\\n thermal_cooling_device_stats_update+0x271/0x290\\n __thermal_cdev_update+0x15e/0x4e0\\n thermal_cdev_update+0x9f/0xe0\\n step_wise_throttle+0x770/0xee0\\n thermal_zone_device_update+0x3f6/0xdf0\\n process_one_work+0xa42/0x1770\\n worker_thread+0x62f/0x13e0\\n kthread+0x3ee/0x4e0\\n ret_from_fork+0x1f/0x30\\n\\nAllocated by task 1:\\n kasan_save_stack+0x1b/0x40\\n __kasan_kmalloc+0x7c/0x90\\n thermal_cooling_device_setup_sysfs+0x153/0x2c0\\n __thermal_cooling_device_register.part.0+0x25b/0x9c0\\n thermal_cooling_device_register+0xb3/0x100\\n mlxsw_thermal_init+0x5c5/0x7e0\\n __mlxsw_core_bus_device_register+0xcb3/0x19c0\\n mlxsw_core_bus_device_register+0x56/0xb0\\n mlxsw_pci_probe+0x54f/0x710\\n local_pci_probe+0xc6/0x170\\n pci_device_probe+0x2b2/0x4d0\\n really_probe+0x293/0xd10\\n __driver_probe_device+0x2af/0x440\\n driver_probe_device+0x51/0x1e0\\n __driver_attach+0x21b/0x530\\n bus_for_each_dev+0x14c/0x1d0\\n bus_add_driver+0x3ac/0x650\\n driver_register+0x241/0x3d0\\n mlxsw_sp_module_init+0xa2/0x174\\n do_one_initcall+0xee/0x5f0\\n kernel_init_freeable+0x45a/0x4de\\n kernel_init+0x1f/0x210\\n ret_from_fork+0x1f/0x30\\n\\nThe buggy address belongs to the object at ffff8881052f7800\\n which belongs to the cache kmalloc-1k of size 1024\\nThe buggy address is located 1016 bytes inside of\\n 1024-byte region [ffff8881052f7800, ffff8881052f7c00)\\nThe buggy address belongs to the page:\\npage:0000000052355272 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1052f0\\nhead:0000000052355272 order:3 compound_mapcount:0 compound_pincount:0\\nflags: 0x200000000010200(slab|head|node=0|zone=2)\\nraw: 0200000000010200 ffffea0005034800 0000000300000003 ffff888100041dc0\\nraw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\\npage dumped because: kasan: bad access detected\\n\\nMemory state around the buggy address:\\n ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc\\n ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n\u003effff8881052f7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n                                                                ^\\n ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n ffff8881052f7c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\\n\\n[2] https://lore.kernel.org/linux-pm/9aca37cb-1629-5c67-\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mlxsw: Thermal: corrige accesos a memoria fuera de los l\u00edmites Actualmente, mlxsw permite establecer estados de enfriamiento por encima del estado de enfriamiento m\u00e1ximo admitido por el controlador: # cat /sys/class/ Thermal/thermal_zone2/cdev0/type mlxsw_fan # cat /sys/class/thermal/thermal_zone2/cdev0/max_state 10 # echo 18 \u0026gt; /sys/class/thermal/thermal_zone2/cdev0/cur_state # echo $? 0 Esto da como resultado accesos a la memoria fuera de los l\u00edmites cuando las estad\u00edsticas de transici\u00f3n de estado t\u00e9rmico est\u00e1n habilitadas (CONFIG_THERMAL_STATISTICS=y), ya que se accede a la tabla de transici\u00f3n con un \u00edndice (estado) demasiado grande [1]. Seg\u00fan el mantenedor t\u00e9rmico, es responsabilidad del conductor rechazar este tipo de operaciones [2]. Por lo tanto, devolver\u00e1 un error cuando el estado que se establecer\u00e1 exceda el estado de enfriamiento m\u00e1ximo admitido por el controlador. Para evitar el c\u00f3digo inactivo, como lo sugiere el mantenedor t\u00e9rmico [3], revierta parcialmente el commit a421ce088ac8 (\\\"mlxsw: core: Extend Cooling Device with Cooling Levels\\\") que intent\u00f3 interpretar estos estados de enfriamiento no v\u00e1lidos (por encima del m\u00e1ximo) de una manera especial. . La matriz de niveles de enfriamiento no se elimina para evitar que los ventiladores bajen del 20 % de PWM, lo que provocar\u00eda que se atasquen en el 0 % de PWM. [1] ERROR: KASAN: losa fuera de los l\u00edmites en Thermal_cooling_device_stats_update+0x271/0x290 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff8881052f7bf8 por tarea kworker/0:0/5 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122 Nombre del hardware: Mellanox Technologies Ltd. \\\"MSN2410-CB2FO\\\"/\\\"SA000874\\\", BIOS 4.6.5 08/03/2016 Cola de trabajo: events_freezable_power_ Thermal_zone_device_check Seguimiento de llamadas: dump_stack_lvl+0x8b /0xb3 print_address_description.constprop.0+0x1f/0x140 kasan_report.cold+0x7f/0x11b Thermal_cooling_device_stats_update+0x271/0x290 __thermal_cdev_update+0x15e/0x4e0 Thermal_cdev_update+0x9f/0xe0 70/0xee0 actualizaci\u00f3n_dispositivo_zona_termal+0x3f6/0xdf0 proceso_one_work+0xa42/0x1770 hilo_trabajador+ 0x62f/0x13e0 kthread+0x3ee/0x4e0 ret_from_fork+0x1f/0x30 Asignado por tarea 1: kasan_save_stack+0x1b/0x40 __kasan_kmalloc+0x7c/0x90 Thermal_cooling_device_setup_sysfs+0x153/0x2c0 _device_register.part.0+0x25b/0x9c0 Thermal_cooling_device_register+0xb3/0x100 mlxsw_thermal_init+0x5c5 /0x7e0 __mlxsw_core_bus_device_register+0xcb3/0x19c0 mlxsw_core_bus_device_register+0x56/0xb0 mlxsw_pci_probe+0x54f/0x710 local_pci_probe+0xc6/0x170 pci_device_probe+0x2b2/0x4d0 very_probe+ 0x293/0xd10 __driver_probe_device+0x2af/0x440 driver_probe_device+0x51/0x1e0 __driver_attach+0x21b/0x530 bus_for_each_dev+0x14c /0x1d0 bus_add_driver+0x3ac/0x650 driver_register+0x241/0x3d0 mlxsw_sp_module_init+0xa2/0x174 do_one_initcall+0xee/0x5f0 kernel_init_freeable+0x45a/0x4de kernel_init+0x1f/0x210 f/0x30 La direcci\u00f3n con errores pertenece al objeto en ffff8881052f7800 que pertenece al cach\u00e9 kmalloc-1k de tama\u00f1o 1024 La direcci\u00f3n con errores se encuentra 1016 bytes dentro de la regi\u00f3n de 1024 bytes [ffff8881052f7800, ffff8881052f7c00) La direcci\u00f3n con errores pertenece a la p\u00e1gina: p\u00e1gina:0000000052355272 refcount:1 mapcount:0 mapeo:0000000000000000 \u00edndice :0x0 pfn: 0x1052f0 cabeza:0000000052355272 orden:3 compuesto_mapcount:0 compuesto_pincount:0 banderas: 0x200000000010200(slab|head|node=0|zone=2) raw: 0200000000010200 ffffea0005034800 00000003000 00003 ffff888100041dc0 raw: 0000000000000000 0000000000100010 00000001ffffffff 00000000000000000 p\u00e1gina volcada porque: kasan: se detect\u00f3 mal acceso Estado de la memoria alrededor de la direcci\u00f3n del error: ffff8881052f7a80: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ffff8881052f7b00: fc fc fc fc fc fc fc fc fc fc fc fc \u0026gt;ffff8881052f7 b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8881052f7c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ---truncado---\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/332fdf951df8b870e3da86b122ae304e2aabe88c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ae0993739e14a102d506aa09e11b0065f3144f10\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/df8e58716afb3bee2b59de66b1ba1033f2e26303\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e59d839743b50cb1d3f42a786bea48cc5621d254\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/332fdf951df8b870e3da86b122ae304e2aabe88c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/ae0993739e14a102d506aa09e11b0065f3144f10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/df8e58716afb3bee2b59de66b1ba1033f2e26303\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.kernel.org/stable/c/e59d839743b50cb1d3f42a786bea48cc5621d254\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.