ghsa-7f2x-rjqg-7667
Vulnerability from github
Published
2024-05-21 15:31
Modified
2024-05-21 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

Fan speed minimum can be enforced from sysfs. For example, setting current fan speed to 20 is used to enforce fan speed to be at 100% speed, 19 - to be not below 90% speed, etcetera. This feature provides ability to limit fan speed according to some system wise considerations, like absence of some replaceable units or high system ambient temperature.

Request for changing fan minimum speed is configuration request and can be set only through 'sysfs' write procedure. In this situation value of argument 'state' is above nominal fan speed maximum.

Return non-zero code in this case to avoid thermal_cooling_device_stats_update() call, because in this case statistics update violates thermal statistics table range. The issues is observed in case kernel is configured with option CONFIG_THERMAL_STATISTICS.

Here is the trace from KASAN: [ 159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0 [ 159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444 [ 159.545625] Call Trace: [ 159.548366] dump_stack+0x92/0xc1 [ 159.552084] ? thermal_cooling_device_stats_update+0x7d/0xb0 [ 159.635869] thermal_zone_device_update+0x345/0x780 [ 159.688711] thermal_zone_device_set_mode+0x7d/0xc0 [ 159.694174] mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core] [ 159.700972] ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core] [ 159.731827] mlxsw_thermal_init+0x763/0x880 [mlxsw_core] [ 160.070233] RIP: 0033:0x7fd995909970 [ 160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff .. [ 160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970 [ 160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001 [ 160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700 [ 160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013 [ 160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013 [ 160.143671] [ 160.145338] Allocated by task 2924: [ 160.149242] kasan_save_stack+0x19/0x40 [ 160.153541] __kasan_kmalloc+0x7f/0xa0 [ 160.157743] __kmalloc+0x1a2/0x2b0 [ 160.161552] thermal_cooling_device_setup_sysfs+0xf9/0x1a0 [ 160.167687] __thermal_cooling_device_register+0x1b5/0x500 [ 160.173833] devm_thermal_of_cooling_device_register+0x60/0xa0 [ 160.180356] mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan] [ 160.248140] [ 160.249807] The buggy address belongs to the object at ffff888116163400 [ 160.249807] which belongs to the cache kmalloc-1k of size 1024 [ 160.263814] The buggy address is located 64 bytes to the right of [ 160.263814] 1024-byte region [ffff888116163400, ffff888116163800) [ 160.277536] The buggy address belongs to the page: [ 160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160 [ 160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0 [ 160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2) [ 160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0 [ 160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000 [ 160.327033] page dumped because: kasan: bad access detected [ 160.333270] [ 160.334937] Memory state around the buggy address: [ 160.356469] >ffff888116163800: fc ..

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47393"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:24Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs\n\nFan speed minimum can be enforced from sysfs. For example, setting\ncurrent fan speed to 20 is used to enforce fan speed to be at 100%\nspeed, 19 - to be not below 90% speed, etcetera. This feature provides\nability to limit fan speed according to some system wise\nconsiderations, like absence of some replaceable units or high system\nambient temperature.\n\nRequest for changing fan minimum speed is configuration request and can\nbe set only through \u0027sysfs\u0027 write procedure. In this situation value of\nargument \u0027state\u0027 is above nominal fan speed maximum.\n\nReturn non-zero code in this case to avoid\nthermal_cooling_device_stats_update() call, because in this case\nstatistics update violates thermal statistics table range.\nThe issues is observed in case kernel is configured with option\nCONFIG_THERMAL_STATISTICS.\n\nHere is the trace from KASAN:\n[  159.506659] BUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x7d/0xb0\n[  159.516016] Read of size 4 at addr ffff888116163840 by task hw-management.s/7444\n[  159.545625] Call Trace:\n[  159.548366]  dump_stack+0x92/0xc1\n[  159.552084]  ? thermal_cooling_device_stats_update+0x7d/0xb0\n[  159.635869]  thermal_zone_device_update+0x345/0x780\n[  159.688711]  thermal_zone_device_set_mode+0x7d/0xc0\n[  159.694174]  mlxsw_thermal_modules_init+0x48f/0x590 [mlxsw_core]\n[  159.700972]  ? mlxsw_thermal_set_cur_state+0x5a0/0x5a0 [mlxsw_core]\n[  159.731827]  mlxsw_thermal_init+0x763/0x880 [mlxsw_core]\n[  160.070233] RIP: 0033:0x7fd995909970\n[  160.074239] Code: 73 01 c3 48 8b 0d 28 d5 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 99 2d 2c 00 00 75 10 b8 01 00 00 00 0f 05 \u003c48\u003e 3d 01 f0 ff ..\n[  160.095242] RSP: 002b:00007fff54f5d938 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\n[  160.103722] RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007fd995909970\n[  160.111710] RDX: 0000000000000013 RSI: 0000000001906008 RDI: 0000000000000001\n[  160.119699] RBP: 0000000001906008 R08: 00007fd995bc9760 R09: 00007fd996210700\n[  160.127687] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000013\n[  160.135673] R13: 0000000000000001 R14: 00007fd995bc8600 R15: 0000000000000013\n[  160.143671]\n[  160.145338] Allocated by task 2924:\n[  160.149242]  kasan_save_stack+0x19/0x40\n[  160.153541]  __kasan_kmalloc+0x7f/0xa0\n[  160.157743]  __kmalloc+0x1a2/0x2b0\n[  160.161552]  thermal_cooling_device_setup_sysfs+0xf9/0x1a0\n[  160.167687]  __thermal_cooling_device_register+0x1b5/0x500\n[  160.173833]  devm_thermal_of_cooling_device_register+0x60/0xa0\n[  160.180356]  mlxreg_fan_probe+0x474/0x5e0 [mlxreg_fan]\n[  160.248140]\n[  160.249807] The buggy address belongs to the object at ffff888116163400\n[  160.249807]  which belongs to the cache kmalloc-1k of size 1024\n[  160.263814] The buggy address is located 64 bytes to the right of\n[  160.263814]  1024-byte region [ffff888116163400, ffff888116163800)\n[  160.277536] The buggy address belongs to the page:\n[  160.282898] page:0000000012275840 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888116167000 pfn:0x116160\n[  160.294872] head:0000000012275840 order:3 compound_mapcount:0 compound_pincount:0\n[  160.303251] flags: 0x200000000010200(slab|head|node=0|zone=2)\n[  160.309694] raw: 0200000000010200 ffffea00046f7208 ffffea0004928208 ffff88810004dbc0\n[  160.318367] raw: ffff888116167000 00000000000a0006 00000001ffffffff 0000000000000000\n[  160.327033] page dumped because: kasan: bad access detected\n[  160.333270]\n[  160.334937] Memory state around the buggy address:\n[  160.356469] \u003effff888116163800: fc ..",
  "id": "GHSA-7f2x-rjqg-7667",
  "modified": "2024-05-21T15:31:44Z",
  "published": "2024-05-21T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47393"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c6e0bce647d9cb32a17d58ffa669b3421fcc6ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76bbb482d33bfcd7e9070ecf594c9ec73e01c930"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a6c42ae1530f94724d3c42cf91fe3d3c5e394f8a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aa85fb7bde558bb2e364e85976b14b259c8b6fe8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e6fab7af6ba1bc77c78713a83876f60ca7a4a064"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.