CVE-2022-49353

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49353
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49353.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49353
Downstream
Related
Published
2025-02-26T02:11:04Z
Modified
2025-10-15T20:23:16.611221Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
powerpc/papr_scm: don't requests stats with '0' sized stats buffer
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/papr_scm: don't requests stats with '0' sized stats buffer

Sachin reported [1] that on a POWER-10 LPAR he is seeing a kernel panic being reported with vPMEM when papr_scm probe is being called. The panic is of the form below and is observed only with the following option disabled (profile) for the said LPAR: 'Enable Performance Information Collection' in the HMC:

Kernel attempted to write user page (1c) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on write at 0x0000001c
Faulting instruction address: 0xc008000001b90844
Oops: Kernel access of bad area, sig: 11 [#1]
<snip>
NIP [c008000001b90844] drc_pmem_query_stats+0x5c/0x270 [papr_scm]
LR [c008000001b92794] papr_scm_probe+0x2ac/0x6ec [papr_scm]
Call Trace:
0xc00000000941bca0 (unreliable)
papr_scm_probe+0x2ac/0x6ec [papr_scm]
platform_probe+0x98/0x150
really_probe+0xfc/0x510
__driver_probe_device+0x17c/0x230
<snip>
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception

On investigation it looks like this panic was caused by a 'stat_buffer' of size==0 being provided to drc_pmem_query_stats() to fetch all performance stat-ids of an NVDIMM. However, drc_pmem_query_stats() shouldn't have been called, since the vPMEM NVDIMM doesn't support any performance stat-ids. This was caused by a missing check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events(), which indicates that the NVDIMM doesn't support performance stats.

Fix this by introducing the check for 'p->stat_buffer_len' at the beginning of papr_scm_pmu_check_events().

[1] https://lore.kernel.org/all/6B3A522A-6A5F-4CC9-B268-0C63AA6E07D3@linux.ibm.com
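The bug class here is a guard that belongs at the top of a function but was only implemented further down the call chain, so a device that advertises a zero-length stats buffer is still asked for its stats header. The following userspace model is an added illustration, not the kernel's code: `stat_buffer_len`, `query_stats()` and the two `check_events_*()` variants are stand-ins for the `p->stat_buffer_len` field, `drc_pmem_query_stats()` and `papr_scm_pmu_check_events()` named in the commit message, the `perf_stats_hdr` layout and the `-ENOENT` return of the fixed path are assumptions, and the invalid write that produced the oops is recorded in a flag instead of being performed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Userspace model of the papr_scm probe path (illustration only, not kernel
 * code). Assumed names, mirroring the commit message:
 *   stat_buffer_len   - size of the stats buffer the hypervisor advertised
 *                       for this NVDIMM; 0 means "no performance stats"
 *   query_stats()     - stand-in for drc_pmem_query_stats()
 *   check_events_*()  - stand-ins for papr_scm_pmu_check_events(), before
 *                       and after the fix
 */

/* Assumed header layout; only its size matters for the model. */
struct perf_stats_hdr {
    char     eye_catcher[8];
    uint32_t stats_version;
    uint32_t num_statistics;
};

struct nvdimm_priv {
    size_t       stat_buffer_len;
    unsigned int query_calls; /* instrumentation: how often query_stats() ran */
    int          bad_write;   /* instrumentation: a write through an unusable buffer */
};

/* Model of allocating stat_buffer_len bytes: a zero-length request yields a
 * pointer that must never be written through (represented as NULL here). */
static struct perf_stats_hdr *alloc_stats_buffer(const struct nvdimm_priv *p)
{
    static uint8_t storage[256];
    if (p->stat_buffer_len == 0 || p->stat_buffer_len > sizeof(storage))
        return NULL;
    return (struct perf_stats_hdr *)storage;
}

/* Model of the hcall wrapper: fills the header into a caller-provided buffer.
 * In the kernel, reaching this with a 0-length buffer is the NULL write in the
 * oops above; the model records it and returns an error instead. */
static int query_stats(struct nvdimm_priv *p, struct perf_stats_hdr *buf, size_t buf_len)
{
    p->query_calls++;
    if (buf == NULL || buf_len < sizeof(*buf)) {
        p->bad_write = 1;
        return -EFAULT;
    }
    memcpy(buf->eye_catcher, "SCMSTATS", sizeof(buf->eye_catcher)); /* constructed value */
    buf->stats_version  = 1;
    buf->num_statistics = 0;
    return 0;
}

/* Before the fix: queries unconditionally, even with stat_buffer_len == 0. */
static int check_events_vulnerable(struct nvdimm_priv *p)
{
    struct perf_stats_hdr *hdr = alloc_stats_buffer(p);
    return query_stats(p, hdr, p->stat_buffer_len);
}

/* After the fix: a zero-length buffer means the NVDIMM has no performance
 * stats, so bail out before the query path is touched. */
static int check_events_fixed(struct nvdimm_priv *p)
{
    if (!p->stat_buffer_len)
        return -ENOENT; /* assumed return value; the commit only describes the check */
    return query_stats(p, alloc_stats_buffer(p), p->stat_buffer_len);
}

int main(void)
{
    /* vPMEM-like device: hypervisor advertised no stats buffer */
    struct nvdimm_priv vpmem_old = { .stat_buffer_len = 0 };
    struct nvdimm_priv vpmem_new = { .stat_buffer_len = 0 };
    /* device with a real stats buffer */
    struct nvdimm_priv nvdimm    = { .stat_buffer_len = 64 };

    int rc_old = check_events_vulnerable(&vpmem_old);
    int rc_new = check_events_fixed(&vpmem_new);
    int rc_ok  = check_events_fixed(&nvdimm);

    printf("vulnerable, len=0: rc=%d queries=%u bad_write=%d\n",
           rc_old, vpmem_old.query_calls, vpmem_old.bad_write);
    printf("fixed,      len=0: rc=%d queries=%u bad_write=%d\n",
           rc_new, vpmem_new.query_calls, vpmem_new.bad_write);
    printf("fixed,     len=64: rc=%d queries=%u bad_write=%d\n",
           rc_ok, nvdimm.query_calls, nvdimm.bad_write);
    return 0;
}
```

The point to carry over when reviewing similar probe code: any capability advertised as a length or count by firmware or a hypervisor has to be checked for zero at the first function that depends on it, not only in the helper that eventually consumes the buffer.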

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b073096df4dec70d0436321b7093bad27ae91f9e
Fixed
e1295aab2ebcda1c1a9ed342baedc080e5c393e5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0e0946e22f3665d27325d389ff45ade6e93f3678
Fixed
07bf9431b1590d1cd7a8d62075d0b50b073f0495

Affected versions

v5.*

v5.18
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.3

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.18.3
Fixed
5.18.4