CVE-2023-52451

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-52451
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52451.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-52451
Downstream
Related
Published
2024-02-22T16:21:42.295Z
Modified
2026-03-13T07:48:01.797007Z
Summary
powerpc/pseries/memhp: Fix access beyond end of drmem array
Details

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/memhp: Fix access beyond end of drmem array

dlparmemoryremovebyindex() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fails, the cursor is left pointing to &drmeminfo->lmbs[drmeminfo->n_lmbs], which is one element past the last valid entry in the array. The debug message at the end of the function then dereferences this pointer:

    pr_debug("Failed to hot-remove memory at %llx\n",
             lmb->base_addr);

This was found by inspection and confirmed with KASAN:

pseries-hotplug-mem: Attempting to hot-remove LMB, drc index 1234 ================================================================== BUG: KASAN: slab-out-of-bounds in dlpar_memory+0x298/0x1658 Read of size 8 at addr c000000364e97fd0 by task bash/949

dumpstacklvl+0xa4/0xfc (unreliable) printreport+0x214/0x63c kasanreport+0x140/0x2e0 _asanload8+0xa8/0xe0 dlparmemory+0x298/0x1658 handledlparerrorlog+0x130/0x1d0 dlparstore+0x18c/0x3e0 kobjattrstore+0x68/0xa0 sysfskfwrite+0xc4/0x110 kernfsfopwriteiter+0x26c/0x390 vfswrite+0x2d4/0x4e0 ksyswrite+0xac/0x1a0 systemcallexception+0x268/0x530 systemcallvectoredcommon+0x15c/0x2ec

Allocated by task 1: kasansavestack+0x48/0x80 kasansettrack+0x34/0x50 kasansavealloc_info+0x34/0x50 __kasan_kmalloc+0xd0/0x120 _kmalloc+0x8c/0x320 kmallocarray.constprop.0+0x48/0x5c drmeminit+0x2a0/0x41c dooneinitcall+0xe0/0x5c0 kernelinitfreeable+0x4ec/0x5a0 kernelinit+0x30/0x1e0 retfromkerneluserthread+0x14/0x1c

The buggy address belongs to the object at c000000364e80000 which belongs to the cache kmalloc-128k of size 131072 The buggy address is located 0 bytes to the right of allocated 98256-byte region [c000000364e80000, c000000364e97fd0)

================================================================== pseries-hotplug-mem: Failed to hot-remove memory at 0

Log failed lookups with a separate message and dereference the cursor only when it points to a valid entry.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52451.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
51925fb3c5c901aa06cdc853268a6e19e19bcdc7
Fixed
bb79613a9a704469ddb8d6c6029d532a5cea384c
Fixed
9b5f03500bc5b083c0df696d7dd169d7ef3dd0c7
Fixed
b582aa1f66411d4adcc1aa55b8c575683fb4687e
Fixed
999a27b3ce9a69d54ccd5db000ec3a447bc43e6d
Fixed
026fd977dc50ff4a5e09bfb0603557f104d3f3a0
Fixed
df16afba2378d985359812c865a15c05c70a967e
Fixed
708a4b59baad96c4718dc0bd3a3427d3ab22fedc
Fixed
bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52451.json"