CVE-2023-53265

Source
https://cve.org/CVERecord?id=CVE-2023-53265
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53265.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53265
Published
2025-09-16T08:06:55.695Z
Modified
2026-04-11T12:46:44.238546Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
ubi: ensure that VID header offset + VID header size <= alloc, size
Details

In the Linux kernel, the following vulnerability has been resolved:

ubi: ensure that VID header offset + VID header size <= alloc, size

Ensure that the VID header offset + VID header size does not exceed the allocated area to avoid slab OOB.

BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]
BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197
Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555

CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G W 6.0.0-1868 #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x85/0xad lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433
kasan_report+0xa7/0x11b mm/kasan/report.c:495
crc32_body lib/crc32.c:111 [inline]
crc32_le_generic lib/crc32.c:179 [inline]
crc32_le_base+0x58c/0x626 lib/crc32.c:197
ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067
create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317
create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0x0
RIP: 0033:0x7f96d5cf753d
Code:
RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d
RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003
RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0
R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000
</TASK>

Allocated by task 1555:
kasan_save_stack+0x20/0x3d mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
____kasan_kmalloc mm/kasan/common.c:516 [inline]
__kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525
kasan_kmalloc include/linux/kasan.h:234 [inline]
__kmalloc+0x138/0x257 mm/slub.c:4429
kmalloc include/linux/slab.h:605 [inline]
ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]
create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295
create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl fs/ioctl.c:856 [inline]
__x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0x0

The buggy address belongs to the object at ffff88802bb36e00
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes to the right of
 256-byte region [ffff88802bb36e00, ffff88802bb36f00)

The buggy address belongs to the physical page:
page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2bb36
head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40
raw: 0000000000000000 00000000001
---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53265.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
801c135ce73d5df1caf3eca35b66a10824ae0707
Fixed
61e04db3bec87f7dd10074296deb7d083e2ccade
Fixed
771e207a839a29ba943e89f473b0fecd16089e2e
Fixed
f7adb740f97b6fa84e658892dcb08e37a31a4e77
Fixed
846bfba34175c23b13cc2023c2d67b96e8c14c43
Fixed
701bb3ed5a88a73ebbe1266895bdeff065226dca
Fixed
61aeba0e4b4124cfe3c5427feaf29c626dfa89e5
Fixed
e1b73fe4f4c6bb80755eb4bf4b867a8fd8b1a7fe
Fixed
1b42b1a36fc946f0d7088425b90d491b4257ca3e

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53265.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.22
Fixed
4.14.308
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.276
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.235
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.173
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.100
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.18
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53265.json"