CVE-2023-53659

Source
https://cve.org/CVERecord?id=CVE-2023-53659
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53659.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53659
Downstream
Related
Published
2025-10-07T15:21:19.619Z
Modified
2026-03-11T07:46:20.458381672Z
Summary
iavf: Fix out-of-bounds when setting channels on remove
Details

In the Linux kernel, the following vulnerability has been resolved:

iavf: Fix out-of-bounds when setting channels on remove

If we set channels greater during iavf_remove(), and waiting reset done would be timeout, then returned with error but changed num_active_queues directly, that will lead to OOB like the following logs. Because the num_active_queues is greater than tx/rx_rings[] allocated actually.

Reproducer:

  [root@host ~]# cat repro.sh
  #!/bin/bash

  pf_dbsf="0000:41:00.0"
  vf0_dbsf="0000:41:02.0"
  g_pids=()

  function do_set_numvf()
  {
      echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
      sleep $((RANDOM%3+1))
      echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs
      sleep $((RANDOM%3+1))
  }

  function do_set_channel()
  {
      local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/)
      [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; }
      ifconfig $nic 192.168.18.5 netmask 255.255.255.0
      ifconfig $nic up
      ethtool -L $nic combined 1
      ethtool -L $nic combined 4
      sleep $((RANDOM%3))
  }

  function on_exit()
  {
      local pid
      for pid in "${g_pids[@]}"; do
          kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null
      done
      g_pids=()
  }

  trap "on_exit; exit" EXIT

  while :; do do_set_numvf ; done &
  g_pids+=($!)
  while :; do do_set_channel ; done &
  g_pids+=($!)

  wait

Result:

  [ 3506.152887] iavf 0000:41:02.0: Removing device
  [ 3510.400799] ==================================================================
  [ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf]
  [ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536
  [ 3510.400823]
  [ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1
  [ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021
  [ 3510.400835] Call Trace:
  [ 3510.400851] dump_stack+0x71/0xab
  [ 3510.400860] print_address_description+0x6b/0x290
  [ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf]
  [ 3510.400868] kasan_report+0x14a/0x2b0
  [ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf]
  [ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf]
  [ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf]
  [ 3510.400891] ? wait_woken+0x1d0/0x1d0
  [ 3510.400895] ? notifier_call_chain+0xc1/0x130
  [ 3510.400903] pci_device_remove+0xa8/0x1f0
  [ 3510.400910] device_release_driver_internal+0x1c6/0x460
  [ 3510.400916] pci_stop_bus_device+0x101/0x150
  [ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20
  [ 3510.400924] pci_iov_remove_virtfn+0x187/0x420
  [ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10
  [ 3510.400929] ? pci_get_subsys+0x90/0x90
  [ 3510.400932] sriov_disable+0xed/0x3e0
  [ 3510.400936] ? bus_find_device+0x12d/0x1a0
  [ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e]
  [ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e]
  [ 3510.400968] ? pci_get_device+0x7c/0x90
  [ 3510.400970] ? pci_get_subsys+0x90/0x90
  [ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210
  [ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10
  [ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e]
  [ 3510.401001] sriov_numvfs_store+0x214/0x290
  [ 3510.401005] ? sriov_totalvfs_show+0x30/0x30
  [ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10
  [ 3510.401011] ? __check_object_size+0x15a/0x350
  [ 3510.401018] kernfs_fop_write+0x280/0x3f0
  [ 3510.401022] vfs_write+0x145/0x440
  [ 3510.401025] ksys_write+0xab/0x160
  [ 3510.401028] ? __ia32_sys_read+0xb0/0xb0
  [ 3510.401031] ? fput_many+0x1a/0x120
  [ 3510.401032] ? filp_close+0xf0/0x130
  [ 3510.401038] do_syscall_64+0xa0/0x370
  [ 3510.401041] ? page_fault+0x8/0x30
  [ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca
  [ 3510.401073] RIP: 0033:0x7f3a9bb842c0
  [ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53659.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1555d83ddbb7204ef60c58aee6ca3bbef2c5e99f
Fixed
b92defe4e8ee86996c16417ad8c804cb4395fddd
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
68d4274034e618b7f190dc9fbfc4f3436a7430f4
Fixed
0fb37ce6c01e17839e26d03222f0b44e6a3ed2b9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4e5e6b5d9d1334d3490326b6922a2daaf56a867f
Fixed
6e1d8f1332076a002e6d910d255aa5903d341c56
Fixed
65ecebc9ac09427b2c65f271cd5e5bd536c3fe38
Fixed
7c4bced3caa749ce468b0c5de711c98476b23a52

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53659.json"