Headline
CVE-2023-31085: Re: BUG: divide error in ubi_attach_mtd_dev
An issue was discovered in drivers/mtd/ubi/cdev.c in the Linux kernel 6.2. There is a divide-by-zero error in do_div(sz,mtd->erasesize), used indirectly by ctrl_cdev_ioctl, when mtd->erasesize is 0.
From: Richard Weinberger [email protected]
To: Yu Hao [email protected]
Cc: Miquel Raynal [email protected], Vignesh Raghavendra [email protected], linux-mtd [email protected], linux-kernel [email protected]
Subject: Re: BUG: divide error in ubi_attach_mtd_dev
Date: Tue, 18 Apr 2023 08:30:47 +0200 (CEST)
Message-ID: [email protected]
In-Reply-To: <CA+UBctDsHRpkLG5ppdiuV8Msn4Dx-ZJ2xDrxfa48VMb7ZE+xBA@mail.gmail.com>
Yu Hao,
----- Original Message -----
> From: "Yu Hao" [email protected]
> ubi: mtd0 is already attached to ubi0
> ubi7: attaching mtd147
> divide error: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 20023 Comm: syz-executor.0 Not tainted 6.2.0 #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
> RIP: 0010:mtd_div_by_eb include/linux/mtd/mtd.h:580 [inline]
> RIP: 0010:io_init drivers/mtd/ubi/build.c:620 [inline]
> RIP: 0010:ubi_attach_mtd_dev+0x77f/0x2fe0 drivers/mtd/ubi/build.c:955
> Code: fc ff df 48 c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 1f 25 00 00 41 8b 4c 24 10 48 89 d8 31 d2 <48> f7 f1 48 89 c3 e8 b6 f3 1b fc 48 8d 85 40 17 00 00 48 89 c2 48
> RSP: 0018:ffffc9000be0fd30 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffff888047a49d40 RDI: 0000000000000002
> RBP: ffff888024e1c000 R08: 0000000000000016 R09: fffff520017c1f47
> R10: ffffc9000be0fa37 R11: fffff520017c1f46 R12: ffff88806545a000
> R13: 0000000000000000 R14: ffff88806545a010 R15: 0000000000000007
> FS: 00007fd45e85c700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f64aeef53a4 CR3: 000000004f39a000 CR4: 0000000000350ef0
> Call Trace:
> <TASK>
> ctrl_cdev_ioctl+0x303/0x3a0 drivers/mtd/ubi/cdev.c:1043

What kind of MTD are you attaching? Has it erasesize 0?

Thanks,
//richard
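The failure in the trace, modelled in userspace C as an added example (it is not kernel code and not from the thread). `mtd_model`, `shift_for`, `attach_checked` and `try_attach` are hypothetical names, and `div_by_eb_unchecked` is a simplified stand-in for the `mtd_div_by_eb` helper named in the oops. It shows why a zero `erasesize` reaches the divide instruction and how an attach-time check of the kind the advisories describe as missing keeps it from being executed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified userspace model; struct and function names are illustrative. */
struct mtd_model {
    uint64_t size;            /* device size in bytes */
    uint32_t erasesize;       /* eraseblock size in bytes */
    uint32_t erasesize_shift; /* log2(erasesize) if a power of two, else 0 */
};

/* A shift is only usable for a non-zero power of two; 0 yields shift 0. */
static uint32_t shift_for(uint32_t es)
{
    return (es && !(es & (es - 1))) ? (uint32_t)__builtin_ctz(es) : 0;
}

/* Unchecked helper: with erasesize == 0 the shift is also 0, so control
 * falls through to the division and traps (SIGFPE in userspace). */
static uint64_t div_by_eb_unchecked(uint64_t sz, const struct mtd_model *mtd)
{
    if (mtd->erasesize_shift)
        return sz >> mtd->erasesize_shift;
    return sz / mtd->erasesize;
}

/* Hardened attach step: reject the device before any division happens. */
static int attach_checked(const struct mtd_model *mtd, uint64_t *peb_count)
{
    if (mtd->erasesize == 0)
        return -EINVAL;
    *peb_count = div_by_eb_unchecked(mtd->size, mtd);
    return 0;
}

static int try_attach(uint64_t size, uint32_t erasesize, uint64_t *peb_count)
{
    struct mtd_model mtd = { size, erasesize, shift_for(erasesize) };
    return attach_checked(&mtd, peb_count);
}

int main(void)
{
    uint64_t n = 0;
    /* Constructed geometries: power of two, non power of two, zero. */
    printf("%d %d %d\n", try_attach(128u << 20, 128u << 10, &n),
           try_attach(3000000, 1000, &n), try_attach(4096, 0, &n));
    return 0;
}
```
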
Related news
Ubuntu Security Notice 6572-1 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Bien Pham discovered that the netfilter subsystem in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6537-1 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Lucas Leong discovered that the netfilter subsystem in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker could use this to cause a denial of service or possibly expose sensitive information.
Ubuntu Security Notice 6532-1 - Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local attacker could use this to expose sensitive information. Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service.
Ubuntu Security Notice 6502-4 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service.
Ubuntu Security Notice 6496-2 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service.
Ubuntu Security Notice 6495-2 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Manfred Rudigier discovered that the Intel PCI-Express Gigabit Ethernet driver in the Linux kernel did not properly validate received frames that are larger than the set MTU size, leading to a buffer overflow vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6494-2 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Lucas Leong discovered that the netfilter subsystem in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker could use this to cause a denial of service or possibly expose sensitive information.
Ubuntu Security Notice 6502-2 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service.
Ubuntu Security Notice 6516-1 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao and Weiteng Chen discovered that the Bluetooth HCI UART driver in the Linux kernel contained a race condition, leading to a null pointer dereference vulnerability. A local attacker could use this to cause a denial of service.
Ubuntu Security Notice 6503-1 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Bien Pham discovered that the netfilter subsystem in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. A local user could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6502-1 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service.
Ubuntu Security Notice 6496-1 - Ivan D Barrera, Christopher Bednarz, Mustafa Ismail, and Shiraz Saleem discovered that the InfiniBand RDMA driver in the Linux kernel did not properly check for zero-length STAG or MR registration. A remote attacker could possibly use this to execute arbitrary code. Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service.
Ubuntu Security Notice 6495-1 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Manfred Rudigier discovered that the Intel PCI-Express Gigabit Ethernet driver in the Linux kernel did not properly validate received frames that are larger than the set MTU size, leading to a buffer overflow vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 6494-1 - Yu Hao discovered that the UBI driver in the Linux kernel did not properly check for MTD with zero erasesize during device attachment. A local privileged attacker could use this to cause a denial of service. Lucas Leong discovered that the netfilter subsystem in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker could use this to cause a denial of service or possibly expose sensitive information.