Android GKI kernels contain broken non-upstream Speculative Page Faults MM code that can lead to multiple use-after-free conditions.

    Android: GKI kernels contain broken non-upstream Speculative Page Faults MM codeA central recurring theme in Linux MM development is that contention on themmap lock can have a big negative performance impact on multithreaded workloads:If one thread is holding the mmap lock in exclusive mode for an extended amountof time, other threads will block as soon as they try to handle a page fault.Therefore there is a bunch of work to downgrade exclusive lock holders tonon-exclusive lock holders, shrink critical sections, and avoid holding the lockaltogether in some cases.One proposal to avoid holding the mmap lock in page fault handling are\"Speculative page faults (SPF)\"; here's a patch series from 2019 that had alreadygone through 11 rounds of review:<https://lore.kernel.org/lkml/20190416134522.17540-1-ldufour@linux.ibm.com/t/>This patch series didn't land at the time; but something along those lines mightland upstream in the next few years.But for some reason, Android decided that they need speculative page faultsimmediately, and merged the patches that were discussed on the upstream mailinglist into their GKI kernels. This is problematic for two reasons:A) The MM code is complicated and easy to get wrong.   If you run MM code that has not been through the fuzzing, testing and review   that committed upstream code gets, there's a higher chance of undiscovered   bugs.B) The SPF patches **change the rules** that MM code has to follow, so now   Android's version of MM has different rules than upstream MM.   This means that any patches in vaguely related parts of upstream MM need to   be checked by an Android engineer to see if they conflict with Android's   special rules.As far as I can tell, there are a bunch of memory safety bugs in the SPF versionthat is currently in AOSP's android13-5.10 branch (at commit 232bdcbd660b):1. handle_pte_fault() calls pmd_none() without protection against concurrent   page table deletion, leading to UAF read.2. do_anonymous_page() calls pte_alloc() without protection against concurrent   page table deletion, leading to UAF write.3. do_anonymous_page() calls pmd_trans_unstable() without protection against   concurrent page table deletion, leading to UAF read.4. do_swap_page() -> migration_entry_wait() -> __migration_entry_wait() operates   on a page table without protection against concurrent page table deletion,   leading to use-after-union-change read+write in struct page (on the page   table lock) and use-after-free read of a page table entry (resulting in bogus   page* calculation)5. do_wp_page() calls handle_userfault() without protection against concurrent   userfaultfd_release(), leading to UAF reads of some flags from   userfaultfd_ctx.   I think back when the SPF series was posted upstream, there might have been   sufficient protection against this (because ___handle_speculative_fault()   bails on VMAs with VM_UFFD_MISSING), but since then the WP userfaultfd   support was added, and ___handle_speculative_fault() doesn't bail on   VM_UFFD_WP. do_wp_page() also doesn't check the cached VMA flags, it uses   userfaultfd_pte_wp() which reads flags from the VMA.6. The way seqcounts are used to detect concurrent writers looks wrong.   The seqcount API requires that only one writer at a time can be in a   vm_write_begin() / vm_write_end() section, but these helpers are used in   codepaths that only hold the mmap lock in shared mode, so there can be   concurrent writers.   As far as I can tell, this means that when there are an even number of   concurrent writers, it will look as if there are no active writers.   This _probably_ doesn't have much security impact because all of the places   that do vm_write_begin() where concurrency would be an actual problem seem to   hold the mmap lock in exclusive mode?As an example, I tested issue 2. To reproduce this easily, I patched an extradelay into the kernel:```diff --git a/mm/memory.c b/mm/memory.cindex 83b715ed65775..35ce412d0a965 100644--- a/mm/memory.c+++ b/mm/memory.c@@ -84,6 +84,8 @@ #include <asm/tlb.h> #include <asm/tlbflush.h> +#include <linux/delay.h>+ #include \"pgalloc-track.h\" #include \"internal.h\" @@ -3819,6 +3821,12 @@ static vm_fault_t do_anonymous_page(struct vm_fault *vmf)        vm_fault_t ret = 0;        pte_t entry; +       if (strcmp(current->comm, \"SLOWME\") == 0 && (vmf->flags & FAULT_FLAG_SPECULATIVE)) {+               pr_warn(\"%s: BEGIN DELAY 0x%lx\\", __func__, vmf->address);+               mdelay(2000);+               pr_warn(\"%s: END DELAY 0x%lx\\", __func__, vmf->address);+       }+        /* File mapping without ->vm_ops ? */        if (vmf->vma_flags & VM_SHARED)                return VM_FAULT_SIGBUS;```Then, I ran this testcase on an x86 build with ASAN and CONFIG_PREEMPT:```#define _GNU_SOURCE#include <pthread.h>#include <err.h>#include <unistd.h>#include <sys/prctl.h>#include <sys/mman.h>// basic idea:// delete the 1G-covering page table while do_anonymous_page() is at its entry// point#define VMA_ADDR ((void*)0x40000000UL)#define VMA_SIZE (0x40000000UL)#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})static void *thread_fn(void *dummy) {  SYSCHK(prctl(PR_SET_NAME, \"SLOWME\"));  *(volatile char *)VMA_ADDR;  SYSCHK(prctl(PR_SET_NAME, \"spfthread\"));}int main(void) {  SYSCHK(mmap(VMA_ADDR, VMA_SIZE, PROT_READ|PROT_WRITE,                        MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0));  SYSCHK(madvise(VMA_ADDR, VMA_SIZE, MADV_NOHUGEPAGE));  // create anon_vma and page tables  *(volatile char *)(VMA_ADDR+0x1000) = 1;  pthread_t thread;  if (pthread_create(&thread, NULL, thread_fn, NULL))    errx(1, \"pthread_create\");  sleep(1);  munmap(VMA_ADDR, VMA_SIZE);  if (pthread_join(thread, NULL))    errx(1, \"pthread_join\");  return 0;}```This first results in a UAF read of a PTE:```do_anonymous_page: BEGIN DELAY 0x40000000do_anonymous_page: END DELAY 0x40000000==================================================================BUG: KASAN: use-after-free in handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687) Read of size 8 at addr ffff88800f358000 by task SLOWME/724CPU: 12 PID: 724 Comm: SLOWME Not tainted 5.10.107-00033-g232bdcbd660b-dirty #215Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014Call Trace:dump_stack_lvl (lib/dump_stack.c:120) [...]print_address_description.constprop.0 (mm/kasan/report.c:257) [...][...]kasan_report.cold (mm/kasan/report.c:444 mm/kasan/report.c:460) [...]handle_pte_fault (./arch/x86/include/asm/pgtable_types.h:394 ./arch/x86/include/asm/pgtable.h:823 mm/memory.c:3844 mm/memory.c:4687) [...]___handle_speculative_fault (./include/linux/memcontrol.h:686 mm/memory.c:5106) [...]__handle_speculative_fault (mm/memory.c:5148) [...]do_user_addr_fault (arch/x86/mm/fault.c:1320) [...]exc_page_fault (./arch/x86/include/asm/irqflags.h:157 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518) [...]asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:571) RIP: 0033:0x55d52bfe41fb```Then pte_alloc() tries to lock the page table entry:```BUG: KASAN: use-after-free in do_raw_spin_lock (kernel/locking/spinlock_debug.c:83 kernel/locking/spinlock_debug.c:112) Read of size 4 at addr ffff88801a730004 by task SLOWME/724```and after that, it will write into the freed page table.From a security perspective, my recommendation is to fix this by reverting thespeculative page fault patches out of the GKI trees, since I believe that sucha divergence from upstream semantics is not maintainable. Looking through thecommit history of the AOSP android13-5.10 kernel branch also shows that a seriesof bugs have already been discovered that were introduced by SPF:81a1ae6b4395a ANDROID: mm: unlock the page on speculative fault retry88e4dbaf592d8 ANDROID: Make MGLRU aware of speculative faults320ffbea77113 ANDROID: mm: Fix page table lookup in speculative fault path729a79f366e5e ANDROID: fix mmu_notifier race caused by not taking mmap_lock during SPFc3cbea92297d5 ANDROID: mm: avoid writing to read-only elementsdd3f538bf715c ANDROID: x86/mm: fix vm_area_struct leak in speculative pagefault handlingcf397c6c269ac ANDROID: mm: sync rss in speculative page fault path531f65ae67382 ANDROID: mm: Fix sleeping while atomic during speculative page faultThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-02-01.Please note that, according to our disclosure policy, if Project Zero discoversa variant of a previously reported Project Zero bug, technical details of thevariant will be added to the existing Project Zero report (which may be alreadypublic) and the report will not receive a new deadline.Project Zero will consider new race conditions where the SPF fault path accessespage tables or the VMA without sufficient locking variants of this issue.This includes issues that are introduced after this bug is reported.For more details, seehttps://googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html.Related CVE Number: CVE-2023-20937.Found by: jannh@google.com

Android GKI Kernels Contain Broken Non-Upstream Speculative Page Faults MM Code

In the Linux kernel 6.0.8, there is a use-after-free in ntfs_trim_fs in fs/ntfs3/bitmap.c.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/113c274067bc9c4c653a6dd09fb2e456  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :

\==================================================================  
BUG: KASAN: use-after-free in ntfs\_trim\_fs+0x84e/0x960  
Read of size 2 at addr ffff888104fea640 by task syz-executor.0/8081

CPU: 1 PID: 8081 Comm: syz-executor.0 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
ntfs\_trim\_fs+0x84e/0x960  
ntfs\_ioctl\_fitrim+0x23e/0x340  
ntfs\_ioctl+0x9c/0xd0  
\_\_x64\_sys\_ioctl+0x193/0x200  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7fac7f88eacd  
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48  
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fac805f9bf8 EFLAGS: 00000246 ORIG\_RAX: 0000000000000010  
RAX: ffffffffffffffda RBX: 00007fac7f9bbf80 RCX: 00007fac7f88eacd  
RDX: 0000000020000040 RSI: 00000000c0185879 RDI: 0000000000000003  
RBP: 00007fac7f8fcb05 R08: 0000000000000000 R09: 0000000000000000  
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000  
R13: 00007ffcb363e05f R14: 00007ffcb363e200 R15: 00007fac805f9d80  
</TASK>

Allocated by task 8074:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_kmalloc+0xa6/0xd0  
\_\_kmalloc+0x349/0xd40  
tomoyo\_encode2.part.0+0xec/0x3b0  
tomoyo\_encode+0x28/0x50  
tomoyo\_realpath\_from\_path+0x186/0x620  
tomoyo\_path\_perm+0x219/0x420  
security\_inode\_getattr+0xcf/0x140  
vfs\_getattr+0x22/0x60  
vfs\_fstat+0x49/0x90  
\_\_do\_sys\_newfstat+0x81/0x100  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 8074:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kfree+0x15e/0x540  
tomoyo\_path\_perm+0x240/0x420  
security\_inode\_getattr+0xcf/0x140  
vfs\_getattr+0x22/0x60  
vfs\_fstat+0x49/0x90  
\_\_do\_sys\_newfstat+0x81/0x100  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888104fea640  
which belongs to the cache kmalloc-32 of size 32  
The buggy address is located 0 bytes inside of  
32-byte region \[ffff888104fea640, ffff888104fea660)

The buggy address belongs to the physical page:  
page:ffffea000413fa80 refcount:1 mapcount:0 mapping:0000000000000000  
index:0xffff888104feafc1 pfn:0x104fea  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffffea00043f1b88 ffffea000414bec8 ffff888011840100  
raw: ffff888104feafc1 ffff888104fea000 000000010000003d 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2420c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE),  
pid 6509, tgid 6509 (syz-executor.3), ts 50269499850, free\_ts  
50269456139  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_node\_trace+0xbe2/0xd40  
\_\_kmalloc\_node+0x38/0x60  
\_\_vmalloc\_node\_range+0x3d3/0x1320  
vzalloc+0x67/0x80  
alloc\_counters.isra.0+0x5d/0x6f0  
do\_ipt\_get\_ctl+0x5de/0x980  
nf\_getsockopt+0x72/0xd0  
ip\_getsockopt+0x164/0x1c0  
tcp\_getsockopt+0x86/0xd0  
\_\_sys\_getsockopt+0x216/0x690  
\_\_x64\_sys\_getsockopt+0xba/0x150  
do\_syscall\_64+0x35/0xb0  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
\_\_vunmap+0x6ff/0xaa0  
\_\_vfree+0x3c/0xd0  
vfree+0x5a/0x90  
do\_ipt\_get\_ctl+0x7b2/0x980  
nf\_getsockopt+0x72/0xd0  
ip\_getsockopt+0x164/0x1c0  
tcp\_getsockopt+0x86/0xd0  
\_\_sys\_getsockopt+0x216/0x690  
\_\_x64\_sys\_getsockopt+0xba/0x150  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:  
ffff888104fea500: fa fb fb fb fc fc fc fc 02 fc fc fc fc fc fc fc  
ffff888104fea580: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
\>ffff888104fea600: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
^  
ffff888104fea680: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
ffff888104fea700: fa fb fb fb fc fc fc fc fa fb fb fb fc fc fc fc  
\==================================================================

CVE-2023-26606: LKML: Palash Oswal: KASAN: use-after-free Read in ntfs_trim_fs

In the Linux kernel 6.0.8, there is an out-of-bounds read in ntfs_attr_find in fs/ntfs/attrib.c.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/cb298c137f3dbfb95a609671a61103fb  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

I found a related discussion in the past about a similar bug here :  
https://groups.google.com/g/syzkaller-bugs/c/BFLa1ZwXyG0/m/UIh6Pl2GBAAJ

Console log :

loop3: detected capacity change from 0 to 4096  
\==================================================================  
BUG: KASAN: slab-out-of-bounds in ntfs\_attr\_find+0xb87/0xce0  
Read of size 2 at addr ffff888106fc30ab by task syz-executor.3/11599

CPU: 0 PID: 11599 Comm: syz-executor.3 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
ntfs\_attr\_find+0xb87/0xce0  
ntfs\_attr\_lookup+0x1051/0x2040  
ntfs\_read\_locked\_inode+0xb0c/0x5ab0  
ntfs\_iget+0x12d/0x180  
ntfs\_fill\_super+0x1ed0/0x8590  
mount\_bdev+0x34d/0x410  
legacy\_get\_tree+0x105/0x220  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7f0e85e9146e  
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f  
84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007f0e849fda08 EFLAGS: 00000206 ORIG\_RAX: 00000000000000a5  
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007f0e85e9146e  
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007f0e849fda60  
RBP: 00007f0e849fdaa0 R08: 00007f0e849fdaa0 R09: 0000000020000000  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000  
R13: 0000000020000100 R14: 00007f0e849fda60 R15: 0000000020000040  
</TASK>

Allocated by task 1:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_slab\_alloc+0x85/0xb0  
kmem\_cache\_alloc+0x204/0xcc0  
\_\_kernfs\_new\_node+0xd4/0x8b0  
kernfs\_new\_node+0x93/0x120  
\_\_kernfs\_create\_file+0x51/0x350  
sysfs\_add\_file\_mode\_ns+0x20f/0x3f0  
internal\_create\_group+0x314/0xba0  
internal\_create\_groups.part.0+0x90/0x140  
sysfs\_create\_groups+0x25/0x50  
kobject\_add\_internal+0x318/0x8f0  
kobject\_init\_and\_add+0x101/0x160  
netdev\_queue\_update\_kobjects+0x1fe/0x4e0  
netdev\_register\_kobject+0x333/0x400  
register\_netdevice+0xbe9/0x1390  
bond\_create+0xb4/0x120  
bonding\_init+0x9f/0x114  
do\_one\_initcall+0xfe/0x650  
kernel\_init\_freeable+0x6c3/0x74c  
kernel\_init+0x1a/0x1d0  
ret\_from\_fork+0x1f/0x30

The buggy address belongs to the object at ffff888106fc3000  
which belongs to the cache kernfs\_node\_cache of size 168  
The buggy address is located 3 bytes to the right of  
168-byte region \[ffff888106fc3000, ffff888106fc30a8)

The buggy address belongs to the physical page:  
page:ffffea00041bf0c0 refcount:1 mapcount:0 mapping:0000000000000000  
index:0x0 pfn:0x106fc3  
flags: 0x57ff00000000200(slab|node=1|zone=2|lastcpupid=0x7ff)  
raw: 057ff00000000200 ffffea00041bc848 ffffea00041a9fc8 ffff88810006f200  
raw: 0000000000000000 ffff888106fc3000 0000000100000011 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2420c0(\_\_GFP\_IO|\_\_GFP\_FS|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE),  
pid 1, tgid 1 (swapper/0), ts 8385653965, free\_ts 0  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc+0xb69/0xcc0  
\_\_kernfs\_new\_node+0xd4/0x8b0  
kernfs\_new\_node+0x93/0x120  
kernfs\_create\_dir\_ns+0x48/0x150  
sysfs\_create\_dir\_ns+0x127/0x290  
kobject\_add\_internal+0x2c9/0x8f0  
kobject\_init\_and\_add+0x101/0x160  
net\_rx\_queue\_update\_kobjects+0x264/0x510  
netdev\_register\_kobject+0x278/0x400  
register\_netdevice+0xbe9/0x1390  
bond\_create+0xb4/0x120  
bonding\_init+0x9f/0x114  
page\_owner free stack trace missing

Memory state around the buggy address:  
ffff888106fc2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff888106fc3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\>ffff888106fc3080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00  
^  
ffff888106fc3100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
ffff888106fc3180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00  
\==================================================================

CVE-2023-26607: LKML: Palash Oswal: KASAN: slab-out-of-bounds Read in ntfs_attr_find

In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_move_to_attached in fs/fs-writeback.c, related to __list_del_entry_valid.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b04  
8cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/bed0eba75def3cdd34a285428e9bcdc4  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :

\==================================================================  
BUG: KASAN: use-after-free in \_\_list\_del\_entry\_valid+0xf2/0x110  
Read of size 8 at addr ffff8880273c4358 by task syz-executor.1/6475

CPU: 0 PID: 6475 Comm: syz-executor.1 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
\_\_list\_del\_entry\_valid+0xf2/0x110  
inode\_cgwb\_move\_to\_attached+0x2ee/0x4e0  
writeback\_single\_inode+0x3fa/0x510  
write\_inode\_now+0x16a/0x1e0  
blkdev\_flush\_mapping+0x168/0x220  
blkdev\_put\_whole+0xd1/0xf0  
blkdev\_put+0x29b/0x700  
deactivate\_locked\_super+0x8c/0xf0  
deactivate\_super+0xad/0xd0  
cleanup\_mnt+0x347/0x4b0  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7f22bd29143b  
Code: ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 90 f3 0f 1e fa 31 f6  
e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 a6 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007ffe505103b8 EFLAGS: 00000246 ORIG\_RAX: 00000000000000a6  
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f22bd29143b  
RDX: 00007f22bd228a90 RSI: 000000000000000a RDI: 00007ffe50510480  
RBP: 00007ffe50510480 R08: 00007f22bd2fba1f R09: 00007ffe50510240  
R10: 00000000fffffffb R11: 0000000000000246 R12: 00007f22bd2fb9f8  
R13: 00007ffe50511520 R14: 0000555556f4bd90 R15: 0000000000000032  
</TASK>

Allocated by task 7810:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_slab\_alloc+0x85/0xb0  
kmem\_cache\_alloc\_lru+0x25b/0xfb0  
fat\_alloc\_inode+0x23/0x1e0  
alloc\_inode+0x61/0x1e0  
new\_inode\_pseudo+0x13/0x80  
new\_inode+0x1b/0x40  
fat\_build\_inode+0x146/0x2d0  
vfat\_create+0x249/0x390  
lookup\_open+0x10bc/0x1640  
path\_openat+0xa42/0x2840  
do\_filp\_open+0x1ca/0x2a0  
do\_sys\_openat2+0x61b/0x990  
do\_sys\_open+0xc3/0x140  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 16:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kmem\_cache\_free.part.0+0xfc/0x4a0  
i\_callback+0x3f/0x70  
rcu\_core+0x785/0x1720  
\_\_do\_softirq+0x1d0/0x908

Last potentially related work creation:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_record\_aux\_stack+0x7e/0x90  
call\_rcu+0x99/0x740  
destroy\_inode+0x129/0x1b0  
iput.part.0+0x5cd/0x800  
iput+0x58/0x70  
dentry\_unlink\_inode+0x2e2/0x4a0  
\_\_dentry\_kill+0x374/0x5e0  
dput+0x656/0xbe0  
\_\_fput+0x3cc/0xa90  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff8880273c4080  
which belongs to the cache fat\_inode\_cache of size 1488  
The buggy address is located 728 bytes inside of  
1488-byte region \[ffff8880273c4080, ffff8880273c4650)

The buggy address belongs to the physical page:  
page:ffffea00009cf100 refcount:1 mapcount:0 mapping:0000000000000000  
index:0xffff8880273c4ffe pfn:0x273c4  
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)  
raw: 00fff00000000200 ffffea00009cf0c8 ffff88801820e450 ffff888103e00e00  
raw: ffff8880273c4ffe ffff8880273c4080 0000000100000002 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Reclaimable, gfp\_mask  
0x242050(\_\_GFP\_IO|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_THISNODE|\_\_GFP\_RECLAIMABLE),  
pid 7810, tgid 7808 (syz-executor.1), ts 50543388569, free\_ts  
21285403579  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_lru+0xe72/0xfb0  
fat\_alloc\_inode+0x23/0x1e0  
alloc\_inode+0x61/0x1e0  
new\_inode\_pseudo+0x13/0x80  
new\_inode+0x1b/0x40  
fat\_fill\_super+0x1c37/0x3710  
mount\_bdev+0x34d/0x410  
legacy\_get\_tree+0x105/0x220  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
slab\_destroy+0x14/0x50  
slabs\_destroy+0x6a/0x90  
\_\_\_cache\_free+0x1e3/0x3b0  
qlist\_free\_all+0x51/0x1c0  
kasan\_quarantine\_reduce+0x13d/0x180  
\_\_kasan\_slab\_alloc+0x97/0xb0  
kmem\_cache\_alloc+0x204/0xcc0  
getname\_flags+0xd2/0x5b0  
vfs\_fstatat+0x73/0xb0  
\_\_do\_sys\_newlstat+0x8b/0x110  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:  
ffff8880273c4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff8880273c4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\>ffff8880273c4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
^  
ffff8880273c4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff8880273c4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\==================================================================

CVE-2023-26605: LKML: Palash Oswal: KASAN: use-after-free Read in inode_cgwb_move_to_attached

In the Linux kernel before 6.1.13, there is a double free in net/mpls/af_mpls.c upon an allocation failure (for registering the sysctl table under a new location) during the renaming of a device.

CVE-2023-26545

In the Linux kernel 6.0.8, there is a use-after-free in run_unpack in fs/ntfs3/run.c, related to a difference between NTFS sector size and media sector size.

Hello,  
I found the following issue using syzkaller on:  
HEAD commit : e60276b8c11ab4a8be23807bc67b048cfb937dfa (v6.0.8)  
git tree: stable

C Reproducer : https://gist.github.com/oswalpalash/76ca8fcd92332c75a0a7efaa26269c42  
Kernel .config :  
https://gist.github.com/oswalpalash/0962c70d774e5ec736a047bba917cecb

Console log :  
loop0: detected capacity change from 0 to 4096  
ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)  
\==================================================================  
BUG: KASAN: use-after-free in run\_unpack+0x89a/0x940  
Read of size 1 at addr ffff888024b21900 by task syz-executor.0/16961

CPU: 0 PID: 16961 Comm: syz-executor.0 Not tainted 6.0.8-pasta #2  
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS  
1.13.0-1ubuntu1.1 04/01/2014  
Call Trace:  
<TASK>  
dump\_stack\_lvl+0xcd/0x134  
print\_report.cold+0xe5/0x63a  
kasan\_report+0x8a/0x1b0  
run\_unpack+0x89a/0x940  
run\_unpack\_ex+0xb8/0x620  
ntfs\_iget5+0xc18/0x3270  
ntfs\_fill\_super+0x27de/0x3d30  
get\_tree\_bdev+0x440/0x760  
vfs\_get\_tree+0x89/0x2f0  
path\_mount+0x121b/0x1cb0  
do\_mount+0xf3/0x110  
\_\_x64\_sys\_mount+0x18f/0x230  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd  
RIP: 0033:0x7fcf8309146e  
Code: 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f  
84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d  
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48  
RSP: 002b:00007fcf83dc4a08 EFLAGS: 00000206 ORIG\_RAX: 00000000000000a5  
RAX: ffffffffffffffda RBX: 0000000020000200 RCX: 00007fcf8309146e  
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007fcf83dc4a60  
RBP: 00007fcf83dc4aa0 R08: 00007fcf83dc4aa0 R09: 0000000020000000  
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000020000000  
R13: 0000000020000100 R14: 00007fcf83dc4a60 R15: 0000000020002a00  
</TASK>

Allocated by task 6460:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_kmalloc+0xa6/0xd0  
kmalloc\_reserve+0x32/0xd0  
\_\_alloc\_skb+0x11a/0x320  
tcp\_stream\_alloc\_skb+0x38/0x550  
tcp\_sendmsg\_locked+0xc44/0x2fd0  
tcp\_sendmsg+0x2b/0x40  
inet\_sendmsg+0x99/0xe0  
sock\_sendmsg+0xc3/0x120  
sock\_write\_iter+0x291/0x3d0  
vfs\_write+0x9ca/0xd90  
ksys\_write+0x1e8/0x250  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 6460:  
kasan\_save\_stack+0x1e/0x40  
kasan\_set\_track+0x21/0x30  
kasan\_set\_free\_info+0x20/0x30  
\_\_kasan\_slab\_free+0xf5/0x180  
kfree+0x15e/0x540  
skb\_free\_head+0xac/0x110  
skb\_release\_data+0x56f/0x850  
skb\_release\_all+0x46/0x60  
\_\_kfree\_skb+0x11/0x20  
tcp\_ack+0x1e54/0x5af0  
tcp\_rcv\_established+0x14b5/0x2130  
tcp\_v4\_do\_rcv+0x701/0xd00  
\_\_release\_sock+0x12f/0x3a0  
release\_sock+0x54/0x1b0  
tcp\_sendmsg+0x36/0x40  
inet\_sendmsg+0x99/0xe0  
sock\_sendmsg+0xc3/0x120  
sock\_write\_iter+0x291/0x3d0  
vfs\_write+0x9ca/0xd90  
ksys\_write+0x1e8/0x250  
do\_syscall\_64+0x35/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Last potentially related work creation:  
kasan\_save\_stack+0x1e/0x40  
\_\_kasan\_record\_aux\_stack+0x7e/0x90  
call\_rcu+0x99/0x740  
xfrm\_policy\_kill+0x120/0x250  
xfrm\_policy\_delete+0x65/0x90  
sk\_common\_release+0x24e/0x330  
inet\_release+0x12e/0x270  
\_\_sock\_release+0xcd/0x280  
sock\_close+0x18/0x20  
\_\_fput+0x27c/0xa90  
task\_work\_run+0xe0/0x1a0  
exit\_to\_user\_mode\_prepare+0x25d/0x270  
syscall\_exit\_to\_user\_mode+0x19/0x50  
do\_syscall\_64+0x42/0xb0  
entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888024b21800  
which belongs to the cache kmalloc-1k of size 1024  
The buggy address is located 256 bytes inside of  
1024-byte region \[ffff888024b21800, ffff888024b21c00)

The buggy address belongs to the physical page:  
page:ffffea000092c840 refcount:1 mapcount:0 mapping:0000000000000000  
index:0x0 pfn:0x24b21  
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)  
raw: 00fff00000000200 ffffea0000a00188 ffffea000077b9c8 ffff888011840700  
raw: 0000000000000000 ffff888024b21000 0000000100000002 0000000000000000  
page dumped because: kasan: bad access detected  
page\_owner tracks the page as allocated  
page last allocated via order 0, migratetype Unmovable, gfp\_mask  
0x2c2220(\_\_GFP\_HIGH|\_\_GFP\_ATOMIC|\_\_GFP\_NOWARN|\_\_GFP\_COMP|\_\_GFP\_NOMEMALLOC|\_\_GFP\_THISNODE),  
pid 16, tgid 16 (ksoftirqd/0), ts 86734280820, free\_ts 86664849571  
prep\_new\_page+0x2c6/0x350  
get\_page\_from\_freelist+0xae9/0x3a80  
\_\_alloc\_pages+0x321/0x710  
cache\_grow\_begin+0x75/0x360  
kmem\_cache\_alloc\_node\_trace+0xbe2/0xd40  
\_\_kmalloc\_node\_track\_caller+0x38/0x60  
kmalloc\_reserve+0x32/0xd0  
\_\_alloc\_skb+0x11a/0x320  
tcp\_stream\_alloc\_skb+0x38/0x550  
tcp\_write\_xmit+0x1c72/0x6170  
\_\_tcp\_push\_pending\_frames+0xaa/0x380  
tcp\_rcv\_established+0x9d5/0x2130  
tcp\_v4\_do\_rcv+0x701/0xd00  
tcp\_v4\_rcv+0x3cf0/0x3f70  
ip\_protocol\_deliver\_rcu+0x9b/0x7c0  
ip\_local\_deliver\_finish+0x2fb/0x4e0  
page last free stack trace:  
free\_pcp\_prepare+0x5ab/0xd00  
free\_unref\_page+0x19/0x410  
slab\_destroy+0x14/0x50  
drain\_freelist+0x9c/0xe0  
cache\_reap+0x1b9/0x2f0  
process\_one\_work+0x9c7/0x1650  
worker\_thread+0x623/0x1070  
kthread+0x2e9/0x3a0  
ret\_from\_fork+0x1f/0x30

Memory state around the buggy address:  
ffff888024b21800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff888024b21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\>ffff888024b21900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
^  
ffff888024b21980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
ffff888024b21a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb  
\==================================================================

CVE-2023-26544: LKML: Palash Oswal: KASAN: use-after-free Read in run_unpack

Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2023.1 IPU - Intel® Xeon® Processor Advisory**

**Summary: **

A potential security vulnerability in some Intel® Xeon® Processors with Intel® Software Guard Extensions (SGX) may allow escalation of privilege.  Intel is releasing firmware updates to mitigate this potential vulnerability.  
 

**Vulnerability Details:**

CVEID: CVE-2022-33196

Description: Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access. 

CVSS Base Score:  7.2 High

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N  
 

**Affected Products:**

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

3rd Gen Intel® Xeon® Scalable Processor family

Server

606A6

0x87

Intel® Xeon® D Processors

Server

606C1

01

**Recommendations:  
**

Intel is releasing BIOS and microcode updates for the affected processors.

For the mitigation to be effective for Intel® SGX enabled systems, Intel recommends updating the microcode patch located in platform flash designated by firmware interface table (FIT) entry type1.

Details on the microcode loading points can be found at:

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html

When the microcode update is applied via the FIT table the BIOS must also be updated.  If the BIOS is not updated to the latest version with the microcode update when Intel® SGX is enabled, the system will hang. Loading this microcode update via the operating system is acceptable but will not provide the mitigation for this Intel® SGX issue.

For non Intel® (SGX) systems the microcode patch can be OS loaded.

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode: 

GitHub\*: Public Github: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files

This CVE requires a Microcode Security Version Number (SVN) update. To address this vulnerability, a SGX TCB recovery is planned, refer here for more information on the SGX TCB recovery process.

**Acknowledgements:**

This issue was found internally by Intel employees in collaboration with external researchers from Google.

Intel would like to thank Cfir Cohen, Erdem Aktas, Felix Wilhelm, James Forshaw and Josh Eads from Google.

Intel would like to thank Nagaraju Kodalapura Nagabhushana Rao, Przemyslaw Duda, Liron Shacham and Ron Anderson from Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

1.1

02/15/2023

Updated Recommendations

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-33196: INTEL-SA-00738

Improper initialization in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2023.1 IPU - BIOS Advisory**

**Summary: **

Potential security vulnerabilities in the BIOS firmware and Intel® Trusted Execution Technology (TXT) Secure Initialization (SINIT) Authenticated Code Modules (ACM) for some Intel® Processors may allow escalation of privilege.  Intel is releasing BIOS updates to mitigate these potential vulnerabilities.  
 

**Vulnerability Details:**

CVEID: CVE-2022-26343

Description: Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-30539

Description: Use after free in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-32231

Description: Improper initialization in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-26837

Description: Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-30704  

Description: Improper initialization in the Intel(R) TXT SINIT ACM for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2021-0187  

Description: Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 3.2 Low

**Affected Products:**

CVE-2022-26343

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

2nd Generation Intel® Xeon® Scalable Processors

Server,

Workstation

50656

50657

BF

Intel® Xeon® D processor family

Server

50654

B7

Intel® Xeon® Platinum P-8124, P-8136 processors

Server

50653

97

Intel® Xeon® Scalable processor family

Server

50654

B7

Intel® Xeon® D processor 1500 series

Server

50665

10

Intel® Xeon® D processor 1500 series

Server

50663

50664

10

10

CVE-2022-30539  

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

3rd Generation Intel® Xeon ®Scalable Processor Family

Server

5065B

BF

CVE-2022-26837

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

3rd Gen Intel® Xeon® Scalable processor

Server

606A6

87

3rd Gen Intel® Xeon® Scalable processor

Server

5065B

TBD

Intel® Xeon® E processor family

Workstation

906EA

906ED

22

Intel® Xeon® E processor family

Server,

Workstation

906E9

2A

11th Gen Intel® Core™ processor

Intel® Xeon® W processor

Server, Workstation

A0671

02

CVE-2021-0187

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

3rd Gen Intel® Xeon® Scalable processor

Server

606A6

87

CVE-2022-32231

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

Intel® Xeon® Scalable Processor Family

Server

50654

B7

3rd Generation Intel® Xeon ®Scalable Processor Family

Server

5065B

BF

2nd Generation Intel® Xeon® Scalable Processors

Server

50657

BF

3rd Gen Intel® Xeon® Scalable processor

Server

606A6

87

Intel® Xeon® Scalable processor family

Server

50653

50654

97

B7

CVE-2022-30704

**Product Collection**

**Vertical Segment**

**CPU ID**

**Platform ID**

11th Generation Intel® Core Processor Family

Mobile

806D1

806C1

806C2

C2

80

12th Generation Intel® Core™ Processor Family

Intel® Pentium® Gold Processor Family

Intel® Celeron® Processor Family

Desktop

Mobile

90672

90675

906A3

906A4

01

11th Generation Intel® Core™ Processor Family

10th Generation Intel® Core™ Processor Family

Intel® Xeon® E-2300 processor family

Intel® Xeon® W processor family

Desktop

Server

Workstation

A0671

A0653

01

**Recommendations:**

Intel recommends that users of listed Intel® Processors update to the latest versions provided

by the system manufacturer that addresses these issues.  
 

**Acknowledgements:**

Intel would like to thank Dmitry Frolov (CVE-2022-26837), Yngweijw (Jiawei Yin) (CVE-2022-30539) for reporting these issues.

The following issues were found internally by Intel employees; CVE-2022-26343, CVE-2022-32231, CVE-2021-0187 and CVE-2022-30704.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/14/2023

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-32231: INTEL-SA-00717

Stack overflow vulnerability in Aspire E5-475G 's BIOS firmware, in the FpGui module, a second call to GetVariable services allows local attackers to execute arbitrary code in the UEFI DXE phase and gain escalated privileges.

**

KARNEVAALITARJOUS

JOPA -30 %

**

SÄÄSTÄ

**Acerin kansainvälinen lehdistötilaisuus 2023**

Katso kooste

**Make Your Green Mark**

Tutustu ympäristöystävälliseen Acer Vero -valikoimaan

Explore

**Selaa suosittuja kategorioita**

*   **Kannettavat**
    
*   **Pöytätietokoneet**
    
*   **Näytöt**
    
*   **Projektorit**
    
*   **Chromebookit**
    
*   **Lisävarusteet**
    

*   **Parhaat tarjoukset**
    
    Tutustu Acerin virallisen verkkokaupan erikoistarjouksiin. Säästä rahaa ja hanki parasta tekniikkaa.
    
    Osta nyt
    
*   **YRITYSKUUKAUSI**
    
    10 % ALENNUSTA KAIKISTA TUOTTEISTA
    
    SÄÄSTÄ
    

*   **Windows 11**
    
    Esittelyssä Windows 11
    
    Lisätietoja
    
*   **Project Humanity**
    
    Sosiaalisen vaikutuksen laajentaminen
    
    Lisätietoja
    
*   **Acer Vero**
    
    Vihreät tietokonetuotteet
    
    Lisätietoja
    
*   **Acerin antimikrobiset ratkaisut**
    
    Nykyaikaista suojausta
    
    Lisätietoja

CVE-2022-40080: Acerin kannettavat, pöytäkoneet, Chromebookit, monitorit ja projektorit | Acer Suomi

Red Hat Security Advisory 2023-0698-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.52.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.10.52 security update  
Advisory ID:       RHSA-2023:0698-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0698  
Issue date:        2023-02-15  
CVE Names:         CVE-2022-1471 CVE-2022-3064 CVE-2022-23521  
                   CVE-2022-34174 CVE-2022-38023 CVE-2022-41903  
                   CVE-2022-47629  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.10.52 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.10.52. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:0697

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

Security Fix(es):

* go-yaml: Improve heuristics preventing CPU/memory abuse by parsing  
malicious or large YAML documents (CVE-2022-3064)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* [4.10] Prevent redundant queries of BIOS settings in  
HostFirmwareController (BZ#2061794)

* ovn-nbctl.log is never rotated (BZ#2072601)

* [4.10] APIRemovedInNextEUSReleaseInUse alert for OVN poddisruptionbudgets  
(BZ#2092193)

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:b13ee67469f7f85a1b1daf57424f3c7c02c3a188cb640dc6284742091a7e6d50

(For s390x architecture)  
The image digest is  
sha256:4c776be05c475ee885829444509258b486d79d8128e12d6d2263ab7cdef83ce8

(For ppc64le architecture)  
The image digest is  
sha256:2d4e0af6ca2afc8c10d210aa520aba602618f3fad4cb42636bddb57b1f0ce425

(For aarch64 architecture)  
The image digest is  
sha256:7cadaaf6e0f71645864963e6c47c75852ce68aff80c963dfba2ddf51c0b836c4

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2061794 - [4.10] Prevent redundant queries of BIOS settings in HostFirmwareController  
2072601 - ovn-nbctl.log is never rotated  
2092193 - [4.10] APIRemovedInNextEUSReleaseInUse alert for OVN poddisruptionbudgets  
2163037 - CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-2106 - intra namespace allow network policy doesn't work after applying ingress&egress deny all network policy  
OCPBUGS-2614 - e2e-gcp-builds is permafailing  
OCPBUGS-2982 - [release-4.10] Update blueocean-autofavorite to 1.2.5  
OCPBUGS-3615 - [4.10] [perf/scale] libovsdb builds transaction logs but throws them away  
OCPBUGS-4095 - Various Jenkins CVEs for October 2022 [openshift-4.10.z]  
OCPBUGS-4578 - Origin tests for bonds - 4.10 backport  
OCPBUGS-4882 - [2117255] Failed to dump flows for flow sync, stderr: "ovs-ofctl: br-ext is not a bridge or a socket"  
OCPBUGS-5077 - Service spec value `externalTrafficPolicy` does not trigger rules update in ovnkube-node pod handlers on edit  
OCPBUGS-5296 - Developer Topology always blanks with large contents when first rendering  
OCPBUGS-5961 - Add support for API version v1beta1 for knativeServing and knativeEventing  
OCPBUGS-6690 - OLM details page crashes on incomplete ClusterServiceVersion resource  
OCPBUGS-6702 - The MCO can generate a rendered config with old KubeletConfig contents, blocking upgrades  
OCPBUGS-6754 - Topology gets stuck loading  
OCPBUGS-6886 - [4.10] boot sequence override request fails with Base.1.8.PropertyNotWritable on Lenovo SE450  
OCPBUGS-6930 - hack/check-plugins-supply-chain-change.sh is not executable  
OCPBUGS-7052 - Sync jenkins-version.txt, base-plugins.txt and bundle-plugins.txt from master branch

6. References:

https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/cve/CVE-2022-3064  
https://access.redhat.com/security/cve/CVE-2022-23521  
https://access.redhat.com/security/cve/CVE-2022-34174  
https://access.redhat.com/security/cve/CVE-2022-38023  
https://access.redhat.com/security/cve/CVE-2022-41903  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+0kZ9zjgjWX9erEAQjaJxAAqF+IAiwuWfRcYGBXUwA/K3P+44YgTiVo  
xISaecxqI5ybSvMPCzFHftDSntW6nhIUFpSC2xIsvzsEIEvT8TFR09NAtGv57kzK  
8nbqNMc+orQhRYe8qNE/kadzQOEpDuM/Ni72anrFDoD7/oFMkoLur1TtBhYG067J  
AyCiSMYF3IA2K9hPapoa9DmjAF+K6XKHrlP4pmdT3bw152BCfQ0K/wb/4tDGUgym  
TH6r7dK3MkKJY+hkx4Rf8O8wRyodMID5tuLeQl9zhsOPHVE+S1T8fWzRkHYMpx1T  
p9IL8mXJs6f5hDR+ZyRr6tLlA36Glaqbpk1sfij96USYC8n7AtOtwY092SmHz3GO  
+OEwiL5Vnk6VgQIxweZ5SZgLUXsTkUYelXFeLUG2TRqw24kjMUqOpql1S/Ps/R6n  
zlnaA2wD+fjYpTv72XKMiaHxsuY36Ys+RWnxOXGDKBrn9yYerwV9iAqKFv3MumkA  
LIXGqkXigGEeNFiaxDPyoeCWW4UxFnGTv1J4JDfRHLIuUNU6ETe/a4Lwy4niaF6m  
Wqd7GqzHcrI/XTMoQyT1VwbKVYLl80F/mEDbxsxXep8Bxck5UbYjm8ta0U5zDxIB  
v3RYCBXm8egt1Y2En6Ul6X4ZM+ePFDlde87cn3wANF6WfikehXenLXwnQBXOebT4  
7rSPY9B2p+A=wyNJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#bios