Bug 2119048 (CVE-2022-2873)

Summary: CVE-2022-2873 kernel: an out-of-bounds vulnerability in i2c-ismt driver
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, brdeoliv, bskeggs, carnil, chwhite, crwood, darcari, ddepaula, debarbos, dvlasenk, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lleshchi, lzampier, masami256, mcascell, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, security-response-team, steved, tyberry, vkumar, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Linux kernel 5.19-rc8
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory access flaw was found in the Linux kernel's Intel iSMT SMBus host controller driver in the way a user triggers I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.
Story Points: ---
Last Closed: 2023-05-16 19:13:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2119065, 2119066, 2119067, 2119068, 2119381, 2154388, 2154429, 2154859, 2162681, 2183134, 2183135
Bug Blocks: 2112753

Description Alex 2022-08-17 11:14:08 UTC
An out-of-bounds memory access flaw was found in the Intel iSMT SMBus host controller driver.
If a local user triggers I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with some malicious input data, it can lead to a system crash.
The problem is located in the ismt_access() function of drivers/i2c/busses/i2c-ismt.c.

Comment 4 Alex 2022-08-18 13:44:33 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2119381]

Comment 7 Alex 2022-08-21 07:51:09 UTC
Need to publish CVE

Comment 8 Alex 2022-08-21 07:52:02 UTC
Published CVE.

Comment 10 Justin M. Forbes 2022-08-23 12:42:05 UTC
This was fixed for Fedora with the 5.17.13 stable kernel updates.

Comment 15 Mauro Matteo Cascella 2022-09-01 15:02:26 UTC
*** Bug 2123309 has been marked as a duplicate of this bug. ***

Comment 19 Salvatore Bonaccorso 2022-09-09 21:04:47 UTC
Note according to https://bugzilla.redhat.com/show_bug.cgi?id=2123309#c7 this does not yet seem to be addressed upstream, https://lore.kernel.org/lkml/20220729093451.551672-1-zheyuma97@gmail.com/T/ has not been applied at time of this writing.

Comment 20 Alex 2022-09-11 16:42:34 UTC
In reply to comment #19:
> Note according to https://bugzilla.redhat.com/show_bug.cgi?id=2123309#c7
> this does not yet seem to be addressed upstream,
> https://lore.kernel.org/lkml/20220729093451.551672-1-zheyuma97@gmail.com/T/
> has not been applied at time of this writing.

No, I've just checked
https://elixir.bootlin.com/linux/v5.19-rc8/source/drivers/i2c/busses/i2c-ismt.c
and the patch is there:

static int ismt_access(struct i2c_adapter *adap, u16 addr,
...
	case I2C_SMBUS_I2C_BLOCK_DATA:
		/* Make sure the length is valid */
		if (data->block[0] < 1)
			data->block[0] = 1;

		if (data->block[0] > I2C_SMBUS_BLOCK_MAX)
			data->block[0] = I2C_SMBUS_BLOCK_MAX;

		if (read_write == I2C_SMBUS_WRITE) {
			/* i2c Block Write */
...

The only difference is that instead of
"
+			if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
+				return -EINVAL;
+
" (as in https://lore.kernel.org/lkml/20220729093451.551672-1-zheyuma97@gmail.com/T/ ),

they applied:
		if (data->block[0] < 1)
			data->block[0] = 1;

		if (data->block[0] > I2C_SMBUS_BLOCK_MAX)
			data->block[0] = I2C_SMBUS_BLOCK_MAX;


They applied it to v5.19-rc8
(and I don't see it yet in v5.19-rc7).
However, you are right that for
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/i2c/busses/i2c-ismt.c?h=v5.19.8
I don't see it now.
I think they reverted that patch and instead applied this one:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/i2c/busses/i2c-ismt.c?h=v6.0-rc4&id=690b2549b19563ec5ad53e5c82f6a944d910086e
(at least to v6.0-rc4).

I didn't check this again, but from what I remember from Wed 17 Aug 2022 (when I did the analysis of this), both of these two patches are actually required.
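
The two validations compared in the comment above, modelled in an added C example that is neither kernel code nor part of this bug report: a constructed SMBus block buffer is run through the v5.19-rc8 clamp and the lore patch's -EINVAL rejection before its payload is copied into a fixed-size buffer. The struct names, block_write() and try_write() are hypothetical stand-ins for the driver's data path; only I2C_SMBUS_BLOCK_MAX and the two checks come from the kernel sources quoted above.

```c
/* Added example (not kernel code): models the two validations of
 * data->block[0] in ismt_access() on a constructed SMBus block buffer. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define I2C_SMBUS_BLOCK_MAX 32   /* value from include/uapi/linux/i2c.h */

/* Mirrors the block member of union i2c_smbus_data: block[0] is the
 * caller-supplied length, block[1..] the payload. */
struct smbus_block { uint8_t block[I2C_SMBUS_BLOCK_MAX + 2]; };
/* Hypothetical stand-in for the driver's fixed-size transfer buffer. */
struct xfer_buf { uint8_t data[I2C_SMBUS_BLOCK_MAX]; };

/* v5.19-rc8 style: clamp the length into [1, I2C_SMBUS_BLOCK_MAX]. */
static int validate_clamp(struct smbus_block *d)
{
	if (d->block[0] < 1)
		d->block[0] = 1;
	if (d->block[0] > I2C_SMBUS_BLOCK_MAX)
		d->block[0] = I2C_SMBUS_BLOCK_MAX;
	return 0;
}
/* lore patch style: reject an out-of-range length with -EINVAL. */
static int validate_reject(struct smbus_block *d)
{
	if (d->block[0] < 1 || d->block[0] > I2C_SMBUS_BLOCK_MAX)
		return -EINVAL;
	return 0;
}
/* Validate, then copy block[0] payload bytes into the fixed buffer; without
 * validate() a length up to 255 would overrun both structures. */
static int block_write(struct smbus_block *d, struct xfer_buf *buf,
		       int (*validate)(struct smbus_block *))
{
	int ret = validate(d);
	if (ret)
		return ret;                 /* negative errno from validate() */
	memcpy(buf->data, &d->block[1], d->block[0]);
	return d->block[0];                 /* bytes copied */
}
/* Run one write with a constructed payload and the given length byte. */
static int try_write(uint8_t len, int (*validate)(struct smbus_block *))
{
	struct smbus_block d;
	struct xfer_buf buf;
	memset(&d, 0xA5, sizeof d);   /* constructed payload bytes */
	d.block[0] = len;
	return block_write(&d, &buf, validate);
}
```

Both variants keep the copy inside the 32-byte buffer; they differ in whether a bad length is silently shortened or reported back to the caller.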

Comment 25 errata-xmlrpc 2023-02-21 08:58:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0854 https://access.redhat.com/errata/RHSA-2023:0854

Comment 26 errata-xmlrpc 2023-02-21 09:21:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0832 https://access.redhat.com/errata/RHSA-2023:0832

Comment 27 errata-xmlrpc 2023-02-28 08:18:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0951 https://access.redhat.com/errata/RHSA-2023:0951

Comment 28 errata-xmlrpc 2023-02-28 09:51:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0979 https://access.redhat.com/errata/RHSA-2023:0979

Comment 33 Product Security DevOps Team 2023-05-16 19:13:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2873

Comment 34 errata-xmlrpc 2023-10-10 16:26:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627