Bug 2266341 (CVE-2023-52469)

Summary: CVE-2023-52469 kernel: use-after-free in kv_parse_power_table
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, aquini, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, esandeen, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mleitner, mmilgram, mstowell, ndegraef, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sukulkar, tglozar, tyberry, vkumar, vsroka, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in kv_parse_power_table in drivers/amd/pm in the Linux kernel. When ps equals NULL, kv_parse_power_table frees adev->pm.dpm.ps. The adev->pm.dpm.ps is used in the loop of kv_dpm_fini after its first free in kv_parse_power_table, causing a use-after-free problem.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2266343    
Bug Blocks: 2266208    

Description Rohit Keshri 2024-02-27 16:34:09 UTC
In the Linux kernel, the following vulnerability has been resolved:

drivers/amd/pm: fix a use-after-free in kv_parse_power_table

When ps allocated by kzalloc equals to NULL, kv_parse_power_table
frees adev->pm.dpm.ps that allocated before. However, after the control
flow goes through the following call chains:

kv_parse_power_table
  |-> kv_dpm_init
        |-> kv_dpm_sw_init
	      |-> kv_dpm_fini

The adev->pm.dpm.ps is used in the for loop of kv_dpm_fini after its
first free in kv_parse_power_table and causes a use-after-free bug.

https://git.kernel.org/stable/c/28dd788382c43b330480f57cd34cde0840896743
https://git.kernel.org/stable/c/3426f059eacc33ecc676b0d66539297e1cfafd02
https://git.kernel.org/stable/c/35fa2394d26e919f63600ce631e6aefc95ec2706
https://git.kernel.org/stable/c/520e213a0b97b64735a13950e9371e0a5d7a5dc3
https://git.kernel.org/stable/c/8a27d9d9fc9b5564b8904c3a77a7dea482bfa34e
https://git.kernel.org/stable/c/8b55b06e737feb2a645b0293ea27e38418876d63
https://git.kernel.org/stable/c/95084632a65d5c0d682a83b55935560bdcd2a1e3
https://git.kernel.org/stable/c/b6dcba02ee178282e0d28684d241e0b8462dea6a

Comment 1 Rohit Keshri 2024-02-27 16:44:04 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2266343]

Comment 4 Justin M. Forbes 2024-02-27 18:51:54 UTC
This was fixed for Fedora with the 6.6.14 stable kernel update.

Comment 8 errata-xmlrpc 2024-08-08 04:40:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5102 https://access.redhat.com/errata/RHSA-2024:5102

Comment 9 errata-xmlrpc 2024-08-08 04:52:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5101 https://access.redhat.com/errata/RHSA-2024:5101