amd_sfh_hid_client_init in drivers/hid/amd-sfh-hid/amd_sfh_client.c lacks check of the return value of dma_alloc_coherent() and will cause the NULL Pointer Dereference. Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=53ffa6a9f83b2170c60591da1ead8791d5a42e81
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2169483]
This was fixed for Fedora with the 6.0.16 stable kernel updates.
Memory allocations with the GFP_KERNEL should not be considered as CVE if alloc small amount of memory (based on " GFP_KERNEL - both background and direct reclaim are allowed and the default page allocator behavior is used. That means that not costly allocation requests are basically no-fail but there is no guarantee of that behavior so failures have to be checked properly by callers (e.g. OOM killer victim is allowed to fail currently). ", and for more info see: https://lwn.net/Articles/627419/ ). However, particular for this CVE I'm not sure if always small amount of memory request, so it is just in case as potential security issue.
Hello Alex, while doing review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE. Could you update the CVE page https://access.redhat.com/security/cve/CVE-2023-3357 with some publicly facing statement why we consider RHELs 6 to 8 as not affected? Especially given the https://www.kernel.org/doc/html/next/core-api/memory-allocation.html that you quoted in comment 4 says that "... but there is no guarantee of that behavior so failures have to be checked properly by callers". Also, having something else (Fix deferred) listed for RHEL 9 when the code is the same might look suspicious to the evaluating and validating bodies. Thank you, Jan
In reply to comment #11: > Hello Alex, > > while doing review of the Vulnerability Assessment report of RHEL 8.6 for > the purpose of Common Criteria certification, we came across this CVE. > > Could you update the CVE page > https://access.redhat.com/security/cve/CVE-2023-3357 with some publicly > facing statement why we consider RHELs 6 to 8 as not affected? Especially > given the > > https://www.kernel.org/doc/html/next/core-api/memory-allocation.html > > that you quoted in comment 4 says that "... but there is no guarantee of > that behavior so failures have to be checked properly by callers". Also, > having something else (Fix deferred) listed for RHEL 9 when the code is the > same might look suspicious to the evaluating and validating bodies. > > Thank you, Jan Hi Jan, I added statement: "For the Red Hat Enterprise Linux 9 already fixed with the commit 1a4835c9 "HID: amd_sfh: Add missing check for dma_alloc_coherent". The Kernel config param CONFIG_AMD_SFH_HID disabled for all versions of the Red Hat Enterprise Linux before 9, so not affected.". Regards, Alex
Perfect, thank you.