{ "threat_severity" : "Moderate", "public_date" : "2024-09-27T00:00:00Z", "bugzilla" : { "description" : "kernel: spi: nxp-fspi: fix the KASAN report out-of-bounds bug", "id" : "2315205", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2315205" }, "cvss3" : { "cvss3_base_score" : "6.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nspi: nxp-fspi: fix the KASAN report out-of-bounds bug\nChange the memcpy length to fix the out-of-bounds issue when writing the\ndata that is not 4 byte aligned to TX FIFO.\nTo reproduce the issue, write 3 bytes data to NOR chip.\ndd if=3b of=/dev/mtd0\n[ 36.926103] ==================================================================\n[ 36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838\n[ 36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455\n[ 36.946721]\n[ 36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070\n[ 36.956185] Hardware name: Freescale i.MX8QM MEK (DT)\n[ 36.961260] Call trace:\n[ 36.963723] dump_backtrace+0x90/0xe8\n[ 36.967414] show_stack+0x18/0x24\n[ 36.970749] dump_stack_lvl+0x78/0x90\n[ 36.974451] print_report+0x114/0x5cc\n[ 36.978151] kasan_report+0xa4/0xf0\n[ 36.981670] __asan_report_load_n_noabort+0x1c/0x28\n[ 36.986587] nxp_fspi_exec_op+0x26ec/0x2838\n[ 36.990800] spi_mem_exec_op+0x8ec/0xd30\n[ 36.994762] spi_mem_no_dirmap_read+0x190/0x1e0\n[ 36.999323] spi_mem_dirmap_write+0x238/0x32c\n[ 37.003710] spi_nor_write_data+0x220/0x374\n[ 37.007932] spi_nor_write+0x110/0x2e8\n[ 37.011711] mtd_write_oob_std+0x154/0x1f0\n[ 37.015838] mtd_write_oob+0x104/0x1d0\n[ 37.019617] mtd_write+0xb8/0x12c\n[ 37.022953] mtdchar_write+0x224/0x47c\n[ 37.026732] vfs_write+0x1e4/0x8c8\n[ 37.030163] ksys_write+0xec/0x1d0\n[ 37.033586] __arm64_sys_write+0x6c/0x9c\n[ 37.037539] invoke_syscall+0x6c/0x258\n[ 37.041327] el0_svc_common.constprop.0+0x160/0x22c\n[ 37.046244] do_el0_svc+0x44/0x5c\n[ 37.049589] el0_svc+0x38/0x78\n[ 37.052681] el0t_64_sync_handler+0x13c/0x158\n[ 37.057077] el0t_64_sync+0x190/0x194\n[ 37.060775]\n[ 37.062274] Allocated by task 455:\n[ 37.065701] kasan_save_stack+0x2c/0x54\n[ 37.069570] kasan_save_track+0x20/0x3c\n[ 37.073438] kasan_save_alloc_info+0x40/0x54\n[ 37.077736] __kasan_kmalloc+0xa0/0xb8\n[ 37.081515] __kmalloc_noprof+0x158/0x2f8\n[ 37.085563] mtd_kmalloc_up_to+0x120/0x154\n[ 37.089690] mtdchar_write+0x130/0x47c\n[ 37.093469] vfs_write+0x1e4/0x8c8\n[ 37.096901] ksys_write+0xec/0x1d0\n[ 37.100332] __arm64_sys_write+0x6c/0x9c\n[ 37.104287] invoke_syscall+0x6c/0x258\n[ 37.108064] el0_svc_common.constprop.0+0x160/0x22c\n[ 37.112972] do_el0_svc+0x44/0x5c\n[ 37.116319] el0_svc+0x38/0x78\n[ 37.119401] el0t_64_sync_handler+0x13c/0x158\n[ 37.123788] el0t_64_sync+0x190/0x194\n[ 37.127474]\n[ 37.128977] The buggy address belongs to the object at ffff00081037c2a0\n[ 37.128977] which belongs to the cache kmalloc-8 of size 8\n[ 37.141177] The buggy address is located 0 bytes inside of\n[ 37.141177] allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)\n[ 37.153465]\n[ 37.154971] The buggy address belongs to the physical page:\n[ 37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c\n[ 37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)\n[ 37.175149] page_type: 0xfdffffff(slab)\n[ 37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000\n[ 37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000\n[ 37.194553] page dumped because: kasan: bad access detected\n[ 37.200144]\n[ 37.201647] Memory state around the buggy address:\n[ 37.206460] ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc\n[ 37.213701] ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc\n[ 37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc\n[ 37.228186] ^\n[ 37.232473] ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 37.239718] ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n[ 37.246962] ==============================================================\n---truncated---" ], "statement" : "Access to \"drivers/spi\" will be a privileged operation that will need an admin/root to exploit this out of bound write scenario.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-05-13T00:00:00Z", "advisory" : "RHSA-2025:6966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.12.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-46853\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46853\nhttps://lore.kernel.org/linux-cve-announce/2024092742-CVE-2024-46853-ab04@gregkh/T" ], "name" : "CVE-2024-46853", "csaw" : false }