"value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: thermal: Fix out-of-bounds memory accesses\n\nCurrently, mlxsw allows cooling states to be set above the maximum\ncooling state supported by the driver:\n\n # cat /sys/class/thermal/thermal_zone2/cdev0/type\n mlxsw_fan\n # cat /sys/class/thermal/thermal_zone2/cdev0/max_state\n 10\n # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state\n # echo $?\n 0\n\nThis results in out-of-bounds memory accesses when thermal state\ntransition statistics are enabled (CONFIG_THERMAL_STATISTICS=y), as the\ntransition table is accessed with a too large index (state) [1].\n\nAccording to the thermal maintainer, it is the responsibility of the\ndriver to reject such operations [2].\n\nTherefore, return an error when the state to be set exceeds the maximum\ncooling state supported by the driver.\n\nTo avoid dead code, as suggested by the thermal maintainer [3],\npartially revert commit a421ce088ac8 (\"mlxsw: core: Extend cooling\ndevice with cooling levels\") that tried to interpret these invalid\ncooling states (above the maximum) in a special way. The cooling levels\narray is not removed in order to prevent the fans going below 20% PWM,\nwhich would cause them to get stuck at 0% PWM.\n\n[1]\nBUG: KASAN: slab-out-of-bounds in thermal_cooling_device_stats_update+0x271/0x290\nRead of size 4 at addr ffff8881052f7bf8 by task kworker/0:0/5\n\nCPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122\nHardware name: Mellanox Technologies Ltd. \"MSN2410-CB2FO\"/\"SA000874\",BIOS4.6.503/08/2016\nWorkqueue:events_freezable_power_thermal_zone_device_check\nCallTrace:\ndump_stack_lvl+0x8b/0xb3\nprint_address_description.constprop.0+0x1f/0x140\nkasan_report.cold+0x7f/0x11b\nthermal_cooling_device_stats_update+0x271/0x290\n__thermal_cdev_update+0x15e/0x4e0\nthermal_cdev_update+0x9f/0xe0\nstep_wise_throttle+0x770/0xee0\nthermal_zone_device_update+0x3f6/0xdf0\nprocess_one_work+0xa42/0x1770\nworker_thread+0x62f/0x13e0\nkthread+0x3ee/0x4e0\nret_from_fork+0x1f/0x30\n\nAllocatedbytask1:\nkasan_save_stack+0x1b/0x40\n__kasan_kmalloc+0x7c/0x90\nthermal_cooling_device_setup_sysfs+0x153/0x2c0\n__thermal_cooling_device_register.part.0+0x25b/0x9c0\nthermal_cooling_device_register+0xb3/0x100\nmlxsw_thermal_init+0x5c5/0x7e0\n__mlxsw_core_bus_device_register+0xcb3/0x19c0\nmlxsw_core_bus_device_register+0x56/0xb0\nmlxsw_pci_probe+0x54f/0x710\nlocal_pci_probe+0xc6/0x170\npci_device_probe+0x2b2/0x4d0\nreally_probe+0x293/0xd10\n__driver_probe_device+0x2af/0x440\ndriver_probe_device+0x51/0x1e0\n__driver_attach+0x21b/0x530\nbus_for_each_dev+0x14c/0x1d0\nbus_add_driver+0x3ac/0x650\ndriver_register+0x241/0x3d0\nmlxsw_sp_module_init+0xa2/0x174\ndo_one_initcall+0xee/0x5f0\nkernel_init_freeable+0x45a/0x4de\nkernel_init+0x1f/0x210\nret_from_fork+0x1f/0x30\n\nThebuggyaddressbelongstotheobjectatffff8881052f7800\nwhichbelongstothecachekmalloc-1kofsize1024\nThebuggyaddressislocated1016bytesinsideof\n1024-byteregion[ffff8881052f7800,ffff8881052f7c00)\nThebuggyaddressbelongstothepage:\npage:0000000052355272refcount:1mapcount:0mapping:0000000000000000index:0x0pfn:0x1052f0\nhead:0000000052355272order:3compound_mapcount:0compound_pincount:0\nflags:0x200000000010200(slab|head|node=0|zone=2)\nraw:0200000000010200ffffea00050348000000000300000003ffff888100041dc0\nraw:0000000000000000000000000010001000000001ffffffff0000000000000000\npagedumpedbecause:kasan:badaccessdetected\n\nMemorystatearoundthebuggyaddress:\nffff8881052f7a80:00000000000004fcfcfcfcfcfcfcfcfc\nffff8881052f7b00:fcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfc\n>ffff8881052f7b80:fcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfc\n^\nffff8881052f7c00:fcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfc\nffff8881052f7c80:fcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfc\n\n[2]https://lore.kernel.org/linux-pm/9aca37cb-162
"value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mlxsw: Thermal: corrige accesos a memoria fuera de los l\u00edmites Actualmente, mlxsw permite establecer estados de enfriamiento por encima del estado de enfriamiento m\u00e1ximo admitido por el controlador: # cat /sys/class/ Thermal/thermal_zone2/cdev0/type mlxsw_fan # cat /sys/class/thermal/thermal_zone2/cdev0/max_state 10 # echo 18 > /sys/class/thermal/thermal_zone2/cdev0/cur_state # echo $? 0 Esto da como resultado accesos a la memoria fuera de los l\u00edmites cuando las estad\u00edsticas de transici\u00f3n de estado t\u00e9rmico est\u00e1n habilitadas (CONFIG_THERMAL_STATISTICS=y), ya que se accede a la tabla de transici\u00f3n con un \u00edndice (estado) demasiado grande [1]. Seg\u00fan el mantenedor t\u00e9rmico, es responsabilidad del conductor rechazar este tipo de operaciones [2]. Por lo tanto, devolver\u00e1 un error cuando el estado que se establecer\u00e1 exceda el estado de enfriamiento m\u00e1ximo admitido por el controlador. Para evitar el c\u00f3digo inactivo, como lo sugiere el mantenedor t\u00e9rmico [3], revierta parcialmente el commit a421ce088ac8 (\"mlxsw: core: Extend Cooling Device with Cooling Levels\") que intent\u00f3 interpretar estos estados de enfriamiento no v\u00e1lidos (por encima del m\u00e1ximo) de una manera especial. . La matriz de niveles de enfriamiento no se elimina para evitar que los ventiladores bajen del 20 % de PWM, lo que provocar\u00eda que se atasquen en el 0 % de PWM. [1] ERROR: KASAN: losa fuera de los l\u00edmites en Thermal_cooling_device_stats_update+0x271/0x290 Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff8881052f7bf8 por tarea kworker/0:0/5 CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.15.0-rc3-custom-45935-gce1adf704b14 #122 Nombre del hardware: Mellanox Technologies Ltd. \"MSN2410-CB2FO\"/\"SA000874\",BIOS4.6.508/03/2016Coladetrabajo:events_freezable_power_Thermal_zone_device_checkSeguimientodellamadas:dump_stack_lvl+0x8b/0xb3print_address_description.constprop.0+0x1f/0x140kasan_report.cold+0x7f/0x11bThermal_cooling_device_stats_update+0x271/0x290__thermal_cdev_update+0x15e/0x4e0Thermal_cdev_update+0x9f/0xe070/0xee0actualizaci\u00f3n_dispositivo_zona_termal+0x3f6/0xdf0proceso_one_work+0xa42/0x1770hilo_trabajador+0x62f/0x13e0kthread+0x3ee/0x4e0ret_from_fork+0x1f/0x30Asignadoportarea1:kasan_save_stack+0x1b/0x40__kasan_kmalloc+0x7c/0x90Thermal_cooling_device_setup_sysfs+0x153/0x2c0_device_register.part.0+0x25b/0x9c0Thermal_cooling_device_register+0xb3/0x100mlxsw_thermal_init+0x5c5/0x7e0__mlxsw_core_bus_device_register+0xcb3/0x19c0mlxsw_core_bus_device_register+0x56/0xb0mlxsw_pci_probe+0x54f/0x710local_pci_probe+0xc6/0x170pci_device_probe+0x2b2/0x4d0very_probe+0x293/0xd10__driver_probe_device+0x2af/0x440driver_probe_device+0x51/0x1e0__driver_attach+0x21b/0x530bus_for_each_dev+0x14c/0x1d0bus_add_driver+0x3ac/0x650driver_register+0x241/0x3d0mlxsw_sp_module_init+0xa2/0x174do_one_initcall+0xee/0x5f0kernel_init_freeable+0x45a/0x4dekernel_init+0x1f/0x210f/0x30Ladirecci\u00f3nconerrorespertenecealobjetoenffff8881052f7800quepertenecealcach\u00e9kmalloc-1kdetama\u00f1o1024Ladirecci\u00f3nconerroresseencuentra1016bytesdentrodelaregi\u00f3nde1024bytes[ffff8881052f7800,ffff8881052f7c00)Ladirecci\u00f3nconerrorespertenecealap\u00e1gina:p\u00e1gina:0000000052355272refcount:1mapcount:0mapeo:0000000000000000\u00edndice:0x0pfn:0x1052f0cabeza:0000000052355272orden:3compuesto_mapcount:0compuesto_pincount:0banderas:0x200000000010200(slab|head|node=0|zone=2)raw:0200000000010200ffffea00050348000000000300000003ffff888100041dc0raw:0000000000000000000000000010001000000001ffffffff00000000000000000p\u00e1ginavolcadaporque:kasan:sedetect\u00f3malaccesoEstadodelamemoriaalrededordeladirecci\u00f3ndelerror:ffff8881052f7a80:00000000000004fcfcfcfcfcfcfcfcfcffff8881052f7b00:fcfcfcfcfcfcfcfcfcfcfcfc>ffff8881052f7b80:fcfcfcfcfcfcfcf
