Bug 1226909 (CVE-2024-39277)

Summary: VUL-0: CVE-2024-39277: kernel: dma-mapping: benchmark: handle NUMA_NO_NODE correctly
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: camila.matos, mhocko
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/411777/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-39277:6.6:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-06-24 15:04:18 UTC 
In the Linux kernel, the following vulnerability has been resolved:

dma-mapping: benchmark: handle NUMA_NO_NODE correctly

cpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark()
resulting in the following sanitizer report:

UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28
index -1 is out of range for type 'cpumask [64][1]'
CPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
 <TASK>
dump_stack_lvl (lib/dump_stack.c:117)
ubsan_epilogue (lib/ubsan.c:232)
__ubsan_handle_out_of_bounds (lib/ubsan.c:429)
cpumask_of_node (arch/x86/include/asm/topology.h:72) [inline]
do_map_benchmark (kernel/dma/map_benchmark.c:104)
map_benchmark_ioctl (kernel/dma/map_benchmark.c:246)
full_proxy_unlocked_ioctl (fs/debugfs/file.c:333)
__x64_sys_ioctl (fs/ioctl.c:890)
do_syscall_64 (arch/x86/entry/common.c:83)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Use cpumask_of_node() in place when binding a kernel thread to a cpuset
of a particular node.

Note that the provided node id is checked inside map_benchmark_ioctl().
It's just a NUMA_NO_NODE case which is not handled properly later.

Found by Linux Verification Center (linuxtesting.org).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39277
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-39277.mbox
https://git.kernel.org/stable/c/b41b0018e8ca06e985e87220a618ec633988fd13
https://git.kernel.org/stable/c/8e1ba9df9a35e8dc64f657a64e523c79ba01e464
https://git.kernel.org/stable/c/5a91116b003175302f2e6ad94b76fb9b5a141a41
https://git.kernel.org/stable/c/50ee21bfc005e69f183d6b4b454e33f0c2571e1f
https://git.kernel.org/stable/c/e64746e74f717961250a155e14c156616fcd981f
https://www.cve.org/CVERecord?id=CVE-2024-39277
https://bugzilla.redhat.com/show_bug.cgi?id=2293647