1220506 – (CVE-2020-36776) VUL-0: CVE-2020-36776: kernel-source,kernel-source-azure,kernel-source-rt: thermal/drivers/cpufreq_cooling: slab OOB read in cpu_power_to_freq()

Bug 1220506 (CVE-2020-36776) - VUL-0: CVE-2020-36776: kernel-source,kernel-source-azure,kernel-source-rt: thermal/drivers/cpufreq_cooling: slab OOB read in cpu_power_to_freq()

Summary: VUL-0: CVE-2020-36776: kernel-source,kernel-source-azure,kernel-source-rt: th...

Status:	RESOLVED FIXED

Alias:	CVE-2020-36776

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Minor
Target Milestone:	---
Assignee:	Kernel Bugs
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/395343/
Whiteboard:	CVSSv3.1:SUSE:CVE-2020-36776:2.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-02-28 08:02 UTC by SMASH SMASH
Modified:	2024-02-28 08:03 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-02-28 08:02:40 UTC

In the Linux kernel, the following vulnerability has been resolved:

thermal/drivers/cpufreq_cooling: Fix slab OOB issue

Slab OOB issue is scanned by KASAN in cpu_power_to_freq().
If power is limited below the power of OPP0 in EM table,
it will cause slab out-of-bound issue with negative array
index.

Return the lowest frequency if limited power cannot found
a suitable OPP in EM table to fix this issue.

Backtrace:
[<ffffffd02d2a37f0>] die+0x104/0x5ac
[<ffffffd02d2a5630>] bug_handler+0x64/0xd0
[<ffffffd02d288ce4>] brk_handler+0x160/0x258
[<ffffffd02d281e5c>] do_debug_exception+0x248/0x3f0
[<ffffffd02d284488>] el1_dbg+0x14/0xbc
[<ffffffd02d75d1d4>] __kasan_report+0x1dc/0x1e0
[<ffffffd02d75c2e0>] kasan_report+0x10/0x20
[<ffffffd02d75def8>] __asan_report_load8_noabort+0x18/0x28
[<ffffffd02e6fce5c>] cpufreq_power2state+0x180/0x43c
[<ffffffd02e6ead80>] power_actor_set_power+0x114/0x1d4
[<ffffffd02e6fac24>] allocate_power+0xaec/0xde0
[<ffffffd02e6f9f80>] power_allocator_throttle+0x3ec/0x5a4
[<ffffffd02e6ea888>] handle_thermal_trip+0x160/0x294
[<ffffffd02e6edd08>] thermal_zone_device_check+0xe4/0x154
[<ffffffd02d351cb4>] process_one_work+0x5e4/0xe28
[<ffffffd02d352f44>] worker_thread+0xa4c/0xfac
[<ffffffd02d360124>] kthread+0x33c/0x358
[<ffffffd02d289940>] ret_from_fork+0xc/0x18

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36776
https://git.kernel.org/stable/c/876a5f33e5d961d879c5436987c09b3d9ef70379
https://git.kernel.org/stable/c/c24a20912eef00587416628149c438e885eb1304
https://www.cve.org/CVERecord?id=CVE-2020-36776
https://git.kernel.org/stable/c/34ab17cc6c2c1ac93d7e5d53bb972df9a968f085
https://git.kernel.org/stable/c/6bf443acf6ca4f666d0e4225614ba9993a3aa1a9

Comment 1 Carlos López 2024-02-28 08:03:20 UTC

We have 371a3bc79c11b ("thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power") in cve/linux-5.14, SLE15-SP6, stable and master,
all of which have the fix. Closing.