APPLIED: [SRU][F][PATCH 0/1] CVE-2024-56662

Mehmet Basaran mehmet.basaran at canonical.com
Mon Jun 2 09:42:20 UTC 2025


Applied to focal:linux master-next branch. Thanks.

Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com> writes:

> https://ubuntu.com/security/CVE-2024-56662
>
> [ Impact ]
>
> acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl
>
> Fix an issue detected by syzbot with KASAN:
>
> BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/
> core.c:416 [inline]
> BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0
> drivers/acpi/nfit/core.c:459
>
> The issue occurs in cmd_to_func when the call_pkg->nd_reserved2
> array is accessed without verifying that call_pkg points to a buffer
> that is appropriately sized as a struct nd_cmd_pkg. This can lead
> to out-of-bounds access and undefined behavior if the buffer does not
> have sufficient space.
>
> To address this, a check was added in acpi_nfit_ctl() to ensure that
> buf is not NULL and that buf_len is less than sizeof(*call_pkg)
> before accessing it. This ensures safe access to the members of
> call_pkg, including the nd_reserved2 array.
>
> [ Fix ]
>
> Plucky: Not affected
> Oracular: Fixed via upstream stable updates (LP: #2097332)
> Noble: Fixed via upstream stable updates (LP: #2102181)
> Jammy: Fixed via upstream stable updates (LP: #2095302)
> Focal: Backported from mainline
>
> [ Test Plan ]
>
> Compile tested only.
>
> [ Where Problems Could Occur ]
>
> A regression here is unlikely due to the very limited scope
> of the patch.
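
The bounds check described in the quoted [ Impact ] text, as an added userspace example that is not part of the original message or of the kernel patch. struct pkg_model, model_ctl(), model_cmd_to_func() and the demo inputs are hypothetical simplifications of struct nd_cmd_pkg, acpi_nfit_ctl() and cmd_to_func(); the model rejects a NULL or undersized buffer before nd_reserved2 is read.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified userspace stand-in for struct nd_cmd_pkg (assumed layout). */
struct pkg_model {
    uint64_t nd_family, nd_command;
    uint32_t nd_size_in, nd_size_out;
    uint32_t nd_reserved2[9];
    uint32_t nd_fw_size;
};

/* Reads nd_reserved2: safe only once the caller has proved a full header. */
static int model_cmd_to_func(const struct pkg_model *pkg)
{
    for (size_t i = 0; i < sizeof(pkg->nd_reserved2) / sizeof(pkg->nd_reserved2[0]); i++)
        if (pkg->nd_reserved2[i])
            return -EINVAL;          /* reserved words must be zero */
    return (int)pkg->nd_command;
}

/* Entry point with the size check done before buf is used as a package. */
int model_ctl(const void *buf, size_t buf_len)
{
    struct pkg_model pkg;
    if (!buf || buf_len < sizeof(pkg))
        return -EINVAL;              /* too short to hold nd_reserved2 */
    memcpy(&pkg, buf, sizeof(pkg));  /* no alignment assumption on buf */
    return model_cmd_to_func(&pkg);
}

/* Constructed inputs: a full zeroed header and a 16-byte buffer. */
int demo_full(void)
{
    struct pkg_model ok = { .nd_family = 1, .nd_command = 7 };
    return model_ctl(&ok, sizeof(ok));
}

int demo_short(void)
{
    unsigned char tiny[16] = { 0 };
    return model_ctl(tiny, sizeof(tiny));
}

int main(void)
{
    printf("full=%d short=%d null=%d\n", demo_full(), demo_short(), model_ctl(NULL, 0));
    return 0;
}
```

Without the length test in model_ctl(), the 16-byte buffer would be read well past its end by the nd_reserved2 loop, which is the access pattern the KASAN report flags.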