CVE-2023-53272

UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/enacom.c:540:13 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 28 PID: 70012 Comm: kworker/u72:2 Kdump: loaded not tainted 5.15.117 Hardware name: Amazon EC2 c5d.9xlarge/, BIOS 1.0 10/16/2017 Workqueue: ena enafwresetdevice [ena] Call Trace: <TASK> dumpstacklvl+0x4a/0x63 dumpstack+0x10/0x16 ubsanepilogue+0x9/0x36 _ubsanhandleshiftoutofbounds.cold+0x61/0x10e ? _constudelay+0x43/0x50 enadelayexponentialbackoffus.cold+0x16/0x1e [ena] waitforresetstate+0x54/0xa0 [ena] enacomdevreset+0xc8/0x110 [ena] enadown+0x3fe/0x480 [ena] enadestroydevice+0xeb/0xf0 [ena] enafwresetdevice+0x30/0x50 [ena] processonework+0x22b/0x3d0 workerthread+0x4d/0x3f0 ? processonework+0x3d0/0x3d0 kthread+0x12a/0x150 ? setkthreadstruct+0x50/0x50 retfrom_fork+0x22/0x30 </TASK>

Apparently, the reset delays are getting so large they can trigger a UBSAN panic.

Looking at the code, the current timeout is capped at 5000us. Using a base value of 100us, the current code will overflow after (1<<29). Even at values before 32, this function wraps around, perhaps unintentionally.

Cap the value of the exponent used for this backoff at (1<<16) which is larger than currently necessary, but large enough to support bigger values in the future.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4bb7f4cf60e38a00965d22aa5979ab143193d41f

Fixed

1e760b2d18bf129b3da052c2946c02758e97d15e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4bb7f4cf60e38a00965d22aa5979ab143193d41f

Fixed

3e36cc94d6e60a27f27498adf1c71eeba769ab33

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4bb7f4cf60e38a00965d22aa5979ab143193d41f

Fixed

90947ebf8794e3c229fb2e16e37f1bfea6877f14

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4bb7f4cf60e38a00965d22aa5979ab143193d41f

Fixed

0939c264729d4a081ff88efce2ffdf85dc5331e0

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4bb7f4cf60e38a00965d22aa5979ab143193d41f

Fixed

1e9cb763e9bacf0c932aa948f50dcfca6f519a26

Affected versions

v5.*

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.10.1

v5.10.10

v5.10.100

v5.10.101

v5.10.102

v5.10.103

v5.10.104

v5.10.105

v5.10.106

v5.10.107

v5.10.108

v5.10.109

v5.10.11

v5.10.110

v5.10.111

v5.10.112

v5.10.113

v5.10.114

v5.10.115

v5.10.116

v5.10.117

v5.10.118

v5.10.119

v5.10.12

v5.10.120

v5.10.121

v5.10.122

v5.10.123

v5.10.124

v5.10.125

v5.10.126

v5.10.127

v5.10.128

v5.10.129

v5.10.13

v5.10.130

v5.10.131

v5.10.132

v5.10.133

v5.10.134

v5.10.135

v5.10.136

v5.10.137

v5.10.138

v5.10.139

v5.10.14

v5.10.140

v5.10.141

v5.10.142

v5.10.143

v5.10.144

v5.10.145

v5.10.146

v5.10.147

v5.10.148

v5.10.149

v5.10.15

v5.10.150

v5.10.151

v5.10.152

v5.10.153

v5.10.154

v5.10.155

v5.10.156

v5.10.157

v5.10.158

v5.10.159

v5.10.16

v5.10.160

v5.10.161

v5.10.162

v5.10.163

v5.10.164

v5.10.165

v5.10.166

v5.10.167

v5.10.168

v5.10.169

v5.10.17

v5.10.170

v5.10.171

v5.10.172

v5.10.173

v5.10.174

v5.10.175

v5.10.176

v5.10.177

v5.10.178

v5.10.179

v5.10.18

v5.10.180

v5.10.181

v5.10.182

v5.10.183

v5.10.184

v5.10.185

v5.10.186

v5.10.187

v5.10.19

v5.10.2

v5.10.20

v5.10.21

v5.10.22

v5.10.23

v5.10.24

v5.10.25

v5.10.26

v5.10.27

v5.10.28

v5.10.29

v5.10.3

v5.10.30

v5.10.31

v5.10.32

v5.10.33

v5.10.34

v5.10.35

v5.10.36

v5.10.37

v5.10.38

v5.10.39

v5.10.4

v5.10.40

v5.10.41

v5.10.42

v5.10.43

v5.10.44

v5.10.45

v5.10.46

v5.10.47

v5.10.48

v5.10.49

v5.10.5

v5.10.50

v5.10.51

v5.10.52

v5.10.53

v5.10.54

v5.10.55

v5.10.56

v5.10.57

v5.10.58

v5.10.59

v5.10.6

v5.10.60

v5.10.61

v5.10.62

v5.10.63

v5.10.64

v5.10.65

v5.10.66

v5.10.67

v5.10.68

v5.10.69

v5.10.7

v5.10.70

v5.10.71

v5.10.72

v5.10.73

v5.10.74

v5.10.75

v5.10.76

v5.10.77

v5.10.78

v5.10.79

v5.10.8

v5.10.80

v5.10.81

v5.10.82

v5.10.83

v5.10.84

v5.10.85

v5.10.86

v5.10.87

v5.10.88

v5.10.89

v5.10.9

v5.10.90

v5.10.91

v5.10.92

v5.10.93

v5.10.94

v5.10.95

v5.10.96

v5.10.97

v5.10.98

v5.10.99

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.100

v5.15.101

v5.15.102

v5.15.103

v5.15.104

v5.15.105

v5.15.106

v5.15.107

v5.15.108

v5.15.109

v5.15.11

v5.15.110

v5.15.111

v5.15.112

v5.15.113

v5.15.114

v5.15.115

v5.15.116

v5.15.117

v5.15.118

v5.15.119

v5.15.12

v5.15.120

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.26

v5.15.27

v5.15.28

v5.15.29

v5.15.3

v5.15.30

v5.15.31

v5.15.32

v5.15.33

v5.15.34

v5.15.35

v5.15.36

v5.15.37

v5.15.38

v5.15.39

v5.15.4

v5.15.40

v5.15.41

v5.15.42

v5.15.43

v5.15.44

v5.15.45

v5.15.46

v5.15.47

v5.15.48

v5.15.49

v5.15.5

v5.15.50

v5.15.51

v5.15.52

v5.15.53

v5.15.54

v5.15.55

v5.15.56

v5.15.57

v5.15.58

v5.15.59

v5.15.6

v5.15.60

v5.15.61

v5.15.62

v5.15.63

v5.15.64

v5.15.65

v5.15.66

v5.15.67

v5.15.68

v5.15.69

v5.15.7

v5.15.70

v5.15.71

v5.15.72

v5.15.73

v5.15.74

v5.15.75

v5.15.76

v5.15.77

v5.15.78

v5.15.79

v5.15.8

v5.15.80

v5.15.81

v5.15.82

v5.15.83

v5.15.84

v5.15.85

v5.15.86

v5.15.87

v5.15.88

v5.15.89

v5.15.9

v5.15.90

v5.15.91

v5.15.92

v5.15.93

v5.15.94

v5.15.95

v5.15.96

v5.15.97

v5.15.98

v5.15.99

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v5.7

v5.7-rc6

v5.7-rc7

v5.8

v5.8-rc1

v5.8-rc2

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.4.1

v6.4.2

v6.4.3

v6.4.4

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0939c264729d4a081ff88efce2ffdf85dc5331e0",
        "deprecated": false,
        "id": "CVE-2023-53272-13446c9f",
        "target": {
            "function": "ena_delay_exponential_backoff_us",
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "function_hash": "243305086006511337775005364000215071451",
            "length": 228.0
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0939c264729d4a081ff88efce2ffdf85dc5331e0",
        "deprecated": false,
        "id": "CVE-2023-53272-2372ab38",
        "target": {
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "217250764876899851905766711606141430301",
                "308137031723555227236609583847495256216",
                "38669243094546268784981767441343182090",
                "118933543244054665436060025605637628588",
                "42289498336672223446846340485530143639",
                "64366601054330877277608598792542114324",
                "127581608222419013256454368830834439061"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e36cc94d6e60a27f27498adf1c71eeba769ab33",
        "deprecated": false,
        "id": "CVE-2023-53272-38642e1f",
        "target": {
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "217250764876899851905766711606141430301",
                "308137031723555227236609583847495256216",
                "38669243094546268784981767441343182090",
                "118933543244054665436060025605637628588",
                "42289498336672223446846340485530143639",
                "64366601054330877277608598792542114324",
                "127581608222419013256454368830834439061"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@90947ebf8794e3c229fb2e16e37f1bfea6877f14",
        "deprecated": false,
        "id": "CVE-2023-53272-5441bf8c",
        "target": {
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "217250764876899851905766711606141430301",
                "308137031723555227236609583847495256216",
                "38669243094546268784981767441343182090",
                "118933543244054665436060025605637628588",
                "42289498336672223446846340485530143639",
                "64366601054330877277608598792542114324",
                "127581608222419013256454368830834439061"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1e9cb763e9bacf0c932aa948f50dcfca6f519a26",
        "deprecated": false,
        "id": "CVE-2023-53272-5a2b4026",
        "target": {
            "function": "ena_delay_exponential_backoff_us",
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "function_hash": "243305086006511337775005364000215071451",
            "length": 228.0
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1e760b2d18bf129b3da052c2946c02758e97d15e",
        "deprecated": false,
        "id": "CVE-2023-53272-5cb03f3d",
        "target": {
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "217250764876899851905766711606141430301",
                "308137031723555227236609583847495256216",
                "38669243094546268784981767441343182090",
                "118933543244054665436060025605637628588",
                "42289498336672223446846340485530143639",
                "64366601054330877277608598792542114324",
                "127581608222419013256454368830834439061"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1e760b2d18bf129b3da052c2946c02758e97d15e",
        "deprecated": false,
        "id": "CVE-2023-53272-6e81004c",
        "target": {
            "function": "ena_delay_exponential_backoff_us",
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "function_hash": "243305086006511337775005364000215071451",
            "length": 228.0
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@90947ebf8794e3c229fb2e16e37f1bfea6877f14",
        "deprecated": false,
        "id": "CVE-2023-53272-8cf53d75",
        "target": {
            "function": "ena_delay_exponential_backoff_us",
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "function_hash": "243305086006511337775005364000215071451",
            "length": 228.0
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1e9cb763e9bacf0c932aa948f50dcfca6f519a26",
        "deprecated": false,
        "id": "CVE-2023-53272-994ccd60",
        "target": {
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "217250764876899851905766711606141430301",
                "308137031723555227236609583847495256216",
                "38669243094546268784981767441343182090",
                "118933543244054665436060025605637628588",
                "42289498336672223446846340485530143639",
                "64366601054330877277608598792542114324",
                "127581608222419013256454368830834439061"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e36cc94d6e60a27f27498adf1c71eeba769ab33",
        "deprecated": false,
        "id": "CVE-2023-53272-b12feb03",
        "target": {
            "function": "ena_delay_exponential_backoff_us",
            "file": "drivers/net/ethernet/amazon/ena/ena_com.c"
        },
        "digest": {
            "function_hash": "243305086006511337775005364000215071451",
            "length": 228.0
        },
        "signature_type": "Function"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.8.0

Fixed

5.10.188

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.121

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.40

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.4.5