Description
In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward() index the GAIT by manually multiplying the index with sizeof(struct zpci_gaite). Since aift->gait is already a struct zpci_gaite pointer, this double-scales the offset, accessing element aisb*16 instead of aisb. This causes out-of-bounds accesses when aisb >= 32 (with ZPCI_NR_DEVICES=512) Fix by removing the erroneous sizeof multiplication.
Product status
73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before 31a9d9f9942885aae356a1a57c79e82c5b5b0828
73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before a99a25db131ece5e6c0f7632da606de631efe4f2
73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before 11b8ff5b930b351dd1f6f088dce0beb027ac92d0
73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before b22a2da8792a7bfe743c1a922e77fa499ddedbe8
73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before e7216651b94e92e5433fb2f54b77864642b4ea48
73f91b004321f2510fa79e66035dbbf1870fcf56 (git) before 16d990a15491cf76cd6eef0846e1b4100e63261a
6.0
Any version before 6.0
6.1.175 (semver)
6.6.141 (semver)
6.12.91 (semver)
6.18.33 (semver)
7.0.10 (semver)
7.1 (original_commit_for_fix)
References
git.kernel.org/...c/31a9d9f9942885aae356a1a57c79e82c5b5b0828
git.kernel.org/...c/a99a25db131ece5e6c0f7632da606de631efe4f2
git.kernel.org/...c/11b8ff5b930b351dd1f6f088dce0beb027ac92d0
git.kernel.org/...c/b22a2da8792a7bfe743c1a922e77fa499ddedbe8
git.kernel.org/...c/e7216651b94e92e5433fb2f54b77864642b4ea48
git.kernel.org/...c/16d990a15491cf76cd6eef0846e1b4100e63261a