cve/published/2021/CVE-2021-46910.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46910: ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled

 The debugging code for kmap_local() doubles the number of per-CPU fixmap
 slots allocated for kmap_local(), in order to use half of them as guard
 regions. This causes the fixmap region to grow downwards beyond the start
 of its reserved window if the supported number of CPUs is large, and collide
 with the newly added virtual DT mapping right below it, which is obviously
 not good.

 One manifestation of this is EFI boot on a kernel built with NR_CPUS=32
 and CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting
 in block entries below the fixmap region that the fixmap code misidentifies
 as fixmap table entries, and subsequently tries to dereference using a
 phys-to-virt translation that is only valid for lowmem. This results in a
 cryptic splat such as the one below.

   ftrace: allocating 45548 entries in 89 pages
   8<--- cut here ---
   Unable to handle kernel paging request at virtual address fc6006f0
   pgd = (ptrval)
   [fc6006f0] *pgd=80000040207003, *pmd=00000000
   Internal error: Oops: a06 [#1] SMP ARM
   Modules linked in:
   CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0+ #382
   Hardware name: Generic DT based system
   PC is at cpu_ca15_set_pte_ext+0x24/0x30
   LR is at __set_fixmap+0xe4/0x118
   pc : [<c041ac9c>]    lr : [<c04189d8>]    psr: 400000d3
   sp : c1601ed8  ip : 00400000  fp : 00800000
   r10: 0000071f  r9 : 00421000  r8 : 00c00000
   r7 : 00c00000  r6 : 0000071f  r5 : ffade000  r4 : 4040171f
   r3 : 00c00000  r2 : 4040171f  r1 : c041ac78  r0 : fc6006f0
   Flags: nZcv  IRQs off  FIQs off  Mode SVC_32  ISA ARM  Segment none
   Control: 30c5387d  Table: 40203000  DAC: 00000001
   Process swapper (pid: 0, stack limit = 0x(ptrval))

 So let's limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also,
 fix the BUILD_BUG_ON() check that was supposed to catch this, by checking
 whether the region grows below the start address rather than above the end
 address.

 The Linux kernel CVE team has assigned CVE-2021-46910 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.11 with commit 2a15ba82fa6ca3f35502b3060f22118a938d2889 and fixed in 5.11.16 with commit 5965ac11b1d5fcb38464728931649cd9df79c7c9
 	Issue introduced in 5.11 with commit 2a15ba82fa6ca3f35502b3060f22118a938d2889 and fixed in 5.12 with commit d624833f5984d484c5e3196f34b926f9e71dafee

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46910
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm/Kconfig
 	arch/arm/mm/mmu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5965ac11b1d5fcb38464728931649cd9df79c7c9
 	https://git.kernel.org/stable/c/d624833f5984d484c5e3196f34b926f9e71dafee
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46910: ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled

	The debugging code for kmap_local() doubles the number of per-CPU fixmap
	slots allocated for kmap_local(), in order to use half of them as guard
	regions. This causes the fixmap region to grow downwards beyond the start
	of its reserved window if the supported number of CPUs is large, and collide
	with the newly added virtual DT mapping right below it, which is obviously
	not good.

	One manifestation of this is EFI boot on a kernel built with NR_CPUS=32
	and CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting
	in block entries below the fixmap region that the fixmap code misidentifies
	as fixmap table entries, and subsequently tries to dereference using a
	phys-to-virt translation that is only valid for lowmem. This results in a
	cryptic splat such as the one below.

	ftrace: allocating 45548 entries in 89 pages
	8<--- cut here ---
	Unable to handle kernel paging request at virtual address fc6006f0
	pgd = (ptrval)
	[fc6006f0] pgd=80000040207003, pmd=00000000
	Internal error: Oops: a06 [#1] SMP ARM
	Modules linked in:
	CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0+ #382
	Hardware name: Generic DT based system
	PC is at cpu_ca15_set_pte_ext+0x24/0x30
	LR is at __set_fixmap+0xe4/0x118
	pc : [<c041ac9c>] lr : [<c04189d8>] psr: 400000d3
	sp : c1601ed8 ip : 00400000 fp : 00800000
	r10: 0000071f r9 : 00421000 r8 : 00c00000
	r7 : 00c00000 r6 : 0000071f r5 : ffade000 r4 : 4040171f
	r3 : 00c00000 r2 : 4040171f r1 : c041ac78 r0 : fc6006f0
	Flags: nZcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none
	Control: 30c5387d Table: 40203000 DAC: 00000001
	Process swapper (pid: 0, stack limit = 0x(ptrval))

	So let's limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also,
	fix the BUILD_BUG_ON() check that was supposed to catch this, by checking
	whether the region grows below the start address rather than above the end
	address.

	The Linux kernel CVE team has assigned CVE-2021-46910 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.11 with commit 2a15ba82fa6ca3f35502b3060f22118a938d2889 and fixed in 5.11.16 with commit 5965ac11b1d5fcb38464728931649cd9df79c7c9
	Issue introduced in 5.11 with commit 2a15ba82fa6ca3f35502b3060f22118a938d2889 and fixed in 5.12 with commit d624833f5984d484c5e3196f34b926f9e71dafee

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46910
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm/Kconfig
	arch/arm/mm/mmu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5965ac11b1d5fcb38464728931649cd9df79c7c9
	https://git.kernel.org/stable/c/d624833f5984d484c5e3196f34b926f9e71dafee