cve/published/2021/CVE-2021-47623.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47623: powerpc/fixmap: Fix VM debug warning on unmap

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/fixmap: Fix VM debug warning on unmap

 Unmapping a fixmap entry is done by calling __set_fixmap()
 with FIXMAP_PAGE_CLEAR as flags.

 Today, powerpc __set_fixmap() calls map_kernel_page().

 map_kernel_page() is not happy when called a second time
 for the same page.

 	WARNING: CPU: 0 PID: 1 at arch/powerpc/mm/pgtable.c:194 set_pte_at+0xc/0x1e8
 	CPU: 0 PID: 1 Comm: swapper Not tainted 5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty #682
 	NIP:  c0017cd4 LR: c00187f0 CTR: 00000010
 	REGS: e1011d50 TRAP: 0700   Not tainted  (5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty)
 	MSR:  00029032 <EE,ME,IR,DR,RI>  CR: 42000208  XER: 00000000

 	GPR00: c0165fec e1011e10 c14c0000 c0ee2550 ff800000 c0f3d000 00000000 c001686c
 	GPR08: 00001000 b00045a9 00000001 c0f58460 c0f50000 00000000 c0007e10 00000000
 	GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
 	GPR24: 00000000 00000000 c0ee2550 00000000 c0f57000 00000ff8 00000000 ff800000
 	NIP [c0017cd4] set_pte_at+0xc/0x1e8
 	LR [c00187f0] map_kernel_page+0x9c/0x100
 	Call Trace:
 	[e1011e10] [c0736c68] vsnprintf+0x358/0x6c8 (unreliable)
 	[e1011e30] [c0165fec] __set_fixmap+0x30/0x44
 	[e1011e40] [c0c13bdc] early_iounmap+0x11c/0x170
 	[e1011e70] [c0c06cb0] ioremap_legacy_serial_console+0x88/0xc0
 	[e1011e90] [c0c03634] do_one_initcall+0x80/0x178
 	[e1011ef0] [c0c0385c] kernel_init_freeable+0xb4/0x250
 	[e1011f20] [c0007e34] kernel_init+0x24/0x140
 	[e1011f30] [c0016268] ret_from_kernel_thread+0x5c/0x64
 	Instruction dump:
 	7fe3fb78 48019689 80010014 7c630034 83e1000c 5463d97e 7c0803a6 38210010
 	4e800020 81250000 712a0001 41820008 <0fe00000> 9421ffe0 93e1001c 48000030

 Implement unmap_kernel_page() which clears an existing pte.

 The Linux kernel CVE team has assigned CVE-2021-47623 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.101 with commit 67baac10dd5ad1e9f50e8f2659984b3b0728d54e
 	Fixed in 5.15.24 with commit 43ae0ccc4d2722b833fb59b905af129428e06d03
 	Fixed in 5.16.10 with commit 033fd42c18d9b2121595b6f1e8419a115f9ac5b7
 	Fixed in 5.17 with commit aec982603aa8cc0a21143681feb5f60ecc69d718

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47623
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/include/asm/book3s/32/pgtable.h
 	arch/powerpc/include/asm/book3s/64/pgtable.h
 	arch/powerpc/include/asm/fixmap.h
 	arch/powerpc/include/asm/nohash/32/pgtable.h
 	arch/powerpc/include/asm/nohash/64/pgtable.h
 	arch/powerpc/mm/pgtable.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/67baac10dd5ad1e9f50e8f2659984b3b0728d54e
 	https://git.kernel.org/stable/c/43ae0ccc4d2722b833fb59b905af129428e06d03
 	https://git.kernel.org/stable/c/033fd42c18d9b2121595b6f1e8419a115f9ac5b7
 	https://git.kernel.org/stable/c/aec982603aa8cc0a21143681feb5f60ecc69d718
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47623: powerpc/fixmap: Fix VM debug warning on unmap

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/fixmap: Fix VM debug warning on unmap

	Unmapping a fixmap entry is done by calling __set_fixmap()
	with FIXMAP_PAGE_CLEAR as flags.

	Today, powerpc __set_fixmap() calls map_kernel_page().

	map_kernel_page() is not happy when called a second time
	for the same page.

	WARNING: CPU: 0 PID: 1 at arch/powerpc/mm/pgtable.c:194 set_pte_at+0xc/0x1e8
	CPU: 0 PID: 1 Comm: swapper Not tainted 5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty #682
	NIP: c0017cd4 LR: c00187f0 CTR: 00000010
	REGS: e1011d50 TRAP: 0700 Not tainted (5.16.0-rc3-s3k-dev-01993-g350ff07feb7d-dirty)
	MSR: 00029032 <EE,ME,IR,DR,RI> CR: 42000208 XER: 00000000

	GPR00: c0165fec e1011e10 c14c0000 c0ee2550 ff800000 c0f3d000 00000000 c001686c
	GPR08: 00001000 b00045a9 00000001 c0f58460 c0f50000 00000000 c0007e10 00000000
	GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
	GPR24: 00000000 00000000 c0ee2550 00000000 c0f57000 00000ff8 00000000 ff800000
	NIP [c0017cd4] set_pte_at+0xc/0x1e8
	LR [c00187f0] map_kernel_page+0x9c/0x100
	Call Trace:
	[e1011e10] [c0736c68] vsnprintf+0x358/0x6c8 (unreliable)
	[e1011e30] [c0165fec] __set_fixmap+0x30/0x44
	[e1011e40] [c0c13bdc] early_iounmap+0x11c/0x170
	[e1011e70] [c0c06cb0] ioremap_legacy_serial_console+0x88/0xc0
	[e1011e90] [c0c03634] do_one_initcall+0x80/0x178
	[e1011ef0] [c0c0385c] kernel_init_freeable+0xb4/0x250
	[e1011f20] [c0007e34] kernel_init+0x24/0x140
	[e1011f30] [c0016268] ret_from_kernel_thread+0x5c/0x64
	Instruction dump:
	7fe3fb78 48019689 80010014 7c630034 83e1000c 5463d97e 7c0803a6 38210010
	4e800020 81250000 712a0001 41820008 <0fe00000> 9421ffe0 93e1001c 48000030

	Implement unmap_kernel_page() which clears an existing pte.

	The Linux kernel CVE team has assigned CVE-2021-47623 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.101 with commit 67baac10dd5ad1e9f50e8f2659984b3b0728d54e
	Fixed in 5.15.24 with commit 43ae0ccc4d2722b833fb59b905af129428e06d03
	Fixed in 5.16.10 with commit 033fd42c18d9b2121595b6f1e8419a115f9ac5b7
	Fixed in 5.17 with commit aec982603aa8cc0a21143681feb5f60ecc69d718

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47623
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/include/asm/book3s/32/pgtable.h
	arch/powerpc/include/asm/book3s/64/pgtable.h
	arch/powerpc/include/asm/fixmap.h
	arch/powerpc/include/asm/nohash/32/pgtable.h
	arch/powerpc/include/asm/nohash/64/pgtable.h
	arch/powerpc/mm/pgtable.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/67baac10dd5ad1e9f50e8f2659984b3b0728d54e
	https://git.kernel.org/stable/c/43ae0ccc4d2722b833fb59b905af129428e06d03
	https://git.kernel.org/stable/c/033fd42c18d9b2121595b6f1e8419a115f9ac5b7
	https://git.kernel.org/stable/c/aec982603aa8cc0a21143681feb5f60ecc69d718