cve/published/2024/CVE-2024-26618.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26618: arm64/sme: Always exit sme_alloc() early with existing storage

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 arm64/sme: Always exit sme_alloc() early with existing storage

 When sme_alloc() is called with existing storage and we are not flushing we
 will always allocate new storage, both leaking the existing storage and
 corrupting the state. Fix this by separating the checks for flushing and
 for existing storage as we do for SVE.

 Callers that reallocate (eg, due to changing the vector length) should
 call sme_free() themselves.

 The Linux kernel CVE team has assigned CVE-2024-26618 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.47 with commit 21614ba60883eb93b99a7ee4b41cb927f93b39ae and fixed in 6.1.140 with commit f6421555dbd7cb3d4d70b69f33f998aaeca1e3b5
 	Issue introduced in 6.5 with commit 5d0a8d2fba50e9c07cde4aad7fba28c008b07a5b and fixed in 6.6.15 with commit 569156e4fa347237f8fa2a7e935d860109c55ac4
 	Issue introduced in 6.5 with commit 5d0a8d2fba50e9c07cde4aad7fba28c008b07a5b and fixed in 6.7.3 with commit 814af6b4e6000e574e74d92197190edf07cc3680
 	Issue introduced in 6.5 with commit 5d0a8d2fba50e9c07cde4aad7fba28c008b07a5b and fixed in 6.8 with commit dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9
 	Issue introduced in 6.4.12 with commit e01af8e26c23a08625a3dd6c8c472a1752d76cce

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26618
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm64/kernel/fpsimd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/f6421555dbd7cb3d4d70b69f33f998aaeca1e3b5
 	https://git.kernel.org/stable/c/569156e4fa347237f8fa2a7e935d860109c55ac4
 	https://git.kernel.org/stable/c/814af6b4e6000e574e74d92197190edf07cc3680
 	https://git.kernel.org/stable/c/dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26618: arm64/sme: Always exit sme_alloc() early with existing storage

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	arm64/sme: Always exit sme_alloc() early with existing storage

	When sme_alloc() is called with existing storage and we are not flushing we
	will always allocate new storage, both leaking the existing storage and
	corrupting the state. Fix this by separating the checks for flushing and
	for existing storage as we do for SVE.

	Callers that reallocate (eg, due to changing the vector length) should
	call sme_free() themselves.

	The Linux kernel CVE team has assigned CVE-2024-26618 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.47 with commit 21614ba60883eb93b99a7ee4b41cb927f93b39ae and fixed in 6.1.140 with commit f6421555dbd7cb3d4d70b69f33f998aaeca1e3b5
	Issue introduced in 6.5 with commit 5d0a8d2fba50e9c07cde4aad7fba28c008b07a5b and fixed in 6.6.15 with commit 569156e4fa347237f8fa2a7e935d860109c55ac4
	Issue introduced in 6.5 with commit 5d0a8d2fba50e9c07cde4aad7fba28c008b07a5b and fixed in 6.7.3 with commit 814af6b4e6000e574e74d92197190edf07cc3680
	Issue introduced in 6.5 with commit 5d0a8d2fba50e9c07cde4aad7fba28c008b07a5b and fixed in 6.8 with commit dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9
	Issue introduced in 6.4.12 with commit e01af8e26c23a08625a3dd6c8c472a1752d76cce

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26618
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm64/kernel/fpsimd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/f6421555dbd7cb3d4d70b69f33f998aaeca1e3b5
	https://git.kernel.org/stable/c/569156e4fa347237f8fa2a7e935d860109c55ac4
	https://git.kernel.org/stable/c/814af6b4e6000e574e74d92197190edf07cc3680
	https://git.kernel.org/stable/c/dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9