cve/published/2024/CVE-2024-26620.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26620: s390/vfio-ap: always filter entire AP matrix

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 s390/vfio-ap: always filter entire AP matrix

 The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or
 domain is assigned to the mdev. The purpose of the function is to update
 the guest's AP configuration by filtering the matrix of adapters and
 domains assigned to the mdev. When an adapter or domain is assigned, only
 the APQNs associated with the APID of the new adapter or APQI of the new
 domain are inspected. If an APQN does not reference a queue device bound to
 the vfio_ap device driver, then it's APID will be filtered from the mdev's
 matrix when updating the guest's AP configuration.

 Inspecting only the APID of the new adapter or APQI of the new domain will
 result in passing AP queues through to a guest that are not bound to the
 vfio_ap device driver under certain circumstances. Consider the following:

 guest's AP configuration (all also assigned to the mdev's matrix):
 14.0004
 14.0005
 14.0006
 16.0004
 16.0005
 16.0006

 unassign domain 4
 unbind queue 16.0005
 assign domain 4

 When domain 4 is re-assigned, since only domain 4 will be inspected, the
 APQNs that will be examined will be:
 14.0004
 16.0004

 Since both of those APQNs reference queue devices that are bound to the
 vfio_ap device driver, nothing will get filtered from the mdev's matrix
 when updating the guest's AP configuration. Consequently, queue 16.0005
 will get passed through despite not being bound to the driver. This
 violates the linux device model requirement that a guest shall only be
 given access to devices bound to the device driver facilitating their
 pass-through.

 To resolve this problem, every adapter and domain assigned to the mdev will
 be inspected when filtering the mdev's matrix.

 The Linux kernel CVE team has assigned CVE-2024-26620 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.0 with commit 48cae940c31d2407d860d87c41d5f9871c0521db and fixed in 6.1.76 with commit d6b8d034b576f406af920a7bee81606c027b24c6
 	Issue introduced in 6.0 with commit 48cae940c31d2407d860d87c41d5f9871c0521db and fixed in 6.6.15 with commit c69d821197611678533fb3eb784fc823b921349a
 	Issue introduced in 6.0 with commit 48cae940c31d2407d860d87c41d5f9871c0521db and fixed in 6.7.3 with commit cdd134d56138302976685e6c7bc4755450b3880e
 	Issue introduced in 6.0 with commit 48cae940c31d2407d860d87c41d5f9871c0521db and fixed in 6.8 with commit 850fb7fa8c684a4c6bf0e4b6978f4ddcc5d43d11

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26620
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/s390/crypto/vfio_ap_ops.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d6b8d034b576f406af920a7bee81606c027b24c6
 	https://git.kernel.org/stable/c/c69d821197611678533fb3eb784fc823b921349a
 	https://git.kernel.org/stable/c/cdd134d56138302976685e6c7bc4755450b3880e
 	https://git.kernel.org/stable/c/850fb7fa8c684a4c6bf0e4b6978f4ddcc5d43d11
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26620: s390/vfio-ap: always filter entire AP matrix

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	s390/vfio-ap: always filter entire AP matrix

	The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or
	domain is assigned to the mdev. The purpose of the function is to update
	the guest's AP configuration by filtering the matrix of adapters and
	domains assigned to the mdev. When an adapter or domain is assigned, only
	the APQNs associated with the APID of the new adapter or APQI of the new
	domain are inspected. If an APQN does not reference a queue device bound to
	the vfio_ap device driver, then it's APID will be filtered from the mdev's
	matrix when updating the guest's AP configuration.

	Inspecting only the APID of the new adapter or APQI of the new domain will
	result in passing AP queues through to a guest that are not bound to the
	vfio_ap device driver under certain circumstances. Consider the following:

	guest's AP configuration (all also assigned to the mdev's matrix):
	14.0004
	14.0005
	14.0006
	16.0004
	16.0005
	16.0006

	unassign domain 4
	unbind queue 16.0005
	assign domain 4

	When domain 4 is re-assigned, since only domain 4 will be inspected, the
	APQNs that will be examined will be:
	14.0004
	16.0004

	Since both of those APQNs reference queue devices that are bound to the
	vfio_ap device driver, nothing will get filtered from the mdev's matrix
	when updating the guest's AP configuration. Consequently, queue 16.0005
	will get passed through despite not being bound to the driver. This
	violates the linux device model requirement that a guest shall only be
	given access to devices bound to the device driver facilitating their
	pass-through.

	To resolve this problem, every adapter and domain assigned to the mdev will
	be inspected when filtering the mdev's matrix.

	The Linux kernel CVE team has assigned CVE-2024-26620 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.0 with commit 48cae940c31d2407d860d87c41d5f9871c0521db and fixed in 6.1.76 with commit d6b8d034b576f406af920a7bee81606c027b24c6
	Issue introduced in 6.0 with commit 48cae940c31d2407d860d87c41d5f9871c0521db and fixed in 6.6.15 with commit c69d821197611678533fb3eb784fc823b921349a
	Issue introduced in 6.0 with commit 48cae940c31d2407d860d87c41d5f9871c0521db and fixed in 6.7.3 with commit cdd134d56138302976685e6c7bc4755450b3880e
	Issue introduced in 6.0 with commit 48cae940c31d2407d860d87c41d5f9871c0521db and fixed in 6.8 with commit 850fb7fa8c684a4c6bf0e4b6978f4ddcc5d43d11

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26620
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/s390/crypto/vfio_ap_ops.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d6b8d034b576f406af920a7bee81606c027b24c6
	https://git.kernel.org/stable/c/c69d821197611678533fb3eb784fc823b921349a
	https://git.kernel.org/stable/c/cdd134d56138302976685e6c7bc4755450b3880e
	https://git.kernel.org/stable/c/850fb7fa8c684a4c6bf0e4b6978f4ddcc5d43d11