cve/published/2024/CVE-2024-26768.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26768: LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]

 With default config, the value of NR_CPUS is 64. When HW platform has
 more then 64 cpus, system will crash on these platforms. MAX_CORE_PIC
 is the maximum cpu number in MADT table (max physical number) which can
 exceed the supported maximum cpu number (NR_CPUS, max logical number),
 but kernel should not crash. Kernel should boot cpus with NR_CPUS, let
 the remainder cpus stay in BIOS.

 The potential crash reason is that the array acpi_core_pic[NR_CPUS] can
 be overflowed when parsing MADT table, and it is obvious that CORE_PIC
 should be corresponding to physical core rather than logical core, so it
 is better to define the array as acpi_core_pic[MAX_CORE_PIC].

 With the patch, system can boot up 64 vcpus with qemu parameter -smp 128,
 otherwise system will crash with the following message.

 [    0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec
 [    0.000000] Oops[#1]:
 [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192
 [    0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
 [    0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60
 [    0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8
 [    0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005
 [    0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001
 [    0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063
 [    0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98
 [    0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90
 [    0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330
 [    0.000000]    ra: 90000000037a46ec platform_init+0x214/0x250
 [    0.000000]   ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94
 [    0.000000]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
 [    0.000000]  PRMD: 00000000 (PPLV0 -PIE -PWE)
 [    0.000000]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
 [    0.000000]  ECFG: 00070800 (LIE=11 VS=7)
 [    0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
 [    0.000000]  BADV: 0000420000004259
 [    0.000000]  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
 [    0.000000] Modules linked in:
 [    0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))
 [    0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec
 [    0.000000]         000000000a7fd000 0000000008290000 0000000000000000 0000000000000000
 [    0.000000]         0000000000000000 0000000000000000 00000000019d8000 000000000f556b60
 [    0.000000]         000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000
 [    0.000000]         9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c
 [    0.000000]         000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08
 [    0.000000]         9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018
 [    0.000000]         000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000
 [    0.000000]         0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000
 [    0.000000]         000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000
 [    0.000000]         ...
 [    0.000000] Call Trace:
 [    0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94
 [    0.000000] [<90000000037a46ec>] platform_init+0x214/0x250
 [    0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c
 [    0.000000] [<90000000037a0790>] start_kernel+0x90/0x670
 [    0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc

 The Linux kernel CVE team has assigned CVE-2024-26768 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.6.19 with commit 88e189bd16e5889e44a41b3309558ebab78b9280
 	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.7.7 with commit 0f6810e39898af2d2cabd9313e4dbc945fb5dfdd
 	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.8 with commit 4551b30525cf3d2f026b92401ffe241eb04dfebe

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26768
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/loongarch/include/asm/acpi.h
 	arch/loongarch/kernel/acpi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280
 	https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd
 	https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26768: LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]

	With default config, the value of NR_CPUS is 64. When HW platform has
	more then 64 cpus, system will crash on these platforms. MAX_CORE_PIC
	is the maximum cpu number in MADT table (max physical number) which can
	exceed the supported maximum cpu number (NR_CPUS, max logical number),
	but kernel should not crash. Kernel should boot cpus with NR_CPUS, let
	the remainder cpus stay in BIOS.

	The potential crash reason is that the array acpi_core_pic[NR_CPUS] can
	be overflowed when parsing MADT table, and it is obvious that CORE_PIC
	should be corresponding to physical core rather than logical core, so it
	is better to define the array as acpi_core_pic[MAX_CORE_PIC].

	With the patch, system can boot up 64 vcpus with qemu parameter -smp 128,
	otherwise system will crash with the following message.

	[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec
	[ 0.000000] Oops[#1]:
	[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192
	[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
	[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60
	[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8
	[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005
	[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001
	[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063
	[ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98
	[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90
	[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330
	[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250
	[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94
	[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
	[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)
	[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
	[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)
	[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
	[ 0.000000] BADV: 0000420000004259
	[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)
	[ 0.000000] Modules linked in:
	[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))
	[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec
	[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000
	[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60
	[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000
	[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c
	[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08
	[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018
	[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000
	[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000
	[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000
	[ 0.000000] ...
	[ 0.000000] Call Trace:
	[ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94
	[ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250
	[ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c
	[ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670
	[ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc

	The Linux kernel CVE team has assigned CVE-2024-26768 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.6.19 with commit 88e189bd16e5889e44a41b3309558ebab78b9280
	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.7.7 with commit 0f6810e39898af2d2cabd9313e4dbc945fb5dfdd
	Issue introduced in 5.19 with commit fa96b57c149061f71a70bd6582d995f6424fbbf4 and fixed in 6.8 with commit 4551b30525cf3d2f026b92401ffe241eb04dfebe

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26768
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/loongarch/include/asm/acpi.h
	arch/loongarch/kernel/acpi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280
	https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd
	https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe