cve/published/2024/CVE-2024-35980.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35980: arm64: tlb: Fix TLBI RANGE operand

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 arm64: tlb: Fix TLBI RANGE operand

 KVM/arm64 relies on TLBI RANGE feature to flush TLBs when the dirty
 pages are collected by VMM and the page table entries become write
 protected during live migration. Unfortunately, the operand passed
 to the TLBI RANGE instruction isn't correctly sorted out due to the
 commit 117940aa6e5f ("KVM: arm64: Define kvm_tlb_flush_vmid_range()").
 It leads to crash on the destination VM after live migration because
 TLBs aren't flushed completely and some of the dirty pages are missed.

 For example, I have a VM where 8GB memory is assigned, starting from
 0x40000000 (1GB). Note that the host has 4KB as the base page size.
 In the middile of migration, kvm_tlb_flush_vmid_range() is executed
 to flush TLBs. It passes MAX_TLBI_RANGE_PAGES as the argument to
 __kvm_tlb_flush_vmid_range() and __flush_s2_tlb_range_op(). SCALE#3
 and NUM#31, corresponding to MAX_TLBI_RANGE_PAGES, isn't supported
 by __TLBI_RANGE_NUM(). In this specific case, -1 has been returned
 from __TLBI_RANGE_NUM() for SCALE#3/2/1/0 and rejected by the loop
 in the __flush_tlb_range_op() until the variable @scale underflows
 and becomes -9, 0xffff708000040000 is set as the operand. The operand
 is wrong since it's sorted out by __TLBI_VADDR_RANGE() according to
 invalid @scale and @num.

 Fix it by extending __TLBI_RANGE_NUM() to support the combination of
 SCALE#3 and NUM#31. With the changes, [-1 31] instead of [-1 30] can
 be returned from the macro, meaning the TLBs for 0x200000 pages in the
 above example can be flushed in one shoot with SCALE#3 and NUM#31. The
 macro TLBI_RANGE_MASK is dropped since no one uses it any more. The
 comments are also adjusted accordingly.

 The Linux kernel CVE team has assigned CVE-2024-35980 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6 with commit 117940aa6e5f8308f1529e1313660980f1dae771 and fixed in 6.6.29 with commit ac4ad513de4fba18b4ac0ace132777d0910e8cfa
 	Issue introduced in 6.6 with commit 117940aa6e5f8308f1529e1313660980f1dae771 and fixed in 6.8.7 with commit 944db7b536baaf49d7e576af36a94f4719552b07
 	Issue introduced in 6.6 with commit 117940aa6e5f8308f1529e1313660980f1dae771 and fixed in 6.9 with commit e3ba51ab24fddef79fc212f9840de54db8fd1685

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35980
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm64/include/asm/tlbflush.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ac4ad513de4fba18b4ac0ace132777d0910e8cfa
 	https://git.kernel.org/stable/c/944db7b536baaf49d7e576af36a94f4719552b07
 	https://git.kernel.org/stable/c/e3ba51ab24fddef79fc212f9840de54db8fd1685
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35980: arm64: tlb: Fix TLBI RANGE operand

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	arm64: tlb: Fix TLBI RANGE operand

	KVM/arm64 relies on TLBI RANGE feature to flush TLBs when the dirty
	pages are collected by VMM and the page table entries become write
	protected during live migration. Unfortunately, the operand passed
	to the TLBI RANGE instruction isn't correctly sorted out due to the
	commit 117940aa6e5f ("KVM: arm64: Define kvm_tlb_flush_vmid_range()").
	It leads to crash on the destination VM after live migration because
	TLBs aren't flushed completely and some of the dirty pages are missed.

	For example, I have a VM where 8GB memory is assigned, starting from
	0x40000000 (1GB). Note that the host has 4KB as the base page size.
	In the middile of migration, kvm_tlb_flush_vmid_range() is executed
	to flush TLBs. It passes MAX_TLBI_RANGE_PAGES as the argument to
	__kvm_tlb_flush_vmid_range() and __flush_s2_tlb_range_op(). SCALE#3
	and NUM#31, corresponding to MAX_TLBI_RANGE_PAGES, isn't supported
	by __TLBI_RANGE_NUM(). In this specific case, -1 has been returned
	from __TLBI_RANGE_NUM() for SCALE#3/2/1/0 and rejected by the loop
	in the __flush_tlb_range_op() until the variable @scale underflows
	and becomes -9, 0xffff708000040000 is set as the operand. The operand
	is wrong since it's sorted out by __TLBI_VADDR_RANGE() according to
	invalid @scale and @num.

	Fix it by extending __TLBI_RANGE_NUM() to support the combination of
	SCALE#3 and NUM#31. With the changes, [-1 31] instead of [-1 30] can
	be returned from the macro, meaning the TLBs for 0x200000 pages in the
	above example can be flushed in one shoot with SCALE#3 and NUM#31. The
	macro TLBI_RANGE_MASK is dropped since no one uses it any more. The
	comments are also adjusted accordingly.

	The Linux kernel CVE team has assigned CVE-2024-35980 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6 with commit 117940aa6e5f8308f1529e1313660980f1dae771 and fixed in 6.6.29 with commit ac4ad513de4fba18b4ac0ace132777d0910e8cfa
	Issue introduced in 6.6 with commit 117940aa6e5f8308f1529e1313660980f1dae771 and fixed in 6.8.7 with commit 944db7b536baaf49d7e576af36a94f4719552b07
	Issue introduced in 6.6 with commit 117940aa6e5f8308f1529e1313660980f1dae771 and fixed in 6.9 with commit e3ba51ab24fddef79fc212f9840de54db8fd1685

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35980
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm64/include/asm/tlbflush.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ac4ad513de4fba18b4ac0ace132777d0910e8cfa
	https://git.kernel.org/stable/c/944db7b536baaf49d7e576af36a94f4719552b07
	https://git.kernel.org/stable/c/e3ba51ab24fddef79fc212f9840de54db8fd1685