cve/published/2024/CVE-2024-35995.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35995: ACPI: CPPC: Use access_width over bit_width for system memory accesses

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ACPI: CPPC: Use access_width over bit_width for system memory accesses

 To align with ACPI 6.3+, since bit_width can be any 8-bit value, it
 cannot be depended on to be always on a clean 8b boundary. This was
 uncovered on the Cobalt 100 platform.

 SError Interrupt on CPU26, code 0xbe000011 -- SError
  CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1
  Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION
  pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
  pc : cppc_get_perf_caps+0xec/0x410
  lr : cppc_get_perf_caps+0xe8/0x410
  sp : ffff8000155ab730
  x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078
  x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff
  x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000
  x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff
  x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008
  x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006
  x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec
  x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028
  x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff
  x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000
  Kernel panic - not syncing: Asynchronous SError Interrupt
  CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted
 5.15.2.1-13 #1
  Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION
  Call trace:
   dump_backtrace+0x0/0x1e0
   show_stack+0x24/0x30
   dump_stack_lvl+0x8c/0xb8
   dump_stack+0x18/0x34
   panic+0x16c/0x384
   add_taint+0x0/0xc0
   arm64_serror_panic+0x7c/0x90
   arm64_is_fatal_ras_serror+0x34/0xa4
   do_serror+0x50/0x6c
   el1h_64_error_handler+0x40/0x74
   el1h_64_error+0x7c/0x80
   cppc_get_perf_caps+0xec/0x410
   cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]
   cpufreq_online+0x2dc/0xa30
   cpufreq_add_dev+0xc0/0xd4
   subsys_interface_register+0x134/0x14c
   cpufreq_register_driver+0x1b0/0x354
   cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]
   do_one_initcall+0x50/0x250
   do_init_module+0x60/0x27c
   load_module+0x2300/0x2570
   __do_sys_finit_module+0xa8/0x114
   __arm64_sys_finit_module+0x2c/0x3c
   invoke_syscall+0x78/0x100
   el0_svc_common.constprop.0+0x180/0x1a0
   do_el0_svc+0x84/0xa0
   el0_svc+0x2c/0xc0
   el0t_64_sync_handler+0xa4/0x12c
   el0t_64_sync+0x1a4/0x1a8

 Instead, use access_width to determine the size and use the offset and
 width to shift and mask the bits to read/write out. Make sure to add a
 check for system memory since pcc redefines the access_width to
 subspace id.

 If access_width is not set, then fall back to using bit_width.

 [ rjw: Subject and changelog edits, comment adjustments ]

 The Linux kernel CVE team has assigned CVE-2024-35995 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 6.1.90 with commit 01fc53be672acae37e611c80cc0b4f3939584de3
 	Fixed in 6.6.30 with commit 1b890ae474d19800a6be1696df7fb4d9a41676e4
 	Fixed in 6.8.9 with commit 6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1
 	Fixed in 6.9 with commit 2f4a4d63a193be6fd530d180bb13c3592052904c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35995
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/acpi/cppc_acpi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3
 	https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4
 	https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1
 	https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35995: ACPI: CPPC: Use access_width over bit_width for system memory accesses

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ACPI: CPPC: Use access_width over bit_width for system memory accesses

	To align with ACPI 6.3+, since bit_width can be any 8-bit value, it
	cannot be depended on to be always on a clean 8b boundary. This was
	uncovered on the Cobalt 100 platform.

	SError Interrupt on CPU26, code 0xbe000011 -- SError
	CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1
	Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION
	pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
	pc : cppc_get_perf_caps+0xec/0x410
	lr : cppc_get_perf_caps+0xe8/0x410
	sp : ffff8000155ab730
	x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078
	x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff
	x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000
	x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff
	x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008
	x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006
	x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec
	x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028
	x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff
	x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000
	Kernel panic - not syncing: Asynchronous SError Interrupt
	CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted
	5.15.2.1-13 #1
	Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION
	Call trace:
	dump_backtrace+0x0/0x1e0
	show_stack+0x24/0x30
	dump_stack_lvl+0x8c/0xb8
	dump_stack+0x18/0x34
	panic+0x16c/0x384
	add_taint+0x0/0xc0
	arm64_serror_panic+0x7c/0x90
	arm64_is_fatal_ras_serror+0x34/0xa4
	do_serror+0x50/0x6c
	el1h_64_error_handler+0x40/0x74
	el1h_64_error+0x7c/0x80
	cppc_get_perf_caps+0xec/0x410
	cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]
	cpufreq_online+0x2dc/0xa30
	cpufreq_add_dev+0xc0/0xd4
	subsys_interface_register+0x134/0x14c
	cpufreq_register_driver+0x1b0/0x354
	cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]
	do_one_initcall+0x50/0x250
	do_init_module+0x60/0x27c
	load_module+0x2300/0x2570
	__do_sys_finit_module+0xa8/0x114
	__arm64_sys_finit_module+0x2c/0x3c
	invoke_syscall+0x78/0x100
	el0_svc_common.constprop.0+0x180/0x1a0
	do_el0_svc+0x84/0xa0
	el0_svc+0x2c/0xc0
	el0t_64_sync_handler+0xa4/0x12c
	el0t_64_sync+0x1a4/0x1a8

	Instead, use access_width to determine the size and use the offset and
	width to shift and mask the bits to read/write out. Make sure to add a
	check for system memory since pcc redefines the access_width to
	subspace id.

	If access_width is not set, then fall back to using bit_width.

	[ rjw: Subject and changelog edits, comment adjustments ]

	The Linux kernel CVE team has assigned CVE-2024-35995 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 6.1.90 with commit 01fc53be672acae37e611c80cc0b4f3939584de3
	Fixed in 6.6.30 with commit 1b890ae474d19800a6be1696df7fb4d9a41676e4
	Fixed in 6.8.9 with commit 6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1
	Fixed in 6.9 with commit 2f4a4d63a193be6fd530d180bb13c3592052904c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35995
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/acpi/cppc_acpi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3
	https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4
	https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1
	https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c