cve/published/2024/CVE-2024-41065.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41065: powerpc/pseries: Whitelist dtl slub object for copying to userspace

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/pseries: Whitelist dtl slub object for copying to userspace

 Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*
 results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as
 shown below.

     kernel BUG at mm/usercopy.c:102!
     Oops: Exception in kernel mode, sig: 5 [#1]
     LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
     Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc
     scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse
     CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85
     Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries
     NIP:  c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8
     REGS: c000000120c078c0 TRAP: 0700   Not tainted  (6.10.0-rc3)
     MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 2828220f  XER: 0000000e
     CFAR: c0000000001fdc80 IRQMASK: 0
     [ ... GPRs omitted ... ]
     NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0
     LR [c0000000005d23d0] usercopy_abort+0x74/0xb0
     Call Trace:
      usercopy_abort+0x74/0xb0 (unreliable)
      __check_heap_object+0xf8/0x120
      check_heap_object+0x218/0x240
      __check_object_size+0x84/0x1a4
      dtl_file_read+0x17c/0x2c4
      full_proxy_read+0x8c/0x110
      vfs_read+0xdc/0x3a0
      ksys_read+0x84/0x144
      system_call_exception+0x124/0x330
      system_call_vectored_common+0x15c/0x2ec
     --- interrupt: 3000 at 0x7fff81f3ab34

 Commit 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
 requires that only whitelisted areas in slab/slub objects can be copied to
 userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.
 Dtl contains hypervisor dispatch events which are expected to be read by
 privileged users. Hence mark this safe for user access.
 Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the
 entire object.

 The Linux kernel CVE team has assigned CVE-2024-41065 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.4.281 with commit a7b952941ce07e1e7a2cafd08c64a98e14f553e6
 	Fixed in 5.10.223 with commit 6b16098148ea58a67430d90e20476be2377c3acd
 	Fixed in 5.15.164 with commit e59822f9d700349cd17968d22c979db23a2d347f
 	Fixed in 6.1.101 with commit 1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2
 	Fixed in 6.6.42 with commit e512a59b472684d8585125101ab03b86c2c1348a
 	Fixed in 6.9.11 with commit 0f5892212c27be31792ef1daa89c8dac1b3047e4
 	Fixed in 6.10 with commit 1a14150e1656f7a332a943154fc486504db4d586

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41065
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/platforms/pseries/setup.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6
 	https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd
 	https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f
 	https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2
 	https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a
 	https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4
 	https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41065: powerpc/pseries: Whitelist dtl slub object for copying to userspace

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/pseries: Whitelist dtl slub object for copying to userspace

	Reading the dispatch trace log from /sys/kernel/debug/powerpc/dtl/cpu-*
	results in a BUG() when the config CONFIG_HARDENED_USERCOPY is enabled as
	shown below.

	kernel BUG at mm/usercopy.c:102!
	Oops: Exception in kernel mode, sig: 5 [#1]
	LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
	Modules linked in: xfs libcrc32c dm_service_time sd_mod t10_pi sg ibmvfc
	scsi_transport_fc ibmveth pseries_wdt dm_multipath dm_mirror dm_region_hash dm_log dm_mod fuse
	CPU: 27 PID: 1815 Comm: python3 Not tainted 6.10.0-rc3 #85
	Hardware name: IBM,9040-MRX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NM1060_042) hv:phyp pSeries
	NIP: c0000000005d23d4 LR: c0000000005d23d0 CTR: 00000000006ee6f8
	REGS: c000000120c078c0 TRAP: 0700 Not tainted (6.10.0-rc3)
	MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 2828220f XER: 0000000e
	CFAR: c0000000001fdc80 IRQMASK: 0
	[ ... GPRs omitted ... ]
	NIP [c0000000005d23d4] usercopy_abort+0x78/0xb0
	LR [c0000000005d23d0] usercopy_abort+0x74/0xb0
	Call Trace:
	usercopy_abort+0x74/0xb0 (unreliable)
	__check_heap_object+0xf8/0x120
	check_heap_object+0x218/0x240
	__check_object_size+0x84/0x1a4
	dtl_file_read+0x17c/0x2c4
	full_proxy_read+0x8c/0x110
	vfs_read+0xdc/0x3a0
	ksys_read+0x84/0x144
	system_call_exception+0x124/0x330
	system_call_vectored_common+0x15c/0x2ec
	--- interrupt: 3000 at 0x7fff81f3ab34

	Commit 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
	requires that only whitelisted areas in slab/slub objects can be copied to
	userspace when usercopy hardening is enabled using CONFIG_HARDENED_USERCOPY.
	Dtl contains hypervisor dispatch events which are expected to be read by
	privileged users. Hence mark this safe for user access.
	Specify useroffset=0 and usersize=DISPATCH_LOG_BYTES to whitelist the
	entire object.

	The Linux kernel CVE team has assigned CVE-2024-41065 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.4.281 with commit a7b952941ce07e1e7a2cafd08c64a98e14f553e6
	Fixed in 5.10.223 with commit 6b16098148ea58a67430d90e20476be2377c3acd
	Fixed in 5.15.164 with commit e59822f9d700349cd17968d22c979db23a2d347f
	Fixed in 6.1.101 with commit 1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2
	Fixed in 6.6.42 with commit e512a59b472684d8585125101ab03b86c2c1348a
	Fixed in 6.9.11 with commit 0f5892212c27be31792ef1daa89c8dac1b3047e4
	Fixed in 6.10 with commit 1a14150e1656f7a332a943154fc486504db4d586

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41065
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/platforms/pseries/setup.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a7b952941ce07e1e7a2cafd08c64a98e14f553e6
	https://git.kernel.org/stable/c/6b16098148ea58a67430d90e20476be2377c3acd
	https://git.kernel.org/stable/c/e59822f9d700349cd17968d22c979db23a2d347f
	https://git.kernel.org/stable/c/1ee68686d1e2a5da35d5650be0be1ce06fe2ceb2
	https://git.kernel.org/stable/c/e512a59b472684d8585125101ab03b86c2c1348a
	https://git.kernel.org/stable/c/0f5892212c27be31792ef1daa89c8dac1b3047e4
	https://git.kernel.org/stable/c/1a14150e1656f7a332a943154fc486504db4d586