cve/published/2024/CVE-2024-42240.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42240: x86/bhi: Avoid warning in #DB handler due to BHI mitigation

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/bhi: Avoid warning in #DB handler due to BHI mitigation

 When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
 then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
 clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
 (exc_debug_kernel()) to issue a warning because single-step is used outside the
 entry_SYSENTER_compat() function.

 To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
 after making sure the TF flag is cleared.

 The problem can be reproduced with the following sequence:

   $ cat sysenter_step.c
   int main()
   { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }

   $ gcc -o sysenter_step sysenter_step.c

   $ ./sysenter_step
   Segmentation fault (core dumped)

 The program is expected to crash, and the #DB handler will issue a warning.

 Kernel log:

   WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
   ...
   RIP: 0010:exc_debug_kernel+0xd2/0x160
   ...
   Call Trace:
   <#DB>
    ? show_regs+0x68/0x80
    ? __warn+0x8c/0x140
    ? exc_debug_kernel+0xd2/0x160
    ? report_bug+0x175/0x1a0
    ? handle_bug+0x44/0x90
    ? exc_invalid_op+0x1c/0x70
    ? asm_exc_invalid_op+0x1f/0x30
    ? exc_debug_kernel+0xd2/0x160
    exc_debug+0x43/0x50
    asm_exc_debug+0x1e/0x40
   RIP: 0010:clear_bhb_loop+0x0/0xb0
   ...
   </#DB>
   <TASK>
    ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
   </TASK>

   [ bp: Massage commit message. ]

 The Linux kernel CVE team has assigned CVE-2024-42240 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.154 with commit bd53ec80f21839cfd4d852a6088279d602d67e5b and fixed in 5.15.163 with commit db56615e96c439e13783d7715330e824b4fd4b84
 	Issue introduced in 6.1.85 with commit 07dbb10f153f483e8249acebdffedf922e2ec2e1 and fixed in 6.1.100 with commit a765679defe1dc1b8fa01928a6ad6361e72a1364
 	Issue introduced in 6.6.26 with commit eb36b0dce2138581bc6b5e39d0273cb4c96ded81 and fixed in 6.6.41 with commit dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf
 	Issue introduced in 6.9 with commit 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 and fixed in 6.9.10 with commit 08518d48e5b744620524f0acd7c26c19bda7f513
 	Issue introduced in 6.9 with commit 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 and fixed in 6.10 with commit ac8b270b61d48fcc61f052097777e3b5e11591e0
 	Issue introduced in 6.8.5 with commit 8f51637712e4da5be410a1666f8aee0d86eef898

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42240
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/entry/entry_64_compat.S


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84
 	https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364
 	https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf
 	https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513
 	https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42240: x86/bhi: Avoid warning in #DB handler due to BHI mitigation

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/bhi: Avoid warning in #DB handler due to BHI mitigation

	When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
	then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
	clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
	(exc_debug_kernel()) to issue a warning because single-step is used outside the
	entry_SYSENTER_compat() function.

	To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
	after making sure the TF flag is cleared.

	The problem can be reproduced with the following sequence:

	$ cat sysenter_step.c
	int main()
	{ asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }

	$ gcc -o sysenter_step sysenter_step.c

	$ ./sysenter_step
	Segmentation fault (core dumped)

	The program is expected to crash, and the #DB handler will issue a warning.

	Kernel log:

	WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
	...
	RIP: 0010:exc_debug_kernel+0xd2/0x160
	...
	Call Trace:
	<#DB>
	? show_regs+0x68/0x80
	? __warn+0x8c/0x140
	? exc_debug_kernel+0xd2/0x160
	? report_bug+0x175/0x1a0
	? handle_bug+0x44/0x90
	? exc_invalid_op+0x1c/0x70
	? asm_exc_invalid_op+0x1f/0x30
	? exc_debug_kernel+0xd2/0x160
	exc_debug+0x43/0x50
	asm_exc_debug+0x1e/0x40
	RIP: 0010:clear_bhb_loop+0x0/0xb0
	...
	</#DB>
	<TASK>
	? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
	</TASK>

	[ bp: Massage commit message. ]

	The Linux kernel CVE team has assigned CVE-2024-42240 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.154 with commit bd53ec80f21839cfd4d852a6088279d602d67e5b and fixed in 5.15.163 with commit db56615e96c439e13783d7715330e824b4fd4b84
	Issue introduced in 6.1.85 with commit 07dbb10f153f483e8249acebdffedf922e2ec2e1 and fixed in 6.1.100 with commit a765679defe1dc1b8fa01928a6ad6361e72a1364
	Issue introduced in 6.6.26 with commit eb36b0dce2138581bc6b5e39d0273cb4c96ded81 and fixed in 6.6.41 with commit dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf
	Issue introduced in 6.9 with commit 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 and fixed in 6.9.10 with commit 08518d48e5b744620524f0acd7c26c19bda7f513
	Issue introduced in 6.9 with commit 7390db8aea0d64e9deb28b8e1ce716f5020c7ee5 and fixed in 6.10 with commit ac8b270b61d48fcc61f052097777e3b5e11591e0
	Issue introduced in 6.8.5 with commit 8f51637712e4da5be410a1666f8aee0d86eef898

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42240
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/entry/entry_64_compat.S


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/db56615e96c439e13783d7715330e824b4fd4b84
	https://git.kernel.org/stable/c/a765679defe1dc1b8fa01928a6ad6361e72a1364
	https://git.kernel.org/stable/c/dae3543db8f0cf8ac1a198c3bb4b6e3c24d576cf
	https://git.kernel.org/stable/c/08518d48e5b744620524f0acd7c26c19bda7f513
	https://git.kernel.org/stable/c/ac8b270b61d48fcc61f052097777e3b5e11591e0