cve/published/2024/CVE-2024-44965.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-44965: x86/mm: Fix pti_clone_pgtable() alignment assumption

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/mm: Fix pti_clone_pgtable() alignment assumption

 Guenter reported dodgy crashes on an i386-nosmp build using GCC-11
 that had the form of endless traps until entry stack exhaust and then
 #DF from the stack guard.

 It turned out that pti_clone_pgtable() had alignment assumptions on
 the start address, notably it hard assumes start is PMD aligned. This
 is true on x86_64, but very much not true on i386.

 These assumptions can cause the end condition to malfunction, leading
 to a 'short' clone. Guess what happens when the user mapping has a
 short copy of the entry text?

 Use the correct increment form for addr to avoid alignment
 assumptions.

 The Linux kernel CVE team has assigned CVE-2024-44965 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 4.19.320 with commit 18da1b27ce16a14a9b636af9232acb4fb24f4c9e
 	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 5.4.282 with commit 25a727233a40a9b33370eec9f0cad67d8fd312f8
 	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 5.10.224 with commit d00c9b4bbc442d99e1dafbdfdab848bc1ead73f6
 	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 5.15.165 with commit 4d143ae782009b43b4f366402e5c37f59d4e4346
 	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 6.1.105 with commit 5c580c1050bcbc15c3e78090859d798dcf8c9763
 	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 6.6.46 with commit ca07aab70dd3b5e7fddb62d7a6ecd7a7d6d0b2ed
 	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 6.10.5 with commit df3eecb5496f87263d171b254ca6e2758ab3c35c
 	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 6.11 with commit 41e71dbb0e0a0fe214545fe64af031303a08524c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-44965
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/mm/pti.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/18da1b27ce16a14a9b636af9232acb4fb24f4c9e
 	https://git.kernel.org/stable/c/25a727233a40a9b33370eec9f0cad67d8fd312f8
 	https://git.kernel.org/stable/c/d00c9b4bbc442d99e1dafbdfdab848bc1ead73f6
 	https://git.kernel.org/stable/c/4d143ae782009b43b4f366402e5c37f59d4e4346
 	https://git.kernel.org/stable/c/5c580c1050bcbc15c3e78090859d798dcf8c9763
 	https://git.kernel.org/stable/c/ca07aab70dd3b5e7fddb62d7a6ecd7a7d6d0b2ed
 	https://git.kernel.org/stable/c/df3eecb5496f87263d171b254ca6e2758ab3c35c
 	https://git.kernel.org/stable/c/41e71dbb0e0a0fe214545fe64af031303a08524c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-44965: x86/mm: Fix pti_clone_pgtable() alignment assumption

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/mm: Fix pti_clone_pgtable() alignment assumption

	Guenter reported dodgy crashes on an i386-nosmp build using GCC-11
	that had the form of endless traps until entry stack exhaust and then
	#DF from the stack guard.

	It turned out that pti_clone_pgtable() had alignment assumptions on
	the start address, notably it hard assumes start is PMD aligned. This
	is true on x86_64, but very much not true on i386.

	These assumptions can cause the end condition to malfunction, leading
	to a 'short' clone. Guess what happens when the user mapping has a
	short copy of the entry text?

	Use the correct increment form for addr to avoid alignment
	assumptions.

	The Linux kernel CVE team has assigned CVE-2024-44965 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 4.19.320 with commit 18da1b27ce16a14a9b636af9232acb4fb24f4c9e
	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 5.4.282 with commit 25a727233a40a9b33370eec9f0cad67d8fd312f8
	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 5.10.224 with commit d00c9b4bbc442d99e1dafbdfdab848bc1ead73f6
	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 5.15.165 with commit 4d143ae782009b43b4f366402e5c37f59d4e4346
	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 6.1.105 with commit 5c580c1050bcbc15c3e78090859d798dcf8c9763
	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 6.6.46 with commit ca07aab70dd3b5e7fddb62d7a6ecd7a7d6d0b2ed
	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 6.10.5 with commit df3eecb5496f87263d171b254ca6e2758ab3c35c
	Issue introduced in 4.19 with commit 16a3fe634f6a568c6234b8747e5d50487fed3526 and fixed in 6.11 with commit 41e71dbb0e0a0fe214545fe64af031303a08524c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-44965
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/mm/pti.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/18da1b27ce16a14a9b636af9232acb4fb24f4c9e
	https://git.kernel.org/stable/c/25a727233a40a9b33370eec9f0cad67d8fd312f8
	https://git.kernel.org/stable/c/d00c9b4bbc442d99e1dafbdfdab848bc1ead73f6
	https://git.kernel.org/stable/c/4d143ae782009b43b4f366402e5c37f59d4e4346
	https://git.kernel.org/stable/c/5c580c1050bcbc15c3e78090859d798dcf8c9763
	https://git.kernel.org/stable/c/ca07aab70dd3b5e7fddb62d7a6ecd7a7d6d0b2ed
	https://git.kernel.org/stable/c/df3eecb5496f87263d171b254ca6e2758ab3c35c
	https://git.kernel.org/stable/c/41e71dbb0e0a0fe214545fe64af031303a08524c