cve/published/2024/CVE-2024-50072.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50072: x86/bugs: Use code segment selector for VERW operand

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/bugs: Use code segment selector for VERW operand

 Robert Gill reported below #GP in 32-bit mode when dosemu software was
 executing vm86() system call:

   general protection fault: 0000 [#1] PREEMPT SMP
   CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
   Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010
   EIP: restore_all_switch_stack+0xbe/0xcf
   EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
   ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc
   DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
   CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0
   Call Trace:
    show_regs+0x70/0x78
    die_addr+0x29/0x70
    exc_general_protection+0x13c/0x348
    exc_bounds+0x98/0x98
    handle_exception+0x14d/0x14d
    exc_bounds+0x98/0x98
    restore_all_switch_stack+0xbe/0xcf
    exc_bounds+0x98/0x98
    restore_all_switch_stack+0xbe/0xcf

 This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS
 are enabled. This is because segment registers with an arbitrary user value
 can result in #GP when executing VERW. Intel SDM vol. 2C documents the
 following behavior for VERW instruction:

   #GP(0) - If a memory operand effective address is outside the CS, DS, ES,
 	   FS, or GS segment limit.

 CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user
 space. Use %cs selector to reference VERW operand. This ensures VERW will
 not #GP for an arbitrary user %ds.

 [ mingo: Fixed the SOB chain. ]

 The Linux kernel CVE team has assigned CVE-2024-50072 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.215 with commit 50f021f0b985629accf10481a6e89af8b9700583 and fixed in 5.10.229 with commit bfd1d223d80cb29a210caa1bd5e21f0816d58f02
 	Issue introduced in 5.15.154 with commit d54de9f2a127090f2017184e8257795b487d5312 and fixed in 5.15.171 with commit ada431c6c31a2c8c37991c46089af5caa23a9c6e
 	Issue introduced in 6.1.81 with commit 2e3087505ddb8ba2d3d4c81306cca11e868fcdb9 and fixed in 6.1.116 with commit 38c5fe74f3bef98f75d16effa49836d50c9b6097
 	Issue introduced in 6.6.21 with commit ca13d8cd8dac25558da4ee8df4dc70e8e7f9d762 and fixed in 6.6.58 with commit 481b477ab63c7245715a3e57ba79eb87c2dc0d02
 	Issue introduced in 6.8 with commit a0e2dab44d22b913b4c228c8b52b2a104434b0b3 and fixed in 6.11.5 with commit bc576fbaf82deded606e69a00efe9752136bf91d
 	Issue introduced in 6.8 with commit a0e2dab44d22b913b4c228c8b52b2a104434b0b3 and fixed in 6.12 with commit e4d2102018542e3ae5e297bc6e229303abff8a0f
 	Issue introduced in 6.7.9 with commit 51eca9f1fd047b500137d021f882d93f03280118

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50072
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/include/asm/nospec-branch.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bfd1d223d80cb29a210caa1bd5e21f0816d58f02
 	https://git.kernel.org/stable/c/ada431c6c31a2c8c37991c46089af5caa23a9c6e
 	https://git.kernel.org/stable/c/38c5fe74f3bef98f75d16effa49836d50c9b6097
 	https://git.kernel.org/stable/c/481b477ab63c7245715a3e57ba79eb87c2dc0d02
 	https://git.kernel.org/stable/c/bc576fbaf82deded606e69a00efe9752136bf91d
 	https://git.kernel.org/stable/c/e4d2102018542e3ae5e297bc6e229303abff8a0f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50072: x86/bugs: Use code segment selector for VERW operand

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/bugs: Use code segment selector for VERW operand

	Robert Gill reported below #GP in 32-bit mode when dosemu software was
	executing vm86() system call:

	general protection fault: 0000 [#1] PREEMPT SMP
	CPU: 4 PID: 4610 Comm: dosemu.bin Not tainted 6.6.21-gentoo-x86 #1
	Hardware name: Dell Inc. PowerEdge 1950/0H723K, BIOS 2.7.0 10/30/2010
	EIP: restore_all_switch_stack+0xbe/0xcf
	EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
	ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: ff8affdc
	DS: 0000 ES: 0000 FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010046
	CR0: 80050033 CR2: 00c2101c CR3: 04b6d000 CR4: 000406d0
	Call Trace:
	show_regs+0x70/0x78
	die_addr+0x29/0x70
	exc_general_protection+0x13c/0x348
	exc_bounds+0x98/0x98
	handle_exception+0x14d/0x14d
	exc_bounds+0x98/0x98
	restore_all_switch_stack+0xbe/0xcf
	exc_bounds+0x98/0x98
	restore_all_switch_stack+0xbe/0xcf

	This only happens in 32-bit mode when VERW based mitigations like MDS/RFDS
	are enabled. This is because segment registers with an arbitrary user value
	can result in #GP when executing VERW. Intel SDM vol. 2C documents the
	following behavior for VERW instruction:

	#GP(0) - If a memory operand effective address is outside the CS, DS, ES,
	FS, or GS segment limit.

	CLEAR_CPU_BUFFERS macro executes VERW instruction before returning to user
	space. Use %cs selector to reference VERW operand. This ensures VERW will
	not #GP for an arbitrary user %ds.

	[ mingo: Fixed the SOB chain. ]

	The Linux kernel CVE team has assigned CVE-2024-50072 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.215 with commit 50f021f0b985629accf10481a6e89af8b9700583 and fixed in 5.10.229 with commit bfd1d223d80cb29a210caa1bd5e21f0816d58f02
	Issue introduced in 5.15.154 with commit d54de9f2a127090f2017184e8257795b487d5312 and fixed in 5.15.171 with commit ada431c6c31a2c8c37991c46089af5caa23a9c6e
	Issue introduced in 6.1.81 with commit 2e3087505ddb8ba2d3d4c81306cca11e868fcdb9 and fixed in 6.1.116 with commit 38c5fe74f3bef98f75d16effa49836d50c9b6097
	Issue introduced in 6.6.21 with commit ca13d8cd8dac25558da4ee8df4dc70e8e7f9d762 and fixed in 6.6.58 with commit 481b477ab63c7245715a3e57ba79eb87c2dc0d02
	Issue introduced in 6.8 with commit a0e2dab44d22b913b4c228c8b52b2a104434b0b3 and fixed in 6.11.5 with commit bc576fbaf82deded606e69a00efe9752136bf91d
	Issue introduced in 6.8 with commit a0e2dab44d22b913b4c228c8b52b2a104434b0b3 and fixed in 6.12 with commit e4d2102018542e3ae5e297bc6e229303abff8a0f
	Issue introduced in 6.7.9 with commit 51eca9f1fd047b500137d021f882d93f03280118

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50072
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/include/asm/nospec-branch.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bfd1d223d80cb29a210caa1bd5e21f0816d58f02
	https://git.kernel.org/stable/c/ada431c6c31a2c8c37991c46089af5caa23a9c6e
	https://git.kernel.org/stable/c/38c5fe74f3bef98f75d16effa49836d50c9b6097
	https://git.kernel.org/stable/c/481b477ab63c7245715a3e57ba79eb87c2dc0d02
	https://git.kernel.org/stable/c/bc576fbaf82deded606e69a00efe9752136bf91d
	https://git.kernel.org/stable/c/e4d2102018542e3ae5e297bc6e229303abff8a0f