cve/published/2024/CVE-2024-50275.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50275: arm64/sve: Discard stale CPU state when handling SVE traps

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 arm64/sve: Discard stale CPU state when handling SVE traps

 The logic for handling SVE traps manipulates saved FPSIMD/SVE state
 incorrectly, and a race with preemption can result in a task having
 TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
 is stale (e.g. with SVE traps enabled). This has been observed to result
 in warnings from do_sve_acc() where SVE traps are not expected while
 TIF_SVE is set:

 |         if (test_and_set_thread_flag(TIF_SVE))
 |                 WARN_ON(1); /* SVE access shouldn't have trapped */

 Warnings of this form have been reported intermittently, e.g.

   https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/
   https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/

 The race can occur when the SVE trap handler is preempted before and
 after manipulating the saved FPSIMD/SVE state, starting and ending on
 the same CPU, e.g.

 | void do_sve_acc(unsigned long esr, struct pt_regs *regs)
 | {
 |         // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled
 |         // task->fpsimd_cpu is 0.
 |         // per_cpu_ptr(&fpsimd_last_state, 0) is task.
 |
 |         ...
 |
 |         // Preempted; migrated from CPU 0 to CPU 1.
 |         // TIF_FOREIGN_FPSTATE is set.
 |
 |         get_cpu_fpsimd_context();
 |
 |         if (test_and_set_thread_flag(TIF_SVE))
 |                 WARN_ON(1); /* SVE access shouldn't have trapped */
 |
 |         sve_init_regs() {
 |                 if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
 |                         ...
 |                 } else {
 |                         fpsimd_to_sve(current);
 |                         current->thread.fp_type = FP_STATE_SVE;
 |                 }
 |         }
 |
 |         put_cpu_fpsimd_context();
 |
 |         // Preempted; migrated from CPU 1 to CPU 0.
 |         // task->fpsimd_cpu is still 0
 |         // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
 |         // - Stale HW state is reused (with SVE traps enabled)
 |         // - TIF_FOREIGN_FPSTATE is cleared
 |         // - A return to userspace skips HW state restore
 | }

 Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
 by calling fpsimd_flush_task_state() to detach from the saved CPU
 state. This ensures that a subsequent context switch will not reuse the
 stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
 new state to be reloaded from memory prior to a return to userspace.

 The Linux kernel CVE team has assigned CVE-2024-50275 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 5.15.174 with commit 51d3d80a6dc314982a9a0aeb0961085922a1aa15
 	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 6.1.120 with commit de529504b3274d57caf8f66800b714b0d3ee235a
 	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 6.6.61 with commit 51d11ea0250d6ee461987403bbfd4b2abb5613a7
 	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 6.11.8 with commit fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9
 	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 6.12 with commit 751ecf6afd6568adc98f2a6052315552c0483d18

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50275
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm64/kernel/fpsimd.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/51d3d80a6dc314982a9a0aeb0961085922a1aa15
 	https://git.kernel.org/stable/c/de529504b3274d57caf8f66800b714b0d3ee235a
 	https://git.kernel.org/stable/c/51d11ea0250d6ee461987403bbfd4b2abb5613a7
 	https://git.kernel.org/stable/c/fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9
 	https://git.kernel.org/stable/c/751ecf6afd6568adc98f2a6052315552c0483d18
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50275: arm64/sve: Discard stale CPU state when handling SVE traps

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	arm64/sve: Discard stale CPU state when handling SVE traps

	The logic for handling SVE traps manipulates saved FPSIMD/SVE state
	incorrectly, and a race with preemption can result in a task having
	TIF_SVE set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
	is stale (e.g. with SVE traps enabled). This has been observed to result
	in warnings from do_sve_acc() where SVE traps are not expected while
	TIF_SVE is set:

	\| if (test_and_set_thread_flag(TIF_SVE))
	\| WARN_ON(1); /* SVE access shouldn't have trapped */

	Warnings of this form have been reported intermittently, e.g.

	https://lore.kernel.org/linux-arm-kernel/CA+G9fYtEGe_DhY2Ms7+L7NKsLYUomGsgqpdBj+QwDLeSg=JhGg@mail.gmail.com/
	https://lore.kernel.org/linux-arm-kernel/000000000000511e9a060ce5a45c@google.com/

	The race can occur when the SVE trap handler is preempted before and
	after manipulating the saved FPSIMD/SVE state, starting and ending on
	the same CPU, e.g.

	\| void do_sve_acc(unsigned long esr, struct pt_regs *regs)
	\| {
	\| // Trap on CPU 0 with TIF_SVE clear, SVE traps enabled
	\| // task->fpsimd_cpu is 0.
	\| // per_cpu_ptr(&fpsimd_last_state, 0) is task.
	\|
	\| ...
	\|
	\| // Preempted; migrated from CPU 0 to CPU 1.
	\| // TIF_FOREIGN_FPSTATE is set.
	\|
	\| get_cpu_fpsimd_context();
	\|
	\| if (test_and_set_thread_flag(TIF_SVE))
	\| WARN_ON(1); /* SVE access shouldn't have trapped */
	\|
	\| sve_init_regs() {
	\| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
	\| ...
	\| } else {
	\| fpsimd_to_sve(current);
	\| current->thread.fp_type = FP_STATE_SVE;
	\| }
	\| }
	\|
	\| put_cpu_fpsimd_context();
	\|
	\| // Preempted; migrated from CPU 1 to CPU 0.
	\| // task->fpsimd_cpu is still 0
	\| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
	\| // - Stale HW state is reused (with SVE traps enabled)
	\| // - TIF_FOREIGN_FPSTATE is cleared
	\| // - A return to userspace skips HW state restore
	\| }

	Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
	by calling fpsimd_flush_task_state() to detach from the saved CPU
	state. This ensures that a subsequent context switch will not reuse the
	stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
	new state to be reloaded from memory prior to a return to userspace.

	The Linux kernel CVE team has assigned CVE-2024-50275 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 5.15.174 with commit 51d3d80a6dc314982a9a0aeb0961085922a1aa15
	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 6.1.120 with commit de529504b3274d57caf8f66800b714b0d3ee235a
	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 6.6.61 with commit 51d11ea0250d6ee461987403bbfd4b2abb5613a7
	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 6.11.8 with commit fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9
	Issue introduced in 5.13 with commit cccb78ce89c45a4414db712be4986edfb92434bd and fixed in 6.12 with commit 751ecf6afd6568adc98f2a6052315552c0483d18

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50275
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm64/kernel/fpsimd.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/51d3d80a6dc314982a9a0aeb0961085922a1aa15
	https://git.kernel.org/stable/c/de529504b3274d57caf8f66800b714b0d3ee235a
	https://git.kernel.org/stable/c/51d11ea0250d6ee461987403bbfd4b2abb5613a7
	https://git.kernel.org/stable/c/fa9ce027b3ce37a2bb173bf2553b5caa438fd8c9
	https://git.kernel.org/stable/c/751ecf6afd6568adc98f2a6052315552c0483d18