cve/published/2024/CVE-2024-56677.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56677: powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init()

 During early init CMA_MIN_ALIGNMENT_BYTES can be PAGE_SIZE,
 since pageblock_order is still zero and it gets initialized
 later during initmem_init() e.g.
 setup_arch() -> initmem_init() -> sparse_init() -> set_pageblock_order()

 One such use case where this causes issue is -
 early_setup() -> early_init_devtree() -> fadump_reserve_mem() -> fadump_cma_init()

 This causes CMA memory alignment check to be bypassed in
 cma_init_reserved_mem(). Then later cma_activate_area() can hit
 a VM_BUG_ON_PAGE(pfn & ((1 << order) - 1)) if the reserved memory
 area was not pageblock_order aligned.

 Fix it by moving the fadump_cma_init() after initmem_init(),
 where other such cma reservations also gets called.

 <stack trace>
 ==============
 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10010
 flags: 0x13ffff800000000(node=1|zone=0|lastcpupid=0x7ffff) CMA
 raw: 013ffff800000000 5deadbeef0000100 5deadbeef0000122 0000000000000000
 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 page dumped because: VM_BUG_ON_PAGE(pfn & ((1 << order) - 1))
 ------------[ cut here ]------------
 kernel BUG at mm/page_alloc.c:778!

 Call Trace:
 __free_one_page+0x57c/0x7b0 (unreliable)
 free_pcppages_bulk+0x1a8/0x2c8
 free_unref_page_commit+0x3d4/0x4e4
 free_unref_page+0x458/0x6d0
 init_cma_reserved_pageblock+0x114/0x198
 cma_init_reserved_areas+0x270/0x3e0
 do_one_initcall+0x80/0x2f8
 kernel_init_freeable+0x33c/0x530
 kernel_init+0x34/0x26c
 ret_from_kernel_user_thread+0x14/0x1c

 The Linux kernel CVE team has assigned CVE-2024-56677 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.1.120 with commit aabef6301dcf410dfd2b8759cd413b2a003c7e3f
 	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.6.64 with commit c5c1d1ef70834013fc3bd12b6a0f4664c6d75a74
 	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.11.11 with commit f551637fe9bf863386309e03f9d148d97f535ad1
 	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.12.2 with commit 7351c5a6507b4401aeecadb5959131410a339520
 	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.13 with commit 05b94cae1c47f94588c3e7096963c1007c4d9c1d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56677
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/include/asm/fadump.h
 	arch/powerpc/kernel/fadump.c
 	arch/powerpc/kernel/setup-common.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/aabef6301dcf410dfd2b8759cd413b2a003c7e3f
 	https://git.kernel.org/stable/c/c5c1d1ef70834013fc3bd12b6a0f4664c6d75a74
 	https://git.kernel.org/stable/c/f551637fe9bf863386309e03f9d148d97f535ad1
 	https://git.kernel.org/stable/c/7351c5a6507b4401aeecadb5959131410a339520
 	https://git.kernel.org/stable/c/05b94cae1c47f94588c3e7096963c1007c4d9c1d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56677: powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init()

	During early init CMA_MIN_ALIGNMENT_BYTES can be PAGE_SIZE,
	since pageblock_order is still zero and it gets initialized
	later during initmem_init() e.g.
	setup_arch() -> initmem_init() -> sparse_init() -> set_pageblock_order()

	One such use case where this causes issue is -
	early_setup() -> early_init_devtree() -> fadump_reserve_mem() -> fadump_cma_init()

	This causes CMA memory alignment check to be bypassed in
	cma_init_reserved_mem(). Then later cma_activate_area() can hit
	a VM_BUG_ON_PAGE(pfn & ((1 << order) - 1)) if the reserved memory
	area was not pageblock_order aligned.

	Fix it by moving the fadump_cma_init() after initmem_init(),
	where other such cma reservations also gets called.

	<stack trace>
	==============
	page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10010
	flags: 0x13ffff800000000(node=1\|zone=0\|lastcpupid=0x7ffff) CMA
	raw: 013ffff800000000 5deadbeef0000100 5deadbeef0000122 0000000000000000
	raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
	page dumped because: VM_BUG_ON_PAGE(pfn & ((1 << order) - 1))
	------------[ cut here ]------------
	kernel BUG at mm/page_alloc.c:778!

	Call Trace:
	__free_one_page+0x57c/0x7b0 (unreliable)
	free_pcppages_bulk+0x1a8/0x2c8
	free_unref_page_commit+0x3d4/0x4e4
	free_unref_page+0x458/0x6d0
	init_cma_reserved_pageblock+0x114/0x198
	cma_init_reserved_areas+0x270/0x3e0
	do_one_initcall+0x80/0x2f8
	kernel_init_freeable+0x33c/0x530
	kernel_init+0x34/0x26c
	ret_from_kernel_user_thread+0x14/0x1c

	The Linux kernel CVE team has assigned CVE-2024-56677 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.1.120 with commit aabef6301dcf410dfd2b8759cd413b2a003c7e3f
	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.6.64 with commit c5c1d1ef70834013fc3bd12b6a0f4664c6d75a74
	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.11.11 with commit f551637fe9bf863386309e03f9d148d97f535ad1
	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.12.2 with commit 7351c5a6507b4401aeecadb5959131410a339520
	Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.13 with commit 05b94cae1c47f94588c3e7096963c1007c4d9c1d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56677
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/include/asm/fadump.h
	arch/powerpc/kernel/fadump.c
	arch/powerpc/kernel/setup-common.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/aabef6301dcf410dfd2b8759cd413b2a003c7e3f
	https://git.kernel.org/stable/c/c5c1d1ef70834013fc3bd12b6a0f4664c6d75a74
	https://git.kernel.org/stable/c/f551637fe9bf863386309e03f9d148d97f535ad1
	https://git.kernel.org/stable/c/7351c5a6507b4401aeecadb5959131410a339520
	https://git.kernel.org/stable/c/05b94cae1c47f94588c3e7096963c1007c4d9c1d