cve/published/2024/CVE-2024-57951.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57951: hrtimers: Handle CPU state correctly on hotplug

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 hrtimers: Handle CPU state correctly on hotplug

 Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway
 through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to
 CPUHP_ONLINE:

 Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set
 to 1 throughout. However, during a CPU unplug operation, the tick and the
 clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online
 state, for instance CFS incorrectly assumes that the hrtick is already
 active, and the chance of the clockevent device to transition to oneshot
 mode is also lost forever for the CPU, unless it goes back to a lower state
 than CPUHP_HRTIMERS_PREPARE once.

 This round-trip reveals another issue; cpu_base.online is not set to 1
 after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().

 Aside of that, the bulk of the per CPU state is not reset either, which
 means there are dangling pointers in the worst case.

 Address this by adding a corresponding startup() callback, which resets the
 stale per CPU state and sets the online flag.

 [ tglx: Make the new callback unconditionally available, remove the online
   	modification in the prepare() callback and clear the remaining
   	state in the starting callback instead of the prepare callback ]

 The Linux kernel CVE team has assigned CVE-2024-57951 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.264 with commit 54d0d83a53508d687fd4a225f8aa1f18559562d0 and fixed in 5.4.290 with commit 95e4f62df23f4df1ce6ef897d44b8e23c260921a
 	Issue introduced in 5.10.204 with commit 7f4c89400d2997939f6971c7981cc780a219e36b and fixed in 5.10.234 with commit 14984139f1f2768883332965db566ef26db609e7
 	Issue introduced in 5.15.143 with commit 6fcbcc6c8e52650749692c7613cbe71bf601670d and fixed in 5.15.177 with commit 15b453db41d36184cf0ccc21e7df624014ab6a1a
 	Issue introduced in 6.1.68 with commit 75b5016ce325f1ef9c63e5398a1064cf8a7a7354 and fixed in 6.1.127 with commit 3d41dbf82e10c44e53ea602398ab002baec27e75
 	Issue introduced in 6.6.7 with commit 53f408cad05bb987af860af22f4151e5a18e6ee8 and fixed in 6.6.74 with commit a5cbbea145b400e40540c34816d16d36e0374fbc
 	Issue introduced in 6.7 with commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 and fixed in 6.12.11 with commit 38492f6ee883c7b1d33338bf531a62cff69b4b28
 	Issue introduced in 6.7 with commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 and fixed in 6.13 with commit 2f8dea1692eef2b7ba6a256246ed82c365fdc686
 	Issue introduced in 4.19.302 with commit 9a2fc41acb69dd4e2a58d0c04346c3333c2341fc

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57951
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/hrtimer.h
 	kernel/cpu.c
 	kernel/time/hrtimer.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a
 	https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7
 	https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a
 	https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75
 	https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc
 	https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28
 	https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57951: hrtimers: Handle CPU state correctly on hotplug

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	hrtimers: Handle CPU state correctly on hotplug

	Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfway
	through a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back to
	CPUHP_ONLINE:

	Since hrtimers_prepare_cpu() does not run, cpu_base.hres_active remains set
	to 1 throughout. However, during a CPU unplug operation, the tick and the
	clockevents are shut down at CPUHP_AP_TICK_DYING. On return to the online
	state, for instance CFS incorrectly assumes that the hrtick is already
	active, and the chance of the clockevent device to transition to oneshot
	mode is also lost forever for the CPU, unless it goes back to a lower state
	than CPUHP_HRTIMERS_PREPARE once.

	This round-trip reveals another issue; cpu_base.online is not set to 1
	after the transition, which appears as a WARN_ON_ONCE in enqueue_hrtimer().

	Aside of that, the bulk of the per CPU state is not reset either, which
	means there are dangling pointers in the worst case.

	Address this by adding a corresponding startup() callback, which resets the
	stale per CPU state and sets the online flag.

	[ tglx: Make the new callback unconditionally available, remove the online
	modification in the prepare() callback and clear the remaining
	state in the starting callback instead of the prepare callback ]

	The Linux kernel CVE team has assigned CVE-2024-57951 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.264 with commit 54d0d83a53508d687fd4a225f8aa1f18559562d0 and fixed in 5.4.290 with commit 95e4f62df23f4df1ce6ef897d44b8e23c260921a
	Issue introduced in 5.10.204 with commit 7f4c89400d2997939f6971c7981cc780a219e36b and fixed in 5.10.234 with commit 14984139f1f2768883332965db566ef26db609e7
	Issue introduced in 5.15.143 with commit 6fcbcc6c8e52650749692c7613cbe71bf601670d and fixed in 5.15.177 with commit 15b453db41d36184cf0ccc21e7df624014ab6a1a
	Issue introduced in 6.1.68 with commit 75b5016ce325f1ef9c63e5398a1064cf8a7a7354 and fixed in 6.1.127 with commit 3d41dbf82e10c44e53ea602398ab002baec27e75
	Issue introduced in 6.6.7 with commit 53f408cad05bb987af860af22f4151e5a18e6ee8 and fixed in 6.6.74 with commit a5cbbea145b400e40540c34816d16d36e0374fbc
	Issue introduced in 6.7 with commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 and fixed in 6.12.11 with commit 38492f6ee883c7b1d33338bf531a62cff69b4b28
	Issue introduced in 6.7 with commit 5c0930ccaad5a74d74e8b18b648c5eb21ed2fe94 and fixed in 6.13 with commit 2f8dea1692eef2b7ba6a256246ed82c365fdc686
	Issue introduced in 4.19.302 with commit 9a2fc41acb69dd4e2a58d0c04346c3333c2341fc

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57951
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/hrtimer.h
	kernel/cpu.c
	kernel/time/hrtimer.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/95e4f62df23f4df1ce6ef897d44b8e23c260921a
	https://git.kernel.org/stable/c/14984139f1f2768883332965db566ef26db609e7
	https://git.kernel.org/stable/c/15b453db41d36184cf0ccc21e7df624014ab6a1a
	https://git.kernel.org/stable/c/3d41dbf82e10c44e53ea602398ab002baec27e75
	https://git.kernel.org/stable/c/a5cbbea145b400e40540c34816d16d36e0374fbc
	https://git.kernel.org/stable/c/38492f6ee883c7b1d33338bf531a62cff69b4b28
	https://git.kernel.org/stable/c/2f8dea1692eef2b7ba6a256246ed82c365fdc686