cve/published/2024/CVE-2024-57999.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57999: powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW

 Power Hypervisor can possibily allocate MMIO window intersecting with
 Dynamic DMA Window (DDW) range, which is over 32-bit addressing.

 These MMIO pages needs to be marked as reserved so that IOMMU doesn't map
 DMA buffers in this range.

 The current code is not marking these pages correctly which is resulting
 in LPAR to OOPS while booting. The stack is at below

 BUG: Unable to handle kernel data access on read at 0xc00800005cd40000
 Faulting instruction address: 0xc00000000005cdac
 Oops: Kernel access of bad area, sig: 11 [#1]
 LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
 Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod
 Supported: Yes, External
 CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b
 Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries
 Workqueue: events work_for_cpu_fn
 NIP:  c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000
 REGS: c00001400c9ff770 TRAP: 0300   Not tainted  (6.4.0-150600.23.14-default)
 MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24228448  XER: 00000001
 CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0
 GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800
 GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000
 GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff
 GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000
 GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800
 GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b
 GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8
 GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800
 NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100
 LR [c00000000005e830] iommu_init_table+0x80/0x1e0
 Call Trace:
 [c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)
 [c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40
 [c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230
 [c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90
 [c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80
 [c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]
 [c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110
 [c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60
 [c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620
 [c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620
 [c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150
 [c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18

 There are 2 issues in the code

 1. The index is "int" while the address is "unsigned long". This results in
    negative value when setting the bitmap.

 2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit
    address). MMIO address needs to be page shifted as well.

 The Linux kernel CVE team has assigned CVE-2024-57999 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit 3c33066a21903076722a2881556a92aa3cd7d359 and fixed in 6.12.13 with commit 7043d58ecd1381674f5b2c894deb6986a1a4896b
 	Issue introduced in 5.15 with commit 3c33066a21903076722a2881556a92aa3cd7d359 and fixed in 6.13.2 with commit d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9
 	Issue introduced in 5.15 with commit 3c33066a21903076722a2881556a92aa3cd7d359 and fixed in 6.14 with commit 8f70caad82e9c088ed93b4fea48d941ab6441886

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57999
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/kernel/iommu.c
 	arch/powerpc/platforms/pseries/iommu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7043d58ecd1381674f5b2c894deb6986a1a4896b
 	https://git.kernel.org/stable/c/d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9
 	https://git.kernel.org/stable/c/8f70caad82e9c088ed93b4fea48d941ab6441886
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57999: powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW

	Power Hypervisor can possibily allocate MMIO window intersecting with
	Dynamic DMA Window (DDW) range, which is over 32-bit addressing.

	These MMIO pages needs to be marked as reserved so that IOMMU doesn't map
	DMA buffers in this range.

	The current code is not marking these pages correctly which is resulting
	in LPAR to OOPS while booting. The stack is at below

	BUG: Unable to handle kernel data access on read at 0xc00800005cd40000
	Faulting instruction address: 0xc00000000005cdac
	Oops: Kernel access of bad area, sig: 11 [#1]
	LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
	Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod
	Supported: Yes, External
	CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b
	Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries
	Workqueue: events work_for_cpu_fn
	NIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000
	REGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default)
	MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 24228448 XER: 00000001
	CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0
	GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800
	GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000
	GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff
	GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000
	GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800
	GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b
	GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8
	GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800
	NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100
	LR [c00000000005e830] iommu_init_table+0x80/0x1e0
	Call Trace:
	[c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)
	[c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40
	[c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230
	[c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90
	[c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80
	[c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]
	[c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110
	[c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60
	[c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620
	[c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620
	[c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150
	[c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18

	There are 2 issues in the code

	1. The index is "int" while the address is "unsigned long". This results in
	negative value when setting the bitmap.

	2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit
	address). MMIO address needs to be page shifted as well.

	The Linux kernel CVE team has assigned CVE-2024-57999 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit 3c33066a21903076722a2881556a92aa3cd7d359 and fixed in 6.12.13 with commit 7043d58ecd1381674f5b2c894deb6986a1a4896b
	Issue introduced in 5.15 with commit 3c33066a21903076722a2881556a92aa3cd7d359 and fixed in 6.13.2 with commit d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9
	Issue introduced in 5.15 with commit 3c33066a21903076722a2881556a92aa3cd7d359 and fixed in 6.14 with commit 8f70caad82e9c088ed93b4fea48d941ab6441886

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57999
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/kernel/iommu.c
	arch/powerpc/platforms/pseries/iommu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7043d58ecd1381674f5b2c894deb6986a1a4896b
	https://git.kernel.org/stable/c/d8cc20a8cceb3b5e8ad2e11365e3100ba36a27e9
	https://git.kernel.org/stable/c/8f70caad82e9c088ed93b4fea48d941ab6441886