cve/rejected/2024/CVE-2024-35802.json - pub/scm/linux/security/vulns - Git at Google

 {
    "containers": {
       "cna": {
          "providerMetadata": {
             "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
          },
          "descriptions": [
             {
                "lang": "en",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Fix position dependent variable references in startup code\n\nThe early startup code executes from a 1:1 mapping of memory, which\ndiffers from the mapping that the code was linked and/or relocated to\nrun at. The latter mapping is not active yet at this point, and so\nsymbol references that rely on it will fault.\n\nGiven that the core kernel is built without -fPIC, symbol references are\ntypically emitted as absolute, and so any such references occuring in\nthe early startup code will therefore crash the kernel.\n\nWhile an attempt was made to work around this for the early SEV/SME\nstartup code, by forcing RIP-relative addressing for certain global\nSEV/SME variables via inline assembly (see snp_cpuid_get_table() for\nexample), RIP-relative addressing must be pervasively enforced for\nSEV/SME global variables when accessed prior to page table fixups.\n\n__startup_64() already handles this issue for select non-SEV/SME global\nvariables using fixup_pointer(), which adjusts the pointer relative to a\n`physaddr` argument. To avoid having to pass around this `physaddr`\nargument across all functions needing to apply pointer fixups, introduce\na macro RIP_RELATIVE_REF() which generates a RIP-relative reference to\na given global variable. It is used where necessary to force\nRIP-relative accesses to global variables.\n\nFor backporting purposes, this patch makes no attempt at cleaning up\nother occurrences of this pattern, involving either inline asm or\nfixup_pointer(). Those will be addressed later.\n\n  [ bp: Call it \"rip_rel_ref\" everywhere like other code shortens\n    \"rIP-relative reference\" and make the asm wrapper __always_inline. ]"
             }
          ],
          "affected": [
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "unaffected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "versions": [
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "fe272b61506b",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "0982fd6bf0b8",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "66fa3fcb474b",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "954a4a878144",
                      "status": "affected",
                      "versionType": "git"
                   },
                   {
                      "version": "1da177e4c3f4",
                      "lessThan": "1c811d403afd",
                      "status": "affected",
                      "versionType": "git"
                   }
                ]
             },
             {
                "product": "Linux",
                "vendor": "Linux",
                "defaultStatus": "affected",
                "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                "versions": [
                   {
                      "version": "6.1.84",
                      "lessThanOrEqual": "6.1.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "6.6.24",
                      "lessThanOrEqual": "6.6.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "6.7.12",
                      "lessThanOrEqual": "6.7.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "6.8.3",
                      "lessThanOrEqual": "6.8.*",
                      "status": "unaffected",
                      "versionType": "custom"
                   },
                   {
                      "version": "6.9",
                      "lessThanOrEqual": "*",
                      "status": "unaffected",
                      "versionType": "original_commit_for_fix"
                   }
                ]
             }
          ],
          "references": [
             {
                "url": "https://git.kernel.org/stable/c/fe272b61506bb1534922ef07aa165fd3c37a6a90"
             },
             {
                "url": "https://git.kernel.org/stable/c/0982fd6bf0b822876f2e93ec782c4c28a3f85535"
             },
             {
                "url": "https://git.kernel.org/stable/c/66fa3fcb474b2b892fe42d455a6f7ec5aaa98fb9"
             },
             {
                "url": "https://git.kernel.org/stable/c/954a4a87814465ad61cc97c1cd3de1525baaaf07"
             },
             {
                "url": "https://git.kernel.org/stable/c/1c811d403afd73f04bde82b83b24c754011bd0e8"
             }
          ],
          "title": "x86/sev: Fix position dependent variable references in startup code",
          "x_generator": {
             "engine": "bippy-d175d3acf727"
          }
       }
    },
    "cveMetadata": {
       "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
       "cveID": "CVE-2024-35802",
       "requesterUserId": "gregkh@kernel.org",
       "serial": "1",
       "state": "PUBLISHED"
    },
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0"
 }
	{
	"containers": {
	"cna": {
	"providerMetadata": {
	"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
	},
	"descriptions": [
	{
	"lang": "en",
	"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Fix position dependent variable references in startup code\n\nThe early startup code executes from a 1:1 mapping of memory, which\ndiffers from the mapping that the code was linked and/or relocated to\nrun at. The latter mapping is not active yet at this point, and so\nsymbol references that rely on it will fault.\n\nGiven that the core kernel is built without -fPIC, symbol references are\ntypically emitted as absolute, and so any such references occuring in\nthe early startup code will therefore crash the kernel.\n\nWhile an attempt was made to work around this for the early SEV/SME\nstartup code, by forcing RIP-relative addressing for certain global\nSEV/SME variables via inline assembly (see snp_cpuid_get_table() for\nexample), RIP-relative addressing must be pervasively enforced for\nSEV/SME global variables when accessed prior to page table fixups.\n\n__startup_64() already handles this issue for select non-SEV/SME global\nvariables using fixup_pointer(), which adjusts the pointer relative to a\n`physaddr` argument. To avoid having to pass around this `physaddr`\nargument across all functions needing to apply pointer fixups, introduce\na macro RIP_RELATIVE_REF() which generates a RIP-relative reference to\na given global variable. It is used where necessary to force\nRIP-relative accesses to global variables.\n\nFor backporting purposes, this patch makes no attempt at cleaning up\nother occurrences of this pattern, involving either inline asm or\nfixup_pointer(). Those will be addressed later.\n\n [ bp: Call it \"rip_rel_ref\" everywhere like other code shortens\n \"rIP-relative reference\" and make the asm wrapper __always_inline. ]"
	}
	],
	"affected": [
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "unaffected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"versions": [
	{
	"version": "1da177e4c3f4",
	"lessThan": "fe272b61506b",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "0982fd6bf0b8",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "66fa3fcb474b",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "954a4a878144",
	"status": "affected",
	"versionType": "git"
	},
	{
	"version": "1da177e4c3f4",
	"lessThan": "1c811d403afd",
	"status": "affected",
	"versionType": "git"
	}
	]
	},
	{
	"product": "Linux",
	"vendor": "Linux",
	"defaultStatus": "affected",
	"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
	"versions": [
	{
	"version": "6.1.84",
	"lessThanOrEqual": "6.1.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "6.6.24",
	"lessThanOrEqual": "6.6.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "6.7.12",
	"lessThanOrEqual": "6.7.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "6.8.3",
	"lessThanOrEqual": "6.8.*",
	"status": "unaffected",
	"versionType": "custom"
	},
	{
	"version": "6.9",
	"lessThanOrEqual": "*",
	"status": "unaffected",
	"versionType": "original_commit_for_fix"
	}
	]
	}
	],
	"references": [
	{
	"url": "https://git.kernel.org/stable/c/fe272b61506bb1534922ef07aa165fd3c37a6a90"
	},
	{
	"url": "https://git.kernel.org/stable/c/0982fd6bf0b822876f2e93ec782c4c28a3f85535"
	},
	{
	"url": "https://git.kernel.org/stable/c/66fa3fcb474b2b892fe42d455a6f7ec5aaa98fb9"
	},
	{
	"url": "https://git.kernel.org/stable/c/954a4a87814465ad61cc97c1cd3de1525baaaf07"
	},
	{
	"url": "https://git.kernel.org/stable/c/1c811d403afd73f04bde82b83b24c754011bd0e8"
	}
	],
	"title": "x86/sev: Fix position dependent variable references in startup code",
	"x_generator": {
	"engine": "bippy-d175d3acf727"
	}
	}
	},
	"cveMetadata": {
	"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
	"cveID": "CVE-2024-35802",
	"requesterUserId": "gregkh@kernel.org",
	"serial": "1",
	"state": "PUBLISHED"
	},
	"dataType": "CVE_RECORD",
	"dataVersion": "5.0"
	}