cve/published/2022/CVE-2022-49001.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49001: riscv: fix race when vmap stack overflow

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 riscv: fix race when vmap stack overflow

 Currently, when detecting vmap stack overflow, riscv firstly switches
 to the so called shadow stack, then use this shadow stack to call the
 get_overflow_stack() to get the overflow stack. However, there's
 a race here if two or more harts use the same shadow stack at the same
 time.

 To solve this race, we introduce spin_shadow_stack atomic var, which
 will be swap between its own address and 0 in atomic way, when the
 var is set, it means the shadow_stack is being used; when the var
 is cleared, it means the shadow_stack isn't being used.

 [Palmer: Add AQ to the swap, and also some comments.]

 The Linux kernel CVE team has assigned CVE-2022-49001 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.14 with commit 31da94c25aea835ceac00575a9fd206c5a833fed and fixed in 5.15.82 with commit ac00301adb19df54f2eae1efc4bad7447c0156ce
 	Issue introduced in 5.14 with commit 31da94c25aea835ceac00575a9fd206c5a833fed and fixed in 6.0.12 with commit 879fabc5a95401d9bce357e4b1d24ae4a360a81f
 	Issue introduced in 5.14 with commit 31da94c25aea835ceac00575a9fd206c5a833fed and fixed in 6.1 with commit 7e1864332fbc1b993659eab7974da9fe8bf8c128

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49001
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/riscv/include/asm/asm.h
 	arch/riscv/kernel/entry.S
 	arch/riscv/kernel/traps.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ac00301adb19df54f2eae1efc4bad7447c0156ce
 	https://git.kernel.org/stable/c/879fabc5a95401d9bce357e4b1d24ae4a360a81f
 	https://git.kernel.org/stable/c/7e1864332fbc1b993659eab7974da9fe8bf8c128
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49001: riscv: fix race when vmap stack overflow

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	riscv: fix race when vmap stack overflow

	Currently, when detecting vmap stack overflow, riscv firstly switches
	to the so called shadow stack, then use this shadow stack to call the
	get_overflow_stack() to get the overflow stack. However, there's
	a race here if two or more harts use the same shadow stack at the same
	time.

	To solve this race, we introduce spin_shadow_stack atomic var, which
	will be swap between its own address and 0 in atomic way, when the
	var is set, it means the shadow_stack is being used; when the var
	is cleared, it means the shadow_stack isn't being used.

	[Palmer: Add AQ to the swap, and also some comments.]

	The Linux kernel CVE team has assigned CVE-2022-49001 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.14 with commit 31da94c25aea835ceac00575a9fd206c5a833fed and fixed in 5.15.82 with commit ac00301adb19df54f2eae1efc4bad7447c0156ce
	Issue introduced in 5.14 with commit 31da94c25aea835ceac00575a9fd206c5a833fed and fixed in 6.0.12 with commit 879fabc5a95401d9bce357e4b1d24ae4a360a81f
	Issue introduced in 5.14 with commit 31da94c25aea835ceac00575a9fd206c5a833fed and fixed in 6.1 with commit 7e1864332fbc1b993659eab7974da9fe8bf8c128

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49001
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/riscv/include/asm/asm.h
	arch/riscv/kernel/entry.S
	arch/riscv/kernel/traps.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ac00301adb19df54f2eae1efc4bad7447c0156ce
	https://git.kernel.org/stable/c/879fabc5a95401d9bce357e4b1d24ae4a360a81f
	https://git.kernel.org/stable/c/7e1864332fbc1b993659eab7974da9fe8bf8c128