cve/published/2022/CVE-2022-49666.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49666: powerpc/memhotplug: Add add_pages override for PPC

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/memhotplug: Add add_pages override for PPC

 With commit ffa0b64e3be5 ("powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit")
 the kernel now validate the addr against high_memory value. This results
 in the below BUG_ON with dax pfns.

 [  635.798741][T26531] kernel BUG at mm/page_alloc.c:5521!
 1:mon> e
 cpu 0x1: Vector: 700 (Program Check) at [c000000007287630]
     pc: c00000000055ed48: free_pages.part.0+0x48/0x110
     lr: c00000000053ca70: tlb_finish_mmu+0x80/0xd0
     sp: c0000000072878d0
    msr: 800000000282b033
   current = 0xc00000000afabe00
   paca    = 0xc00000037ffff300   irqmask: 0x03   irq_happened: 0x05
     pid   = 26531, comm = 50-landscape-sy
 kernel BUG at :5521!
 Linux version 5.19.0-rc3-14659-g4ec05be7c2e1 (kvaneesh@ltc-boston8) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #625 SMP Thu Jun 23 00:35:43 CDT 2022
 1:mon> t
 [link register   ] c00000000053ca70 tlb_finish_mmu+0x80/0xd0
 [c0000000072878d0] c00000000053ca54 tlb_finish_mmu+0x64/0xd0 (unreliable)
 [c000000007287900] c000000000539424 exit_mmap+0xe4/0x2a0
 [c0000000072879e0] c00000000019fc1c mmput+0xcc/0x210
 [c000000007287a20] c000000000629230 begin_new_exec+0x5e0/0xf40
 [c000000007287ae0] c00000000070b3cc load_elf_binary+0x3ac/0x1e00
 [c000000007287c10] c000000000627af0 bprm_execve+0x3b0/0xaf0
 [c000000007287cd0] c000000000628414 do_execveat_common.isra.0+0x1e4/0x310
 [c000000007287d80] c00000000062858c sys_execve+0x4c/0x60
 [c000000007287db0] c00000000002c1b0 system_call_exception+0x160/0x2c0
 [c000000007287e10] c00000000000c53c system_call_common+0xec/0x250

 The fix is to make sure we update high_memory on memory hotplug.
 This is similar to what x86 does in commit 3072e413e305 ("mm/memory_hotplug: introduce add_pages")

 The Linux kernel CVE team has assigned CVE-2022-49666 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.34 with commit fddb88bd266f4513abab7c36bca98935c9148a98 and fixed in 5.15.53 with commit 89296ac435e2cf8a5101f7fab8f0c7b754b92052
 	Issue introduced in 5.18 with commit ffa0b64e3be58519ae472ea29a1a1ad681e32f48 and fixed in 5.18.10 with commit 84d146fd35a01b08e9515041de60f0f915a417d5
 	Issue introduced in 5.18 with commit ffa0b64e3be58519ae472ea29a1a1ad681e32f48 and fixed in 5.19 with commit ac790d09885d36143076e7e02825c541e8eee899
 	Issue introduced in 5.4.190 with commit deab81144d5a043f42804207fb76cfbd8a806978
 	Issue introduced in 5.10.111 with commit d36febbcd537fcc50284e8b89609632d0146529f
 	Issue introduced in 5.16.20 with commit a3727c25eacd7e437c4f560957fa3a376fe93e6b
 	Issue introduced in 5.17.3 with commit cbc065efcba000ad8f615f506ebe61b6d3c5145b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49666
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/Kconfig
 	arch/powerpc/mm/mem.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/89296ac435e2cf8a5101f7fab8f0c7b754b92052
 	https://git.kernel.org/stable/c/84d146fd35a01b08e9515041de60f0f915a417d5
 	https://git.kernel.org/stable/c/ac790d09885d36143076e7e02825c541e8eee899
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49666: powerpc/memhotplug: Add add_pages override for PPC

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/memhotplug: Add add_pages override for PPC

	With commit ffa0b64e3be5 ("powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit")
	the kernel now validate the addr against high_memory value. This results
	in the below BUG_ON with dax pfns.

	[ 635.798741][T26531] kernel BUG at mm/page_alloc.c:5521!
	1:mon> e
	cpu 0x1: Vector: 700 (Program Check) at [c000000007287630]
	pc: c00000000055ed48: free_pages.part.0+0x48/0x110
	lr: c00000000053ca70: tlb_finish_mmu+0x80/0xd0
	sp: c0000000072878d0
	msr: 800000000282b033
	current = 0xc00000000afabe00
	paca = 0xc00000037ffff300 irqmask: 0x03 irq_happened: 0x05
	pid = 26531, comm = 50-landscape-sy
	kernel BUG at :5521!
	Linux version 5.19.0-rc3-14659-g4ec05be7c2e1 (kvaneesh@ltc-boston8) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #625 SMP Thu Jun 23 00:35:43 CDT 2022
	1:mon> t
	[link register ] c00000000053ca70 tlb_finish_mmu+0x80/0xd0
	[c0000000072878d0] c00000000053ca54 tlb_finish_mmu+0x64/0xd0 (unreliable)
	[c000000007287900] c000000000539424 exit_mmap+0xe4/0x2a0
	[c0000000072879e0] c00000000019fc1c mmput+0xcc/0x210
	[c000000007287a20] c000000000629230 begin_new_exec+0x5e0/0xf40
	[c000000007287ae0] c00000000070b3cc load_elf_binary+0x3ac/0x1e00
	[c000000007287c10] c000000000627af0 bprm_execve+0x3b0/0xaf0
	[c000000007287cd0] c000000000628414 do_execveat_common.isra.0+0x1e4/0x310
	[c000000007287d80] c00000000062858c sys_execve+0x4c/0x60
	[c000000007287db0] c00000000002c1b0 system_call_exception+0x160/0x2c0
	[c000000007287e10] c00000000000c53c system_call_common+0xec/0x250

	The fix is to make sure we update high_memory on memory hotplug.
	This is similar to what x86 does in commit 3072e413e305 ("mm/memory_hotplug: introduce add_pages")

	The Linux kernel CVE team has assigned CVE-2022-49666 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.34 with commit fddb88bd266f4513abab7c36bca98935c9148a98 and fixed in 5.15.53 with commit 89296ac435e2cf8a5101f7fab8f0c7b754b92052
	Issue introduced in 5.18 with commit ffa0b64e3be58519ae472ea29a1a1ad681e32f48 and fixed in 5.18.10 with commit 84d146fd35a01b08e9515041de60f0f915a417d5
	Issue introduced in 5.18 with commit ffa0b64e3be58519ae472ea29a1a1ad681e32f48 and fixed in 5.19 with commit ac790d09885d36143076e7e02825c541e8eee899
	Issue introduced in 5.4.190 with commit deab81144d5a043f42804207fb76cfbd8a806978
	Issue introduced in 5.10.111 with commit d36febbcd537fcc50284e8b89609632d0146529f
	Issue introduced in 5.16.20 with commit a3727c25eacd7e437c4f560957fa3a376fe93e6b
	Issue introduced in 5.17.3 with commit cbc065efcba000ad8f615f506ebe61b6d3c5145b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49666
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/Kconfig
	arch/powerpc/mm/mem.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/89296ac435e2cf8a5101f7fab8f0c7b754b92052
	https://git.kernel.org/stable/c/84d146fd35a01b08e9515041de60f0f915a417d5
	https://git.kernel.org/stable/c/ac790d09885d36143076e7e02825c541e8eee899