cve/published/2023/CVE-2023-52476.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52476: perf/x86/lbr: Filter vsyscall addresses

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 perf/x86/lbr: Filter vsyscall addresses

 We found that a panic can occur when a vsyscall is made while LBR sampling
 is active. If the vsyscall is interrupted (NMI) for perf sampling, this
 call sequence can occur (most recent at top):

     __insn_get_emulate_prefix()
     insn_get_emulate_prefix()
     insn_get_prefixes()
     insn_get_opcode()
     decode_branch_type()
     get_branch_type()
     intel_pmu_lbr_filter()
     intel_pmu_handle_irq()
     perf_event_nmi_handler()

 Within __insn_get_emulate_prefix() at frame 0, a macro is called:

     peek_nbyte_next(insn_byte_t, insn, i)

 Within this macro, this dereference occurs:

     (insn)->next_byte

 Inspecting registers at this point, the value of the next_byte field is the
 address of the vsyscall made, for example the location of the vsyscall
 version of gettimeofday() at 0xffffffffff600000. The access to an address
 in the vsyscall region will trigger an oops due to an unhandled page fault.

 To fix the bug, filtering for vsyscalls can be done when
 determining the branch type. This patch will return
 a "none" branch if a kernel address if found to lie in the
 vsyscall region.

 The Linux kernel CVE team has assigned CVE-2023-52476 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.15.137 with commit 403d201d1fd144cb249836dafb222f6375871c6c
 	Fixed in 6.1.59 with commit 3863989497652488a50f00e96de4331e5efabc6c
 	Fixed in 6.5.8 with commit f71edacbd4f99c0e12fe4a4007ab4d687d0688db
 	Fixed in 6.6 with commit e53899771a02f798d436655efbd9d4b46c0f9265

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52476
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/events/utils.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/403d201d1fd144cb249836dafb222f6375871c6c
 	https://git.kernel.org/stable/c/3863989497652488a50f00e96de4331e5efabc6c
 	https://git.kernel.org/stable/c/f71edacbd4f99c0e12fe4a4007ab4d687d0688db
 	https://git.kernel.org/stable/c/e53899771a02f798d436655efbd9d4b46c0f9265
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52476: perf/x86/lbr: Filter vsyscall addresses

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	perf/x86/lbr: Filter vsyscall addresses

	We found that a panic can occur when a vsyscall is made while LBR sampling
	is active. If the vsyscall is interrupted (NMI) for perf sampling, this
	call sequence can occur (most recent at top):

	__insn_get_emulate_prefix()
	insn_get_emulate_prefix()
	insn_get_prefixes()
	insn_get_opcode()
	decode_branch_type()
	get_branch_type()
	intel_pmu_lbr_filter()
	intel_pmu_handle_irq()
	perf_event_nmi_handler()

	Within __insn_get_emulate_prefix() at frame 0, a macro is called:

	peek_nbyte_next(insn_byte_t, insn, i)

	Within this macro, this dereference occurs:

	(insn)->next_byte

	Inspecting registers at this point, the value of the next_byte field is the
	address of the vsyscall made, for example the location of the vsyscall
	version of gettimeofday() at 0xffffffffff600000. The access to an address
	in the vsyscall region will trigger an oops due to an unhandled page fault.

	To fix the bug, filtering for vsyscalls can be done when
	determining the branch type. This patch will return
	a "none" branch if a kernel address if found to lie in the
	vsyscall region.

	The Linux kernel CVE team has assigned CVE-2023-52476 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.15.137 with commit 403d201d1fd144cb249836dafb222f6375871c6c
	Fixed in 6.1.59 with commit 3863989497652488a50f00e96de4331e5efabc6c
	Fixed in 6.5.8 with commit f71edacbd4f99c0e12fe4a4007ab4d687d0688db
	Fixed in 6.6 with commit e53899771a02f798d436655efbd9d4b46c0f9265

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52476
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/events/utils.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/403d201d1fd144cb249836dafb222f6375871c6c
	https://git.kernel.org/stable/c/3863989497652488a50f00e96de4331e5efabc6c
	https://git.kernel.org/stable/c/f71edacbd4f99c0e12fe4a4007ab4d687d0688db
	https://git.kernel.org/stable/c/e53899771a02f798d436655efbd9d4b46c0f9265