cve/published/2024/CVE-2024-26603.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26603: x86/fpu: Stop relying on userspace for info to fault in xsave buffer

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/fpu: Stop relying on userspace for info to fault in xsave buffer

 Before this change, the expected size of the user space buffer was
 taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed
 from user-space, so it is possible construct a sigreturn frame where:

  * fx_sw->xstate_size is smaller than the size required by valid bits in
    fx_sw->xfeatures.
  * user-space unmaps parts of the sigrame fpu buffer so that not all of
    the buffer required by xrstor is accessible.

 In this case, xrstor tries to restore and accesses the unmapped area
 which results in a fault. But fault_in_readable succeeds because buf +
 fx_sw->xstate_size is within the still mapped area, so it goes back and
 tries xrstor again. It will spin in this loop forever.

 Instead, fault in the maximum size which can be touched by XRSTOR (taken
 from fpstate->user_size).

 [ dhansen: tweak subject / changelog ]

 The Linux kernel CVE team has assigned CVE-2024-26603 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 5.15.150 with commit 8bd3eee7720c14b59a206bd05b98d7586bccf99a
 	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 6.1.79 with commit 627339cccdc9166792ecf96bc3c9f711a60ce996
 	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 6.6.18 with commit b2479ab426cef7ab79a13005650eff956223ced2
 	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 6.7.6 with commit 627e28cbb65564e55008315d9e02fbb90478beda
 	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 6.8 with commit d877550eaf2dc9090d782864c96939397a3c6835

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26603
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kernel/fpu/signal.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8bd3eee7720c14b59a206bd05b98d7586bccf99a
 	https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996
 	https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2
 	https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda
 	https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26603: x86/fpu: Stop relying on userspace for info to fault in xsave buffer

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/fpu: Stop relying on userspace for info to fault in xsave buffer

	Before this change, the expected size of the user space buffer was
	taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed
	from user-space, so it is possible construct a sigreturn frame where:

	* fx_sw->xstate_size is smaller than the size required by valid bits in
	fx_sw->xfeatures.
	* user-space unmaps parts of the sigrame fpu buffer so that not all of
	the buffer required by xrstor is accessible.

	In this case, xrstor tries to restore and accesses the unmapped area
	which results in a fault. But fault_in_readable succeeds because buf +
	fx_sw->xstate_size is within the still mapped area, so it goes back and
	tries xrstor again. It will spin in this loop forever.

	Instead, fault in the maximum size which can be touched by XRSTOR (taken
	from fpstate->user_size).

	[ dhansen: tweak subject / changelog ]

	The Linux kernel CVE team has assigned CVE-2024-26603 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 5.15.150 with commit 8bd3eee7720c14b59a206bd05b98d7586bccf99a
	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 6.1.79 with commit 627339cccdc9166792ecf96bc3c9f711a60ce996
	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 6.6.18 with commit b2479ab426cef7ab79a13005650eff956223ced2
	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 6.7.6 with commit 627e28cbb65564e55008315d9e02fbb90478beda
	Issue introduced in 5.14 with commit fcb3635f5018e53024c6be3c3213737f469f74ff and fixed in 6.8 with commit d877550eaf2dc9090d782864c96939397a3c6835

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26603
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kernel/fpu/signal.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8bd3eee7720c14b59a206bd05b98d7586bccf99a
	https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996
	https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2
	https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda
	https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835