cve/published/2024/CVE-2024-26947.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26947: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses

 Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account
 freed memory map alignment") changes the semantics of pfn_valid() to check
 presence of the memory map for a PFN. A valid page for an address which
 is reserved but not mapped by the kernel[1], the system crashed during
 some uio test with the following memory layout:

  node   0: [mem 0x00000000c0a00000-0x00000000cc8fffff]
  node   0: [mem 0x00000000d0000000-0x00000000da1fffff]
  the uio layout is：0xc0900000, 0x100000

 the crash backtrace like:

   Unable to handle kernel paging request at virtual address bff00000
   [...]
   CPU: 1 PID: 465 Comm: startapp.bin Tainted: G           O      5.10.0 #1
   Hardware name: Generic DT based system
   PC is at b15_flush_kern_dcache_area+0x24/0x3c
   LR is at __sync_icache_dcache+0x6c/0x98
   [...]
    (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)
    (__sync_icache_dcache) from (set_pte_at+0x28/0x54)
    (set_pte_at) from (remap_pfn_range+0x1a0/0x274)
    (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])
    (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)
    (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)
    (__do_mmap_mm) from (do_mmap+0x50/0x58)
    (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)
    (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)
    (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)
   Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)
   ---[ end trace 09cf0734c3805d52 ]---
   Kernel panic - not syncing: Fatal exception

 So check if PG_reserved was set to solve this issue.

 [1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/

 The Linux kernel CVE team has assigned CVE-2024-26947 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.14 with commit a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 and fixed in 6.6.24 with commit 0c027c2bad7f5111c51a358b5d392e1a695dabff
 	Issue introduced in 5.14 with commit a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 and fixed in 6.7.12 with commit 9f7ddc222cae8254e93d5c169a8ae11a49d912a7
 	Issue introduced in 5.14 with commit a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 and fixed in 6.8.3 with commit fb3a122a978626b33de3367ee1762da934c0f512
 	Issue introduced in 5.14 with commit a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 and fixed in 6.9 with commit 0c66c6f4e21cb22220cbd8821c5c73fc157d20dc
 	Issue introduced in 5.4.167 with commit 6026d4032dbbe3d7f4ac2c8daa923fe74dcf41c4
 	Issue introduced in 5.10.87 with commit 65c578935bcc26ddc04e6757b2c7be95bf235b31

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26947
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm/mm/flush.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff
 	https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7
 	https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512
 	https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26947: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses

	Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account
	freed memory map alignment") changes the semantics of pfn_valid() to check
	presence of the memory map for a PFN. A valid page for an address which
	is reserved but not mapped by the kernel[1], the system crashed during
	some uio test with the following memory layout:

	node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]
	node 0: [mem 0x00000000d0000000-0x00000000da1fffff]
	the uio layout is：0xc0900000, 0x100000

	the crash backtrace like:

	Unable to handle kernel paging request at virtual address bff00000
	[...]
	CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1
	Hardware name: Generic DT based system
	PC is at b15_flush_kern_dcache_area+0x24/0x3c
	LR is at __sync_icache_dcache+0x6c/0x98
	[...]
	(b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)
	(__sync_icache_dcache) from (set_pte_at+0x28/0x54)
	(set_pte_at) from (remap_pfn_range+0x1a0/0x274)
	(remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])
	(uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)
	(__mmap_region) from (__do_mmap_mm+0x3ec/0x440)
	(__do_mmap_mm) from (do_mmap+0x50/0x58)
	(do_mmap) from (vm_mmap_pgoff+0xfc/0x188)
	(vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)
	(ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)
	Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)
	---[ end trace 09cf0734c3805d52 ]---
	Kernel panic - not syncing: Fatal exception

	So check if PG_reserved was set to solve this issue.

	[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/

	The Linux kernel CVE team has assigned CVE-2024-26947 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.14 with commit a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 and fixed in 6.6.24 with commit 0c027c2bad7f5111c51a358b5d392e1a695dabff
	Issue introduced in 5.14 with commit a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 and fixed in 6.7.12 with commit 9f7ddc222cae8254e93d5c169a8ae11a49d912a7
	Issue introduced in 5.14 with commit a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 and fixed in 6.8.3 with commit fb3a122a978626b33de3367ee1762da934c0f512
	Issue introduced in 5.14 with commit a4d5613c4dc6d413e0733e37db9d116a2a36b9f3 and fixed in 6.9 with commit 0c66c6f4e21cb22220cbd8821c5c73fc157d20dc
	Issue introduced in 5.4.167 with commit 6026d4032dbbe3d7f4ac2c8daa923fe74dcf41c4
	Issue introduced in 5.10.87 with commit 65c578935bcc26ddc04e6757b2c7be95bf235b31

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26947
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm/mm/flush.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff
	https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7
	https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512
	https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc