cve/published/2024/CVE-2024-35814.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-35814: swiotlb: Fix double-allocation of slots due to broken alignment handling

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 swiotlb: Fix double-allocation of slots due to broken alignment handling

 Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"),
 which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment
 checks"), causes a functional regression with vsock in a virtual machine
 using bouncing via a restricted DMA SWIOTLB pool.

 When virtio allocates the virtqueues for the vsock device using
 dma_alloc_coherent(), the SWIOTLB search can return page-unaligned
 allocations if 'area->index' was left unaligned by a previous allocation
 from the buffer:

  # Final address in brackets is the SWIOTLB address returned to the caller
  | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800)
  | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800)
  | virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)

 This ends badly (typically buffer corruption and/or a hang) because
 swiotlb_alloc() is expecting a page-aligned allocation and so blindly
 returns a pointer to the 'struct page' corresponding to the allocation,
 therefore double-allocating the first half (2KiB slot) of the 4KiB page.

 Fix the problem by treating the allocation alignment separately to any
 additional alignment requirements from the device, using the maximum
 of the two as the stride to search the buffer slots and taking care
 to ensure a minimum of page-alignment for buffers larger than a page.

 This also resolves swiotlb allocation failures occuring due to the
 inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and
 resulting in alignment requirements exceeding swiotlb_max_mapping_size().

 The Linux kernel CVE team has assigned CVE-2024-35814 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.3 with commit 0eee5ae1025699ea93d44fdb6ef2365505082103 and fixed in 6.6.24 with commit 3e7acd6e25ba77dde48c3b721c54c89cd6a10534
 	Issue introduced in 6.3 with commit 0eee5ae1025699ea93d44fdb6ef2365505082103 and fixed in 6.7.12 with commit c88668aa6c1da240ea3eb4d128b7906e740d3cb8
 	Issue introduced in 6.3 with commit 0eee5ae1025699ea93d44fdb6ef2365505082103 and fixed in 6.8.3 with commit 777391743771040e12cc40d3d0d178f70c616491
 	Issue introduced in 6.3 with commit 0eee5ae1025699ea93d44fdb6ef2365505082103 and fixed in 6.9 with commit 04867a7a33324c9c562ee7949dbcaab7aaad1fb4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-35814
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/dma/swiotlb.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3e7acd6e25ba77dde48c3b721c54c89cd6a10534
 	https://git.kernel.org/stable/c/c88668aa6c1da240ea3eb4d128b7906e740d3cb8
 	https://git.kernel.org/stable/c/777391743771040e12cc40d3d0d178f70c616491
 	https://git.kernel.org/stable/c/04867a7a33324c9c562ee7949dbcaab7aaad1fb4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-35814: swiotlb: Fix double-allocation of slots due to broken alignment handling

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	swiotlb: Fix double-allocation of slots due to broken alignment handling

	Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"),
	which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment
	checks"), causes a functional regression with vsock in a virtual machine
	using bouncing via a restricted DMA SWIOTLB pool.

	When virtio allocates the virtqueues for the vsock device using
	dma_alloc_coherent(), the SWIOTLB search can return page-unaligned
	allocations if 'area->index' was left unaligned by a previous allocation
	from the buffer:

	# Final address in brackets is the SWIOTLB address returned to the caller
	\| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800)
	\| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800)
	\| virtio-pci 0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)

	This ends badly (typically buffer corruption and/or a hang) because
	swiotlb_alloc() is expecting a page-aligned allocation and so blindly
	returns a pointer to the 'struct page' corresponding to the allocation,
	therefore double-allocating the first half (2KiB slot) of the 4KiB page.

	Fix the problem by treating the allocation alignment separately to any
	additional alignment requirements from the device, using the maximum
	of the two as the stride to search the buffer slots and taking care
	to ensure a minimum of page-alignment for buffers larger than a page.

	This also resolves swiotlb allocation failures occuring due to the
	inclusion of ~PAGE_MASK in 'iotlb_align_mask' for large allocations and
	resulting in alignment requirements exceeding swiotlb_max_mapping_size().

	The Linux kernel CVE team has assigned CVE-2024-35814 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.3 with commit 0eee5ae1025699ea93d44fdb6ef2365505082103 and fixed in 6.6.24 with commit 3e7acd6e25ba77dde48c3b721c54c89cd6a10534
	Issue introduced in 6.3 with commit 0eee5ae1025699ea93d44fdb6ef2365505082103 and fixed in 6.7.12 with commit c88668aa6c1da240ea3eb4d128b7906e740d3cb8
	Issue introduced in 6.3 with commit 0eee5ae1025699ea93d44fdb6ef2365505082103 and fixed in 6.8.3 with commit 777391743771040e12cc40d3d0d178f70c616491
	Issue introduced in 6.3 with commit 0eee5ae1025699ea93d44fdb6ef2365505082103 and fixed in 6.9 with commit 04867a7a33324c9c562ee7949dbcaab7aaad1fb4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-35814
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/dma/swiotlb.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3e7acd6e25ba77dde48c3b721c54c89cd6a10534
	https://git.kernel.org/stable/c/c88668aa6c1da240ea3eb4d128b7906e740d3cb8
	https://git.kernel.org/stable/c/777391743771040e12cc40d3d0d178f70c616491
	https://git.kernel.org/stable/c/04867a7a33324c9c562ee7949dbcaab7aaad1fb4