cve/published/2024/CVE-2024-46689.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46689: soc: qcom: cmd-db: Map shared memory as WC, not WB

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 soc: qcom: cmd-db: Map shared memory as WC, not WB

 Linux does not write into cmd-db region. This region of memory is write
 protected by XPU. XPU may sometime falsely detect clean cache eviction
 as "write" into the write protected region leading to secure interrupt
 which causes an endless loop somewhere in Trust Zone.

 The only reason it is working right now is because Qualcomm Hypervisor
 maps the same region as Non-Cacheable memory in Stage 2 translation
 tables. The issue manifests if we want to use another hypervisor (like
 Xen or KVM), which does not know anything about those specific mappings.

 Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC
 removes dependency on correct mappings in Stage 2 tables. This patch
 fixes the issue by updating the mapping to MEMREMAP_WC.

 I tested this on SA8155P with Xen.

 The Linux kernel CVE team has assigned CVE-2024-46689 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 5.4.283 with commit 0ee9594c974368a17e85a431e9fe1c14fb65c278
 	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 5.10.225 with commit f5a5a5a0e95f36e2792d48e6e4b64e665eb01374
 	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 5.15.166 with commit eaff392c1e34fb77cc61505a31b0191e5e46e271
 	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 6.1.108 with commit d9d48d70e922b272875cda60d2ada89291c840cf
 	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 6.6.49 with commit ef80520be0ff78ae5ed44cb6eee1525e65bebe70
 	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 6.10.8 with commit 62c2d63605ca25b5db78a347ed303c0a0a77d5b4
 	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 6.11 with commit f9bb896eab221618927ae6a2f1d566567999839d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46689
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/soc/qcom/cmd-db.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0ee9594c974368a17e85a431e9fe1c14fb65c278
 	https://git.kernel.org/stable/c/f5a5a5a0e95f36e2792d48e6e4b64e665eb01374
 	https://git.kernel.org/stable/c/eaff392c1e34fb77cc61505a31b0191e5e46e271
 	https://git.kernel.org/stable/c/d9d48d70e922b272875cda60d2ada89291c840cf
 	https://git.kernel.org/stable/c/ef80520be0ff78ae5ed44cb6eee1525e65bebe70
 	https://git.kernel.org/stable/c/62c2d63605ca25b5db78a347ed303c0a0a77d5b4
 	https://git.kernel.org/stable/c/f9bb896eab221618927ae6a2f1d566567999839d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46689: soc: qcom: cmd-db: Map shared memory as WC, not WB

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	soc: qcom: cmd-db: Map shared memory as WC, not WB

	Linux does not write into cmd-db region. This region of memory is write
	protected by XPU. XPU may sometime falsely detect clean cache eviction
	as "write" into the write protected region leading to secure interrupt
	which causes an endless loop somewhere in Trust Zone.

	The only reason it is working right now is because Qualcomm Hypervisor
	maps the same region as Non-Cacheable memory in Stage 2 translation
	tables. The issue manifests if we want to use another hypervisor (like
	Xen or KVM), which does not know anything about those specific mappings.

	Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC
	removes dependency on correct mappings in Stage 2 tables. This patch
	fixes the issue by updating the mapping to MEMREMAP_WC.

	I tested this on SA8155P with Xen.

	The Linux kernel CVE team has assigned CVE-2024-46689 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 5.4.283 with commit 0ee9594c974368a17e85a431e9fe1c14fb65c278
	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 5.10.225 with commit f5a5a5a0e95f36e2792d48e6e4b64e665eb01374
	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 5.15.166 with commit eaff392c1e34fb77cc61505a31b0191e5e46e271
	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 6.1.108 with commit d9d48d70e922b272875cda60d2ada89291c840cf
	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 6.6.49 with commit ef80520be0ff78ae5ed44cb6eee1525e65bebe70
	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 6.10.8 with commit 62c2d63605ca25b5db78a347ed303c0a0a77d5b4
	Issue introduced in 4.18 with commit 312416d9171a1460b7ed8d182b5b540c910ce80d and fixed in 6.11 with commit f9bb896eab221618927ae6a2f1d566567999839d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46689
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/soc/qcom/cmd-db.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0ee9594c974368a17e85a431e9fe1c14fb65c278
	https://git.kernel.org/stable/c/f5a5a5a0e95f36e2792d48e6e4b64e665eb01374
	https://git.kernel.org/stable/c/eaff392c1e34fb77cc61505a31b0191e5e46e271
	https://git.kernel.org/stable/c/d9d48d70e922b272875cda60d2ada89291c840cf
	https://git.kernel.org/stable/c/ef80520be0ff78ae5ed44cb6eee1525e65bebe70
	https://git.kernel.org/stable/c/62c2d63605ca25b5db78a347ed303c0a0a77d5b4
	https://git.kernel.org/stable/c/f9bb896eab221618927ae6a2f1d566567999839d