| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-46790: codetag: debug: mark codetags for poisoned page as empty |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| codetag: debug: mark codetags for poisoned page as empty |
| |
| When PG_hwpoison pages are freed they are treated differently in |
| free_pages_prepare() and instead of being released they are isolated. |
| |
| Page allocation tag counters are decremented at this point since the page |
| is considered not in use. Later on when such pages are released by |
| unpoison_memory(), the allocation tag counters will be decremented again |
| and the following warning gets reported: |
| |
| [ 113.930443][ T3282] ------------[ cut here ]------------ |
| [ 113.931105][ T3282] alloc_tag was not set |
| [ 113.931576][ T3282] WARNING: CPU: 2 PID: 3282 at ./include/linux/alloc_tag.h:130 pgalloc_tag_sub.part.66+0x154/0x164 |
| [ 113.932866][ T3282] Modules linked in: hwpoison_inject fuse ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ebtable_nat ebtable_broute ip6table_nat ip6table_man4 |
| [ 113.941638][ T3282] CPU: 2 UID: 0 PID: 3282 Comm: madvise11 Kdump: loaded Tainted: G W 6.11.0-rc4-dirty #18 |
| [ 113.943003][ T3282] Tainted: [W]=WARN |
| [ 113.943453][ T3282] Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022 |
| [ 113.944378][ T3282] pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) |
| [ 113.945319][ T3282] pc : pgalloc_tag_sub.part.66+0x154/0x164 |
| [ 113.946016][ T3282] lr : pgalloc_tag_sub.part.66+0x154/0x164 |
| [ 113.946706][ T3282] sp : ffff800087093a10 |
| [ 113.947197][ T3282] x29: ffff800087093a10 x28: ffff0000d7a9d400 x27: ffff80008249f0a0 |
| [ 113.948165][ T3282] x26: 0000000000000000 x25: ffff80008249f2b0 x24: 0000000000000000 |
| [ 113.949134][ T3282] x23: 0000000000000001 x22: 0000000000000001 x21: 0000000000000000 |
| [ 113.950597][ T3282] x20: ffff0000c08fcad8 x19: ffff80008251e000 x18: ffffffffffffffff |
| [ 113.952207][ T3282] x17: 0000000000000000 x16: 0000000000000000 x15: ffff800081746210 |
| [ 113.953161][ T3282] x14: 0000000000000000 x13: 205d323832335420 x12: 5b5d353031313339 |
| [ 113.954120][ T3282] x11: ffff800087093500 x10: 000000000000005d x9 : 00000000ffffffd0 |
| [ 113.955078][ T3282] x8 : 7f7f7f7f7f7f7f7f x7 : ffff80008236ba90 x6 : c0000000ffff7fff |
| [ 113.956036][ T3282] x5 : ffff000b34bf4dc8 x4 : ffff8000820aba90 x3 : 0000000000000001 |
| [ 113.956994][ T3282] x2 : ffff800ab320f000 x1 : 841d1e35ac932e00 x0 : 0000000000000000 |
| [ 113.957962][ T3282] Call trace: |
| [ 113.958350][ T3282] pgalloc_tag_sub.part.66+0x154/0x164 |
| [ 113.959000][ T3282] pgalloc_tag_sub+0x14/0x1c |
| [ 113.959539][ T3282] free_unref_page+0xf4/0x4b8 |
| [ 113.960096][ T3282] __folio_put+0xd4/0x120 |
| [ 113.960614][ T3282] folio_put+0x24/0x50 |
| [ 113.961103][ T3282] unpoison_memory+0x4f0/0x5b0 |
| [ 113.961678][ T3282] hwpoison_unpoison+0x30/0x48 [hwpoison_inject] |
| [ 113.962436][ T3282] simple_attr_write_xsigned.isra.34+0xec/0x1cc |
| [ 113.963183][ T3282] simple_attr_write+0x38/0x48 |
| [ 113.963750][ T3282] debugfs_attr_write+0x54/0x80 |
| [ 113.964330][ T3282] full_proxy_write+0x68/0x98 |
| [ 113.964880][ T3282] vfs_write+0xdc/0x4d0 |
| [ 113.965372][ T3282] ksys_write+0x78/0x100 |
| [ 113.965875][ T3282] __arm64_sys_write+0x24/0x30 |
| [ 113.966440][ T3282] invoke_syscall+0x7c/0x104 |
| [ 113.966984][ T3282] el0_svc_common.constprop.1+0x88/0x104 |
| [ 113.967652][ T3282] do_el0_svc+0x2c/0x38 |
| [ 113.968893][ T3282] el0_svc+0x3c/0x1b8 |
| [ 113.969379][ T3282] el0t_64_sync_handler+0x98/0xbc |
| [ 113.969980][ T3282] el0t_64_sync+0x19c/0x1a0 |
| [ 113.970511][ T3282] ---[ end trace 0000000000000000 ]--- |
| |
| To fix this, clear the page tag reference after the page got isolated |
| and accounted for. |
| |
| The Linux kernel CVE team has assigned CVE-2024-46790 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.10 with commit d224eb0287fbd84f4f13eca042c7f08f87138f3b and fixed in 6.10.10 with commit 16ad36c8e66a26626e7d0224100b433483a2acef |
| Issue introduced in 6.10 with commit d224eb0287fbd84f4f13eca042c7f08f87138f3b and fixed in 6.11 with commit 5e9784e997620af7c1399029282f5d6964b41942 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-46790 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| mm/page_alloc.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/16ad36c8e66a26626e7d0224100b433483a2acef |
| https://git.kernel.org/stable/c/5e9784e997620af7c1399029282f5d6964b41942 |
