cve/published/2024/CVE-2024-46824.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-46824: iommufd: Require drivers to supply the cache_invalidate_user ops

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 iommufd: Require drivers to supply the cache_invalidate_user ops

 If drivers don't do this then iommufd will oops invalidation ioctls with
 something like:

   Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
   Mem abort info:
     ESR = 0x0000000086000004
     EC = 0x21: IABT (current EL), IL = 32 bits
     SET = 0, FnV = 0
     EA = 0, S1PTW = 0
     FSC = 0x04: level 0 translation fault
   user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000
   [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
   Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
   Modules linked in:
   CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9
   Hardware name: linux,dummy-virt (DT)
   pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c)
   pc : 0x0
   lr : iommufd_hwpt_invalidate+0xa4/0x204
   sp : ffff800080f3bcc0
   x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000
   x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
   x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0
   x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000
   x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8
   x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
   x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
   x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000
   x5 : ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002
   x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80
   Call trace:
    0x0
    iommufd_fops_ioctl+0x154/0x274
    __arm64_sys_ioctl+0xac/0xf0
    invoke_syscall+0x48/0x110
    el0_svc_common.constprop.0+0x40/0xe0
    do_el0_svc+0x1c/0x28
    el0_svc+0x34/0xb4
    el0t_64_sync_handler+0x120/0x12c
    el0t_64_sync+0x190/0x194

 All existing drivers implement this op for nesting, this is mostly a
 bisection aid.

 The Linux kernel CVE team has assigned CVE-2024-46824 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit 8c6eabae3807e048b9f17733af5e20500fbf858c and fixed in 6.10.10 with commit 89827a4de802765b1ebb401fc1e73a90108c7520
 	Issue introduced in 6.8 with commit 8c6eabae3807e048b9f17733af5e20500fbf858c and fixed in 6.11 with commit a11dda723c6493bb1853bbc61c093377f96e2d47

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-46824
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/iommu/iommufd/hw_pagetable.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/89827a4de802765b1ebb401fc1e73a90108c7520
 	https://git.kernel.org/stable/c/a11dda723c6493bb1853bbc61c093377f96e2d47
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-46824: iommufd: Require drivers to supply the cache_invalidate_user ops

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	iommufd: Require drivers to supply the cache_invalidate_user ops

	If drivers don't do this then iommufd will oops invalidation ioctls with
	something like:

	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
	Mem abort info:
	ESR = 0x0000000086000004
	EC = 0x21: IABT (current EL), IL = 32 bits
	SET = 0, FnV = 0
	EA = 0, S1PTW = 0
	FSC = 0x04: level 0 translation fault
	user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000
	[0000000000000000] pgd=0000000000000000, p4d=0000000000000000
	Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP
	Modules linked in:
	CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9
	Hardware name: linux,dummy-virt (DT)
	pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c)
	pc : 0x0
	lr : iommufd_hwpt_invalidate+0xa4/0x204
	sp : ffff800080f3bcc0
	x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000
	x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
	x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0
	x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000
	x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8
	x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
	x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
	x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000
	x5 : ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002
	x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80
	Call trace:
	0x0
	iommufd_fops_ioctl+0x154/0x274
	__arm64_sys_ioctl+0xac/0xf0
	invoke_syscall+0x48/0x110
	el0_svc_common.constprop.0+0x40/0xe0
	do_el0_svc+0x1c/0x28
	el0_svc+0x34/0xb4
	el0t_64_sync_handler+0x120/0x12c
	el0t_64_sync+0x190/0x194

	All existing drivers implement this op for nesting, this is mostly a
	bisection aid.

	The Linux kernel CVE team has assigned CVE-2024-46824 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit 8c6eabae3807e048b9f17733af5e20500fbf858c and fixed in 6.10.10 with commit 89827a4de802765b1ebb401fc1e73a90108c7520
	Issue introduced in 6.8 with commit 8c6eabae3807e048b9f17733af5e20500fbf858c and fixed in 6.11 with commit a11dda723c6493bb1853bbc61c093377f96e2d47

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-46824
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/iommu/iommufd/hw_pagetable.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/89827a4de802765b1ebb401fc1e73a90108c7520
	https://git.kernel.org/stable/c/a11dda723c6493bb1853bbc61c093377f96e2d47