From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-49935: ACPI: PAD: fix crash in exit_round_robin()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ACPI: PAD: fix crash in exit_round_robin()

The kernel occasionally crashes in cpumask_clear_cpu(), which is called
within exit_round_robin(), because when executing clear_bit(nr, addr) with
nr set to 0xffffffff, the address calculation may cause misalignment within
the memory, leading to access to an invalid memory address.

----------
BUG: unable to handle kernel paging request at ffffffffe0740618
...
CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1
...
RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
? acpi_pad_add+0x120/0x120 [acpi_pad]
kthread+0x10b/0x130
? set_kthread_struct+0x50/0x50
ret_from_fork+0x1f/0x40
...
CR2: ffffffffe0740618

crash> dis -lr ffffffffc0726923
...
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
0xffffffffc0726918 <power_saving_thread+776>: mov %r12d,%r12d
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
0xffffffffc072691b <power_saving_thread+779>: mov -0x3f8d7de0(,%r12,4),%eax
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
0xffffffffc0726923 <power_saving_thread+787>: lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 <pad_busy_cpus_bits>

crash> px tsk_in_cpu[14]
$66 = 0xffffffff

crash> px 0xffffffffc072692c+0x19cf4
$99 = 0xffffffffc0740620

crash> sym 0xffffffffc0740620
ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]

crash> px pad_busy_cpus_bits[0]
$42 = 0xfffc0
----------

To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling
cpumask_clear_cpu() in exit_round_robin(), just as it is done in
round_robin_cpu().

[ rjw: Subject edit, avoid updates to the same value ]

The Linux kernel CVE team has assigned CVE-2024-49935 to this issue.
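
The following is an added userland model of the bug class described above; it
is not code from drivers/acpi/acpi_pad.c or from the fix commits. Only the
names pad_busy_cpus_bits and tsk_in_cpu are taken from the crash dump; the
array sizes, the helpers (bit_word_index, clear_bit_checked, pad_claim_cpu,
pad_reset_state, cpu_is_busy) and the two exit_round_robin_* functions are
assumptions made for this example. It shows why a sentinel of -1 widened to
an unsigned bit number (0xffffffff) produces a word offset far outside the
bitmap, and how the "is a CPU actually held?" check from the fix avoids that
write entirely.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model; sizes are assumptions, not the driver's values. */
#define NR_CPUS 64
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define MAX_PAD_THREADS 16

static unsigned long pad_busy_cpus_bits[BITS_TO_LONGS(NR_CPUS)];
static int tsk_in_cpu[MAX_PAD_THREADS]; /* -1: thread holds no CPU */

/* Word offset a clear_bit()-style helper derives from a bit number. An int
 * of -1 widened to unsigned is 0xffffffff, so the offset lands far past any
 * NR_CPUS-sized bitmap: the out-of-bounds access behind the CR2 above. */
static size_t bit_word_index(unsigned int nr)
{
    return nr / BITS_PER_LONG;
}

/* Bounds-checked stand-in for the kernel's clear_bit(): reports, rather
 * than performs, a write that would fall outside the bitmap. */
static bool clear_bit_checked(unsigned int nr, unsigned long *addr, size_t nlongs)
{
    size_t word = bit_word_index(nr);
    if (word >= nlongs)
        return false;
    addr[word] &= ~(1UL << (nr % BITS_PER_LONG));
    return true;
}

static bool cpu_is_busy(unsigned int cpu)
{
    return (pad_busy_cpus_bits[bit_word_index(cpu)] >> (cpu % BITS_PER_LONG)) & 1UL;
}

void pad_reset_state(void)
{
    memset(pad_busy_cpus_bits, 0, sizeof(pad_busy_cpus_bits));
    for (size_t i = 0; i < MAX_PAD_THREADS; i++)
        tsk_in_cpu[i] = -1;
}

/* Models a thread claiming a CPU, as round_robin_cpu() does. */
void pad_claim_cpu(unsigned int tsk_index, unsigned int cpu)
{
    pad_busy_cpus_bits[bit_word_index(cpu)] |= 1UL << (cpu % BITS_PER_LONG);
    tsk_in_cpu[tsk_index] = (int)cpu;
}

/* Pre-fix shape: clears bit tsk_in_cpu[tsk_index] unconditionally, so a
 * thread that never claimed a CPU feeds 0xffffffff to the bit helper. */
bool exit_round_robin_unfixed(unsigned int tsk_index)
{
    return clear_bit_checked((unsigned int)tsk_in_cpu[tsk_index],
                             pad_busy_cpus_bits, BITS_TO_LONGS(NR_CPUS));
}

/* Post-fix shape: only clear when a CPU was actually claimed, mirroring the
 * check round_robin_cpu() already performs; -1 is left untouched. */
bool exit_round_robin_fixed(unsigned int tsk_index)
{
    if (tsk_in_cpu[tsk_index] == -1)
        return true; /* nothing to release */
    bool ok = clear_bit_checked((unsigned int)tsk_in_cpu[tsk_index],
                                pad_busy_cpus_bits, BITS_TO_LONGS(NR_CPUS));
    tsk_in_cpu[tsk_index] = -1;
    return ok;
}

int main(void)
{
    pad_reset_state();
    printf("unfixed, no CPU claimed: %s\n",
           exit_round_robin_unfixed(14) ? "ok" : "out-of-bounds bitmap write");
    printf("fixed,   no CPU claimed: %s\n",
           exit_round_robin_fixed(14) ? "ok" : "out-of-bounds bitmap write");
    pad_claim_cpu(3, 5);
    exit_round_robin_fixed(3);
    printf("fixed,   CPU 5 claimed then released: busy=%d\n", cpu_is_busy(5));
    return 0;
}
```

The bounds check inside clear_bit_checked exists only so the model can report
the fault instead of reproducing it; the kernel's real helper has no such
check, which is why the guard belongs at the caller, as the fix places it.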


Affected and fixed versions
===========================

Fixed in 5.15.168 with commit 92e5661b7d0727ab912b76625a88b33fdb9b609a
Fixed in 6.1.113 with commit 68a599da16ebad442ce295d8d2d5c488e3992822
Fixed in 6.6.55 with commit 68a8e45743d6a120f863fb14b72dc59616597019
Fixed in 6.10.14 with commit 03593dbb0b272ef7b0358b099841e65735422aca
Fixed in 6.11.3 with commit 27c045f868f0e5052c6b532868a65e0cd250c8fc
Fixed in 6.12 with commit 0a2ed70a549e61c5181bad5db418d223b68ae932

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-49935
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
drivers/acpi/acpi_pad.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/92e5661b7d0727ab912b76625a88b33fdb9b609a
https://git.kernel.org/stable/c/68a599da16ebad442ce295d8d2d5c488e3992822
https://git.kernel.org/stable/c/68a8e45743d6a120f863fb14b72dc59616597019
https://git.kernel.org/stable/c/03593dbb0b272ef7b0358b099841e65735422aca
https://git.kernel.org/stable/c/27c045f868f0e5052c6b532868a65e0cd250c8fc
https://git.kernel.org/stable/c/0a2ed70a549e61c5181bad5db418d223b68ae932