cve/published/2024/CVE-2024-50102.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50102: x86: fix user address masking non-canonical speculation issue

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86: fix user address masking non-canonical speculation issue

 It turns out that AMD has a "Meltdown Lite(tm)" issue with non-canonical
 accesses in kernel space.  And so using just the high bit to decide
 whether an access is in user space or kernel space ends up with the good
 old "leak speculative data" if you have the right gadget using the
 result:

   CVE-2020-12965 “Transient Execution of Non-Canonical Accesses“

 Now, the kernel surrounds the access with a STAC/CLAC pair, and those
 instructions end up serializing execution on older Zen architectures,
 which closes the speculation window.

 But that was true only up until Zen 5, which renames the AC bit [1].
 That improves performance of STAC/CLAC a lot, but also means that the
 speculation window is now open.

 Note that this affects not just the new address masking, but also the
 regular valid_user_address() check used by access_ok(), and the asm
 version of the sign bit check in the get_user() helpers.

 It does not affect put_user() or clear_user() variants, since there's no
 speculative result to be used in a gadget for those operations.

 The Linux kernel CVE team has assigned CVE-2024-50102 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.11.6 with commit 291313693677a345d4f50aae3c68e28b469f601e
 	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.12 with commit 86e6b1547b3d013bc392adf775b89318441403c2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50102
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/include/asm/uaccess_64.h
 	arch/x86/kernel/cpu/common.c
 	arch/x86/kernel/vmlinux.lds.S
 	arch/x86/lib/getuser.S


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/291313693677a345d4f50aae3c68e28b469f601e
 	https://git.kernel.org/stable/c/86e6b1547b3d013bc392adf775b89318441403c2
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50102: x86: fix user address masking non-canonical speculation issue

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86: fix user address masking non-canonical speculation issue

	It turns out that AMD has a "Meltdown Lite(tm)" issue with non-canonical
	accesses in kernel space. And so using just the high bit to decide
	whether an access is in user space or kernel space ends up with the good
	old "leak speculative data" if you have the right gadget using the
	result:

	CVE-2020-12965 “Transient Execution of Non-Canonical Accesses“

	Now, the kernel surrounds the access with a STAC/CLAC pair, and those
	instructions end up serializing execution on older Zen architectures,
	which closes the speculation window.

	But that was true only up until Zen 5, which renames the AC bit [1].
	That improves performance of STAC/CLAC a lot, but also means that the
	speculation window is now open.

	Note that this affects not just the new address masking, but also the
	regular valid_user_address() check used by access_ok(), and the asm
	version of the sign bit check in the get_user() helpers.

	It does not affect put_user() or clear_user() variants, since there's no
	speculative result to be used in a gadget for those operations.

	The Linux kernel CVE team has assigned CVE-2024-50102 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.11.6 with commit 291313693677a345d4f50aae3c68e28b469f601e
	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.12 with commit 86e6b1547b3d013bc392adf775b89318441403c2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50102
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/include/asm/uaccess_64.h
	arch/x86/kernel/cpu/common.c
	arch/x86/kernel/vmlinux.lds.S
	arch/x86/lib/getuser.S


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/291313693677a345d4f50aae3c68e28b469f601e
	https://git.kernel.org/stable/c/86e6b1547b3d013bc392adf775b89318441403c2