cve/published/2024/CVE-2024-50303.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50303: resource,kexec: walk_system_ram_res_rev must retain resource flags

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 resource,kexec: walk_system_ram_res_rev must retain resource flags

 walk_system_ram_res_rev() erroneously discards resource flags when passing
 the information to the callback.

 This causes systems with IORESOURCE_SYSRAM_DRIVER_MANAGED memory to have
 these resources selected during kexec to store kexec buffers if that
 memory happens to be at placed above normal system ram.

 This leads to undefined behavior after reboot.  If the kexec buffer is
 never touched, nothing happens.  If the kexec buffer is touched, it could
 lead to a crash (like below) or undefined behavior.

 Tested on a system with CXL memory expanders with driver managed memory,
 TPM enabled, and CONFIG_IMA_KEXEC=y.  Adding printk's showed the flags
 were being discarded and as a result the check for
 IORESOURCE_SYSRAM_DRIVER_MANAGED passes.

 find_next_iomem_res: name(System RAM (kmem))
 		     start(10000000000)
 		     end(1034fffffff)
 		     flags(83000200)

 locate_mem_hole_top_down: start(10000000000) end(1034fffffff) flags(0)

 [.] BUG: unable to handle page fault for address: ffff89834ffff000
 [.] #PF: supervisor read access in kernel mode
 [.] #PF: error_code(0x0000) - not-present page
 [.] PGD c04c8bf067 P4D c04c8bf067 PUD c04c8be067 PMD 0
 [.] Oops: 0000 [#1] SMP
 [.] RIP: 0010:ima_restore_measurement_list+0x95/0x4b0
 [.] RSP: 0018:ffffc900000d3a80 EFLAGS: 00010286
 [.] RAX: 0000000000001000 RBX: 0000000000000000 RCX: ffff89834ffff000
 [.] RDX: 0000000000000018 RSI: ffff89834ffff000 RDI: ffff89834ffff018
 [.] RBP: ffffc900000d3ba0 R08: 0000000000000020 R09: ffff888132b8a900
 [.] R10: 4000000000000000 R11: 000000003a616d69 R12: 0000000000000000
 [.] R13: ffffffff8404ac28 R14: 0000000000000000 R15: ffff89834ffff000
 [.] FS:  0000000000000000(0000) GS:ffff893d44640000(0000) knlGS:0000000000000000
 [.] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [.] ata5: SATA link down (SStatus 0 SControl 300)
 [.] CR2: ffff89834ffff000 CR3: 000001034d00f001 CR4: 0000000000770ef0
 [.] PKRU: 55555554
 [.] Call Trace:
 [.]  <TASK>
 [.]  ? __die+0x78/0xc0
 [.]  ? page_fault_oops+0x2a8/0x3a0
 [.]  ? exc_page_fault+0x84/0x130
 [.]  ? asm_exc_page_fault+0x22/0x30
 [.]  ? ima_restore_measurement_list+0x95/0x4b0
 [.]  ? template_desc_init_fields+0x317/0x410
 [.]  ? crypto_alloc_tfm_node+0x9c/0xc0
 [.]  ? init_ima_lsm+0x30/0x30
 [.]  ima_load_kexec_buffer+0x72/0xa0
 [.]  ima_init+0x44/0xa0
 [.]  __initstub__kmod_ima__373_1201_init_ima7+0x1e/0xb0
 [.]  ? init_ima_lsm+0x30/0x30
 [.]  do_one_initcall+0xad/0x200
 [.]  ? idr_alloc_cyclic+0xaa/0x110
 [.]  ? new_slab+0x12c/0x420
 [.]  ? new_slab+0x12c/0x420
 [.]  ? number+0x12a/0x430
 [.]  ? sysvec_apic_timer_interrupt+0xa/0x80
 [.]  ? asm_sysvec_apic_timer_interrupt+0x16/0x20
 [.]  ? parse_args+0xd4/0x380
 [.]  ? parse_args+0x14b/0x380
 [.]  kernel_init_freeable+0x1c1/0x2b0
 [.]  ? rest_init+0xb0/0xb0
 [.]  kernel_init+0x16/0x1a0
 [.]  ret_from_fork+0x2f/0x40
 [.]  ? rest_init+0xb0/0xb0
 [.]  ret_from_fork_asm+0x11/0x20
 [.]  </TASK>

 The Linux kernel CVE team has assigned CVE-2024-50303 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.8 with commit 7acf164b259d9007264d9d8501da1023f140a3b4 and fixed in 6.11.7 with commit dc9031b7919bd346514ea9a720f433b8daf3970d
 	Issue introduced in 6.8 with commit 7acf164b259d9007264d9d8501da1023f140a3b4 and fixed in 6.12 with commit b125a0def25a082ae944c9615208bf359abdb61c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50303
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/resource.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/dc9031b7919bd346514ea9a720f433b8daf3970d
 	https://git.kernel.org/stable/c/b125a0def25a082ae944c9615208bf359abdb61c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50303: resource,kexec: walk_system_ram_res_rev must retain resource flags

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	resource,kexec: walk_system_ram_res_rev must retain resource flags

	walk_system_ram_res_rev() erroneously discards resource flags when passing
	the information to the callback.

	This causes systems with IORESOURCE_SYSRAM_DRIVER_MANAGED memory to have
	these resources selected during kexec to store kexec buffers if that
	memory happens to be at placed above normal system ram.

	This leads to undefined behavior after reboot. If the kexec buffer is
	never touched, nothing happens. If the kexec buffer is touched, it could
	lead to a crash (like below) or undefined behavior.

	Tested on a system with CXL memory expanders with driver managed memory,
	TPM enabled, and CONFIG_IMA_KEXEC=y. Adding printk's showed the flags
	were being discarded and as a result the check for
	IORESOURCE_SYSRAM_DRIVER_MANAGED passes.

	find_next_iomem_res: name(System RAM (kmem))
	start(10000000000)
	end(1034fffffff)
	flags(83000200)

	locate_mem_hole_top_down: start(10000000000) end(1034fffffff) flags(0)

	[.] BUG: unable to handle page fault for address: ffff89834ffff000
	[.] #PF: supervisor read access in kernel mode
	[.] #PF: error_code(0x0000) - not-present page
	[.] PGD c04c8bf067 P4D c04c8bf067 PUD c04c8be067 PMD 0
	[.] Oops: 0000 [#1] SMP
	[.] RIP: 0010:ima_restore_measurement_list+0x95/0x4b0
	[.] RSP: 0018:ffffc900000d3a80 EFLAGS: 00010286
	[.] RAX: 0000000000001000 RBX: 0000000000000000 RCX: ffff89834ffff000
	[.] RDX: 0000000000000018 RSI: ffff89834ffff000 RDI: ffff89834ffff018
	[.] RBP: ffffc900000d3ba0 R08: 0000000000000020 R09: ffff888132b8a900
	[.] R10: 4000000000000000 R11: 000000003a616d69 R12: 0000000000000000
	[.] R13: ffffffff8404ac28 R14: 0000000000000000 R15: ffff89834ffff000
	[.] FS: 0000000000000000(0000) GS:ffff893d44640000(0000) knlGS:0000000000000000
	[.] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[.] ata5: SATA link down (SStatus 0 SControl 300)
	[.] CR2: ffff89834ffff000 CR3: 000001034d00f001 CR4: 0000000000770ef0
	[.] PKRU: 55555554
	[.] Call Trace:
	[.] <TASK>
	[.] ? __die+0x78/0xc0
	[.] ? page_fault_oops+0x2a8/0x3a0
	[.] ? exc_page_fault+0x84/0x130
	[.] ? asm_exc_page_fault+0x22/0x30
	[.] ? ima_restore_measurement_list+0x95/0x4b0
	[.] ? template_desc_init_fields+0x317/0x410
	[.] ? crypto_alloc_tfm_node+0x9c/0xc0
	[.] ? init_ima_lsm+0x30/0x30
	[.] ima_load_kexec_buffer+0x72/0xa0
	[.] ima_init+0x44/0xa0
	[.] __initstub__kmod_ima__373_1201_init_ima7+0x1e/0xb0
	[.] ? init_ima_lsm+0x30/0x30
	[.] do_one_initcall+0xad/0x200
	[.] ? idr_alloc_cyclic+0xaa/0x110
	[.] ? new_slab+0x12c/0x420
	[.] ? new_slab+0x12c/0x420
	[.] ? number+0x12a/0x430
	[.] ? sysvec_apic_timer_interrupt+0xa/0x80
	[.] ? asm_sysvec_apic_timer_interrupt+0x16/0x20
	[.] ? parse_args+0xd4/0x380
	[.] ? parse_args+0x14b/0x380
	[.] kernel_init_freeable+0x1c1/0x2b0
	[.] ? rest_init+0xb0/0xb0
	[.] kernel_init+0x16/0x1a0
	[.] ret_from_fork+0x2f/0x40
	[.] ? rest_init+0xb0/0xb0
	[.] ret_from_fork_asm+0x11/0x20
	[.] </TASK>

	The Linux kernel CVE team has assigned CVE-2024-50303 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.8 with commit 7acf164b259d9007264d9d8501da1023f140a3b4 and fixed in 6.11.7 with commit dc9031b7919bd346514ea9a720f433b8daf3970d
	Issue introduced in 6.8 with commit 7acf164b259d9007264d9d8501da1023f140a3b4 and fixed in 6.12 with commit b125a0def25a082ae944c9615208bf359abdb61c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50303
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/resource.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/dc9031b7919bd346514ea9a720f433b8daf3970d
	https://git.kernel.org/stable/c/b125a0def25a082ae944c9615208bf359abdb61c