cve/published/2024/CVE-2024-56617.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56617: cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU

 Commit

   5944ce092b97 ("arch_topology: Build cacheinfo from primary CPU")

 adds functionality that architectures can use to optionally allocate and
 build cacheinfo early during boot. Commit

   6539cffa9495 ("cacheinfo: Add arch specific early level initializer")

 lets secondary CPUs correct (and reallocate memory) cacheinfo data if
 needed.

 If the early build functionality is not used and cacheinfo does not need
 correction, memory for cacheinfo is never allocated. x86 does not use
 the early build functionality. Consequently, during the cacheinfo CPU
 hotplug callback, last_level_cache_is_valid() attempts to dereference
 a NULL pointer:

   BUG: kernel NULL pointer dereference, address: 0000000000000100
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x0000) - not present page
   PGD 0 P4D 0
   Oops: 0000 [#1] PREEPMT SMP NOPTI
   CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1
   RIP: 0010: last_level_cache_is_valid+0x95/0xe0a

 Allocate memory for cacheinfo during the cacheinfo CPU hotplug callback
 if not done earlier.

 Moreover, before determining the validity of the last-level cache info,
 ensure that it has been allocated. Simply checking for non-zero
 cache_leaves() is not sufficient, as some architectures (e.g., Intel
 processors) have non-zero cache_leaves() before allocation.

 Dereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size().
 This function iterates over all online CPUs. However, a CPU may have come
 online recently, but its cacheinfo may not have been allocated yet.

 While here, remove an unnecessary indentation in allocate_cache_info().

   [ bp: Massage. ]

 The Linux kernel CVE team has assigned CVE-2024-56617 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit 6539cffa94957241c096099a57d05fa4d8c7db8a and fixed in 6.6.66 with commit 23b5908b11b77ff8d7b8f7b8f11cbab2e1f4bfc2
 	Issue introduced in 6.4 with commit 6539cffa94957241c096099a57d05fa4d8c7db8a and fixed in 6.12.5 with commit 95e197354e0de07e9a20819bdae6562e4dda0f20
 	Issue introduced in 6.4 with commit 6539cffa94957241c096099a57d05fa4d8c7db8a and fixed in 6.13 with commit b3fce429a1e030b50c1c91351d69b8667eef627b

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56617
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/base/cacheinfo.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/23b5908b11b77ff8d7b8f7b8f11cbab2e1f4bfc2
 	https://git.kernel.org/stable/c/95e197354e0de07e9a20819bdae6562e4dda0f20
 	https://git.kernel.org/stable/c/b3fce429a1e030b50c1c91351d69b8667eef627b
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56617: cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU

	Commit

	5944ce092b97 ("arch_topology: Build cacheinfo from primary CPU")

	adds functionality that architectures can use to optionally allocate and
	build cacheinfo early during boot. Commit

	6539cffa9495 ("cacheinfo: Add arch specific early level initializer")

	lets secondary CPUs correct (and reallocate memory) cacheinfo data if
	needed.

	If the early build functionality is not used and cacheinfo does not need
	correction, memory for cacheinfo is never allocated. x86 does not use
	the early build functionality. Consequently, during the cacheinfo CPU
	hotplug callback, last_level_cache_is_valid() attempts to dereference
	a NULL pointer:

	BUG: kernel NULL pointer dereference, address: 0000000000000100
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not present page
	PGD 0 P4D 0
	Oops: 0000 [#1] PREEPMT SMP NOPTI
	CPU: 0 PID 19 Comm: cpuhp/0 Not tainted 6.4.0-rc2 #1
	RIP: 0010: last_level_cache_is_valid+0x95/0xe0a

	Allocate memory for cacheinfo during the cacheinfo CPU hotplug callback
	if not done earlier.

	Moreover, before determining the validity of the last-level cache info,
	ensure that it has been allocated. Simply checking for non-zero
	cache_leaves() is not sufficient, as some architectures (e.g., Intel
	processors) have non-zero cache_leaves() before allocation.

	Dereferencing NULL cacheinfo can occur in update_per_cpu_data_slice_size().
	This function iterates over all online CPUs. However, a CPU may have come
	online recently, but its cacheinfo may not have been allocated yet.

	While here, remove an unnecessary indentation in allocate_cache_info().

	[ bp: Massage. ]

	The Linux kernel CVE team has assigned CVE-2024-56617 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit 6539cffa94957241c096099a57d05fa4d8c7db8a and fixed in 6.6.66 with commit 23b5908b11b77ff8d7b8f7b8f11cbab2e1f4bfc2
	Issue introduced in 6.4 with commit 6539cffa94957241c096099a57d05fa4d8c7db8a and fixed in 6.12.5 with commit 95e197354e0de07e9a20819bdae6562e4dda0f20
	Issue introduced in 6.4 with commit 6539cffa94957241c096099a57d05fa4d8c7db8a and fixed in 6.13 with commit b3fce429a1e030b50c1c91351d69b8667eef627b

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56617
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/base/cacheinfo.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/23b5908b11b77ff8d7b8f7b8f11cbab2e1f4bfc2
	https://git.kernel.org/stable/c/95e197354e0de07e9a20819bdae6562e4dda0f20
	https://git.kernel.org/stable/c/b3fce429a1e030b50c1c91351d69b8667eef627b