cve/published/2024/CVE-2024-57945.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-57945: riscv: mm: Fix the out of bound issue of vmemmap address

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 riscv: mm: Fix the out of bound issue of vmemmap address

 In sparse vmemmap model, the virtual address of vmemmap is calculated as:
 ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)).
 And the struct page's va can be calculated with an offset:
 (vmemmap + (pfn)).

 However, when initializing struct pages, kernel actually starts from the
 first page from the same section that phys_ram_base belongs to. If the
 first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then
 we get an va below VMEMMAP_START when calculating va for it's struct page.

 For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the
 first page in the same section is actually pfn 0x80000. During
 init_unavailable_range(), we will initialize struct page for pfn 0x80000
 with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is
 below VMEMMAP_START as well as PCI_IO_END.

 This commit fixes this bug by introducing a new variable
 'vmemmap_start_pfn' which is aligned with memory section size and using
 it to calculate vmemmap address instead of phys_ram_base.

 The Linux kernel CVE team has assigned CVE-2024-57945 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.1.81 with commit 8310080799b40fd9f2a8b808c657269678c149af and fixed in 6.1.140 with commit 92f08673d3f1893191323572f60e3c62f2e57c2f
 	Issue introduced in 6.6.21 with commit a278d5c60f21aa15d540abb2f2da6e6d795c3e6e and fixed in 6.6.72 with commit a4a7ac3d266008018f05fae53060fcb331151a14
 	Issue introduced in 6.8 with commit a11dd49dcb9376776193e15641f84fcc1e5980c9 and fixed in 6.12.10 with commit d2bd51954ac8377c2f1eb1813e694788998add66
 	Issue introduced in 6.8 with commit a11dd49dcb9376776193e15641f84fcc1e5980c9 and fixed in 6.13 with commit f754f27e98f88428aaf6be6e00f5cbce97f62d4b
 	Issue introduced in 5.10.212 with commit 8af1c121b0102041809bc137ec600d1865eaeedd
 	Issue introduced in 5.15.151 with commit 5941a90c55d3bfba732b32208d58d997600b44ef
 	Issue introduced in 6.7.9 with commit 2a1728c15ec4f45ed9248ae22f626541c179bfbe

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-57945
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/riscv/include/asm/page.h
 	arch/riscv/include/asm/pgtable.h
 	arch/riscv/mm/init.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f
 	https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14
 	https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66
 	https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-57945: riscv: mm: Fix the out of bound issue of vmemmap address

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	riscv: mm: Fix the out of bound issue of vmemmap address

	In sparse vmemmap model, the virtual address of vmemmap is calculated as:
	((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)).
	And the struct page's va can be calculated with an offset:
	(vmemmap + (pfn)).

	However, when initializing struct pages, kernel actually starts from the
	first page from the same section that phys_ram_base belongs to. If the
	first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then
	we get an va below VMEMMAP_START when calculating va for it's struct page.

	For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the
	first page in the same section is actually pfn 0x80000. During
	init_unavailable_range(), we will initialize struct page for pfn 0x80000
	with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is
	below VMEMMAP_START as well as PCI_IO_END.

	This commit fixes this bug by introducing a new variable
	'vmemmap_start_pfn' which is aligned with memory section size and using
	it to calculate vmemmap address instead of phys_ram_base.

	The Linux kernel CVE team has assigned CVE-2024-57945 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.1.81 with commit 8310080799b40fd9f2a8b808c657269678c149af and fixed in 6.1.140 with commit 92f08673d3f1893191323572f60e3c62f2e57c2f
	Issue introduced in 6.6.21 with commit a278d5c60f21aa15d540abb2f2da6e6d795c3e6e and fixed in 6.6.72 with commit a4a7ac3d266008018f05fae53060fcb331151a14
	Issue introduced in 6.8 with commit a11dd49dcb9376776193e15641f84fcc1e5980c9 and fixed in 6.12.10 with commit d2bd51954ac8377c2f1eb1813e694788998add66
	Issue introduced in 6.8 with commit a11dd49dcb9376776193e15641f84fcc1e5980c9 and fixed in 6.13 with commit f754f27e98f88428aaf6be6e00f5cbce97f62d4b
	Issue introduced in 5.10.212 with commit 8af1c121b0102041809bc137ec600d1865eaeedd
	Issue introduced in 5.15.151 with commit 5941a90c55d3bfba732b32208d58d997600b44ef
	Issue introduced in 6.7.9 with commit 2a1728c15ec4f45ed9248ae22f626541c179bfbe

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-57945
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/riscv/include/asm/page.h
	arch/riscv/include/asm/pgtable.h
	arch/riscv/mm/init.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/92f08673d3f1893191323572f60e3c62f2e57c2f
	https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14
	https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66
	https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b