| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024122831-CVE-2024-56677-f922@gregkh> Date: Sat, 28 Dec 2024 10:45:29 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2024-56677: powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() Description =========== In the Linux kernel, the following vulnerability has been resolved: powerpc/fadump: Move fadump_cma_init to setup_arch() after initmem_init() During early init CMA_MIN_ALIGNMENT_BYTES can be PAGE_SIZE, since pageblock_order is still zero and it gets initialized later during initmem_init() e.g. setup_arch() -> initmem_init() -> sparse_init() -> set_pageblock_order() One such use case where this causes issue is - early_setup() -> early_init_devtree() -> fadump_reserve_mem() -> fadump_cma_init() This causes CMA memory alignment check to be bypassed in cma_init_reserved_mem(). Then later cma_activate_area() can hit a VM_BUG_ON_PAGE(pfn & ((1 << order) - 1)) if the reserved memory area was not pageblock_order aligned. Fix it by moving the fadump_cma_init() after initmem_init(), where other such cma reservations also gets called. <stack trace> ============== page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10010 flags: 0x13ffff800000000(node=1|zone=0|lastcpupid=0x7ffff) CMA raw: 013ffff800000000 5deadbeef0000100 5deadbeef0000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(pfn & ((1 << order) - 1)) ------------[ cut here ]------------ kernel BUG at mm/page_alloc.c:778! Call Trace: __free_one_page+0x57c/0x7b0 (unreliable) free_pcppages_bulk+0x1a8/0x2c8 free_unref_page_commit+0x3d4/0x4e4 free_unref_page+0x458/0x6d0 init_cma_reserved_pageblock+0x114/0x198 cma_init_reserved_areas+0x270/0x3e0 do_one_initcall+0x80/0x2f8 kernel_init_freeable+0x33c/0x530 kernel_init+0x34/0x26c ret_from_kernel_user_thread+0x14/0x1c The Linux kernel CVE team has assigned CVE-2024-56677 to this issue. Affected and fixed versions =========================== Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.1.120 with commit aabef6301dcf410dfd2b8759cd413b2a003c7e3f Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.6.64 with commit c5c1d1ef70834013fc3bd12b6a0f4664c6d75a74 Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.11.11 with commit f551637fe9bf863386309e03f9d148d97f535ad1 Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.12.2 with commit 7351c5a6507b4401aeecadb5959131410a339520 Issue introduced in 5.19 with commit 11ac3e87ce09c27f4587a8c4fe0829d814021a82 and fixed in 6.13-rc1 with commit 05b94cae1c47f94588c3e7096963c1007c4d9c1d Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2024-56677 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/powerpc/include/asm/fadump.h arch/powerpc/kernel/fadump.c arch/powerpc/kernel/setup-common.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/aabef6301dcf410dfd2b8759cd413b2a003c7e3f https://git.kernel.org/stable/c/c5c1d1ef70834013fc3bd12b6a0f4664c6d75a74 https://git.kernel.org/stable/c/f551637fe9bf863386309e03f9d148d97f535ad1 https://git.kernel.org/stable/c/7351c5a6507b4401aeecadb5959131410a339520 https://git.kernel.org/stable/c/05b94cae1c47f94588c3e7096963c1007c4d9c1d
Powered by blists - more mailing lists