Message-ID: <2025012130-CVE-2024-57945-248b@gregkh>
Date: Tue, 21 Jan 2025 13:18:34 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-57945: riscv: mm: Fix the out of bound issue of vmemmap address
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
riscv: mm: Fix the out of bound issue of vmemmap address
In the sparse vmemmap model, the virtual address of vmemmap is calculated as:
((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT)).
And the struct page's va can be calculated with an offset:
(vmemmap + (pfn)).
However, when initializing struct pages, the kernel actually starts from the
first page of the same section that phys_ram_base belongs to. If the
first page's physical address is not (phys_ram_base >> PAGE_SHIFT), then
we get a va below VMEMMAP_START when calculating the va for its struct page.
For example, if phys_ram_base starts from 0x82000000 with pfn 0x82000, the
first page in the same section is actually pfn 0x80000. During
init_unavailable_range(), we will initialize struct page for pfn 0x80000
with virtual address ((struct page *)VMEMMAP_START - 0x2000), which is
below VMEMMAP_START as well as PCI_IO_END.
This commit fixes this bug by introducing a new variable
'vmemmap_start_pfn' which is aligned with memory section size and using
it to calculate vmemmap address instead of phys_ram_base.
The Linux kernel CVE team has assigned CVE-2024-57945 to this issue.
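The arithmetic described above, as an added example that is not part of this advisory or of the kernel's own code: it models the original vmemmap base (derived from phys_ram_base) beside the fixed one (derived from the section-aligned vmemmap_start_pfn) and checks where the struct page for the first pfn of the section lands under each. The page size, the 128 MiB section size, sizeof(struct page) = 64 and the VMEMMAP_START value are assumptions chosen to reproduce the numbers in the message.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants, chosen to reproduce the numbers in the advisory;
 * they are not taken from the kernel's config. */
#define PAGE_SHIFT        12ULL
#define SECTION_SIZE_BITS 27ULL                  /* assumed 128 MiB sections */
#define SIZEOF_PAGE       64ULL                  /* assumed sizeof(struct page) */
#define VMEMMAP_START     0xffffffff00000000ULL  /* constructed base address */

/* Original formula: vmemmap = (struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT). */
static uint64_t vmemmap_base_old(uint64_t phys_ram_base)
{
    return VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT) * SIZEOF_PAGE;
}

/* Fixed formula: the pfn of the section-aligned start of the memory section
 * phys_ram_base belongs to, which is also where init_unavailable_range() starts. */
static uint64_t vmemmap_start_pfn(uint64_t phys_ram_base)
{
    uint64_t section_mask = (1ULL << SECTION_SIZE_BITS) - 1;
    return (phys_ram_base & ~section_mask) >> PAGE_SHIFT;
}

static uint64_t vmemmap_base_fixed(uint64_t phys_ram_base)
{
    return VMEMMAP_START - vmemmap_start_pfn(phys_ram_base) * SIZEOF_PAGE;
}

/* Address of the struct page for pfn: vmemmap + pfn, expressed in bytes. */
static uint64_t page_va(uint64_t vmemmap_base, uint64_t pfn)
{
    return vmemmap_base + pfn * SIZEOF_PAGE;
}

/* 1 if that struct page lies inside the vmemmap region, 0 if it is below it. */
static int page_va_in_range(uint64_t vmemmap_base, uint64_t pfn)
{
    return page_va(vmemmap_base, pfn) >= VMEMMAP_START;
}

int main(void)
{
    uint64_t base = 0x82000000ULL;            /* phys_ram_base, pfn 0x82000 */
    uint64_t pfn = vmemmap_start_pfn(base);   /* first pfn of its section: 0x80000 */
    uint64_t old = vmemmap_base_old(base), fixed = vmemmap_base_fixed(base);
    printf("old:   %#" PRIx64 " %s\n", page_va(old, pfn), page_va_in_range(old, pfn) ? "ok" : "below VMEMMAP_START");
    printf("fixed: %#" PRIx64 " %s\n", page_va(fixed, pfn), page_va_in_range(fixed, pfn) ? "ok" : "below VMEMMAP_START");
    return 0;
}
```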
Affected and fixed versions
===========================
Issue introduced in 6.6.21 with commit a278d5c60f21aa15d540abb2f2da6e6d795c3e6e and fixed in 6.6.72 with commit a4a7ac3d266008018f05fae53060fcb331151a14
Issue introduced in 6.8 with commit a11dd49dcb9376776193e15641f84fcc1e5980c9 and fixed in 6.12.10 with commit d2bd51954ac8377c2f1eb1813e694788998add66
Issue introduced in 6.8 with commit a11dd49dcb9376776193e15641f84fcc1e5980c9 and fixed in 6.13 with commit f754f27e98f88428aaf6be6e00f5cbce97f62d4b
Issue introduced in 5.10.212 with commit 8af1c121b0102041809bc137ec600d1865eaeedd
Issue introduced in 5.15.151 with commit 5941a90c55d3bfba732b32208d58d997600b44ef
Issue introduced in 6.1.81 with commit 8310080799b40fd9f2a8b808c657269678c149af
Issue introduced in 6.7.9 with commit 2a1728c15ec4f45ed9248ae22f626541c179bfbe
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-57945
will be updated if fixes are backported; please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
arch/riscv/include/asm/page.h
arch/riscv/include/asm/pgtable.h
arch/riscv/mm/init.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a4a7ac3d266008018f05fae53060fcb331151a14
https://git.kernel.org/stable/c/d2bd51954ac8377c2f1eb1813e694788998add66
https://git.kernel.org/stable/c/f754f27e98f88428aaf6be6e00f5cbce97f62d4b