| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022614-CVE-2022-49181-8181@gregkh> Date: Wed, 26 Feb 2025 02:56:26 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49181: xen: fix is_xen_pmu() Description =========== In the Linux kernel, the following vulnerability has been resolved: xen: fix is_xen_pmu() is_xen_pmu() is taking the cpu number as parameter, but it is not using it. Instead it just tests whether the Xen PMU initialization on the current cpu did succeed. As this test is done by checking a percpu pointer, preemption needs to be disabled in order to avoid switching the cpu while doing the test. While resuming from suspend() this seems not to be the case: [ 88.082751] ACPI: PM: Low-level resume complete [ 88.087933] ACPI: EC: EC started [ 88.091464] ACPI: PM: Restoring platform NVS memory [ 88.097166] xen_acpi_processor: Uploading Xen processor PM info [ 88.103850] Enabling non-boot CPUs ... [ 88.108128] installing Xen timer for CPU 1 [ 88.112763] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-sleep/7138 [ 88.122256] caller is is_xen_pmu+0x12/0x30 [ 88.126937] CPU: 0 PID: 7138 Comm: systemd-sleep Tainted: G W 5.16.13-2.fc32.qubes.x86_64 #1 [ 88.137939] Hardware name: Star Labs StarBook/StarBook, BIOS 7.97 03/21/2022 [ 88.145930] Call Trace: [ 88.148757] <TASK> [ 88.151193] dump_stack_lvl+0x48/0x5e [ 88.155381] check_preemption_disabled+0xde/0xe0 [ 88.160641] is_xen_pmu+0x12/0x30 [ 88.164441] xen_smp_intr_init_pv+0x75/0x100 Fix that by replacing is_xen_pmu() by a simple boolean variable which reflects the Xen PMU initialization state on cpu 0. Modify xen_pmu_init() to return early in case it is being called for a cpu other than cpu 0 and the boolean variable not being set. The Linux kernel CVE team has assigned CVE-2022-49181 to this issue. Affected and fixed versions =========================== Issue introduced in 4.3 with commit bf6dfb154d935725c9a2005033ca33017b9df439 and fixed in 4.14.276 with commit e9f72105cf4a16bb185093b60fc12dbc82fe15b5 Issue introduced in 4.3 with commit bf6dfb154d935725c9a2005033ca33017b9df439 and fixed in 4.19.238 with commit d533c4a2e8c4ca3a0fe84d295a7bd43af1931028 Issue introduced in 4.3 with commit bf6dfb154d935725c9a2005033ca33017b9df439 and fixed in 5.4.189 with commit ab2c789d1c0a3d0a682f7aa287754193471ff9f8 Issue introduced in 4.3 with commit bf6dfb154d935725c9a2005033ca33017b9df439 and fixed in 5.10.110 with commit e9445a7a59d84ed3ae6c85f299d2a6c4930b1ee9 Issue introduced in 4.3 with commit bf6dfb154d935725c9a2005033ca33017b9df439 and fixed in 5.15.33 with commit af884b276b08e2b7e74c2b9208df35f36fa6a54c Issue introduced in 4.3 with commit bf6dfb154d935725c9a2005033ca33017b9df439 and fixed in 5.16.19 with commit 980bc42812c0a4788aee4b519bc911bfb911c23c Issue introduced in 4.3 with commit bf6dfb154d935725c9a2005033ca33017b9df439 and fixed in 5.17.2 with commit 26911a822148bef5dcfc55e7df49cb05a18737e3 Issue introduced in 4.3 with commit bf6dfb154d935725c9a2005033ca33017b9df439 and fixed in 5.18 with commit de2ae403b4c0e79a3410e63bc448542fbb9f9bfc Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49181 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: arch/x86/xen/pmu.c arch/x86/xen/pmu.h arch/x86/xen/smp_pv.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/e9f72105cf4a16bb185093b60fc12dbc82fe15b5 https://git.kernel.org/stable/c/d533c4a2e8c4ca3a0fe84d295a7bd43af1931028 https://git.kernel.org/stable/c/ab2c789d1c0a3d0a682f7aa287754193471ff9f8 https://git.kernel.org/stable/c/e9445a7a59d84ed3ae6c85f299d2a6c4930b1ee9 https://git.kernel.org/stable/c/af884b276b08e2b7e74c2b9208df35f36fa6a54c https://git.kernel.org/stable/c/980bc42812c0a4788aee4b519bc911bfb911c23c https://git.kernel.org/stable/c/26911a822148bef5dcfc55e7df49cb05a18737e3 https://git.kernel.org/stable/c/de2ae403b4c0e79a3410e63bc448542fbb9f9bfc
Powered by blists - more mailing lists