| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025061825-CVE-2022-50159-a387@gregkh> Date: Wed, 18 Jun 2025 13:03:44 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50159: of: check previous kernel's ima-kexec-buffer against memory bounds From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: of: check previous kernel's ima-kexec-buffer against memory bounds Presently ima_get_kexec_buffer() doesn't check if the previous kernel's ima-kexec-buffer lies outside the addressable memory range. This can result in a kernel panic if the new kernel is booted with 'mem=X' arg and the ima-kexec-buffer was allocated beyond that range by the previous kernel. The panic is usually of the form below: $ sudo kexec --initrd initrd vmlinux --append='mem=16G' <snip> BUG: Unable to handle kernel data access on read at 0xc000c01fff7f0000 Faulting instruction address: 0xc000000000837974 Oops: Kernel access of bad area, sig: 11 [#1] <snip> NIP [c000000000837974] ima_restore_measurement_list+0x94/0x6c0 LR [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160 Call Trace: [c00000000371fa80] [c00000000083b55c] ima_load_kexec_buffer+0xac/0x160 [c00000000371fb00] [c0000000020512c4] ima_init+0x80/0x108 [c00000000371fb70] [c0000000020514dc] init_ima+0x4c/0x120 [c00000000371fbf0] [c000000000012240] do_one_initcall+0x60/0x2c0 [c00000000371fcc0] [c000000002004ad0] kernel_init_freeable+0x344/0x3ec [c00000000371fda0] [c0000000000128a4] kernel_init+0x34/0x1b0 [c00000000371fe10] [c00000000000ce64] ret_from_kernel_thread+0x5c/0x64 Instruction dump: f92100b8 f92100c0 90e10090 910100a0 4182050c 282a0017 3bc00000 40810330 7c0802a6 fb610198 7c9b2378 f80101d0 <a1240000> 2c090001 40820614 e9240010 ---[ end trace 0000000000000000 ]--- Fix this issue by checking returned PFN range of previous kernel's ima-kexec-buffer with page_is_ram() to ensure correct memory bounds. The Linux kernel CVE team has assigned CVE-2022-50159 to this issue. Affected and fixed versions =========================== Issue introduced in 4.10 with commit 467d27824920e866af148132f555d40ca1fb199e and fixed in 5.15.61 with commit beb5bba5dd132650c073f815c685c60c3e5b783b Issue introduced in 4.10 with commit 467d27824920e866af148132f555d40ca1fb199e and fixed in 5.18.18 with commit dc3b8525f83ac6bbc885bb24bbb8a76f4622200e Issue introduced in 4.10 with commit 467d27824920e866af148132f555d40ca1fb199e and fixed in 5.19.2 with commit 1b2263d6c86fca8f30e18231778393bfc287bb27 Issue introduced in 4.10 with commit 467d27824920e866af148132f555d40ca1fb199e and fixed in 6.0 with commit cbf9c4b9617b6767886a913705ca14b7600c77db Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50159 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/of/kexec.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/beb5bba5dd132650c073f815c685c60c3e5b783b https://git.kernel.org/stable/c/dc3b8525f83ac6bbc885bb24bbb8a76f4622200e https://git.kernel.org/stable/c/1b2263d6c86fca8f30e18231778393bfc287bb27 https://git.kernel.org/stable/c/cbf9c4b9617b6767886a913705ca14b7600c77db
Powered by blists - more mailing lists