Message-ID: <ad2dda77-5322-4182-a9ee-ee9f173a6e36@nsa.green>
Date: Sun, 9 Feb 2025 22:49:29 +0200
From: Igor Sakulin <is@....green>
To: cve@...nel.org, linux-kernel@...r.kernel.org,
linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: CVE-2024-57939: riscv: Fix sleeping in invalid context in die()
On 1/21/25 14:18, Greg Kroah-Hartman wrote:
> Description
> ===========
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> riscv: Fix sleeping in invalid context in die()
>
> die() can be called in exception handler, and therefore cannot sleep.
> However, die() takes spinlock_t which can sleep with PREEMPT_RT enabled.
> That causes the following warning:
>
> BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
> in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 285, name: mutex
> preempt_count: 110001, expected: 0
> RCU nest depth: 0, expected: 0
> CPU: 0 UID: 0 PID: 285 Comm: mutex Not tainted 6.12.0-rc7-00022-ge19049cf7d56-dirty #234
> Hardware name: riscv-virtio,qemu (DT)
> Call Trace:
> dump_backtrace+0x1c/0x24
> show_stack+0x2c/0x38
> dump_stack_lvl+0x5a/0x72
> dump_stack+0x14/0x1c
> __might_resched+0x130/0x13a
> rt_spin_lock+0x2a/0x5c
> die+0x24/0x112
> do_trap_insn_illegal+0xa0/0xea
> _new_vmalloc_restore_context_a0+0xcc/0xd8
> Oops - illegal instruction [#1]
Seems related:
[ +1.057529] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
[ +0.000016] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 25709, name: java
[ +0.000006] preempt_count: 0, expected: 0
[ +0.000004] RCU nest depth: 0, expected: 0
[ +0.000009] CPU: 2 UID: 1001 PID: 25709 Comm: java Tainted: G W T 6.12.13-gentoo-riscv64 #12
[ +0.000010] Tainted: [W]=WARN, [T]=RANDSTRUCT
[ +0.000004] Hardware name: milkv Milk-V Mars CM/Milk-V Mars CM, BIOS 2025.01-00001-gced64a332cea 01/01/2025
[ +0.000005] Call Trace:
[ +0.000004] [<ffffffff80006136>] dump_backtrace+0x26/0x3c
[ +0.000017] [<ffffffff8087409e>] show_stack+0x2c/0x3e
[ +0.000009] [<ffffffff808823f2>] dump_stack_lvl+0x52/0x7a
[ +0.000010] [<ffffffff8088242e>] dump_stack+0x14/0x1e
[ +0.000008] [<ffffffff8004e6c2>] __might_resched+0x14a/0x154
[ +0.000010] [<ffffffff8088c31a>] rt_spin_lock+0x2c/0x66
[ +0.000009] [<ffffffff80032c28>] force_sig_info_to_task+0x2c/0x140
[ +0.000008] [<ffffffff80033388>] force_sig_fault+0x60/0x8e
[ +0.000007] [<ffffffff80005d0a>] do_trap+0x28/0xbe
[ +0.000007] [<ffffffff80882864>] do_trap_insn_illegal+0xde/0x100
[ +0.000008] [<ffffffff8088e934>] handle_exception+0x150/0x15c
6.12.13 kernel with PREEMPT_RT.
Happens only with Java code on OpenJDK.
Maybe related, GCC flags on this host's portage:
CFLAGS="-O3 -mabi=lp64d -march=rv64imafdc_zicsr_zba_zbb -mcpu=sifive-u74
-mtune=sifive-7-series --param l1-cache-size=32 --param
l2-cache-size=2048 -frecord-gcc-switches -flimit-function-alignment
-feliminate-unused-debug-types -ftree-vectorize -ftree-loop-vectorize
-ftree-loop-distribution -ftree-loop-distribute-patterns
-fasynchronous-unwind-tables -fstack-protector-strong
-fstack-clash-protection -fexceptions --param=ssp-buffer-size=32 -flto=2
-fuse-linker-plugin -fgraphite-identity -floop-nest-optimize -fipa-pta
-fno-semantic-interposition -fno-common -fdevirtualize-at-ltrans -pipe"
>
> Switch to use raw_spinlock_t, which does not sleep even with PREEMPT_RT
> enabled.
>
> The Linux kernel CVE team has assigned CVE-2024-57939 to this issue.
>
> Affected and fixed versions
> ===========================
>
> Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.1.125 with commit c21df31fc2a4afc02a6e56511364e9e793ea92ec
> Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.6.72 with commit f48f060a4b36b5e96628f6c3fb1540f1e8dedb69
> Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.12.10 with commit 76ab0afcdbe8c9685b589016ee1c0e25fe596707
> Issue introduced in 4.15 with commit 76d2a0493a17d4c8ecc781366850c3c4f8e1a446 and fixed in 6.13 with commit 6a97f4118ac07cfdc316433f385dbdc12af5025e
>
> Please see https://www.kernel.org for a full list of currently supported
> kernel versions by the kernel community.
>
> Unaffected versions might change over time as fixes are backported to
> older supported kernel versions. The official CVE entry at
> https://cve.org/CVERecord/?id=CVE-2024-57939
> will be updated if fixes are backported, please check that for the most
> up to date information about this issue.
>
>
> Affected files
> ==============
>
> The file(s) affected by this issue are:
> arch/riscv/kernel/traps.c
>
>
> Mitigation
> ==========
>
> The Linux kernel CVE team recommends that you update to the latest
> stable kernel version for this, and many other bugfixes. Individual
> changes are never tested alone, but rather are part of a larger kernel
> release. Cherry-picking individual commits is not recommended or
> supported by the Linux kernel community at all. If however, updating to
> the latest release is impossible, the individual changes to resolve this
> issue can be found at these commits:
> https://git.kernel.org/stable/c/c21df31fc2a4afc02a6e56511364e9e793ea92ec
> https://git.kernel.org/stable/c/f48f060a4b36b5e96628f6c3fb1540f1e8dedb69
> https://git.kernel.org/stable/c/76ab0afcdbe8c9685b589016ee1c0e25fe596707
> https://git.kernel.org/stable/c/6a97f4118ac07cfdc316433f385dbdc12af5025e
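The quoted description states the fix in two sentences: die() runs from an exception handler, a spinlock_t sleeps under PREEMPT_RT, so the lock becomes a raw_spinlock_t. The following user-space model is an added example, not code from the announcement, from the reply or from the kernel tree. It shows the debug check behind the "BUG: sleeping function called from invalid context" line and why the two lock types behave differently under it. The lock name die_lock and the simplified names cpu_ctx, might_sleep_result, die_before_fix and die_after_fix are the model's own assumptions; the kernel's real spinlock_t, raw_spinlock_t and __might_resched() are far more involved. The two constructed contexts reproduce the field combinations of the two splats on this page: preempt_count 110001 with interrupts disabled for the CVE's trace, and preempt_count 0 with interrupts disabled for the reply's trace.

```c
#include <stdbool.h>
#include <stdio.h>

/* Per-CPU state the real check reads via preempt_count() and irqs_disabled().
 * Constructed for this model, not captured from a kernel. */
struct cpu_ctx {
    unsigned int preempt_count;  /* nonzero => in_atomic() in this model */
    bool irqs_disabled;          /* true on every exception entry */
};

/* One might_sleep() outcome, carrying the fields the real splat prints. */
struct might_sleep_result {
    bool bug;                    /* true => the BUG line would be printed */
    unsigned int in_atomic, irqs_disabled, preempt_count;
};

/* Simplified __might_resched(): sleeping is legal only when the preempt count
 * is at its expected value (0 here) AND interrupts are enabled. Either
 * condition alone trips the check, which is why the reply's splat fires with
 * in_atomic(): 0 but irqs_disabled(): 1. */
static struct might_sleep_result might_sleep(const struct cpu_ctx *c)
{
    struct might_sleep_result r = { 0 };
    r.in_atomic = c->preempt_count != 0;
    r.irqs_disabled = c->irqs_disabled;
    r.preempt_count = c->preempt_count;
    r.bug = r.in_atomic || c->irqs_disabled;
    return r;
}

/* PREEMPT_RT spinlock_t: built on an rt_mutex, so acquiring it is a sleeping
 * operation and passes through might_sleep() first (the real site is
 * kernel/locking/spinlock_rt.c:48 in both splats on the page). */
struct rt_spinlock { bool locked; };
static struct might_sleep_result rt_spin_lock(struct rt_spinlock *l,
                                              const struct cpu_ctx *c)
{
    struct might_sleep_result r = might_sleep(c);
    l->locked = true;  /* uncontended in this single-threaded model */
    return r;
}

/* raw_spinlock_t: a true busy-wait lock on every config, PREEMPT_RT included.
 * It never sleeps, so there is no might_sleep() check at all. */
struct raw_spinlock { bool locked; };
static struct might_sleep_result raw_spin_lock_irqsave(struct raw_spinlock *l,
                                                       struct cpu_ctx *c,
                                                       bool *flags)
{
    struct might_sleep_result r = { 0 };  /* r.bug stays false */
    *flags = c->irqs_disabled;  /* saved so irqrestore can put it back */
    c->irqs_disabled = true;
    l->locked = true;
    return r;
}

/* The lock name die_lock is assumed; the announcement only says die() takes a
 * spinlock_t. Pre-fix it is a spinlock_t, post-fix a raw_spinlock_t. */
static struct rt_spinlock die_lock_before;
static struct raw_spinlock die_lock_after;

/* die() before the fix: its first action is acquiring a sleeping lock. */
static struct might_sleep_result die_before_fix(struct cpu_ctx *c)
{
    struct might_sleep_result r = rt_spin_lock(&die_lock_before, c);
    die_lock_before.locked = false;  /* oops printing elided; unlock */
    return r;
}

/* die() after the fix: a raw lock, safe from exception context. */
static struct might_sleep_result die_after_fix(struct cpu_ctx *c)
{
    bool flags;
    struct might_sleep_result r =
        raw_spin_lock_irqsave(&die_lock_after, c, &flags);
    die_lock_after.locked = false;   /* raw_spin_unlock_irqrestore() */
    c->irqs_disabled = flags;
    return r;
}

static void report(const char *label, const struct might_sleep_result *r)
{
    if (r->bug)
        printf("%s: BUG: sleeping function called from invalid context "
               "(in_atomic(): %u, irqs_disabled(): %u, preempt_count: %x)\n",
               label, r->in_atomic, r->irqs_disabled, r->preempt_count);
    else
        printf("%s: lock taken, no BUG\n", label);
}

int main(void)
{
    /* Constructed contexts matching the two splats on the page; the hardware
     * has already disabled interrupts when do_trap_insn_illegal() runs. */
    struct cpu_ctx cve = { 0x110001, true };   /* CVE splat */
    struct cpu_ctx java = { 0, true };         /* reply's splat */
    struct might_sleep_result r;

    r = die_before_fix(&cve);  report("spinlock_t, preempt_count 110001", &r);
    r = die_before_fix(&java); report("spinlock_t, preempt_count 0", &r);
    r = die_after_fix(&cve);   report("raw_spinlock_t", &r);
    return 0;
}
```

The point to take from the output is that the check fires in the reply's configuration even though in_atomic() is 0, because exception entry leaves interrupts disabled, and that the raw lock variant produces no BUG line in either context. The same reasoning is why a backport of only the die() change would not silence a splat whose locking frame is a different spinlock_t, as in the reply's force_sig_info_to_task trace.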