[SRU Focal 0/6] CVE-2023-0597

Cengiz Can cengiz.can at canonical.com
Sun Sep 3 23:45:57 UTC 2023


[Impact]
A flaw (a possible memory leak) in the Linux kernel cpu_entry_area mapping
of X86 CPU data to memory was found, in the way a user can guess the location of
exception stack(s) or other important data. A local user could use this flaw
to get access to some important data at an expected location in memory.

[Fix]
Following is a prerequisite for the fix:

- 3f148f331814 ("x86/kasan: Map shadow for percpu pages on demand")

This is the actual fix that needed a careful backport:

- 97e3d26b5e5f ("x86/mm: Randomize per-cpu entry area")

These are Fixes to the prerequisite:

- 80d72a8f76e8 ("x86/mm: Recompute physical address for every page of per-CPU CEA mapping")
- 97650148a15e ("x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry area")

This is a Fixes to the fix:

- a3f547addcaa ("x86/mm: Do not shuffle CPU entry areas without KASLR")

And lastly, without this commit, `prandom_u32_max` always returns 0 due to lack
of entropy and the kernel won't boot at all:

- 3744741adab6 ("random32: add noise from network and scheduling activity")

[Test case]
Due to insufficient entropy, Bionic and Focal were not able to boot with the fix
commit. The missing early boot entropy introducer commit was only identified
after a few dozen debug builds, painful remote gdb sessions, earlyprintk lines
et al.

Once that commit was applied, compile and boot tests completed with both kaslr
and nokaslr.

[Potential regression]
High regression potential due to two reasons.

1) Commit 3744741adab6 ("random32: add noise from network and scheduling
activity") tries to create some early boot entropy using timers, network
activity etc. That can be problematic and may not be enough in certain hardware
configurations.

2) per-cpu entry offset randomization logic that comes with commit 97e3d26b5e5f
("x86/mm: Randomize per-cpu entry area") is prone to infinite loops as
demonstrated. This O(n^2) logic should be improved in upstream.

Andrey Ryabinin (1):
  x86/kasan: Map shadow for percpu pages on demand

Michal Koutný (1):
  x86/mm: Do not shuffle CPU entry areas without KASLR

Peter Zijlstra (1):
  x86/mm: Randomize per-cpu entry area

Sean Christopherson (2):
  x86/mm: Recompute physical address for every page of per-CPU CEA
    mapping
  x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry
    area

Willy Tarreau (1):
  random32: add noise from network and scheduling activity

 arch/x86/include/asm/cpu_entry_area.h | 13 +++---
 arch/x86/include/asm/kasan.h          |  3 ++
 arch/x86/mm/cpu_entry_area.c          | 58 ++++++++++++++++++++++++++-
 arch/x86/mm/kasan_init_64.c           | 15 +++++--
 include/linux/prandom.h               | 19 +++++++++
 kernel/time/timer.c                   |  2 +
 lib/random32.c                        |  5 +++
 net/core/dev.c                        |  4 ++
 8 files changed, 108 insertions(+), 11 deletions(-)

-- 
2.39.2
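The regression point 2) above describes a draw-and-retry slot selection that rescans every earlier CPU on each redraw and never terminates when the random source yields no entropy. The following user-space model is an added example, not code from the patch set or the kernel; it assumes a hypothetical `simulate()` with a bounded retry budget so the hang is reported rather than reproduced, and uses libc `rand()` as a stand-in for a seeded generator.

```c
#include <stdio.h>
#include <stdlib.h>

/* Random source returning a value in [0, ceil); models prandom_u32_max(). */
typedef unsigned int (*rng_fn)(unsigned int ceil);

/* Models the no-early-entropy case from the cover letter: every draw is 0. */
static unsigned int rng_no_entropy(unsigned int ceil) { (void)ceil; return 0; }

/* Stand-in for a properly seeded generator (libc rand, constructed for the demo). */
static unsigned int rng_seeded(unsigned int ceil) { return (unsigned int)rand() % ceil; }

/*
 * Draw-and-retry slot assignment: each CPU draws a slot and redraws while it
 * matches a slot already handed to an earlier CPU, rescanning all earlier
 * CPUs on every redraw (O(n^2) overall). The kernel loop has no retry bound;
 * this model (hypothetical) stops after retry_budget redraws.
 * Returns -1 if every CPU received a distinct slot, the index of the CPU that
 * exhausted its budget otherwise, or -2 on allocation failure.
 */
static int simulate(unsigned int ncpus, unsigned int max_cea, rng_fn rng,
                    unsigned int retry_budget)
{
    unsigned int *offsets = calloc(ncpus, sizeof *offsets);
    int result = -1;

    if (!offsets)
        return -2;
    for (unsigned int i = 0; i < ncpus; i++) {
        unsigned int cea, tries = 0;
again:
        if (tries++ > retry_budget) {   /* the kernel loop would spin here forever */
            result = (int)i;
            break;
        }
        cea = rng(max_cea);
        for (unsigned int j = 0; j < i; j++)   /* rescan every earlier CPU */
            if (offsets[j] == cea)
                goto again;
        offsets[i] = cea;
    }
    free(offsets);
    return result;
}

int main(void)
{
    printf("seeded rng, 8 CPUs:   %d\n", simulate(8, 1024, rng_seeded, 1000));      /* -1 */
    printf("zero entropy, 8 CPUs: %d\n", simulate(8, 1024, rng_no_entropy, 1000));  /* 1 */
    printf("zero entropy, 1 CPU:  %d\n", simulate(1, 1024, rng_no_entropy, 1000));  /* -1 */
    return 0;
}
```

With a constant-zero source the first CPU is assigned slot 0 and the second CPU can never draw anything else, which is the boot hang the cover letter attributes to the missing entropy commit.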
