ACK: [SRU Focal 0/6] CVE-2023-0597

Tim Gardner tim.gardner at canonical.com
Mon Sep 4 12:36:28 UTC 2023 

On 9/3/23 5:45 PM, Cengiz Can wrote:
> [Impact]
> A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping
> of X86 CPU data to memory was found in the way user can guess location of
> exception stack(s) or other important data. A local user could use this flaw
> to get access to some important data with expected location in memory.
> 
> [Fix]
> Following is a prerequisite for the fix:
> 
> - 3f148f331814 ("x86/kasan: Map shadow for percpu pages on demand")
> 
> This is the actual fix that needed a careful backport:
> 
> - 97e3d26b5e5f ("x86/mm: Randomize per-cpu entry area")
> 
> These are Fixes to the prerequisite:
> 
> - 80d72a8f76e8 ("x86/mm: Recompute physical address for every page of per-CPU CEA mapping")
> - 97650148a15e ("x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry area")
> 
> This is a Fixes to the fix:
> 
> - a3f547addcaa ("x86/mm: Do not shuffle CPU entry areas without KASLR")
> 
> And lastly, without this commit, `prandom_u32_max` always returns 0 due to lack
> of entropy and the kernel won't boot at all:
> 
> - 3744741adab6 ("random32: add noise from network and scheduling activity")
> 
> [Test case]
> Due to insufficient entropy, Bionic and Focal were not able to boot with the fix
> commit. The missing early boot entropy introducer commit was only identified
> after a few dozen debug builds, painful remote gdb sessions, earlyprintk lines
> et al.
> 
> Once that commit was applied, compile and boot tests completed with both kaslr
> and nokaslr.
> 
> [Potential regression]
> High regression potential due to two reasons.
> 
> 1) Commit 3744741adab6 ("random32: add noise from network and scheduling
> activity") tries to create some early boot entropy using timers, network
> activity etc. That can be problematic and may not be enough in certain hardware
> configurations.
> 
> 2) per-cpu entry offset randomization logic that comes with commit 97e3d26b5e5f
>   ("x86/mm: Randomize per-cpu entry area") is prone to infinite loops as
> demonstrated. This O(n^2) logic should be improved in upstream.
> 
> Andrey Ryabinin (1):
>    x86/kasan: Map shadow for percpu pages on demand
> 
> Michal Koutný (1):
>    x86/mm: Do not shuffle CPU entry areas without KASLR
> 
> Peter Zijlstra (1):
>    x86/mm: Randomize per-cpu entry area
> 
> Sean Christopherson (2):
>    x86/mm: Recompute physical address for every page of per-CPU CEA
>      mapping
>    x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry
>      area
> 
> Willy Tarreau (1):
>    random32: add noise from network and scheduling activity
> 
>   arch/x86/include/asm/cpu_entry_area.h | 13 +++---
>   arch/x86/include/asm/kasan.h          |  3 ++
>   arch/x86/mm/cpu_entry_area.c          | 58 ++++++++++++++++++++++++++-
>   arch/x86/mm/kasan_init_64.c           | 15 +++++--
>   include/linux/prandom.h               | 19 +++++++++
>   kernel/time/timer.c                   |  2 +
>   lib/random32.c                        |  5 +++
>   net/core/dev.c                        |  4 ++
>   8 files changed, 108 insertions(+), 11 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner at canonical.com>
-- 
-----------
Tim Gardner
Canonical, Inc

More information about the kernel-team mailing list