APPLIED: [SRU Focal 0/6] CVE-2023-0597
Stefan Bader
stefan.bader at canonical.com
Fri Sep 15 08:34:12 UTC 2023
On 04.09.23 01:45, Cengiz Can wrote:
> [Impact]
> A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping
> of X86 CPU data to memory was found in the way a user can guess the location of
> exception stack(s) or other important data. A local user could use this flaw
> to get access to some important data with an expected location in memory.
>
> [Fix]
> Following is a prerequisite for the fix:
>
> - 3f148f331814 ("x86/kasan: Map shadow for percpu pages on demand")
>
> This is the actual fix that needed a careful backport:
>
> - 97e3d26b5e5f ("x86/mm: Randomize per-cpu entry area")
>
> These are Fixes to the prerequisite:
>
> - 80d72a8f76e8 ("x86/mm: Recompute physical address for every page of per-CPU CEA mapping")
> - 97650148a15e ("x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry area")
>
> This is a Fixes to the fix:
>
> - a3f547addcaa ("x86/mm: Do not shuffle CPU entry areas without KASLR")
>
> And lastly, without this commit, `prandom_u32_max` always returns 0 due to lack
> of entropy and the kernel won't boot at all:
>
> - 3744741adab6 ("random32: add noise from network and scheduling activity")
>
> [Test case]
> Due to insufficient entropy, Bionic and Focal were not able to boot with the fix
> commit. The missing early boot entropy introducer commit was only identified
> after a few dozen debug builds, painful remote gdb sessions, earlyprintk lines
> et al.
>
> Once that commit was applied, compile and boot tests completed with both kaslr
> and nokaslr.
>
> [Potential regression]
> High regression potential for two reasons.
>
> 1) Commit 3744741adab6 ("random32: add noise from network and scheduling
> activity") tries to create some early boot entropy using timers, network
> activity etc. That can be problematic and may not be enough in certain hardware
> configurations.
>
> 2) per-cpu entry offset randomization logic that comes with commit 97e3d26b5e5f
> ("x86/mm: Randomize per-cpu entry area") is prone to infinite loops as
> demonstrated. This O(n^2) logic should be improved in upstream.
>
> Andrey Ryabinin (1):
> x86/kasan: Map shadow for percpu pages on demand
>
> Michal Koutný (1):
> x86/mm: Do not shuffle CPU entry areas without KASLR
>
> Peter Zijlstra (1):
> x86/mm: Randomize per-cpu entry area
>
> Sean Christopherson (2):
> x86/mm: Recompute physical address for every page of per-CPU CEA mapping
> x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry area
>
> Willy Tarreau (1):
> random32: add noise from network and scheduling activity
>
> arch/x86/include/asm/cpu_entry_area.h | 13 +++---
> arch/x86/include/asm/kasan.h          |  3 ++
> arch/x86/mm/cpu_entry_area.c          | 58 ++++++++++++++++++++++++++-
> arch/x86/mm/kasan_init_64.c           | 15 +++++--
> include/linux/prandom.h               | 19 +++++++++
> kernel/time/timer.c                   |  2 +
> lib/random32.c                        |  5 +++
> net/core/dev.c                        |  4 ++
> 8 files changed, 108 insertions(+), 11 deletions(-)
>
Applied to focal:linux/master-next. Thanks.
-Stefan
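The randomization loop and the boot hang the cover letter describes, as an added simulation that is not part of the patch set or of the kernel source: each CPU draws a slot and redraws until it does not collide with any earlier CPU (the O(n^2) pass), so a PRNG that always returns 0 places the first CPU and then never finds a free slot for the second. The slot count, the xorshift stand-in for `prandom_u32_max`, and the retry cap that makes the hang observable are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the per-CPU entry area slot randomization described in
 * the cover letter (added example; not kernel code). Slot count and retry cap
 * are assumptions for the model.
 */
#define MODEL_NSLOTS    64u   /* assumed number of candidate CEA slots */
#define MODEL_MAX_RETRY 1024u /* added cap so the zero-entropy case terminates */

typedef uint32_t (*rng_fn)(uint32_t ceil);

/* xorshift32 with a fixed seed: a stand-in for a working prandom_u32_max(). */
static uint32_t xorshift_state = 0x9E3779B9u;

static uint32_t working_rng(uint32_t ceil)
{
	uint32_t x = xorshift_state;

	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	xorshift_state = x;
	/* Scale into [0, ceil) with a multiply-shift bound. */
	return (uint32_t)(((uint64_t)x * ceil) >> 32);
}

/* Models the reported Focal/Bionic symptom: no early entropy, every draw is 0. */
static uint32_t zero_entropy_rng(uint32_t ceil)
{
	(void)ceil;
	return 0;
}

/*
 * Give each CPU a slot no earlier CPU holds. Each draw is checked against all
 * previous CPUs, so the whole pass is O(ncpus^2); a colliding draw is redrawn.
 * Returns how many CPUs received a slot. Without the retry cap (as in the loop
 * the cover letter describes) a constant RNG would never return.
 */
static unsigned int assign_cea_offsets(unsigned int ncpus, uint32_t nslots,
				       rng_fn rng, uint32_t *offsets)
{
	for (unsigned int i = 0; i < ncpus; i++) {
		unsigned int tries = 0;
		bool collides;
		uint32_t cea;

		do {
			if (++tries > MODEL_MAX_RETRY)
				return i; /* the infinite loop, made finite */
			cea = rng(nslots);
			collides = false;
			for (unsigned int j = 0; j < i; j++) {
				if (offsets[j] == cea) {
					collides = true;
					break;
				}
			}
		} while (collides);
		offsets[i] = cea;
	}
	return ncpus;
}

/* The invariant the randomization must preserve: distinct, in-range slots. */
static bool offsets_valid(const uint32_t *offsets, unsigned int n, uint32_t nslots)
{
	for (unsigned int i = 0; i < n; i++) {
		if (offsets[i] >= nslots)
			return false;
		for (unsigned int j = 0; j < i; j++)
			if (offsets[j] == offsets[i])
				return false;
	}
	return true;
}

int main(void)
{
	uint32_t offs[8];
	unsigned int done;

	done = assign_cea_offsets(8, MODEL_NSLOTS, working_rng, offs);
	printf("working RNG: %u/8 CPUs placed, valid=%d\n", done,
	       offsets_valid(offs, done, MODEL_NSLOTS));

	done = assign_cea_offsets(8, MODEL_NSLOTS, zero_entropy_rng, offs);
	printf("zero-entropy RNG: %u/8 CPUs placed; the second CPU never finds a free slot\n",
	       done);
	return 0;
}
```

With a single possible CPU the zero-entropy case still succeeds, which is why the failure only shows up as a hang on multi-CPU boots rather than as an error.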