[SRU][M/F][PATCH 0/1] CVE-2024-26712

Bethany Jamison bethany.jamison at canonical.com
Mon Apr 22 17:07:40 UTC 2024


[Impact]

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/kasan: Fix addr error caused by page alignment

 In kasan_init_region, when k_start is not page aligned, at the beginning of
 the for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then
 `va = block + k_cur - k_start` is less than block, so the addr va is invalid,
 because the memory address space from va to block is not allocated by
 memblock_alloc and will not be reserved by memblock_reserve later; it
 will be used by other places.

 As a result, memory overwriting occurs.

 for example:
 int __init __weak kasan_init_region(void *start, size_t size)
 {
 [...]
        /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */
        block = memblock_alloc(k_end - k_start, PAGE_SIZE);
        [...]
        for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
                /* at the begin of for loop
                 * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)
                 * va(dcd96c00) is less than block(dcd97000), va is invalid
                 */
                void *va = block + k_cur - k_start;
                [...]
        }
 [...]
 }

 Therefore, page alignment is performed on k_start before
 memblock_alloc() to ensure the validity of the VA address.
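
A small C replay of the arithmetic above using the commit's example values, added here and not part of the upstream patch or this SRU: the allocator is a constructed stub that hands back the block address from the comment, and walk_region() is an assumed name for the loop replay.

```c
#include <stdio.h>

#define PAGE_SIZE 0x1000UL
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* Results of one simulated walk of the kasan_init_region() loop. */
struct walk {
    unsigned long block;     /* base returned by the stand-in allocator */
    unsigned long first_va;  /* va computed on the first iteration */
    int pages;               /* loop iterations */
    int bad_pages;           /* va below block or not page aligned */
};

/* Constructed stand-in for memblock_alloc(): returns the page-aligned base
 * from the commit's example instead of reserving real memory. */
static unsigned long fake_memblock_alloc(size_t size, size_t align)
{
    (void)size; (void)align;
    return 0xdcd97000UL;
}

/* Replays the loop from the commit message. With fixed == 1, k_start is
 * aligned down before the allocation, which is what the upstream fix does. */
struct walk walk_region(unsigned long k_start, unsigned long k_end, int fixed)
{
    struct walk w = { 0, 0, 0, 0 };
    unsigned long k_cur;
    if (fixed)
        k_start &= PAGE_MASK;   /* the one-line fix */
    w.block = fake_memblock_alloc(k_end - k_start, PAGE_SIZE);

    for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
        unsigned long va = w.block + k_cur - k_start;
        if (w.pages == 0)
            w.first_va = va;
        /* such a va cannot be backed by the block that was just allocated */
        if (va < w.block || (va & ~PAGE_MASK) != 0)
            w.bad_pages++;
        w.pages++;
    }
    return w;
}

int main(void)
{
    struct walk b = walk_region(0xfeef7400UL, 0xfeeff3feUL, 0);
    struct walk a = walk_region(0xfeef7400UL, 0xfeeff3feUL, 1);
    printf("before fix: first va %#lx (block %#lx), %d/%d bad pages\n",
           b.first_va, b.block, b.bad_pages, b.pages);
    printf("after fix:  first va %#lx (block %#lx), %d/%d bad pages\n",
           a.first_va, a.block, a.bad_pages, a.pages);
    return 0;
}
```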

[Fix]

Mantic: Clean cherry-pick from linux-6.6.y
Jammy:	pending
Focal:	Backport - manually added the k_start realignment right before 
	memblock_alloc despite the context conflicts with the surrounding 
	code.
Bionic:	not-affected
Xenial:	not-affected
Trusty:	not-affected

[Test Case]

Compile and boot tested.

[Where problems could occur]

This fix affects those who use KASAN on PowerPC when initializing a
memory region; an issue with this fix would be visible to the user via
data corruption or a system crash.

Jiangfeng Xiao (1):
  powerpc/kasan: Fix addr error caused by page alignment

 arch/powerpc/mm/kasan/init_32.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.34.1
