ACK: [SRU][M/F][PATCH 0/1] CVE-2024-26712

Roxana Nicolescu roxana.nicolescu at canonical.com
Tue Apr 23 12:38:05 UTC 2024


On 22/04/2024 19:07, Bethany Jamison wrote:
> [Impact]
>
>   In the Linux kernel, the following vulnerability has been resolved:
>
>   powerpc/kasan: Fix addr error caused by page alignment
>
>   In kasan_init_region, when k_start is not page aligned, at the beginning of
>   the for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then
>   `va = block + k_cur - k_start` is less than block; the address va is invalid,
>   because the memory address space from va to block is not allocated by
>   memblock_alloc and will not be reserved by memblock_reserve later, so it
>   will be used by other places.
>
>   As a result, memory overwriting occurs.
>
>   for example:
>   int __init __weak kasan_init_region(void *start, size_t size)
>   {
>   [...]
>          /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */
>          block = memblock_alloc(k_end - k_start, PAGE_SIZE);
>          [...]
>          for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
>                  /* at the beginning of the for loop
>                   * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)
>                   * va(dcd96c00) is less than block(dcd97000), so va is invalid
>                   */
>                  void *va = block + k_cur - k_start;
>                  [...]
>          }
>   [...]
>   }
>
>   Therefore, page alignment is performed on k_start before
>   memblock_alloc() to ensure the validity of the VA address.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy:	pending
> Focal:	Backport - manually added the k_start realignment right before
> 	memblock_alloc despite the context conflicts with the surrounding
> 	code.
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use KASAN on PowerPC when initializing a
> memory region; an issue with this fix would be visible to the user via
> data corruption or a system crash.
>
> Jiangfeng Xiao (1):
>    powerpc/kasan: Fix addr error caused by page alignment
>
>   arch/powerpc/mm/kasan/init_32.c | 1 +
>   1 file changed, 1 insertion(+)
>
Acked-by: Roxana Nicolescu <roxana.nicolescu at canonical.com>
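To make the arithmetic in the quoted commit message concrete, here is an added model of the kasan_init_region() loop (example code written for this note, not the kernel's code or the patch itself). It walks the region with the page's own values (block dcd97000, k_start feef7400, k_end feeff3fe) once as the original code does and once with k_start page-aligned before the allocation size is computed, and counts iterations whose va lands below the allocated block.

```c
#include <stdio.h>

/* Constructed model of the loop described in the commit message, not the
 * kernel's implementation. Addresses are the 32-bit values from the example. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))

struct region_walk {
    unsigned long alloc_size;  /* size that would be passed to memblock_alloc() */
    unsigned long first_va;    /* va computed in the first loop iteration */
    unsigned long below_block; /* iterations whose va lies below block */
};

/* Walk the shadow region exactly as the loop does. With align_first set,
 * k_start is page-aligned before the allocation size is computed (the fix);
 * with it clear, the original behaviour is modelled. */
static struct region_walk walk_region(unsigned long block, unsigned long k_start,
                                      unsigned long k_end, int align_first)
{
    struct region_walk w = {0, 0, 0};
    unsigned long k_cur;

    if (align_first)
        k_start &= PAGE_MASK;          /* the one-line fix */
    w.alloc_size = k_end - k_start;    /* memblock_alloc(k_end - k_start, PAGE_SIZE) */

    for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
        unsigned long va = block + k_cur - k_start;
        if (k_cur == (k_start & PAGE_MASK))
            w.first_va = va;
        if (va < block)                /* va points before the allocated block */
            w.below_block++;
    }
    return w;
}

int main(void)
{
    /* Values taken from the commit message's example */
    unsigned long block = 0xdcd97000UL, k_start = 0xfeef7400UL, k_end = 0xfeeff3feUL;
    struct region_walk bug = walk_region(block, k_start, k_end, 0);
    struct region_walk fix = walk_region(block, k_start, k_end, 1);

    printf("original: first va %#lx, %lu iteration(s) below block\n",
           bug.first_va, bug.below_block);
    printf("fixed:    first va %#lx, %lu iteration(s) below block\n",
           fix.first_va, fix.below_block);
    return 0;
}
```

The original path reproduces the va(dcd96c00) below block(dcd97000) from the commit message; with the alignment applied first, the first va equals block and the allocation grows to cover the leading partial page.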