APPLIED: [SRU][M/F][PATCH v2 0/1] CVE-2024-26712

Roxana Nicolescu roxana.nicolescu at canonical.com
Thu Apr 25 17:07:24 UTC 2024 

On 23/04/2024 22:47, Bethany Jamison wrote:
> [Impact]
>
>   In the Linux kernel, the following vulnerability has been resolved:
>
>   powerpc/kasan: Fix addr error caused by page alignment
>
>   In kasan_init_region, when k_start is not page aligned, at the begin of
>   for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then
>   `va = block + k_cur - k_start` is less than block, the addr va is invalid,
>   because the memory address space from va to block is not alloced by
>   memblock_alloc, which will not be reserved by memblock_reserve later, it
>   will be used by other places.
>
>   As a result, memory overwriting occurs.
>
>   for example:
>   int __init __weak kasan_init_region(void *start, size_t size)
>   {
>   [...]
>          /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */
>          block = memblock_alloc(k_end - k_start, PAGE_SIZE);
>          [...]
>          for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
>                  /* at the begin of for loop
>                   * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)
>                   * va(dcd96c00) is less than block(dcd97000), va is invalid
>                   */
>                  void *va = block + k_cur - k_start;
>                  [...]
>          }
>   [...]
>   }
>
>   Therefore, page alignment is performed on k_start before
>   memblock_alloc() to ensure the validity of the VA address.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy:	pending
> Focal:	Backport - manually added the k_start realignment right before
> 	memblock_alloc despite the context conflicts with the surrounding
> 	code. Also added curly brackets around the contents of the if-statement
> 	since it's no longer just 1 line.
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use KASAN on PowerPC when initializing a
> memory region, an issue with this fix would be visable to the user via
> data corruption or a system crash.
>
> v1: sent Mantic/Focal fix
>
> v2: resubmitted Mantic (unchanged)
>      resumbitted Focal - added curly brackets to the if-statement I had added
>      to since it was no longer a single line
>
> Jiangfeng Xiao (1):
>    powerpc/kasan: Fix addr error caused by page alignment
>
>   arch/powerpc/mm/kasan/kasan_init_32.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
Mantic already had it. I added the CVE no there.

Applied to focal master-next branch. Thanks!

More information about the kernel-team mailing list