APPLIED: [SRU][M/F][PATCH v2 0/1] CVE-2024-26712
Roxana Nicolescu
roxana.nicolescu at canonical.com
Thu Apr 25 17:07:24 UTC 2024
On 23/04/2024 22:47, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> powerpc/kasan: Fix addr error caused by page alignment
>
> In kasan_init_region, when k_start is not page aligned, at the beginning of
> the for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then
> `va = block + k_cur - k_start` is less than block, the addr va is invalid,
> because the memory address space from va to block is not allocated by
> memblock_alloc, which will not be reserved by memblock_reserve later, it
> will be used by other places.
>
> As a result, memory overwriting occurs.
>
> for example:
> int __init __weak kasan_init_region(void *start, size_t size)
> {
> [...]
> /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */
> block = memblock_alloc(k_end - k_start, PAGE_SIZE);
> [...]
> for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
> /* at the begin of for loop
> * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)
> * va(dcd96c00) is less than block(dcd97000), va is invalid
> */
> void *va = block + k_cur - k_start;
> [...]
> }
> [...]
> }
>
> Therefore, page alignment is performed on k_start before
> memblock_alloc() to ensure the validity of the VA address.
>
> [Fix]
>
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy: pending
> Focal: Backport - manually added the k_start realignment right before
> memblock_alloc despite the context conflicts with the surrounding
> code. Also added curly brackets around the contents of the if-statement
> since it's no longer just 1 line.
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use KASAN on PowerPC when initializing a
> memory region; an issue with this fix would be visible to the user via
> data corruption or a system crash.
>
> v1: sent Mantic/Focal fix
>
> v2: resubmitted Mantic (unchanged)
> resubmitted Focal - added curly brackets to the if-statement I had added
> to, since it was no longer a single line
>
> Jiangfeng Xiao (1):
> powerpc/kasan: Fix addr error caused by page alignment
>
> arch/powerpc/mm/kasan/kasan_init_32.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
Mantic already had it. I added the CVE number there.
Applied to focal master-next branch. Thanks!
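To make the arithmetic in the quoted commit message concrete, here is an added example (not code from the kernel, the patch, or either poster) that models only the `va = block + k_cur - k_start` computation from kasan_init_region() with and without the `k_start &= PAGE_MASK` realignment. It does not touch page tables or memblock: `fake_memblock_alloc()` is an assumed stand-in that just returns a caller-chosen base address, so the addresses from the commit message (block 0xdcd97000, k_start 0xfeef7400, k_end 0xfeeff3fe) can be fed in and the first va checked against the start of the allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* 4K pages, as on the 32-bit powerpc config the fix targets. */
#define PAGE_SIZE ((uint64_t)4096)
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* What one pass of the shadow-mapping loop produced. */
struct walk {
    uint64_t block;      /* start of the (modelled) memblock allocation */
    uint64_t alloc_size; /* bytes that would be requested from memblock */
    uint64_t first_va;   /* va computed on the first loop iteration */
    uint64_t pages;      /* number of loop iterations */
    bool underflow;      /* true if any va landed below block */
};

/* Assumed stand-in for memblock_alloc(): no memory is allocated, the
 * caller supplies the base the real allocator would have returned. */
static uint64_t fake_memblock_alloc(uint64_t size, uint64_t align, uint64_t base)
{
    (void)size;
    (void)align;
    return base;
}

/* Model of the loop in kasan_init_region(). align_start == false is the
 * pre-fix behaviour; align_start == true applies the patch's realignment
 * of k_start before the allocation. */
static struct walk walk_region(uint64_t k_start, uint64_t k_end,
                               uint64_t block_base, bool align_start)
{
    struct walk w = {0};
    uint64_t k_cur;

    if (align_start)
        k_start &= PAGE_MASK;          /* the fix */

    w.alloc_size = k_end - k_start;
    w.block = fake_memblock_alloc(w.alloc_size, PAGE_SIZE, block_base);

    for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
        uint64_t va = w.block + k_cur - k_start;

        if (w.pages == 0)
            w.first_va = va;
        if (va < w.block)
            w.underflow = true;        /* va points before the allocation */
        w.pages++;
    }
    return w;
}

/* The exact addresses quoted in the commit message. */
static struct walk example_walk(bool align_start)
{
    return walk_region(0xfeef7400ULL, 0xfeeff3feULL, 0xdcd97000ULL, align_start);
}

int main(void)
{
    struct walk before = example_walk(false);
    struct walk after = example_walk(true);

    printf("before fix: block=%" PRIx64 " first va=%" PRIx64 " underflow=%d\n",
           before.block, before.first_va, before.underflow);
    printf("after fix:  block=%" PRIx64 " first va=%" PRIx64 " underflow=%d\n",
           after.block, after.first_va, after.underflow);
    return 0;
}
```

Without the realignment the first iteration yields va = 0xdcd96c00, 0x400 bytes below the allocation; with k_start aligned first, the allocation grows by that same 0x400 bytes and the first va is exactly block.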