[SRU][J][PATCH v2 0/1] CVE-2024-38667
Koichiro Den
koichiro.den at canonical.com
Wed Sep 18 05:21:26 UTC 2024
[Impact]
riscv: prevent pt_regs corruption for secondary idle threads
Top of the kernel thread stack should be reserved for pt_regs. However
this is not the case for the idle threads of the secondary boot harts.
Their stacks overlap with their pt_regs, so both may get corrupted.
A similar issue has been fixed for the primary hart; see c7cdd96eca28
("riscv: prevent stack corruption by reserving task_pt_regs(p) early").
However that fix was not propagated to the secondary harts. The problem
has been noticed in some CPU hotplug tests with V enabled. The function
smp_callin stored several registers on stack, corrupting top of pt_regs
structure including status field. As a result, kernel attempted to save
or restore nonexistent V context.
[Backport]
Sparse HART ID support added many changes upstream:
https://lore.kernel.org/all/20220120090918.2646626-1-atishp@rivosinc.com/
and the primary fix commit a638b0461b58 depends on them. Directly
conflicting commits from the series are as follows:
- 9a2451f18663 ("RISC-V: Avoid using per cpu array for ordered booting")
- c78f94f35cf6 ("RISC-V: Use __cpu_up_stack/task_pointer only for spinwait method")
We opted not to backport the entire series, minimizing changes around
the primary security fix. Otherwise, we would not only introduce
unnecessary changes and new features, but also need to backport multiple
fix commits for them, which were discovered later upstream. This
indicates that the fix is needed only for __cpu_up_stack_pointer, which
still serves dual purposes for both spinwait and ordered methods,
without supporting Sparse HART id.
[Fix]
Noble: fixed via stable (pending)
Jammy: Backport - adjusted contexts due to missing commits, see [Backport]
Focal: not affected
Bionic: not affected
Xenial: not affected
Trusty: not affected
[Test case]
Compile and boot tested.
Additionally, I conducted CPU hotplug testing on a RISC-V 64-bit QEMU
instance with V enabled, verifying the modified
cpu_update_secondary_bootdata() functions with no issue.
[Where problems could occur]
This fix affects RISC-V; an issue with this fix would be visible to the
user as unpredictable system behavior or a system crash.
[Notes]
v2:
- Fix commit message and cover letter
Sergey Matyukevich (1):
riscv: prevent pt_regs corruption for secondary idle threads
arch/riscv/kernel/cpu_ops.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--
2.43.0
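Added example, not code from the patch or the kernel: a user-space model of the kernel-stack layout described above, showing why the secondary idle thread's boot stack pointer must start at task_pt_regs(tidle) rather than at the stack top. THREAD_SIZE, the pt_regs field layout and the stack page address are assumptions that approximate the kernel's, present only to make the address arithmetic concrete.

```c
/* Added example, not the patch's code: a user-space model of the riscv
 * kernel-stack layout showing why a secondary idle thread's boot stack
 * pointer must start at task_pt_regs(tidle), not at the stack top.
 * THREAD_SIZE and the pt_regs layout are assumptions approximating the
 * kernel's, only there to make the address arithmetic concrete. */
#include <stddef.h>
#include <stdint.h>

#define THREAD_SIZE (16 * 1024)             /* assumed kernel stack size */

/* Approximates arch/riscv/include/asm/ptrace.h: 32 GPR slots (epc, ra, sp,
 * ..., t6) followed by the CSR copies, including the status field. */
struct pt_regs {
    unsigned long gpr[32];
    unsigned long status, badaddr, cause, orig_a0;
};

/* Mirrors the kernel's task_pt_regs(): pt_regs is reserved at the stack top. */
static uintptr_t task_pt_regs(uintptr_t stack_page)
{
    return stack_page + THREAD_SIZE - sizeof(struct pt_regs);
}

/* Boot stack pointer handed to the secondary hart, before and after the fix. */
static uintptr_t boot_sp_before_fix(uintptr_t stack_page)
{
    return stack_page + THREAD_SIZE;        /* task_stack_page(tidle) + THREAD_SIZE */
}
static uintptr_t boot_sp_after_fix(uintptr_t stack_page)
{
    return task_pt_regs(stack_page);        /* pt_regs now sits above sp, untouched */
}

/* 1 if pushing nbytes below sp (as smp_callin's prologue does) overlaps the
 * reserved pt_regs [r_lo, r_hi), 0 otherwise. */
static int push_clobbers_pt_regs(uintptr_t stack_page, uintptr_t sp, size_t nbytes)
{
    uintptr_t r_lo = task_pt_regs(stack_page), r_hi = r_lo + sizeof(struct pt_regs);
    return sp - nbytes < r_hi && sp > r_lo;
}

/* 1 if that push lands on the status field in particular. */
static int push_clobbers_status(uintptr_t stack_page, uintptr_t sp, size_t nbytes)
{
    uintptr_t st = task_pt_regs(stack_page) + offsetof(struct pt_regs, status);
    return sp - nbytes <= st && st < sp;
}
```

With the pre-fix stack pointer, a 64-byte push from smp_callin overwrites the top of pt_regs, status included; with the post-fix pointer the same push stays entirely below the reserved region.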