ACK: [SRU][J][PATCH v2 0/1] CVE-2024-38667

Mehmet Basaran mehmet.basaran at canonical.com
Tue Sep 24 09:23:51 UTC 2024


Acked-by: Mehmet Basaran <mehmet.basaran at canonical.com>

Koichiro Den <koichiro.den at canonical.com> writes:

> [Impact]
>
> riscv: prevent pt_regs corruption for secondary idle threads
>
> Top of the kernel thread stack should be reserved for pt_regs. However
> this is not the case for the idle threads of the secondary boot harts.
> Their stacks overlap with their pt_regs, so both may get corrupted.
>
> A similar issue has been fixed for the primary hart, see c7cdd96eca28
> ("riscv: prevent stack corruption by reserving task_pt_regs(p) early").
> However that fix was not propagated to the secondary harts. The problem
> has been noticed in some CPU hotplug tests with V enabled. The function
> smp_callin stored several registers on stack, corrupting top of pt_regs
> structure including status field. As a result, kernel attempted to save
> or restore inexistent V context.
>
> [Backport]
>
> Sparse HART id support added many changes on upstream:
> https://lore.kernel.org/all/20220120090918.2646626-1-atishp@rivosinc.com/
> and the primary fix commit a638b0461b58 depends on them. Directly
> conflicting commits from the series are as follows:
> - 9a2451f18663 ("RISC-V: Avoid using per cpu array for ordered booting")
> - c78f94f35cf6 ("RISC-V: Use __cpu_up_stack/task_pointer only for spinwait method")
>
> We opted not to backport the entire series, minimizing changes around
> the primary security fix. Otherwise, we would not only introduce
> unnecessary changes and new features, but also need to backport multiple
> fix commits for them, which were discovered later on upstream. This
> indicates that the fix is needed only for __cpu_up_stack_pointer, which
> still serves dual purposes for both spinwait and ordered methods,
> without supporting Sparse HART id.
>
> [Fix]
>
> Noble:  fixed via stable (pending)
> Jammy:  Backport - adjusted contexts due to missing commits, see [Backport]
> Focal:  not affected
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test case]
>
> Compile and boot tested.
>
> Additionally, I conducted CPU hotplug testing on a RISC-V 64-bit QEMU
> instance with V enabled, verifying the modified
> cpu_update_secondary_bootdata() functions with no issue.
>
> [Where problem could occur]
>
> This fix affects RISC-V, an issue with this fix would be visible to the
> user via unpredicted system behavior or a system crash.
>
> [Notes]
>
> v2:
>   - Fix commit message and cover letter
>
>
> Sergey Matyukevich (1):
>   riscv: prevent pt_regs corruption for secondary idle threads
>
>  arch/riscv/kernel/cpu_ops.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> -- 
> 2.43.0
>
>
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
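An added user-space model of the overlap the cover letter describes (my own illustration, not the patch or kernel code): the pre-fix boot stack pointer is the top of the stack page, the fixed one is task_pt_regs(), and a prologue that stores more than four registers clobbers the status field only in the pre-fix case. THREAD_SIZE, the pushed register values and the status marker are constructed; struct pt_regs mirrors the RV64 layout in arch/riscv/include/asm/ptrace.h as I read it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define THREAD_SIZE 4096u   /* assumed; the real value depends on the kernel config */

/* Layout of struct pt_regs on RV64 (arch/riscv/include/asm/ptrace.h): 36 x 8 bytes. */
struct pt_regs {
	uint64_t epc, ra, sp, gp, tp, t0, t1, t2, s0, s1;
	uint64_t a0, a1, a2, a3, a4, a5, a6, a7;
	uint64_t s2, s3, s4, s5, s6, s7, s8, s9, s10, s11;
	uint64_t t3, t4, t5, t6;
	uint64_t status, badaddr, cause, orig_a0;
};

/* One idle thread's stack page (constructed stand-in for task_stack_page()). */
static uint64_t stack_words[THREAD_SIZE / 8];
#define STACK_PAGE ((uint8_t *)stack_words)

/* task_pt_regs(): pt_regs is reserved at the very top of the kernel thread stack. */
static struct pt_regs *task_pt_regs(uint8_t *page)
{
	return (struct pt_regs *)(page + THREAD_SIZE - sizeof(struct pt_regs));
}

/* Pre-fix secondary boot sp: top of the stack page, i.e. overlapping pt_regs. */
static uint8_t *buggy_boot_sp(uint8_t *page) { return page + THREAD_SIZE; }

/* Post-fix boot sp: just below pt_regs, as the primary hart already did. */
static uint8_t *fixed_boot_sp(uint8_t *page) { return (uint8_t *)task_pt_regs(page); }

/* Emulate a function prologue (smp_callin-like) storing n registers below sp. */
static void push_regs(uint8_t *sp, unsigned n)
{
	for (unsigned i = 1; i <= n; i++) {
		uint64_t saved = 0xDEADBEEF00000000ull | i;  /* constructed register value */
		memcpy(sp - 8 * i, &saved, sizeof saved);
	}
}

/* Returns 1 if pt_regs->status is intact after n pushes from the chosen boot sp, else 0. */
static int status_survives(uint8_t *(*boot_sp)(uint8_t *), unsigned n)
{
	const uint64_t marker = 0x6000;  /* constructed; stands in for the saved FS/VS state bits */
	struct pt_regs *regs = task_pt_regs(STACK_PAGE);
	memset(STACK_PAGE, 0, THREAD_SIZE);
	regs->status = marker;
	push_regs(boot_sp(STACK_PAGE), n);
	return regs->status == marker;
}
```

With the pre-fix sp, the first three stores only hit orig_a0, cause and badaddr; the fourth lands on status, which is the corruption the V context save/restore then trips over.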