ACK/Cmnt: [SRU][M/F][PATCH v2 0/1] CVE-2024-26712

Stefan Bader stefan.bader at canonical.com
Wed Apr 24 14:52:20 UTC 2024


On 23.04.24 22:47, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved:
> 
>   powerpc/kasan: Fix addr error caused by page alignment
> 
>   In kasan_init_region, when k_start is not page aligned, at the beginning of
>   the for loop, k_cur = k_start & PAGE_MASK is less than k_start, and then
>   `va = block + k_cur - k_start` is less than block, the addr va is invalid,
>   because the memory address space from va to block is not alloced by
>   memblock_alloc, which will not be reserved by memblock_reserve later, it
>   will be used by other places.
> 
>   As a result, memory overwriting occurs.
> 
>   for example:
>   int __init __weak kasan_init_region(void *start, size_t size)
>   {
>   [...]
>          /* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */
>          block = memblock_alloc(k_end - k_start, PAGE_SIZE);
>          [...]
>          for (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {
>                  /* at the begin of for loop
>                   * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)
>                   * va(dcd96c00) is less than block(dcd97000), va is invalid
>                   */
>                  void *va = block + k_cur - k_start;
>                  [...]
>          }
>   [...]
>   }
> 
>   Therefore, page alignment is performed on k_start before
>   memblock_alloc() to ensure the validity of the VA address.
> 
> [Fix]
> 
> Mantic: Clean cherry-pick from linux-6.6.y
> Jammy:	pending
> Focal:	Backport - manually added the k_start realignment right before
> 	memblock_alloc despite the context conflicts with the surrounding
> 	code. Also added curly brackets around the contents of the if-statement
> 	since it's no longer just 1 line.
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use KASAN on PowerPC when initializing a
> memory region; an issue with this fix would be visible to the user via
> data corruption or a system crash.
> 
> v1: sent Mantic/Focal fix
> 
> v2: resubmitted Mantic (unchanged)
>      resubmitted Focal - added curly brackets to the if-statement I had added
>      to since it was no longer a single line
> 
> Jiangfeng Xiao (1):
>    powerpc/kasan: Fix addr error caused by page alignment
> 
>   arch/powerpc/mm/kasan/kasan_init_32.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
For Focal, k_start is used again below (outside the if statement where 
the new code gets added). Luckily k_start & PAGE_MASK is the same, no 
matter how often it's done...

Acked-by: Stefan Bader <stefan.bader at canonical.com>
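The address arithmetic in the quoted commit message, worked through as a small added example (this is not code from the patch, the kernel or the mailing list thread). It reuses the block/k_start/k_end values quoted in the commit as constructed inputs, assumes 4 KiB pages, and models only the `va = block + k_cur - k_start` computation, not the page-table writes. It shows that with an unaligned k_start the first backing VA lands k_start - (k_start & PAGE_MASK) bytes below the memblock allocation, that aligning k_start first puts the first VA exactly at block, and that the alignment is idempotent, which is the property the ACK relies on for Focal:

```c
#include <stdio.h>

/* 4 KiB pages, assumed for this example (matches the addresses quoted in the commit). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))

/* Constructed inputs: the values quoted in the commit message, not live addresses. */
#define EXAMPLE_BLOCK   0xdcd97000UL
#define EXAMPLE_K_START 0xfeef7400UL
#define EXAMPLE_K_END   0xfeeff3feUL

/* The backing VA the loop computes for one shadow page: block + (k_cur - k_start). */
static unsigned long shadow_backing_va(unsigned long block, unsigned long k_start,
				       unsigned long k_cur)
{
	return block + k_cur - k_start;
}

/*
 * Unfixed path: k_start stays unaligned but the loop starts at k_start & PAGE_MASK,
 * so k_cur < k_start on the first iteration and the VA is computed below block,
 * i.e. in memory that memblock_alloc never handed out.
 */
unsigned long first_va_unaligned(unsigned long block, unsigned long k_start)
{
	unsigned long k_cur = k_start & PAGE_MASK;

	return shadow_backing_va(block, k_start, k_cur);
}

/*
 * Fixed path: align k_start down before the allocation (the line the patch adds).
 * Now k_cur == k_start on the first iteration and the first VA is block itself.
 */
unsigned long first_va_aligned(unsigned long block, unsigned long k_start)
{
	unsigned long k_cur;

	k_start &= PAGE_MASK;
	k_cur = k_start & PAGE_MASK;
	return shadow_backing_va(block, k_start, k_cur);
}

/* How many bytes below the allocation the first shadow page would land without the fix. */
unsigned long bytes_below_block(unsigned long block, unsigned long k_start)
{
	unsigned long va = first_va_unaligned(block, k_start);

	return va < block ? block - va : 0;
}

/* Masking is idempotent: re-aligning an already aligned k_start changes nothing. */
int page_align_is_idempotent(unsigned long k_start)
{
	unsigned long once = k_start & PAGE_MASK;

	return (once & PAGE_MASK) == once;
}

int main(void)
{
	printf("unaligned: first va 0x%lx, block 0x%lx, %lu bytes below block\n",
	       first_va_unaligned(EXAMPLE_BLOCK, EXAMPLE_K_START), EXAMPLE_BLOCK,
	       bytes_below_block(EXAMPLE_BLOCK, EXAMPLE_K_START));
	printf("aligned:   first va 0x%lx\n",
	       first_va_aligned(EXAMPLE_BLOCK, EXAMPLE_K_START));
	return 0;
}
```

Aligning k_start before memblock_alloc also enlarges the request by the same 0x400 bytes (k_end - k_start grows), which is why the patch places the alignment ahead of the allocation rather than ahead of the loop. Because `& PAGE_MASK` is idempotent, the later uses of k_start in the Focal code see the same value whether they mask it again or not.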