Bug 1214289 (CVE-2023-21264) - VUL-0: CVE-2023-21264: kernel-source,kernel-source-rt,kernel-source-azure: In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place
Status: RESOLVED INVALID
Alias: CVE-2023-21264
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/375319/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-08-15 10:21 UTC by Cathy Hu
Modified: 2023-08-15 13:44 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-08-15 10:21:57 UTC
CVE-2023-21264

In multiple functions of mem_protect.c, there is a possible way to access
hypervisor memory due to a memory access check in the wrong place. This could
lead to local escalation of privilege with System execution privileges needed.
User interaction is not needed for exploitation.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-21264
https://www.cve.org/CVERecord?id=CVE-2023-21264
https://android.googlesource.com/kernel/common/+/53625a846a7b4
https://android.googlesource.com/kernel/common/+/b35a06182451f
https://source.android.com/security/bulletin/2023-08-01
Comment 1 Cathy Hu 2023-08-15 10:31:26 UTC
I will track the following:

Not affected (no arch/arm64/kvm/hyp/nvhe/mem_protect.c):
- cve/linux-3.0
- cve/linux-4.12
- cve/linux-4.4
- cve/linux-5.3

Not affected (arch/arm64/kvm/hyp/nvhe/mem_protect.c is quite different):
- SLE12-SP5
- SLE15-SP4-AZURE
- SLE15-SP4-RT
- SLE15-SP4
- SLE15-SP5
- SLE15-SP5-AZURE
- SLE15-SP5-RT

Already fixed: 
- ALP-current
- stable

Please let me know in case you have any concerns :) Thank you!
Comment 2 Chester Lin 2023-08-15 12:16:28 UTC
(In reply to Hu from comment #1)
> I will track the following:
> 
> Not affected (no arch/arm64/kvm/hyp/nvhe/mem_protect.c):
> - cve/linux-3.0
> - cve/linux-4.12
> - cve/linux-4.4
> - cve/linux-5.3
> 
> Not affected (arch/arm64/kvm/hyp/nvhe/mem_protect.c is quite different)
> - SLE12-SP5
> - SLE15-SP4-AZURE
> - SLE15-SP4-RT
> - SLE15-SP4
> - SLE15-SP5
> - SLE15-SP5-AZURE
> - SLE15-SP5-RT
> 
> Already fixed: 
> - ALP-current
> - stable
> 
> Please let me know in case you have any concerns :) Thank you!

Reassigning to a concrete person to ensure progress [1] (feel free to pass to the next one), see also the process at [2].
 
Hi Juergen and Li,

Could you please confirm if SUSE kernels are not affected by this CVE? It contains two fixes that solve the exploitation caused by improper memory access checks found in the AOSP kernel's ARM64 KVM.

Thanks!
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 3 Chester Lin 2023-08-15 12:57:53 UTC
(In reply to Hu from comment #1)
> I will track the following:
> 
> Not affected (no arch/arm64/kvm/hyp/nvhe/mem_protect.c):
> - cve/linux-3.0
> - cve/linux-4.12
> - cve/linux-4.4
> - cve/linux-5.3
> 
> Not affected (arch/arm64/kvm/hyp/nvhe/mem_protect.c is quite different)
> - SLE12-SP5
> - SLE15-SP4-AZURE
> - SLE15-SP4-RT
> - SLE15-SP4
> - SLE15-SP5
> - SLE15-SP5-AZURE
> - SLE15-SP5-RT
> 
> Already fixed: 
> - ALP-current
> - stable
> 
> Please let me know in case you have any concerns :) Thank you!

The Android patches listed in the CVE page seem to be merged and revised in upstream kernel v6.4-rc5:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09cce60bddd6461a93a5bf434265a47827d1bc6f

As Hu mentioned, both stable and ALP-current have this patch.
Comment 4 Jürgen Groß 2023-08-15 13:10:47 UTC
I can confirm that the patch introducing the issue (commit e82edcc75c4e) hasn't been backported to any of our kernel branches.
Comment 5 Cathy Hu 2023-08-15 13:44:26 UTC
thanks, closing