Bug 1223662 (CVE-2024-26947) - VUL-0: CVE-2024-26947: kernel: ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses
Summary: VUL-0: CVE-2024-26947: kernel: ARM: 9359/1: flush: check if the folio is rese...
Status: NEW
Alias: CVE-2024-26947
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/403716/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26947:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-02 08:30 UTC by SMASH SMASH
Modified: 2024-05-30 13:23 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-05-02 08:30:04 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses

Since commit a4d5613c4dc6 ("arm: extend pfn_valid to take into account
freed memory map alignment") changes the semantics of pfn_valid() to check
presence of the memory map for a PFN. A valid page for an address which
is reserved but not mapped by the kernel[1], the system crashed during
some uio test with the following memory layout:

 node   0: [mem 0x00000000c0a00000-0x00000000cc8fffff]
 node   0: [mem 0x00000000d0000000-0x00000000da1fffff]
 the uio layout is?0xc0900000, 0x100000

the crash backtrace like:

  Unable to handle kernel paging request at virtual address bff00000
  [...]
  CPU: 1 PID: 465 Comm: startapp.bin Tainted: G           O      5.10.0 #1
  Hardware name: Generic DT based system
  PC is at b15_flush_kern_dcache_area+0x24/0x3c
  LR is at __sync_icache_dcache+0x6c/0x98
  [...]
   (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)
   (__sync_icache_dcache) from (set_pte_at+0x28/0x54)
   (set_pte_at) from (remap_pfn_range+0x1a0/0x274)
   (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])
   (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)
   (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)
   (__do_mmap_mm) from (do_mmap+0x50/0x58)
   (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)
   (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)
   (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)
  Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)
  ---[ end trace 09cf0734c3805d52 ]---
  Kernel panic - not syncing: Fatal exception

So check if PG_reserved was set to solve this issue.

[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26947
https://www.cve.org/CVERecord?id=CVE-2024-26947
https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff
https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc
https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7
https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-26947.mbox
https://bugzilla.redhat.com/show_bug.cgi?id=2278167
Comment 3 Matthias Brugger 2024-05-30 13:23:43 UTC 
balcklisted both, as not applicable due to missing folio support in our kernels.