Bug 1224737 (CVE-2024-35802) - VUL-0: REJECTED: CVE-2024-35802: kernel: x86/sev: Fix position dependent variable references in startup code
Summary: VUL-0: REJECTED: CVE-2024-35802: kernel: x86/sev: Fix position dependent vari...
Status: RESOLVED FIXED
Alias: CVE-2024-35802
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Joerg Roedel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/406457/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-35802:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-20 16:23 UTC by SMASH SMASH
Modified: 2024-05-29 06:32 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-05-20 16:23:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

x86/sev: Fix position dependent variable references in startup code

The early startup code executes from a 1:1 mapping of memory, which
differs from the mapping that the code was linked and/or relocated to
run at. The latter mapping is not active yet at this point, and so
symbol references that rely on it will fault.

Given that the core kernel is built without -fPIC, symbol references are
typically emitted as absolute, and so any such references occuring in
the early startup code will therefore crash the kernel.

While an attempt was made to work around this for the early SEV/SME
startup code, by forcing RIP-relative addressing for certain global
SEV/SME variables via inline assembly (see snp_cpuid_get_table() for
example), RIP-relative addressing must be pervasively enforced for
SEV/SME global variables when accessed prior to page table fixups.

__startup_64() already handles this issue for select non-SEV/SME global
variables using fixup_pointer(), which adjusts the pointer relative to a
`physaddr` argument. To avoid having to pass around this `physaddr`
argument across all functions needing to apply pointer fixups, introduce
a macro RIP_RELATIVE_REF() which generates a RIP-relative reference to
a given global variable. It is used where necessary to force
RIP-relative accesses to global variables.

For backporting purposes, this patch makes no attempt at cleaning up
other occurrences of this pattern, involving either inline asm or
fixup_pointer(). Those will be addressed later.

  [ bp: Call it "rip_rel_ref" everywhere like other code shortens
    "rIP-relative reference" and make the asm wrapper __always_inline. ]

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-35802
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-35802.mbox
https://git.kernel.org/stable/c/fe272b61506bb1534922ef07aa165fd3c37a6a90
https://git.kernel.org/stable/c/0982fd6bf0b822876f2e93ec782c4c28a3f85535
https://git.kernel.org/stable/c/66fa3fcb474b2b892fe42d455a6f7ec5aaa98fb9
https://git.kernel.org/stable/c/954a4a87814465ad61cc97c1cd3de1525baaaf07
https://git.kernel.org/stable/c/1c811d403afd73f04bde82b83b24c754011bd0e8
https://www.cve.org/CVERecord?id=CVE-2024-35802
https://bugzilla.redhat.com/show_bug.cgi?id=2281232
Comment 1 Joey Lee 2024-05-21 06:55:12 UTC 
https://www.suse.com/security/cve/CVE-2024-35802.html
cvss 5.5
Comment 6 Michal Hocko 2024-05-28 07:58:13 UTC 
I have hard time to follow the changelog. Is this a functional fix or there are some real security consequences?
Comment 9 Thomas Leroy 2024-05-28 08:35:46 UTC 
Affecting clang builds only, closing as not affected
Comment 10 Michal Hocko 2024-05-29 06:20:33 UTC 
(In reply to Thomas Leroy from comment #9)
> Affecting clang builds only, closing as not affected

and CVE rejected as well