CVE-2024-26639

Published: 2024-03-18
Source: ubuntu.com

Tags: linux kernel, vulnerability, cve-2024-26639, fixed, kmsan, infinite recursion, rcu critical section, pfn_valid(), _sched(), rcu_read_lock/unlock

AI Score: 6.2 Medium (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 10.4%)

In the Linux kernel, the following vulnerability has been resolved:

mm, kmsan: fix infinite recursion due to RCU critical section

Alexander Potapenko writes in [1]:

“For every memory access in the code instrumented by KMSAN we call kmsan_get_metadata() to obtain the metadata for the memory being accessed. For virtual memory the metadata pointers are stored in the corresponding struct page, therefore we need to call virt_to_page() to get them. According to the comment in arch/x86/include/asm/page.h, virt_to_page(kaddr) returns a valid pointer iff virt_addr_valid(kaddr) is true, so KMSAN needs to call virt_addr_valid() as well.

To avoid recursion, kmsan_get_metadata() must not call instrumented code, therefore ./arch/x86/include/asm/kmsan.h forks parts of arch/x86/mm/physaddr.c to check whether a virtual address is valid or not.

But the introduction of rcu_read_lock() to pfn_valid() added instrumented RCU API calls to virt_to_page_or_null(), which is called by kmsan_get_metadata(), so there is an infinite recursion now. I do not think it is correct to stop that recursion by doing kmsan_enter_runtime()/kmsan_exit_runtime() in kmsan_get_metadata(): that would prevent instrumented functions called from within the runtime from tracking the shadow values, which might introduce false positives.”

Fix the issue by switching pfn_valid() to the _sched() variant of rcu_read_lock/unlock(), which does not require calling into RCU. Given the critical section in pfn_valid() is very small, this is a reasonable trade-off (with preemptible RCU).

KMSAN further needs to be careful to suppress calls into the scheduler, which would be another source of recursion. This can be done by wrapping the call to pfn_valid() into preempt_disable/enable_no_resched(). The downside is that this sacrifices breaking scheduling guarantees; however, a kernel compiled with KMSAN has already given up any performance guarantees due to being heavily instrumented.

Note, KMSAN code already disables tracing via Makefile, and since mmzone.h is included, it is not necessary to use the notrace variant, which is generally preferred in all other cases.

Notes

Author Note (rodrigo-zaiden): introduced with the fix for CVE-2023-52489.