In the Linux kernel, the following vulnerability has been resolved:

arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD

Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't quite right, as it is supposed to be applied after the last explicit memory access, but is immediately followed by an LDR.

The ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to handle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295, which are described in:

* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en
* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en

In both cases the workaround is described as:

| If pagetable isolation is disabled, the context switch logic in the
| kernel can be updated to execute the following sequence on affected
| cores before exiting to EL0, and after all explicit memory accesses:
|
| 1. A non-shareable TLBI to any context and/or address, including
| unused contexts or addresses, such as a TLBI VALE1 Xzr.
|
| 2. A DSB NSH to guarantee completion of the TLBI.

The important part being that the TLBI+DSB must be placed "after all explicit memory accesses".

Unfortunately, as-implemented, the TLBI+DSB is immediately followed by an LDR, as we have:

| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
|     tlbi    vale1, xzr
|     dsb     nsh
| alternative_else_nop_endif
| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
|     ldr     lr, [sp, #S_LR]
|     add     sp, sp, #PT_REGS_SIZE   // restore sp
|     eret
| alternative_else_nop_endif
|
| [ ... KPTI exception return path ... ]

This patch fixes this by reworking the logic to place the TLBI+DSB immediately before the ERET, after all explicit memory accesses.

The ERET is currently in a separate alternative block, and alternatives cannot be nested. To account for this, the alternative block for ARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch to skip the KPTI logic, with the new shape of the logic being:

| alternative_insn "b .L_skip_tramp_exit_@", nop, ARM64_UNMAP_KERNEL_AT_EL0
|     [ ... KPTI exception return path ... ]
| .L_skip_tramp_exit_@:
|
|     ldr     lr, [sp, #S_LR]
|     add     sp, sp, #PT_REGS_SIZE   // restore sp
|
| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
|     tlbi    vale1, xzr
|     dsb     nsh
| alternative_else_nop_endif
|     eret

The new structure means that the workaround is only applied when KPTI is not in use; this is fine as noted in the documented implications of the erratum:

| Pagetable isolation between EL0 and higher level ELs prevents the
| issue from occurring.

... and as per the workaround description quoted above, the workaround is only necessary "If pagetable isolation is disabled".
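As an added check, not part of the commit or the kernel tree: a small Python lint that applies the erratum's ordering rule to the two exit sequences quoted above (transcribed here as constructed input) and reports any explicit memory access that lands between the TLBI+DSB pair and the ERET. It assumes a mnemonic-prefix heuristic (`ld*`/`st*`) for "explicit memory access" and keeps the `.L_skip_tramp_exit_@` label spelling as it appears in the commit text.

```python
import re

# Explicit memory-access mnemonics, e.g. LDR/LDP/LDUR/STR/STP (assumed prefix heuristic).
MEMORY_ACCESS = re.compile(r"^(ld|st)\w*$")
# Constructed transcriptions of the two exit sequences quoted in the commit message.
BEFORE_FIX = """
alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
    tlbi    vale1, xzr
    dsb     nsh
alternative_else_nop_endif
alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
    ldr     lr, [sp, #S_LR]
    add     sp, sp, #PT_REGS_SIZE   // restore sp
    eret
alternative_else_nop_endif
"""
AFTER_FIX = """
alternative_insn "b .L_skip_tramp_exit_@", nop, ARM64_UNMAP_KERNEL_AT_EL0
.L_skip_tramp_exit_@:
    ldr     lr, [sp, #S_LR]
    add     sp, sp, #PT_REGS_SIZE   // restore sp
alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
    tlbi    vale1, xzr
    dsb     nsh
alternative_else_nop_endif
    eret
"""

def _instructions(listing):
    # Yield (mnemonic, text) for real instructions: strip // comments, skip blanks, labels, alternative_* macros.
    for raw in listing.splitlines():
        line = " ".join(raw.split("//", 1)[0].split())
        if not line or line.endswith(":") or line.startswith("alternative_"):
            continue
        yield line.split(" ", 1)[0].lower(), line

def unordered_accesses(listing):
    # Memory accesses between the workaround (TLBI VALE1, XZR then DSB NSH) and the ERET; [] means the ordering rule holds.
    insns = list(_instructions(listing))
    offenders, in_window = [], False
    for i, (mnem, text) in enumerate(insns):
        if mnem == "dsb" and i and insns[i - 1][0] == "tlbi":
            in_window = True
        elif in_window and mnem == "eret":
            break
        elif in_window and MEMORY_ACCESS.match(mnem):
            offenders.append(text)
    if not in_window:
        raise ValueError("TLBI+DSB workaround sequence not found")
    return offenders
```

Running `unordered_accesses` on the pre-fix sequence flags the `ldr lr, [sp, #S_LR]` that the commit describes; the reworked sequence yields nothing.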
Author | Note |
---|---|
rodrigo-zaiden | USN-6765-1 for linux-oem-6.5 wrongly stated that this CVE was fixed in version 6.5.0-1022.23. The mentioned notice was revoked and the state of the fix for linux-oem-6.5 was recovered to the previous state. |
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 23.10 | noarch | linux | < 6.5.0-41.41 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-aws | < 6.5.0-1021.21 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux-azure | < 6.5.0-1022.23 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < 6.5.0-1022.23~22.04.1 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-gcp | < 6.5.0-1022.24 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < 6.5.0-1022.24~22.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-hwe-6.5 | < 6.5.0-41.41~22.04.2 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-laptop | < 6.5.0-1017.20 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-lowlatency | < 6.5.0-41.41.1 | UNKNOWN |
git.kernel.org/linus/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f (6.8-rc1)
git.kernel.org/stable/c/58eb5c07f41704464b9acc09ab0707b6769db6c0
git.kernel.org/stable/c/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f
git.kernel.org/stable/c/baa0aaac16432019651e0d60c41cd34a0c3c3477
launchpad.net/bugs/cve/CVE-2024-26670
nvd.nist.gov/vuln/detail/CVE-2024-26670
security-tracker.debian.org/tracker/CVE-2024-26670
ubuntu.com/security/notices/USN-6818-1
ubuntu.com/security/notices/USN-6818-2
ubuntu.com/security/notices/USN-6818-3
ubuntu.com/security/notices/USN-6818-4
ubuntu.com/security/notices/USN-6819-1
ubuntu.com/security/notices/USN-6819-2
ubuntu.com/security/notices/USN-6819-3
ubuntu.com/security/notices/USN-6819-4
www.cve.org/CVERecord?id=CVE-2024-26670