CVE-2024-40918

一、漏洞信息
 漏洞编号：[CVE-2024-40918](https://nvd.nist.gov/vuln/detail/CVE-2024-40918)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V2.0分值：
  BaseScore：0.0 Low
  Vector：CVSS：2.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:parisc: Try to fix random segmentation faults in package buildsPA-RISC systems with PA8800 and PA8900 processors have had problemswith random segmentation faults for many years.  Systems with earlierprocessors are much more stable.Systems with PA8800 and PA8900 processors have a large L2 cache whichneeds per page flushing for decent performance when a large range isflushed. The combined cache in these systems is also more sensitive tonon-equivalent aliases than the caches in earlier systems.The majority of random segmentation faults that I have looked atappear to be memory corruption in memory allocated using mmap andmalloc.My first attempt at fixing the random faults didn t work. Onreviewing the cache code, I realized that there were two issueswhich the existing code didn t handle correctly. Both relateto cache move-in. Another issue is that the present bit in PTEsis racy.1) PA-RISC caches have a mind of their own and they can speculativelyload data and instructions for a page as long as there is a entry inthe TLB for the page which allows move-in. TLBs are local to eachCPU. Thus, the TLB entry for a page must be purged before flushingthe page. This is particularly important on SMP systems.In some of the flush routines, the flush routine would be calledand then the TLB entry would be purged. This was because the flushroutine needed the TLB entry to do the flush.2) My initial approach to trying the fix the random faults was totry and use flush_cache_page_if_present for all flush operations.This actually made things worse and led to a couple of hardwarelockups. It finally dawned on me that some lines weren t beingflushed because the pte check code was racy. This resulted inrandom inequivalent mappings to physical pages.The __flush_cache_page tmpalias flush sets up its own TLB entryand it doesn t need the existing TLB entry. As long as we can findthe pte pointer for the vm page, we can get the pfn and physicaladdress of the page. We can also purge the TLB entry for the pagebefore doing the flush. Further, __flush_cache_page uses a specialTLB entry that inhibits cache move-in.When switching page mappings, we need to ensure that lines areremoved from the cache.  It is not sufficient to just flush thelines to memory as they may come back.This made it clear that we needed to implement all the requiredflush operations using tmpalias routines. This includes flushesfor user and kernel pages.After modifying the code to use tmpalias flushes, it became clearthat the random segmentation faults were not fully resolved. Thefrequency of faults was worse on systems with a 64 MB L2 (PA8900)and systems with more CPUs (rp4440).The warning that I added to flush_cache_page_if_present to detectpages that couldn t be flushed triggered frequently on some systems.Helge and I looked at the pages that couldn t be flushed and foundthat the PTE was either cleared or for a swap page. Ignoring pagesthat were swapped out seemed okay but pages with cleared PTEs seemedproblematic.I looked at routines related to pte_clear and noticed ptep_clear_flush.The default implementation just flushes the TLB entry. However, it wasobvious that on parisc we need to flush the cache page as well. Ifwe don t flush the cache page, stale lines will be left in the cacheand cause random corruption. Once a PTE is cleared, there is no wayto find the physical address associated with the PTE and flush theassociated page at a later time.I implemented an updated change with a parisc specific version ofptep_clear_flush. It fixed the random data corruption on Helge s rp4440and rp3440, as well as on my c8000.At this point, I realized that I could restore the code where we onlyflush in flush_cache_page_if_present if the page has been accessed.However, for this, we also need to flush the cache when the accessedbit is cleared in---truncated---
 漏洞公开时间：2024-07-12 21:15:14
 漏洞创建时间：2024-07-15 13:50:39
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2024-40918
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-40918 | https://bugzilla.suse.com/show_bug.cgi?id=1227848 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2024-40918 | https://bugzilla.suse.com/show_bug.cgi?id=1227848 |
| suse_bugzilla | https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0 | https://bugzilla.suse.com/show_bug.cgi?id=1227848 |
| suse_bugzilla | https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49 | https://bugzilla.suse.com/show_bug.cgi?id=1227848 |
| suse_bugzilla | https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20 | https://bugzilla.suse.com/show_bug.cgi?id=1227848 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-40918.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1227848 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2024-40918 | https://ubuntu.com/security/CVE-2024-40918 |
| ubuntu | https://git.kernel.org/linus/72d95924ee35c8cd16ef52f912483ee938a34d49 (6.10-rc4) | https://ubuntu.com/security/CVE-2024-40918 |
| ubuntu | https://git.kernel.org/stable/c/5bf196f1936bf93df31112fbdfb78c03537c07b0 | https://ubuntu.com/security/CVE-2024-40918 |
| ubuntu | https://git.kernel.org/stable/c/d66f2607d89f760cdffed88b22f309c895a2af20 | https://ubuntu.com/security/CVE-2024-40918 |
| ubuntu | https://git.kernel.org/stable/c/72d95924ee35c8cd16ef52f912483ee938a34d49 | https://ubuntu.com/security/CVE-2024-40918 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2024-40918 | https://ubuntu.com/security/CVE-2024-40918 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2024-40918 | https://ubuntu.com/security/CVE-2024-40918 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2024-40918 | https://ubuntu.com/security/CVE-2024-40918 |
| debian |  | https://security-tracker.debian.org/tracker/CVE-2024-40918 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux |  | https://git.kernel.org/linus/72d95924ee35c8cd16ef52f912483ee938a34d49 | https://git.kernel.org/linus/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | ubuntu |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  In the Linux kernel, the following vulnerability has been resolved:parisc: Try to fix random segmentation faults in package buildsPA-RISC systems with PA8800 and PA8900 processors have had problemswith random segmentation faults for many years.  Systems with earlierprocessors are much more stable.Systems with PA8800 and PA8900 processors have a large L2 cache whichneeds per page flushing for decent performance when a large range isflushed. The combined cache in these systems is also more sensitive tonon-equivalent aliases than the caches in earlier systems.The majority of random segmentation faults that I have looked atappear to be memory corruption in memory allocated using mmap andmalloc.My first attempt at fixing the random faults didn&#39;t work. Onreviewing the cache code, I realized that there were two issueswhich the existing code didn&#39;t handle correctly. Both relateto cache move-in. Another issue is that the present bit in PTEsis racy.1) PA-RISC caches have a mind of their own and they can speculativelyload data and instructions for a page as long as there is a entry inthe TLB for the page which allows move-in. TLBs are local to eachCPU. Thus, the TLB entry for a page must be purged before flushingthe page. This is particularly important on SMP systems.In some of the flush routines, the flush routine would be calledand then the TLB entry would be purged. This was because the flushroutine needed the TLB entry to do the flush.2) My initial approach to trying the fix the random faults was totry and use flush_cache_page_if_present for all flush operations.This actually made things worse and led to a couple of hardwarelockups. It finally dawned on me that some lines weren&#39;t beingflushed because the pte check code was racy. This resulted inrandom inequivalent mappings to physical pages.The __flush_cache_page tmpalias flush sets up its own TLB entryand it doesn&#39;t need the existing TLB entry. As long as we can findthe pte pointer for the vm page, we can get the pfn and physicaladdress of the page. We can also purge the TLB entry for the pagebefore doing the flush. Further, __flush_cache_page uses a specialTLB entry that inhibits cache move-in.When switching page mappings, we need to ensure that lines areremoved from the cache.  It is not sufficient to just flush thelines to memory as they may come back.This made it clear that we needed to implement all the requiredflush operations using tmpalias routines. This includes flushesfor user and kernel pages.After modifying the code to use tmpalias flushes, it became clearthat the random segmentation faults were not fully resolved. Thefrequency of faults was worse on systems with a 64 MB L2 (PA8900)and systems with more CPUs (rp4440).The warning that I added to flush_cache_page_if_present to detectpages that couldn&#39;t be flushed triggered frequently on some systems.Helge and I looked at the pages that couldn&#39;t be flushed and foundthat the PTE was either cleared or for a swap page. Ignoring pagesthat were swapped out seemed okay but pages with cleared PTEs seemedproblematic.I looked at routines related to pte_clear and noticed ptep_clear_flush.The default implementation just flushes the TLB entry. However, it wasobvious that on parisc we need to flush the cache page as well. Ifwe don&#39;t flush the cache page, stale lines will be left in the cacheand cause random corruption. Once a PTE is cleared, there is no wayto find the physical address associated with the PTE and flush theassociated page at a later time.I implemented an updated change with a parisc specific version ofptep_clear_flush. It fixed the random data corruption on Helge&#39;s rp4440and rp3440, as well as on my c8000.At this point, I realized that I could restore the code where we onlyflush in flush_cache_page_if_present if the page has been accessed.However, for this, we also need to flush the cache when the accessedbit is cleared in ptep_clear_flush_young to keep things synchronized.The default implementation only flushes the TLB entry.Other changes in this version are:1) Implement parisc speci
 openEuler评分：
  3.9
 Vector：CVSS：3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
 受影响版本排查(受影响/不受影响)：
  1.openEuler-24.03-LTS(6.6.0):受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP1(5.10.0):不受影响
4.openEuler-22.03-LTS-SP3(5.10.0):不受影响
5.openEuler-22.03-LTS-SP4(5.10.0):不受影响
6.master(6.1.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.1.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-1897

src-openEuler/kernel

内容风险标识

评论 (7)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2024-40918

评论 (7)

搜索帮助

src-openEuler/kernel