Release Date: 2024-04-02
In the Linux kernel, the following vulnerability has been resolved:

arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD

Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't
quite right, as it is supposed to be applied after the last explicit
memory access, but is immediately followed by an LDR.

The ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to
handle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,
which are described in:

* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en
* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en

In both cases the workaround is described as:

| If pagetable isolation is disabled, the context switch logic in the
| kernel can be updated to execute the following sequence on affected
| cores before exiting to EL0, and after all explicit memory accesses:
|
| 1. A non-shareable TLBI to any context and/or address, including
| unused contexts or addresses, such as a `TLBI VALE1 Xzr`.
|
| 2. A DSB NSH to guarantee completion of the TLBI.

The important part being that the TLBI+DSB must be placed 'after all
explicit memory accesses'.

Unfortunately, as-implemented, the TLBI+DSB is immediately followed by
an LDR, as we have:

| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
|     tlbi    vale1, xzr
|     dsb     nsh
| alternative_else_nop_endif
| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0
|     ldr     lr, [sp, #S_LR]
|     add     sp, sp, #PT_REGS_SIZE       // restore sp
|     eret
| alternative_else_nop_endif
|
| [ ... KPTI exception return path ... ]

This patch fixes this by reworking the logic to place the TLBI+DSB
immediately before the ERET, after all explicit memory accesses.

The ERET is currently in a separate alternative block, and alternatives
cannot be nested. To account for this, the alternative block for
ARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch
to skip the KPTI logic, with the new shape of the logic being:

| alternative_insn 'b .L_skip_tramp_exit_\@', nop, ARM64_UNMAP_KERNEL_AT_EL0
| [ ... KPTI exception return path ... ]
| .L_skip_tramp_exit_\@:
|
|     ldr     lr, [sp, #S_LR]
|     add     sp, sp, #PT_REGS_SIZE       // restore sp
|
| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD
|     tlbi    vale1, xzr
|     dsb     nsh
| alternative_else_nop_endif
|     eret

The new structure means that the workaround is only applied when KPTI is
not in use; this is fine as noted in the documented implications of the
erratum:

| Pagetable isolation between EL0 and higher level ELs prevents the
| issue from occurring.

... and as per the workaround description quoted above, the workaround
is only necessary 'If pagetable isolation is disabled'.
See more information about CVE-2024-26670 in the MITRE CVE dictionary and the NIST NVD.
NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.
| Metric | Value |
|---|---|
| Base Score | 4.4 |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Oracle Linux version 9 (kernel) | ELSA-2024-9315 | 2024-11-14 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: