CVE-2024-49878

CVE Details

Release Date:

2024-10-21

Description

In the Linux kernel, the following vulnerability has been resolved:\nresource: fix region_intersects() vs add_memory_driver_managed()\nOn a system with CXL memory, the resource tree (/proc/iomem) related to\nCXL memory may look like something as follows.\n490000000-50fffffff : CXL Window 0\n490000000-50fffffff : region0\n490000000-50fffffff : dax0.0\n490000000-50fffffff : System RAM (kmem)\nBecause drivers/dax/kmem.c calls add_memory_driver_managed() during\nonlining CXL memory, which makes 'System RAM (kmem)' a descendant of 'CXL\nWindow X'. This confuses region_intersects(), which expects all 'System\nRAM' resources to be at the top level of iomem_resource. This can lead to\nbugs.\nFor example, when the following command line is executed to write some\nmemory in CXL memory range via /dev/mem,\n$ dd if=data of=/dev/mem bs=1024 seek=19136512 count=1\ndd: error writing '/dev/mem': Bad address\n1+0 records in\n0+0 records out\n0 bytes copied, 0.0283507 s, 0.0 kB/s\nthe command fails as expected. However, the error code is wrong. It\nshould be 'Operation not permitted' instead of 'Bad address'. More\nseriously, the /dev/mem permission checking in devmem_is_allowed() passes\nincorrectly. Although the accessing is prevented later because ioremap()\nisn't allowed to map system RAM, it is a potential security issue. During\ncommand executing, the following warning is reported in the kernel log for\ncalling ioremap() on system RAM.\nioremap on RAM at 0x0000000490000000 - 0x0000000490000fff\nWARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d\nCall Trace:\nmemremap+0xcb/0x184\nxlate_dev_mem_ptr+0x25/0x2f\nwrite_mem+0x94/0xfb\nvfs_write+0x128/0x26d\nksys_write+0xac/0xfe\ndo_syscall_64+0x9a/0xfd\nentry_SYSCALL_64_after_hwframe+0x4b/0x53\nThe details of command execution process are as follows. In the above\nresource tree, 'System RAM' is a descendant of 'CXL Window 0' instead of a\ntop level resource. So, region_intersects() will report no System RAM\nresources in the CXL memory region incorrectly, because it only checks the\ntop level resources. Consequently, devmem_is_allowed() will return 1\n(allow access via /dev/mem) for CXL memory region incorrectly. \nFortunately, ioremap() doesn't allow to map System RAM and reject the\naccess.\nSo, region_intersects() needs to be fixed to work correctly with the\nresource tree with 'System RAM' not at top level as above. To fix it, if\nwe found a unmatched resource in the top level, we will continue to search\nmatched resources in its descendant resources. So, we will not miss any\nmatched resources in resource tree anymore.\nIn the new implementation, an example resource tree\n|------------- 'CXL Window 0' ------------|\n|-- 'System RAM' --|\nwill behave similar as the following fake resource tree for\nregion_intersects(, IORESOURCE_SYSTEM_RAM, ),\n|-- 'System RAM' --||-- 'CXL Window 0a' --|\nWhere 'CXL Window 0a' is part of the original 'CXL Window 0' that\nisn't covered by 'System RAM'.

See more information about CVE-2024-49878 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	5.5
Vector String:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version:	3.1
Attack Vector:	Local
Attack Complexity:	Low
Privileges Required:	Low
User Interaction:	None
Scope:	Unchanged
Confidentiality:	None
Integrity:	None
Availability:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 7 (kernel-uek)	ELSA-2024-12884	2024-12-16
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12884	2024-12-16
Oracle Linux version 8 (kernel-uek)	ELSA-2024-12887	2024-12-18
Oracle Linux version 9 (kernel-uek)	ELSA-2024-12887	2024-12-18