cvelist/2024/49xxx/CVE-2024-49878.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-49878",
        "ASSIGNER": "cve@kernel.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nresource: fix region_intersects() vs add_memory_driver_managed()\n\nOn a system with CXL memory, the resource tree (/proc/iomem) related to\nCXL memory may look like something as follows.\n\n490000000-50fffffff : CXL Window 0\n  490000000-50fffffff : region0\n    490000000-50fffffff : dax0.0\n      490000000-50fffffff : System RAM (kmem)\n\nBecause drivers/dax/kmem.c calls add_memory_driver_managed() during\nonlining CXL memory, which makes \"System RAM (kmem)\" a descendant of \"CXL\nWindow X\".  This confuses region_intersects(), which expects all \"System\nRAM\" resources to be at the top level of iomem_resource.  This can lead to\nbugs.\n\nFor example, when the following command line is executed to write some\nmemory in CXL memory range via /dev/mem,\n\n $ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1\n dd: error writing '/dev/mem': Bad address\n 1+0 records in\n 0+0 records out\n 0 bytes copied, 0.0283507 s, 0.0 kB/s\n\nthe command fails as expected.  However, the error code is wrong.  It\nshould be \"Operation not permitted\" instead of \"Bad address\".  More\nseriously, the /dev/mem permission checking in devmem_is_allowed() passes\nincorrectly.  Although the accessing is prevented later because ioremap()\nisn't allowed to map system RAM, it is a potential security issue.  During\ncommand executing, the following warning is reported in the kernel log for\ncalling ioremap() on system RAM.\n\n ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff\n WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d\n Call Trace:\n  memremap+0xcb/0x184\n  xlate_dev_mem_ptr+0x25/0x2f\n  write_mem+0x94/0xfb\n  vfs_write+0x128/0x26d\n  ksys_write+0xac/0xfe\n  do_syscall_64+0x9a/0xfd\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nThe details of command execution process are as follows.  In the above\nresource tree, \"System RAM\" is a descendant of \"CXL Window 0\" instead of a\ntop level resource.  So, region_intersects() will report no System RAM\nresources in the CXL memory region incorrectly, because it only checks the\ntop level resources.  Consequently, devmem_is_allowed() will return 1\n(allow access via /dev/mem) for CXL memory region incorrectly. \nFortunately, ioremap() doesn't allow to map System RAM and reject the\naccess.\n\nSo, region_intersects() needs to be fixed to work correctly with the\nresource tree with \"System RAM\" not at top level as above.  To fix it, if\nwe found a unmatched resource in the top level, we will continue to search\nmatched resources in its descendant resources.  So, we will not miss any\nmatched resources in resource tree anymore.\n\nIn the new implementation, an example resource tree\n\n|------------- \"CXL Window 0\" ------------|\n|-- \"System RAM\" --|\n\nwill behave similar as the following fake resource tree for\nregion_intersects(, IORESOURCE_SYSTEM_RAM, ),\n\n|-- \"System RAM\" --||-- \"CXL Window 0a\" --|\n\nWhere \"CXL Window 0a\" is part of the original \"CXL Window 0\" that\nisn't covered by \"System RAM\"."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Linux",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Linux",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "c221c0b0308f",
                                            "version_value": "333fbaf6864a"
                                        },
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "version": "5.1",
                                                        "status": "affected"
                                                    },
                                                    {
                                                        "version": "0",
                                                        "lessThan": "5.1",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "5.4.285",
                                                        "lessThanOrEqual": "5.4.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "5.10.227",
                                                        "lessThanOrEqual": "5.10.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "5.15.168",
                                                        "lessThanOrEqual": "5.15.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.1.113",
                                                        "lessThanOrEqual": "6.1.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.6.55",
                                                        "lessThanOrEqual": "6.6.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.10.14",
                                                        "lessThanOrEqual": "6.10.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.11.3",
                                                        "lessThanOrEqual": "6.11.*",
                                                        "status": "unaffected",
                                                        "versionType": "semver"
                                                    },
                                                    {
                                                        "version": "6.12",
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "versionType": "original_commit_for_fix"
                                                    }
                                                ],
                                                "defaultStatus": "affected"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://git.kernel.org/stable/c/333fbaf6864a4ca031367eb947961a1f3484d337",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/333fbaf6864a4ca031367eb947961a1f3484d337"
            },
            {
                "url": "https://git.kernel.org/stable/c/1d5f85f1b7db79c75c9e07d6571ce2a7bdf725c4",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/1d5f85f1b7db79c75c9e07d6571ce2a7bdf725c4"
            },
            {
                "url": "https://git.kernel.org/stable/c/8a6fef7d22a1d952aed68584d3fcc0d018d2bdc3",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/8a6fef7d22a1d952aed68584d3fcc0d018d2bdc3"
            },
            {
                "url": "https://git.kernel.org/stable/c/4b90d2eb451b357681063ba4552b10b39d7ad885",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/4b90d2eb451b357681063ba4552b10b39d7ad885"
            },
            {
                "url": "https://git.kernel.org/stable/c/393331e16ce205e036e58b3d8ca4ee2e635f21d9",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/393331e16ce205e036e58b3d8ca4ee2e635f21d9"
            },
            {
                "url": "https://git.kernel.org/stable/c/06ff97a20b8c9e9d256b0d2c3e87f78f8ccea3de",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/06ff97a20b8c9e9d256b0d2c3e87f78f8ccea3de"
            },
            {
                "url": "https://git.kernel.org/stable/c/927abc5b7d6d2c2e936bec5a2f71d9512c5e72f7",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/927abc5b7d6d2c2e936bec5a2f71d9512c5e72f7"
            },
            {
                "url": "https://git.kernel.org/stable/c/b4afe4183ec77f230851ea139d91e5cf2644c68b",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/b4afe4183ec77f230851ea139d91e5cf2644c68b"
            }
        ]
    },
    "generator": {
        "engine": "bippy-8e903de6a542"
    }
}