CVE-2024-26989

In the Linux kernel, the following vulnerability has been resolved:

arm64: hibernate: Fix level3 translation fault in swsusp_save()

On arm64 machines, swsuspsave() faults if it attempts to access MEMBLOCKNOMAP memory ranges. This can be reproduced in QEMU using UEFI when booting with rodata=off debugpagealloc=off and CONFIGKFENCE=n:

Unable to handle kernel paging request at virtual address ffffff8000000000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000 [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: xtmultiport iptREJECT nfrejectipv4 xtconntrack nfconntrack nfdefragipv6 nfdefragipv4 libcrc32c iptablefilter bpfilter rfkill at803x sndhdacodechdmi sndhdaintel sndinteldspcfg dwmacgeneric stmmacplatform sndhdacodec stmmac joydev pcsxpcs sndhdacore phylink ppdev lp parport ramoops reedsolomon iptables xtables nlsiso88591 vfat multipath linear amdgpu amdxcp drmexec gpusched drmbuddy hidgeneric usbhid hid radeon video drmsuballochelper drmttmhelper ttm i2calgobit drmdisplayhelper cec drmkmshelper drm CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76 Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0 Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021 pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : swsuspsave+0x280/0x538 lr : swsuspsave+0x280/0x538 sp : ffffffa034a3fa40 x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000 x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000 x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2 x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000 x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666 x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0 x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001 x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e Call trace: swsuspsave+0x280/0x538 swsusparchsuspend+0x148/0x190 hibernationsnapshot+0x240/0x39c hibernate+0xc4/0x378 statestore+0xf0/0x10c kobjattr_store+0x14/0x24

The reason is swsuspsave() -> copydatapages() -> pageissaveable() -> kernelpagepresent() assuming that a page is always present when cansetdirectmap() is false (all of rodatafull, debugpageallocenabled() and arm64kfencecansetdirectmap() false), irrespective of the MEMBLOCKNOMAP ranges. Such MEMBLOCKNOMAP regions should not be saved during hibernation.

This problem was introduced by changes to the pfnvalid() logic in commit a7d9f306ba70 ("arm64: drop pfnvalidwithin() and simplify pfnvalid()").

Similar to other architectures, drop the !cansetdirectmap() check in kernelpagepresent() so that pageis_savable() skips such pages.

[catalin.marinas@arm.com: rework commit message]