CVE-2022-49851

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> riscv: fix reserved memory setup<br /> <br /> Currently, RISC-V sets up reserved memory using the "early" copy of the<br /> device tree. As a result, when trying to get a reserved memory region<br /> using of_reserved_mem_lookup(), the pointer to reserved memory regions<br /> is using the early, pre-virtual-memory address which causes a kernel<br /> panic when trying to use the buffer&amp;#39;s name:<br /> <br /> Unable to handle kernel paging request at virtual address 00000000401c31ac<br /> Oops [#1]<br /> Modules linked in:<br /> CPU: 0 PID: 0 Comm: swapper Not tainted 6.0.0-rc1-00001-g0d9d6953d834 #1<br /> Hardware name: Microchip PolarFire-SoC Icicle Kit (DT)<br /> epc : string+0x4a/0xea<br /> ra : vsnprintf+0x1e4/0x336<br /> epc : ffffffff80335ea0 ra : ffffffff80338936 sp : ffffffff81203be0<br /> gp : ffffffff812e0a98 tp : ffffffff8120de40 t0 : 0000000000000000<br /> t1 : ffffffff81203e28 t2 : 7265736572203a46 s0 : ffffffff81203c20<br /> s1 : ffffffff81203e28 a0 : ffffffff81203d22 a1 : 0000000000000000<br /> a2 : ffffffff81203d08 a3 : 0000000081203d21 a4 : ffffffffffffffff<br /> a5 : 00000000401c31ac a6 : ffff0a00ffffff04 a7 : ffffffffffffffff<br /> s2 : ffffffff81203d08 s3 : ffffffff81203d00 s4 : 0000000000000008<br /> s5 : ffffffff000000ff s6 : 0000000000ffffff s7 : 00000000ffffff00<br /> s8 : ffffffff80d9821a s9 : ffffffff81203d22 s10: 0000000000000002<br /> s11: ffffffff80d9821c t3 : ffffffff812f3617 t4 : ffffffff812f3617<br /> t5 : ffffffff812f3618 t6 : ffffffff81203d08<br /> status: 0000000200000100 badaddr: 00000000401c31ac cause: 000000000000000d<br /> [] vsnprintf+0x1e4/0x336<br /> [] vprintk_store+0xf6/0x344<br /> [] vprintk_emit+0x56/0x192<br /> [] vprintk_default+0x16/0x1e<br /> [] vprintk+0x72/0x80<br /> [] _printk+0x36/0x50<br /> [] print_reserved_mem+0x1c/0x24<br /> [] paging_init+0x528/0x5bc<br /> [] setup_arch+0xd0/0x592<br /> [] start_kernel+0x82/0x73c<br /> <br /> early_init_fdt_scan_reserved_mem() takes no arguments as it operates on<br /> initial_boot_params, which is populated by early_init_dt_verify(). On<br /> RISC-V, early_init_dt_verify() is called twice. Once, directly, in<br /> setup_arch() if CONFIG_BUILTIN_DTB is not enabled and once indirectly,<br /> very early in the boot process, by parse_dtb() when it calls<br /> early_init_dt_scan_nodes().<br /> <br /> This first call uses dtb_early_va to set initial_boot_params, which is<br /> not usable later in the boot process when<br /> early_init_fdt_scan_reserved_mem() is called. On arm64 for example, the<br /> corresponding call to early_init_dt_scan_nodes() uses fixmap addresses<br /> and doesn&amp;#39;t suffer the same fate.<br /> <br /> Move early_init_fdt_scan_reserved_mem() further along the boot sequence,<br /> after the direct call to early_init_dt_verify() in setup_arch() so that<br /> the names use the correct virtual memory addresses. The above supposed<br /> that CONFIG_BUILTIN_DTB was not set, but should work equally in the case<br /> where it is - unflatted_and_copy_device_tree() also updates<br /> initial_boot_params.