CVE-2024-47716

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/10/2024
Last modified:
24/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros

Floating point instructions in userspace can crash some arm kernels
built with clang/LLD 17.0.6:

BUG: unsupported FP instruction in kernel mode
FPEXC == 0xc0000780
Internal error: Oops - undefined instruction: 0 [#1] ARM
CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1
Hardware name: BCM2835
PC is at vfp_support_entry+0xc8/0x2cc
LR is at do_undefinstr+0xa8/0x250
pc : [] lr : [] psr: a0000013
sp : dc8d1f68 ip : 60000013 fp : bedea19c
r10: ec532b17 r9 : 00000010 r8 : 0044766c
r7 : c0000780 r6 : ec532b17 r5 : c1c13800 r4 : dc8d1fb0
r3 : c10072c4 r2 : c0101c88 r1 : ec532b17 r0 : 0044766c
Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 00c5387d Table: 0251c008 DAC: 00000051
Register r0 information: non-paged memory
Register r1 information: vmalloc memory
Register r2 information: non-slab/vmalloc memory
Register r3 information: non-slab/vmalloc memory
Register r4 information: 2-page vmalloc region
Register r5 information: slab kmalloc-cg-2k
Register r6 information: vmalloc memory
Register r7 information: non-slab/vmalloc memory
Register r8 information: non-paged memory
Register r9 information: zero-size pointer
Register r10 information: vmalloc memory
Register r11 information: non-paged memory
Register r12 information: non-paged memory
Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b)
Stack: (0xdc8d1f68 to 0xdc8d2000)
1f60: 0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0
1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010
1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188
1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000
Call trace:
[] (vfp_support_entry) from [] (do_undefinstr+0xa8/0x250)
[] (do_undefinstr) from [] (__und_usr+0x70/0x80)
Exception stack(0xdc8d1fb0 to 0xdc8d1ff8)
1fa0: b6f68af8 00448fc0 00000000 bedea188
1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c
1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff
Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception in interrupt
---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

This is a minimal userspace reproducer on a Raspberry Pi Zero W:

#include <stdio.h>
#include <math.h>

int main(void)
{
	double v = 1.0;
	/* The volatile load keeps the compiler from folding the addition,
	 * so a real VFP instruction executes and traps into the kernel. */
	printf("%f\n", NAN + *(volatile double *)&v);
	return 0;
}

Another way to consistently trigger the oops is:

calvin@raspberry-pi-zero-w ~$ python -c "import json"

The bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n,
because the pr_debug() calls act as barriers even when not activated.

This is the output from the same kernel source built with the same
compiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as
expected:

VFP: bounce: trigger ec532b17 fpexc c0000780
VFP: emulate: INST=0xee377b06 SCR=0x00000000
VFP: bounce: trigger eef1fa10 fpexc c0000780
VFP: emulate: INST=0xeeb40b40 SCR=0x00000000
VFP: raising exceptions 30000000

calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer
nan

Crudely grepping for vmsr/vmrs instructions in the otherwise nearly
identical text for vfp_support_entry() makes the problem obvious:

vmlinux.llvm.good [0xc0101cb8] : vmrs r7, fpexc
vmlinux.llvm.good [0xc0101cd8] : vmsr fpexc, r0
vmlinux.llvm.good [0xc0101d20
---truncated---

Vulnerable products and versions

CPE                                            From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.6 (including)   6.6.54 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)   6.10.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.11 (including)  6.11.2 (excluding)