CVE-2024-54031

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext<br /> <br /> Access to genmask field in struct nft_set_ext results in unaligned<br /> atomic read:<br /> <br /> [ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c<br /> [ 72.131036] Mem abort info:<br /> [ 72.131213] ESR = 0x0000000096000021<br /> [ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 72.132209] SET = 0, FnV = 0<br /> [ 72.133216] EA = 0, S1PTW = 0<br /> [ 72.134080] FSC = 0x21: alignment fault<br /> [ 72.135593] Data abort info:<br /> [ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000<br /> [ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000<br /> [ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,<br /> +pte=0068000102bb7707<br /> [ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP<br /> [...]<br /> [ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2<br /> [ 72.170509] Tainted: [E]=UNSIGNED_MODULE<br /> [ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023<br /> [ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]<br /> [ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)<br /> [ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]<br /> [ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]<br /> [ 72.172546] sp : ffff800081f2bce0<br /> [ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038<br /> [ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78<br /> [ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78<br /> [ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000<br /> [ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978<br /> [ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0<br /> [ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000<br /> [ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000<br /> [ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000<br /> [ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004<br /> [ 72.176207] Call trace:<br /> [ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)<br /> [ 72.176653] process_one_work+0x178/0x3d0<br /> [ 72.176831] worker_thread+0x200/0x3f0<br /> [ 72.176995] kthread+0xe8/0xf8<br /> [ 72.177130] ret_from_fork+0x10/0x20<br /> [ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)<br /> [ 72.177557] ---[ end trace 0000000000000000 ]---<br /> <br /> Align struct nft_set_ext to word size to address this and<br /> documentation it.<br /> <br /> pahole reports that this increases the size of elements for rhash and<br /> pipapo in 8 bytes on x86_64.