CVE-2024-57999
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/02/2025
Last modified: 27/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW

Power Hypervisor can possibly allocate an MMIO window intersecting with the
Dynamic DMA Window (DDW) range, which is over 32-bit addressing.

These MMIO pages need to be marked as reserved so that the IOMMU doesn't map
DMA buffers in this range.

The current code is not marking these pages correctly, which results in the
LPAR OOPSing while booting. The stack is below:

BUG: Unable to handle kernel data access on read at 0xc00800005cd40000
Faulting instruction address: 0xc00000000005cdac
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod
Supported: Yes, External
CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b
Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries
Workqueue: events work_for_cpu_fn
NIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000
REGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default)
MSR: 800000000280b033 CR: 24228448 XER: 00000001
CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0
GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800
GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000
GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff
GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000
GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800
GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b
GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8
GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800
NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100
LR [c00000000005e830] iommu_init_table+0x80/0x1e0
Call Trace:
[c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)
[c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40
[c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230
[c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90
[c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80
[c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]
[c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110
[c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60
[c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620
[c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620
[c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150
[c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18

There are 2 issues in the code:

1. The index is "int" while the address is "unsigned long". This results in a
negative value when setting the bitmap.

2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit
address). The MMIO address needs to be page shifted as well.
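The two defects above are a width mismatch (a 64-bit page index or address stored in an int) and a unit mismatch (a byte address compared against a page-shifted window). The model below is an added illustration, not the kernel's code or its fix: it keeps a small DDW-style table whose reservation bitmap is indexed in pages, converts an MMIO byte range to page indices before marking it, keeps every index in unsigned long, and clamps the range to the window so a hypervisor-chosen MMIO window that partly overlaps the DDW cannot push a bit index outside the bitmap. PAGE_SHIFT of 16 (64K pages, as in the oops header), the struct and function names, and the address layout in main are all assumptions constructed for this example.

```c
/* Model of reserved-page marking for a Dynamic DMA Window (DDW).
 * Constructed example for illustration; not the kernel's code. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SHIFT 16UL                 /* assumption: 64K pages, as in the oops header */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

struct ddw_table {
    unsigned long it_offset;   /* first page index covered by the window */
    unsigned long it_size;     /* number of pages in the window */
    unsigned char *it_map;     /* one bit per page: 1 = reserved, never mapped for DMA */
};

static void set_bit_in_map(unsigned long bit, unsigned char *map)
{
    map[bit / 8] |= (unsigned char)(1u << (bit % 8));
}

int test_bit_in_map(unsigned long bit, const unsigned char *map)
{
    return (map[bit / 8] >> (bit % 8)) & 1;
}

/* Issue 1: an int cannot hold a 64-bit index, let alone an unshifted address.
 * Returns 1 when idx is representable as int, 0 when it would wrap negative. */
int index_fits_int(unsigned long idx)
{
    return idx <= (unsigned long)INT_MAX;
}

/* Issue 2: the table works in page indices, so the MMIO byte address must be
 * shifted the same way the DMA offset is before it is used against the window. */
unsigned long addr_to_page(unsigned long addr)
{
    return addr >> PAGE_SHIFT;
}

/* Mark pages [start_pg, end_pg) as reserved, clamped to the window so the bitmap
 * index can never run past it_size. Returns pages marked, or -1 on an inverted range. */
long reserve_pages(struct ddw_table *tbl, unsigned long start_pg, unsigned long end_pg)
{
    unsigned long win_end = tbl->it_offset + tbl->it_size;
    unsigned long i;

    if (end_pg < start_pg)
        return -1;
    if (end_pg <= tbl->it_offset || start_pg >= win_end)
        return 0;                      /* no overlap with the DDW: nothing to reserve */
    if (start_pg < tbl->it_offset)
        start_pg = tbl->it_offset;
    if (end_pg > win_end)
        end_pg = win_end;
    for (i = start_pg; i < end_pg; i++)
        set_bit_in_map(i - tbl->it_offset, tbl->it_map);
    return (long)(end_pg - start_pg);
}

/* Reserve the MMIO byte range [mmio_start, mmio_end): shift to pages first. */
long reserve_mmio(struct ddw_table *tbl, unsigned long mmio_start, unsigned long mmio_end)
{
    unsigned long s = addr_to_page(mmio_start);
    unsigned long e = addr_to_page(mmio_end + PAGE_SIZE - 1);   /* round a partial page up */
    return reserve_pages(tbl, s, e);
}

struct ddw_table *make_table(unsigned long base_addr, unsigned long size_bytes)
{
    struct ddw_table *tbl = calloc(1, sizeof *tbl);
    if (!tbl)
        return NULL;
    tbl->it_offset = addr_to_page(base_addr);
    tbl->it_size   = size_bytes >> PAGE_SHIFT;
    tbl->it_map    = calloc((tbl->it_size + 7) / 8, 1);
    return tbl;
}

int main(void)
{
    /* Constructed layout: 1 GiB DDW above the 32-bit space at 0x8_8000_0000,
     * with a 16 MiB MMIO window placed inside it by the hypervisor. */
    unsigned long ddw_base = 0x880000000UL, ddw_size = 1UL << 30;
    unsigned long mmio_start = 0x890000000UL, mmio_end = mmio_start + (16UL << 20);
    struct ddw_table *tbl = make_table(ddw_base, ddw_size);
    long n = reserve_mmio(tbl, mmio_start, mmio_end);

    printf("reserved %ld pages\n", n);
    printf("unshifted MMIO start fits int: %d, page index fits int: %d\n",
           index_fits_int(mmio_start), index_fits_int(addr_to_page(mmio_start)));
    free(tbl->it_map);
    free(tbl);
    return 0;
}
```

With the constructed layout, the 16 MiB MMIO range becomes exactly 256 reserved 64K pages, the first page before it stays mappable, and `index_fits_int` shows why the unshifted 64-bit address would have gone negative in an int while the shifted page index is small enough to index the bitmap.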