CVE-2024-57999

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/02/2025
Last modified: 27/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW

Power Hypervisor can possibly allocate MMIO window intersecting with
Dynamic DMA Window (DDW) range, which is over 32-bit addressing.

These MMIO pages need to be marked as reserved so that IOMMU doesn't map
DMA buffers in this range.

The current code is not marking these pages correctly which is resulting
in LPAR to OOPS while booting. The stack is as below

BUG: Unable to handle kernel data access on read at 0xc00800005cd40000
Faulting instruction address: 0xc00000000005cdac
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod
Supported: Yes, External
CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b
Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries
Workqueue: events work_for_cpu_fn
NIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000
REGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default)
MSR: 800000000280b033 CR: 24228448 XER: 00000001
CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0
GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800
GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000
GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff
GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000
GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800
GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b
GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8
GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800
NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100
LR [c00000000005e830] iommu_init_table+0x80/0x1e0
Call Trace:
[c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)
[c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40
[c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230
[c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90
[c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80
[c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]
[c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110
[c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60
[c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620
[c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620
[c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150
[c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18

There are 2 issues in the code

1. The index is "int" while the address is "unsigned long". This results in
negative value when setting the bitmap.

2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit
address). MMIO address needs to be page shifted as well.
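The two issues listed above, shown in a simplified user-space C model. This is an added example, not the kernel's code or the upstream fix. The function names, the exclusive MMIO end and all sample addresses are constructed assumptions, and a 64-bit `unsigned long` is assumed.

```c
#include <limits.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, LP64 assumed. */
_Static_assert(sizeof(unsigned long) == 8, "needs 64-bit unsigned long");

#define PAGE_SHIFT    16   /* 64K pages, matching PAGE_SIZE=64K in the oops */
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
/* Constructed sample layout, not values taken from the advisory. */
#define DDW_START  (1UL << 43)                        /* window bus address */
#define DDW_PAGES  4096UL                             /* window length, pages */
#define IT_OFFSET  (DDW_START >> PAGE_SHIFT)          /* window start, pages */
#define MMIO_START (DDW_START + (16UL << PAGE_SHIFT)) /* hole: pages 16..23 */
#define MMIO_END   (DDW_START + (24UL << PAGE_SHIFT)) /* exclusive end */

/* Issues 1 and 2 together: a byte address minus a page-shifted offset,
 * stored in an int. Returns the bitmap index that arithmetic yields. */
long flawed_index(unsigned long mmio_addr, unsigned long it_offset)
{
    int i = (int)(mmio_addr - it_offset);  /* mixed units, then truncated */
    return i;
}

/* Corrected arithmetic: shift the MMIO range to pages, clamp it to the
 * window, index the bitmap with unsigned long. Returns pages reserved. */
unsigned long reserve_mmio(unsigned long *map, unsigned long it_offset,
        unsigned long it_pages, unsigned long mmio_start, unsigned long mmio_end)
{
    unsigned long first = mmio_start >> PAGE_SHIFT;
    unsigned long last = (mmio_end + (1UL << PAGE_SHIFT) - 1) >> PAGE_SHIFT;
    unsigned long n = 0;
    if (first < it_offset)
        first = it_offset;
    if (last > it_offset + it_pages)
        last = it_offset + it_pages;
    for (unsigned long p = first; p < last; p++, n++) {
        unsigned long bit = p - it_offset;
        map[bit / BITS_PER_LONG] |= 1UL << (bit % BITS_PER_LONG);
    }
    return n;
}

int bit_is_set(const unsigned long *map, unsigned long bit)
{
    return (int)((map[bit / BITS_PER_LONG] >> (bit % BITS_PER_LONG)) & 1UL);
}

int main(void)
{
    unsigned long map[DDW_PAGES / 64] = { 0 };
    printf("flawed index: %ld\n", flawed_index(MMIO_START, IT_OFFSET));
    printf("reserved pages: %lu\n",
           reserve_mmio(map, IT_OFFSET, DDW_PAGES, MMIO_START, MMIO_END));
    return 0;
}
```

The flawed index is only computed and returned, never used to write, so the model itself stays memory-safe.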

Impact