CVE-2024-36906

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ARM: 9381/1: kasan: clear stale stack poison<br /> <br /> We found below OOB crash:<br /> <br /> [ 33.452494] ==================================================================<br /> [ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec<br /> [ 33.454660] Write of size 164 at addr c1d03d30 by task swapper/0/0<br /> [ 33.455515]<br /> [ 33.455767] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.1.25-mainline #1<br /> [ 33.456880] Hardware name: Generic DT based system<br /> [ 33.457555] unwind_backtrace from show_stack+0x18/0x1c<br /> [ 33.458326] show_stack from dump_stack_lvl+0x40/0x4c<br /> [ 33.459072] dump_stack_lvl from print_report+0x158/0x4a4<br /> [ 33.459863] print_report from kasan_report+0x9c/0x148<br /> [ 33.460616] kasan_report from kasan_check_range+0x94/0x1a0<br /> [ 33.461424] kasan_check_range from memset+0x20/0x3c<br /> [ 33.462157] memset from refresh_cpu_vm_stats.constprop.0+0xcc/0x2ec<br /> [ 33.463064] refresh_cpu_vm_stats.constprop.0 from tick_nohz_idle_stop_tick+0x180/0x53c<br /> [ 33.464181] tick_nohz_idle_stop_tick from do_idle+0x264/0x354<br /> [ 33.465029] do_idle from cpu_startup_entry+0x20/0x24<br /> [ 33.465769] cpu_startup_entry from rest_init+0xf0/0xf4<br /> [ 33.466528] rest_init from arch_post_acpi_subsys_init+0x0/0x18<br /> [ 33.467397]<br /> [ 33.467644] The buggy address belongs to stack of task swapper/0/0<br /> [ 33.468493] and is located at offset 112 in frame:<br /> [ 33.469172] refresh_cpu_vm_stats.constprop.0+0x0/0x2ec<br /> [ 33.469917]<br /> [ 33.470165] This frame has 2 objects:<br /> [ 33.470696] [32, 76) &amp;#39;global_zone_diff&amp;#39;<br /> [ 33.470729] [112, 276) &amp;#39;global_node_diff&amp;#39;<br /> [ 33.471294]<br /> [ 33.472095] The buggy address belongs to the physical page:<br /> [ 33.472862] page:3cd72da8 refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x41d03<br /> [ 33.473944] flags: 0x1000(reserved|zone=0)<br /> [ 33.474565] raw: 00001000 ed741470 ed741470 00000000 00000000 00000000 ffffffff 00000001<br /> [ 33.475656] raw: 00000000<br /> [ 33.476050] page dumped because: kasan: bad access detected<br /> [ 33.476816]<br /> [ 33.477061] Memory state around the buggy address:<br /> [ 33.477732] c1d03c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> [ 33.478630] c1d03c80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00<br /> [ 33.479526] &gt;c1d03d00: 00 04 f2 f2 f2 f2 00 00 00 00 00 00 f1 f1 f1 f1<br /> [ 33.480415] ^<br /> [ 33.481195] c1d03d80: 00 00 00 00 00 00 00 00 00 00 04 f3 f3 f3 f3 f3<br /> [ 33.482088] c1d03e00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00<br /> [ 33.482978] ==================================================================<br /> <br /> We find the root cause of this OOB is that arm does not clear stale stack<br /> poison in the case of cpuidle.<br /> <br /> This patch refer to arch/arm64/kernel/sleep.S to resolve this issue.<br /> <br /> From cited commit [1] that explain the problem<br /> <br /> Functions which the compiler has instrumented for KASAN place poison on<br /> the stack shadow upon entry and remove this poison prior to returning.<br /> <br /> In the case of cpuidle, CPUs exit the kernel a number of levels deep in<br /> C code. Any instrumented functions on this critical path will leave<br /> portions of the stack shadow poisoned.<br /> <br /> If CPUs lose context and return to the kernel via a cold path, we<br /> restore a prior context saved in __cpu_suspend_enter are forgotten, and<br /> we never remove the poison they placed in the stack shadow area by<br /> functions calls between this and the actual exit of the kernel.<br /> <br /> Thus, (depending on stackframe layout) subsequent calls to instrumented<br /> functions may hit this stale poison, resulting in (spurious) KASAN<br /> splats to the console.<br /> <br /> To avoid this, clear any stale poison from the idle thread for a CPU<br /> prior to bringing a CPU online.<br /> <br /> From cited commit [2]<br /> <br /> Extend to check for CONFIG_KASAN_STACK<br /> <br /> [1] commit 0d97e6d8024c ("arm64: kasan: clear stale stack poison")<br /> [2] commit d56a9ef84bd0 ("kasan, arm64: unpoison stack only with CONFIG_KASAN_STACK")