CVE-2024-50303

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/11/2024
Last modified:
27/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

resource,kexec: walk_system_ram_res_rev must retain resource flags

walk_system_ram_res_rev() erroneously discards resource flags when passing the information to the callback.

This causes systems with IORESOURCE_SYSRAM_DRIVER_MANAGED memory to have these resources selected during kexec to store kexec buffers if that memory happens to be placed above normal system ram.

This leads to undefined behavior after reboot. If the kexec buffer is never touched, nothing happens. If the kexec buffer is touched, it could lead to a crash (like below) or undefined behavior.

Tested on a system with CXL memory expanders with driver managed memory, TPM enabled, and CONFIG_IMA_KEXEC=y. Adding printk's showed the flags were being discarded and as a result the check for IORESOURCE_SYSRAM_DRIVER_MANAGED passes.

find_next_iomem_res: name(System RAM (kmem))
start(10000000000)
end(1034fffffff)
flags(83000200)

locate_mem_hole_top_down: start(10000000000) end(1034fffffff) flags(0)

[.] BUG: unable to handle page fault for address: ffff89834ffff000
[.] #PF: supervisor read access in kernel mode
[.] #PF: error_code(0x0000) - not-present page
[.] PGD c04c8bf067 P4D c04c8bf067 PUD c04c8be067 PMD 0
[.] Oops: 0000 [#1] SMP
[.] RIP: 0010:ima_restore_measurement_list+0x95/0x4b0
[.] RSP: 0018:ffffc900000d3a80 EFLAGS: 00010286
[.] RAX: 0000000000001000 RBX: 0000000000000000 RCX: ffff89834ffff000
[.] RDX: 0000000000000018 RSI: ffff89834ffff000 RDI: ffff89834ffff018
[.] RBP: ffffc900000d3ba0 R08: 0000000000000020 R09: ffff888132b8a900
[.] R10: 4000000000000000 R11: 000000003a616d69 R12: 0000000000000000
[.] R13: ffffffff8404ac28 R14: 0000000000000000 R15: ffff89834ffff000
[.] FS: 0000000000000000(0000) GS:ffff893d44640000(0000) knlGS:0000000000000000
[.] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[.] ata5: SATA link down (SStatus 0 SControl 300)
[.] CR2: ffff89834ffff000 CR3: 000001034d00f001 CR4: 0000000000770ef0
[.] PKRU: 55555554
[.] Call Trace:
[.]
[.] ? __die+0x78/0xc0
[.] ? page_fault_oops+0x2a8/0x3a0
[.] ? exc_page_fault+0x84/0x130
[.] ? asm_exc_page_fault+0x22/0x30
[.] ? ima_restore_measurement_list+0x95/0x4b0
[.] ? template_desc_init_fields+0x317/0x410
[.] ? crypto_alloc_tfm_node+0x9c/0xc0
[.] ? init_ima_lsm+0x30/0x30
[.] ima_load_kexec_buffer+0x72/0xa0
[.] ima_init+0x44/0xa0
[.] __initstub__kmod_ima__373_1201_init_ima7+0x1e/0xb0
[.] ? init_ima_lsm+0x30/0x30
[.] do_one_initcall+0xad/0x200
[.] ? idr_alloc_cyclic+0xaa/0x110
[.] ? new_slab+0x12c/0x420
[.] ? new_slab+0x12c/0x420
[.] ? number+0x12a/0x430
[.] ? sysvec_apic_timer_interrupt+0xa/0x80
[.] ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[.] ? parse_args+0xd4/0x380
[.] ? parse_args+0x14b/0x380
[.] kernel_init_freeable+0x1c1/0x2b0
[.] ? rest_init+0xb0/0xb0
[.] kernel_init+0x16/0x1a0
[.] ret_from_fork+0x2f/0x40
[.] ? rest_init+0xb0/0xb0
[.] ret_from_fork_asm+0x11/0x20
[.]
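To make the failure mode in the description concrete, the following user-space C model (an added example, not the kernel's code and not the upstream fix) walks a constructed system-RAM map top-down and hands each entry to a callback that, like the kexec hole locator, refuses IORESOURCE_SYSRAM_DRIVER_MANAGED regions. When the walker zeroes the flags before calling back (the behaviour the advisory describes), the driver-managed "System RAM (kmem)" region is chosen for the kexec buffer; when the flags are retained, normal RAM is chosen. The function names walk_system_ram_rev_model, locate_hole_cb and choose_kexec_buffer are hypothetical; the flag constants are taken from include/linux/ioport.h as this editor knows them (assumption, not from the advisory) and decode the printed value 83000200 as BUSY | DRIVER_MANAGED | SYSRAM | MEM.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Flag values as in include/linux/ioport.h (assumption: copied from the
 * kernel header as known to this editor, not stated in the advisory). */
#define IORESOURCE_MEM                    0x00000200UL
#define IORESOURCE_SYSRAM                 0x01000000UL
#define IORESOURCE_SYSRAM_DRIVER_MANAGED  0x02000000UL
#define IORESOURCE_BUSY                   0x80000000UL

struct resource {
    uint64_t start, end;
    unsigned long flags;
    const char *name;
};

/* Constructed system map: normal RAM, plus a driver-managed (kmem) region
 * above it using the addresses and flags printed in the advisory. */
static const struct resource SYSTEM_RAM[] = {
    { 0x100000000ULL,   0xfffffffffULL,
      IORESOURCE_BUSY | IORESOURCE_SYSRAM | IORESOURCE_MEM, "System RAM" },
    { 0x10000000000ULL, 0x1034fffffffULL,
      IORESOURCE_BUSY | IORESOURCE_SYSRAM | IORESOURCE_SYSRAM_DRIVER_MANAGED
      | IORESOURCE_MEM, "System RAM (kmem)" },
};

typedef int (*res_cb)(struct resource *, void *);

/* Reverse walk modelled on walk_system_ram_res_rev(): highest region first,
 * callback gets a copy of each entry. retain_flags=false reproduces the
 * defect (flags dropped, callback sees flags(0)); true is the fixed walk. */
static int walk_system_ram_rev_model(bool retain_flags, res_cb cb, void *arg)
{
    size_t n = sizeof(SYSTEM_RAM) / sizeof(SYSTEM_RAM[0]);
    for (size_t i = n; i-- > 0; ) {
        struct resource res = {
            .start = SYSTEM_RAM[i].start,
            .end   = SYSTEM_RAM[i].end,
            .flags = retain_flags ? SYSTEM_RAM[i].flags : 0,
            .name  = SYSTEM_RAM[i].name,
        };
        int ret = cb(&res, arg);
        if (ret)
            return ret;   /* non-zero stops the walk, as in the kernel */
    }
    return 0;
}

struct hole { uint64_t size; uint64_t chosen_start; bool found; };

/* Callback modelled on the kexec hole locator: skip driver-managed memory,
 * otherwise take the first (highest) region large enough for the buffer. */
static int locate_hole_cb(struct resource *res, void *arg)
{
    struct hole *h = arg;
    if (res->flags & IORESOURCE_SYSRAM_DRIVER_MANAGED)
        return 0;                        /* keep walking */
    if (res->end - res->start + 1 < h->size)
        return 0;
    h->chosen_start = res->start;
    h->found = true;
    return 1;                            /* stop walking */
}

/* Start address of the region chosen for a kexec buffer, or 0 if none. */
uint64_t choose_kexec_buffer(bool retain_flags, uint64_t size)
{
    struct hole h = { .size = size, .chosen_start = 0, .found = false };
    walk_system_ram_rev_model(retain_flags, locate_hole_cb, &h);
    return h.found ? h.chosen_start : 0;
}

int main(void)
{
    printf("flags dropped : buffer placed at 0x%llx\n",
           (unsigned long long)choose_kexec_buffer(false, 0x1000));
    printf("flags retained: buffer placed at 0x%llx\n",
           (unsigned long long)choose_kexec_buffer(true, 0x1000));
    return 0;
}
```

With the flags dropped the model places the buffer at 0x10000000000, inside the driver-managed region, which is exactly what the printed locate_mem_hole_top_down line with flags(0) shows; with the flags retained it places it at 0x100000000 in normal RAM. On a real system the practical check is the same one the author used: confirm that the flags reaching the callback are non-zero for driver-managed regions, and that kexec buffers land in plain System RAM.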

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.8 (including) 6.11.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*