Bug 2297558 (CVE-2024-40974) - CVE-2024-40974 kernel: powerpc/pseries: Enforce hcall result buffer validity and size
Summary: CVE-2024-40974 kernel: powerpc/pseries: Enforce hcall result buffer validity ...
Keywords:
Status: NEW
Alias: CVE-2024-40974
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-12 13:44 UTC by OSIDB Bzimport
Modified: 2024-09-23 02:38 UTC (History)

Fixed In Version: kernel 4.19.317, kernel 5.4.279, kernel 5.10.221, kernel 5.15.162, kernel 6.1.96, kernel 6.6.36, kernel 6.9.7, kernel 6.10-rc1
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:5117 0 None None None 2024-08-08 08:35:50 UTC
Red Hat Product Errata RHBA-2024:5207 0 None None None 2024-08-12 07:54:55 UTC
Red Hat Product Errata RHBA-2024:5208 0 None None None 2024-08-12 08:34:13 UTC
Red Hat Product Errata RHBA-2024:5233 0 None None None 2024-08-12 13:53:39 UTC
Red Hat Product Errata RHBA-2024:5235 0 None None None 2024-08-12 14:26:26 UTC
Red Hat Product Errata RHBA-2024:5236 0 None None None 2024-08-12 14:42:35 UTC
Red Hat Product Errata RHBA-2024:5237 0 None None None 2024-08-12 14:45:53 UTC
Red Hat Product Errata RHBA-2024:5386 0 None None None 2024-08-14 10:50:13 UTC
Red Hat Product Errata RHBA-2024:5866 0 None None None 2024-08-26 14:40:50 UTC
Red Hat Product Errata RHSA-2024:5101 0 None None None 2024-08-08 04:59:07 UTC

Description OSIDB Bzimport 2024-07-12 13:44:04 UTC
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries: Enforce hcall result buffer validity and size

plpar_hcall(), plpar_hcall9(), and related functions expect callers to
provide valid result buffers of certain minimum size. Currently this
is communicated only through comments in the code and the compiler has
no idea.

For example, if I write a bug like this:

  long retbuf[PLPAR_HCALL_BUFSIZE]; // should be PLPAR_HCALL9_BUFSIZE
  plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf, ...);

This compiles with no diagnostics emitted, but likely results in stack
corruption at runtime when plpar_hcall9() stores results past the end
of the array. (To be clear this is a contrived example and I have not
found a real instance yet.)

To make this class of error less likely, we can use explicitly-sized
array parameters instead of pointers in the declarations for the hcall
APIs. When compiled with -Warray-bounds[1], the code above now
provokes a diagnostic like this:

error: array argument is too small;
is of size 32, callee requires at least 72 [-Werror,-Warray-bounds]
   60 |                 plpar_hcall9(H_ALLOCATE_VAS_WINDOW, retbuf,
      |                 ^                                   ~~~~~~

[1] Enabled for LLVM builds but not GCC for now. See commit
    0da6e5fd6c37 ("gcc: disable '-Warray-bounds' for gcc-13 too") and
    related changes.
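The declaration change the commit describes, as an added C example that is not the kernel's code: the hcall functions and the hypervisor mock below are constructed stand-ins, and the `[static N]` parameter form is this example's choice of "explicitly-sized array parameter"; the buffer sizes (4 and 9 longs) are taken from the 32- and 72-byte figures in the diagnostic above.

```c
#include <stddef.h>

/* Constructed sizes matching the diagnostic above on a 64-bit build:
 * 4 longs = 32 bytes (PLPAR_HCALL_BUFSIZE), 9 longs = 72 bytes (PLPAR_HCALL9_BUFSIZE). */
#define PLPAR_HCALL_BUFSIZE  4
#define PLPAR_HCALL9_BUFSIZE 9

/* Constructed stand-in for the hypervisor: an hcall returns n result words. */
static void mock_hypervisor_fill(unsigned long opcode, unsigned long *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = opcode ^ (unsigned long)(i + 1);
}

/* BEFORE: pointer parameter. The required minimum size lives only in a
 * comment, so a caller passing a PLPAR_HCALL_BUFSIZE array compiles cleanly
 * and the nine stores below overrun it on the stack at runtime. */
long plpar_hcall9_before(unsigned long opcode, unsigned long *retbuf)
{
    mock_hypervisor_fill(opcode, retbuf, PLPAR_HCALL9_BUFSIZE); /* 9 stores */
    return 0;
}

/* AFTER: explicitly sized array parameter. The minimum is now part of the
 * prototype, so with -Warray-bounds (clang) an undersized caller array is
 * rejected at compile time:
 *   error: array argument is too small; is of size 32, callee requires at least 72 */
long plpar_hcall9_after(unsigned long opcode,
                        unsigned long retbuf[static PLPAR_HCALL9_BUFSIZE])
{
    mock_hypervisor_fill(opcode, retbuf, PLPAR_HCALL9_BUFSIZE);
    return 0;
}

/* A correctly sized caller: every result word lands inside the array.
 * Returns the sum of the nine words, or 0 if the hcall fails. */
unsigned long sum_hcall9_results(unsigned long opcode)
{
    unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0}; /* not PLPAR_HCALL_BUFSIZE */
    unsigned long sum = 0;

    if (plpar_hcall9_after(opcode, retbuf) != 0)
        return 0;
    for (size_t i = 0; i < PLPAR_HCALL9_BUFSIZE; i++)
        sum += retbuf[i];
    return sum;
}
```

Compile with `clang -Warray-bounds -Werror` and change the caller's array to `PLPAR_HCALL_BUFSIZE` to see the diagnostic; the same change against `plpar_hcall9_before()` builds silently.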

Comment 11 errata-xmlrpc 2024-08-08 04:59:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5101 https://access.redhat.com/errata/RHSA-2024:5101

