Bug 2312077 (CVE-2024-46689) - CVE-2024-46689 kernel: soc: qcom: cmd-db: Map shared memory as WC, not WB
Summary: CVE-2024-46689 kernel: soc: qcom: cmd-db: Map shared memory as WC, not WB
Keywords:
Status: NEW
Alias: CVE-2024-46689
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2312207
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-09-13 06:21 UTC by OSIDB Bzimport
Modified: 2024-09-13 14:46 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-09-13 06:21:14 UTC 
In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: cmd-db: Map shared memory as WC, not WB

Linux does not write into cmd-db region. This region of memory is write
protected by XPU. XPU may sometime falsely detect clean cache eviction
as "write" into the write protected region leading to secure interrupt
which causes an endless loop somewhere in Trust Zone.

The only reason it is working right now is because Qualcomm Hypervisor
maps the same region as Non-Cacheable memory in Stage 2 translation
tables. The issue manifests if we want to use another hypervisor (like
Xen or KVM), which does not know anything about those specific mappings.

Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC
removes dependency on correct mappings in Stage 2 tables. This patch
fixes the issue by updating the mapping to MEMREMAP_WC.

I tested this on SA8155P with Xen.
Comment 1 Michal Findra 2024-09-13 14:37:39 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024091339-CVE-2024-46689-4c19@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.