ghsa-hg7x-x4qq-cq6w
Vulnerability from github
Published
2024-04-03 18:30
Modified
2024-11-07 21:31
Details

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]

With default config, the value of NR_CPUS is 64. When HW platform has more then 64 cpus, system will crash on these platforms. MAX_CORE_PIC is the maximum cpu number in MADT table (max physical number) which can exceed the supported maximum cpu number (NR_CPUS, max logical number), but kernel should not crash. Kernel should boot cpus with NR_CPUS, let the remainder cpus stay in BIOS.

The potential crash reason is that the array acpi_core_pic[NR_CPUS] can be overflowed when parsing MADT table, and it is obvious that CORE_PIC should be corresponding to physical core rather than logical core, so it is better to define the array as acpi_core_pic[MAX_CORE_PIC].

With the patch, system can boot up 64 vcpus with qemu parameter -smp 128, otherwise system will crash with the following message.

[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192 [ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 [ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60 [ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8 [ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005 [ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001 [ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063 [ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98 [ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90 [ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330 [ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250 [ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94 [ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE) [ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 0.000000] ECFG: 00070800 (LIE=11 VS=7) [ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 0.000000] BADV: 0000420000004259 [ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) [ 0.000000] Modules linked in: [ 0.000000] Process swapper (pid: 0, threadinfo=(_ptrval), task=(_ptrval)) [ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec [ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60 [ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000 [ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c [ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08 [ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018 [ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000 [ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000 [ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94 [ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250 [ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c [ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670 [ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2024-26768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-03T17:15:52Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[    0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[    0.000000] Oops[#1]:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[    0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[    0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[    0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[    0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[    0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[    0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[    0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[    0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[    0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[    0.000000]    ra: 90000000037a46ec platform_init+0x214/0x250\n[    0.000000]   ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[    0.000000]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[    0.000000]  PRMD: 00000000 (PPLV0 -PIE -PWE)\n[    0.000000]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[    0.000000]  ECFG: 00070800 (LIE=11 VS=7)\n[    0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[    0.000000]  BADV: 0000420000004259\n[    0.000000]  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[    0.000000] Modules linked in:\n[    0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[    0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[    0.000000]         000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[    0.000000]         0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[    0.000000]         000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[    0.000000]         9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[    0.000000]         000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[    0.000000]         9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[    0.000000]         000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[    0.000000]         0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[    0.000000]         000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[    0.000000]         ...\n[    0.000000] Call Trace:\n[    0.000000] [\u003c90000000037a5f0c\u003e] efi_runtime_init+0x30/0x94\n[    0.000000] [\u003c90000000037a46ec\u003e] platform_init+0x214/0x250\n[    0.000000] [\u003c90000000037a484c\u003e] setup_arch+0x124/0x45c\n[    0.000000] [\u003c90000000037a0790\u003e] start_kernel+0x90/0x670\n[    0.000000] [\u003c900000000378b0d8\u003e] kernel_entry+0xd8/0xdc",
  "id": "GHSA-hg7x-x4qq-cq6w",
  "modified": "2024-11-07T21:31:37Z",
  "published": "2024-04-03T18:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26768"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.