@pvts-mat pvts-mat commented Oct 8, 2025

[LTS 9.2]
CVE-2023-46813 VULN-6719
CVE-2023-0597 VULN-8044

Commits

CVE-2023-46813

3e1baae:

x86/sev: Disable MMIO emulation from user mode

jira VULN-6719
cve CVE-2023-46813
commit-author Borislav Petkov (AMD) <[email protected]>
commit a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba

c90c4a4:

x86/sev: Check IOBM for IOIO exceptions from user-space

jira VULN-6719
cve CVE-2023-46813
commit-author Joerg Roedel <[email protected]>
commit b9cb9c45583b911e0db71d09caa6b56469eb2bdf

72de94d:

x86/sev: Check for user-space IOIO pointing to kernel space

jira VULN-6719
cve CVE-2023-46813
commit-author Joerg Roedel <[email protected]>
commit 63e44bc52047f182601e7817da969a105aa1f721

CVE-2023-0597

d468641:

x86/kasan: Map shadow for percpu pages on demand

jira VULN-8044
cve-pre CVE-2023-0597
commit-author Andrey Ryabinin <[email protected]>
commit 3f148f3318140035e87decc1214795ff0755757b

198ff55:

x86/mm: Randomize per-cpu entry area

jira VULN-8044
cve CVE-2023-0597
commit-author Peter Zijlstra <[email protected]>
commit 97e3d26b5e5f371b3ee223d94dd123e6c442ba80
upstream-diff Included `linux/prandom.h' in
  `arch/x86/mm/cpu_entry_area.c' directly (compilation fails without it)

c051a40:

x86/mm: Recompute physical address for every page of per-CPU CEA mapping

jira VULN-8044
cve-bf CVE-2023-0597
commit-author Sean Christopherson <[email protected]>
commit 80d72a8f76e8f3f0b5a70b8c7022578e17bde8e7

7f0398a:

x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry area

jira VULN-8044
cve-bf CVE-2023-0597
commit-author Sean Christopherson <[email protected]>
commit 97650148a15e0b30099d6175ffe278b9f55ec66a

c861f7a:

x86/mm: Do not shuffle CPU entry areas without KASLR

jira VULN-8044
cve-bf CVE-2023-0597
commit-author Michal Koutný <[email protected]>
commit a3f547addcaa10df5a226526bc9e2d9a94542344

The solution of CVE-2023-0597 on LTS 9.2 is basically the same as on LTS 8.6, with two differences:

  • Commit 05b042a (1) was not picked for the solution because it's already present in ciqlts9_2 history.
  • From the upstream-diff for 97e3d26 (0) only the inclusion of linux/prandom.h remained, because all the missing prerequisites the ciqlts8_6 patch was manoeuvring around are conveniently present in the ciqlts9_2 version.

For comparison relate to the table from the CVE-2023-0597 PR for LTS 8.6 augmented with the ciqlts9_2 column:

Label    File
-------  -------------------------------------
A        arch/x86/include/asm/cpu_entry_area.h
B        arch/x86/include/asm/pgtable_areas.h
C        arch/x86/kernel/hw_breakpoint.c
D        arch/x86/mm/cpu_entry_area.c

| Id | ABCD | kernel-mainline                          |       Date | Descr                                                                               | ciqlts9_2                                             | ciqlts8_6                                             |
|----+------+------------------------------------------+------------+-------------------------------------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------|
|    | ---# | decb9ac4a9739c16e228f7b2918bfdca34cc89a9 | 2024-08-25 | x86/cpu_entry_area: Annotate percpu_setup_exception_stacks() as __init              |                                                       |                                                       |
|  5 | ---# | a3f547addcaa10df5a226526bc9e2d9a94542344 | 2023-03-22 | x86/mm: Do not shuffle CPU entry areas without KASLR                                |                                                       |                                                       |
|    | --#- | 7914695743d598b189d549f2f57af24aa5633705 | 2023-01-31 | x86/amd: Cache debug register values in percpu variables                            | ~ 41078e7fd24ad105eb84cc8def5aaf12a850765e 2024-09-12 |                                                       |
|    | ---# | 3c202d14a9d73fb63c3dccb18feac5618c21e1c4 | 2022-12-20 | prandom: remove prandom_u32_max()                                                   |                                                       |                                                       |
|  4 | ---# | 97650148a15e0b30099d6175ffe278b9f55ec66a | 2022-12-15 | x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry area            |                                                       |                                                       |
|  3 | ---# | 80d72a8f76e8f3f0b5a70b8c7022578e17bde8e7 | 2022-12-15 | x86/mm: Recompute physical address for every page of per-CPU CEA mapping            |                                                       |                                                       |
|  0 | #### | 97e3d26b5e5f371b3ee223d94dd123e6c442ba80 | 2022-12-15 | x86/mm: Randomize per-cpu entry area                                                |                                                       |                                                       |
|  2 | ---# | 3f148f3318140035e87decc1214795ff0755757b | 2022-12-15 | x86/kasan: Map shadow for percpu pages on demand                                    |                                                       |                                                       |
|    | ---# | d76c4f7a610ac56c5b06e34258859945e77d190c | 2022-11-22 | x86/cpu: Remove X86_FEATURE_XENPV usage in setup_cpu_entry_area()                   |                                                       |                                                       |
|    | #--- | e87f4152e542610d0b4c6c8548964a68a59d2040 | 2022-04-04 | task_stack, x86/cea: Force-inline stack helpers                                     |                                                       |                                                       |
|    | #--# | 541ac97186d9ea88491961a46284de3603c914fd | 2021-10-06 | x86/sev: Make the #VC exception stacks part of the default stacks storage           | ~ 86161372b0edbb5d30419aa09d54fa935d836f86 2022-08-08 |                                                       |
|    | --#- | 3943abf2dbfae9ea4d2da05c1db569a0603f76da | 2021-02-05 | x86/debug: Prevent data breakpoints on cpu_dr7                                      | = 3943abf2dbfae9ea4d2da05c1db569a0603f76da 2021-02-05 |                                                       |
|    | --#- | c4bed4b96918ff1d062ee81fdae4d207da4fa9b0 | 2021-02-05 | x86/debug: Prevent data breakpoints on __per_cpu_offset                             | = c4bed4b96918ff1d062ee81fdae4d207da4fa9b0 2021-02-05 |                                                       |
|    | --#- | 9ad22e165994ccb64d85b68499eaef97342c175b | 2021-02-01 | x86/debug: Fix DR6 handling                                                         | = 9ad22e165994ccb64d85b68499eaef97342c175b 2021-02-01 |                                                       |
|    | ---# | 6b27edd74a5e9669120f7bd0ae1f475d124c1042 | 2020-09-09 | x86/dumpstack/64: Add noinstr version of get_stack_info()                           | = 6b27edd74a5e9669120f7bd0ae1f475d124c1042 2020-09-09 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | #--- | 02772fb9b68e6a72a5e17f994048df832fe2b15e | 2020-09-09 | x86/sev-es: Allocate and map an IST stack for #VC handler                           | = 02772fb9b68e6a72a5e17f994048df832fe2b15e 2020-09-09 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | --#- | d53d9bc0cf783e93b374de3895145c7375e570ba | 2020-09-04 | x86/debug: Change thread.debugreg6 to thread.virtual_dr6                            | = d53d9bc0cf783e93b374de3895145c7375e570ba 2020-09-04 |                                                       |
|    | --#- | f4956cf83ed12271bdbd5b547f3378add72bbffb | 2020-09-04 | x86/debug: Support negative polarity DR6 bits                                       | = f4956cf83ed12271bdbd5b547f3378add72bbffb 2020-09-04 | ~ 927f65e976a77f9c9d29b4a50d4b8157aff37f26 2024-09-11 |
|    | --#- | 21d44be7b6ff4c254dc971e2c99d4082dd470afd | 2020-09-04 | x86/debug: Simplify hw_breakpoint_handler()                                         | = 21d44be7b6ff4c254dc971e2c99d4082dd470afd 2020-09-04 |                                                       |
|    | --#- | b84d42b6c6ac6a60519286e72b69f2dbf08dfb70 | 2020-09-04 | x86/debug: Remove aout_dump_debugregs()                                             | = b84d42b6c6ac6a60519286e72b69f2dbf08dfb70 2020-09-04 |                                                       |
|    | --#- | df561f6688fef775baa341a0f5d960becd248b11 | 2020-08-23 | treewide: Use fallthrough pseudo-keyword                                            | = df561f6688fef775baa341a0f5d960becd248b11 2020-08-23 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | #--# | fd501d4f0399700011acde486576c7c1eb8e7a61 | 2020-06-11 | x86/entry: Remove DBn stacks                                                        | = fd501d4f0399700011acde486576c7c1eb8e7a61 2020-06-11 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | --#- | 84b6a3491567a540f955e18d8e615493afa36df0 | 2020-06-11 | x86/entry: Optimize local_db_save() for virt                                        | = 84b6a3491567a540f955e18d8e615493afa36df0 2020-06-11 |                                                       |
|    | --#- | fdef24dfccb7be06e6ebe11d6c6c56987421870f | 2020-06-11 | x86/hw_breakpoint: Prevent data breakpoints on user_pcid_flush_mask                 | = fdef24dfccb7be06e6ebe11d6c6c56987421870f 2020-06-11 |                                                       |
|    | --#- | f9fe0b89f05441c6e4034e024c2c75a0d93024c1 | 2020-06-11 | x86/hw_breakpoint: Prevent data breakpoints on per_cpu cpu_tss_rw                   | = f9fe0b89f05441c6e4034e024c2c75a0d93024c1 2020-06-11 |                                                       |
|    | --#- | 97417cb9ad4ed052d7a4c5c0d75db1ff1b0981fb | 2020-06-11 | x86/hw_breakpoint: Prevent data breakpoints on direct GDT                           | = 97417cb9ad4ed052d7a4c5c0d75db1ff1b0981fb 2020-06-11 |                                                       |
|    | --#- | d390e6de89d30402bd06056c40cea72328aec9b1 | 2020-06-11 | x86/hw_breakpoint: Add within_area() to check data breakpoints                      | = d390e6de89d30402bd06056c40cea72328aec9b1 2020-06-11 |                                                       |
|    | --#- | 9f58fdde95c9509a4ded27a6d0035e79294002b4 | 2020-06-11 | x86/db: Split out dr6/7 handling                                                    | = 9f58fdde95c9509a4ded27a6d0035e79294002b4 2020-06-11 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | --#- | 24ae0c91cbc57c2deb0401bd653453a508acdcee | 2020-06-11 | x86/hw_breakpoint: Prevent data breakpoints on cpu_entry_area                       | = 24ae0c91cbc57c2deb0401bd653453a508acdcee 2020-06-11 |                                                       |
|    | ---# | 65fddcfca8ad14778f71a57672fd01e8112d30fa | 2020-06-09 | mm: reorder includes after introduction of linux/pgtable.h                          | = 65fddcfca8ad14778f71a57672fd01e8112d30fa 2020-06-09 |                                                       |
|    | ---# | ca5999fde0a1761665a38e4c9a72dbcd7d190a81 | 2020-06-09 | mm: introduce include/linux/pgtable.h                                               | = ca5999fde0a1761665a38e4c9a72dbcd7d190a81 2020-06-09 |                                                       |
|    | ---# | 593309423cbad0fab659a685834416cf12d8f581 | 2020-04-14 | x86/32: Remove CONFIG_DOUBLEFAULT                                                   | = 593309423cbad0fab659a685834416cf12d8f581 2020-04-14 |                                                       |
|    | ##-- | 186525bd6b83efc592672e2d6185e4d7c810d2b4 | 2019-12-10 | mm, x86/mm: Untangle address space layout definitions from basic pgtable type…      | = 186525bd6b83efc592672e2d6185e4d7c810d2b4 2019-12-10 |                                                       |
|    | #--# | dc4e0021b00b5a4ecba56fae509217776592b0aa | 2019-11-26 | x86/doublefault/32: Move #DF stack and TSS to cpu_entry_area                        | = dc4e0021b00b5a4ecba56fae509217776592b0aa 2019-11-26 |                                                       |
|  1 | #--# | 05b042a1944322844eaae7ea596d5f154166d68a | 2019-11-25 | x86/pti/32: Calculate the various PTI cpu_entry_area sizes correctly, make the…     | = 05b042a1944322844eaae7ea596d5f154166d68a 2019-11-25 |                                                       |
|    | #--- | 880a98c339961eaa074393e3a2117cbe9125b8bb | 2019-11-21 | x86/cpu_entry_area: Add guard page for entry stack on 32bit                         | = 880a98c339961eaa074393e3a2117cbe9125b8bb 2019-11-21 |                                                       |
|    | ---# | 6b546e1c9ad2a25f874f8bc6077d0f55f9446414 | 2019-11-16 | x86/tss: Fix and move VMX BUILD_BUG_ON()                                            | = 6b546e1c9ad2a25f874f8bc6077d0f55f9446414 2019-11-16 | # a1c405ca16baa1afc756c1d4ccbcc0c3a00cb453 2024-09-11 |
|    | #--- | 6184488a19be96d89cb6c36fb4bc277198309484 | 2019-10-01 | x86: Use the correct SPDX License Identifier in headers                             | = 6184488a19be96d89cb6c36fb4bc277198309484 2019-10-01 |                                                       |
|    | --#- | 1a59d1b8e05ea6ab45f7e18897de1ef0e6bc3da6 | 2019-05-30 | treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156                  | = 1a59d1b8e05ea6ab45f7e18897de1ef0e6bc3da6 2019-05-30 |                                                       |
|    | #--# | 2a594d4ccf3f10f80b77d71bd3dad10813ac0137 | 2019-04-17 | x86/exceptions: Split debug IST stack                                               | = 2a594d4ccf3f10f80b77d71bd3dad10813ac0137 2019-04-17 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | #--- | 1bdb67e5aa2d5d43c48cb7d93393fcba276c9e71 | 2019-04-17 | x86/exceptions: Enable IST guard pages                                              | = 1bdb67e5aa2d5d43c48cb7d93393fcba276c9e71 2019-04-17 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | #--- | 3207426925d2b4da390be8068df1d1c2b36e5918 | 2019-04-17 | x86/exceptions: Disconnect IST index and stack order                                | = 3207426925d2b4da390be8068df1d1c2b36e5918 2019-04-17 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | #--# | 7623f37e411156e6e09b95cf5c76e509c5fda640 | 2019-04-17 | x86/cpu_entry_area: Provide exception stack accessor                                | = 7623f37e411156e6e09b95cf5c76e509c5fda640 2019-04-17 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | ---# | a4af767ae59cc579569bbfe49513a0037d5989ee | 2019-04-17 | x86/cpu_entry_area: Prepare for IST guard pages                                     | = a4af767ae59cc579569bbfe49513a0037d5989ee 2019-04-17 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | #--# | 019b17b3ffe48100e52f609ca1c6ed6e5a40cba1 | 2019-04-17 | x86/exceptions: Add structs for exception stacks                                    | = 019b17b3ffe48100e52f609ca1c6ed6e5a40cba1 2019-04-17 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | ---# | 881a463cf21dbf83aab2cf6c9a359f34f88c2491 | 2019-04-17 | x86/cpu_entry_area: Cleanup setup functions                                         | = 881a463cf21dbf83aab2cf6c9a359f34f88c2491 2019-04-17 | # 604239d6f80ebd4301c47285d7305d7262dc69a6 2024-09-11 |
|    | --#- | e898e69d6b9475bf123f99b3c5d1a67bb7cb2361 | 2019-03-22 | x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error | = e898e69d6b9475bf123f99b3c5d1a67bb7cb2361 2019-03-22 |                                                       |
|    | ---# | ba2ba356b2c849ec62d5fefa9cd4168163b13211 | 2019-02-08 | x86/cpu_entry_area: Move percpu_setup_debug_store() to __init section               | = ba2ba356b2c849ec62d5fefa9cd4168163b13211 2019-02-08 | ~ cfe70862b56bc8d9b13ca055348ca01c446ca605 2024-09-11 |
|    | --#- | fab940755d1d78377901450b6ee7c77356e06821 | 2019-01-30 | x86/hw_breakpoints, kprobes: Remove kprobes ifdeffery                               | = fab940755d1d78377901450b6ee7c77356e06821 2019-01-30 |                                                       |
|    | --#- | 6fcebf1302b43e7a610d1d2fa89f41e693249aa5 | 2019-01-26 | x86/kernel: Mark expected switch-case fall-throughs                                 | = 6fcebf1302b43e7a610d1d2fa89f41e693249aa5 2019-01-26 |                                                       |
|    | #--# | bf904d2762ee6fc1e4acfcb0772bbfb4a27ad8a6 | 2018-09-12 | x86/pti/64: Remove the SYSCALL64 entry trampoline                                   | = bf904d2762ee6fc1e4acfcb0772bbfb4a27ad8a6 2018-09-12 | ~ e2093e17c786fae6762be28d622e0dfeefb6d37a 2024-09-11 |
|    | ---# | 6855dc41b24619c3d1de3dbd27dd0546b0e45272 | 2018-08-14 | x86: Add entry trampolines to kcore                                                 | = 6855dc41b24619c3d1de3dbd27dd0546b0e45272 2018-08-14 | ~ f472db7b53074bb1e36e626e139b0afabdc5d9d0 2024-09-11 |
|    | ---# | d83212d5dd6761625fe87cc23016bbaa47303271 | 2018-08-14 | kallsyms, x86: Export addresses of PTI entry trampolines                            | = d83212d5dd6761625fe87cc23016bbaa47303271 2018-08-14 | ~ 2e5dbe65824c98ee7602b2afef51eec8fd06d93f 2024-09-11 |
|    | --#- | a0baf043c5cfa3a489a63ac50f5201c31a651e21 | 2018-06-26 | perf/arch/x86: Implement hw_breakpoint_arch_parse()                                 | = a0baf043c5cfa3a489a63ac50f5201c31a651e21 2018-06-26 | ~ 94bbfa1bcb24b573c0fababaac1574c6b947866a 2024-09-11 |
|    | --#- | 8e983ff9ac02a8fb454ed09c2462bdb3617006a8 | 2018-06-26 | perf/hw_breakpoint: Pass arch breakpoint struct to arch_check_bp_in_kernelspace()   | = 8e983ff9ac02a8fb454ed09c2462bdb3617006a8 2018-06-26 | ~ 70558b454254ddaa55838662c2d9dad5b039f07a 2024-09-11 |
|    | ---# | 0f561fce4d6979a50415616896512f87a6d1d5c8 | 2018-04-12 | x86/pti: Enable global pages for shared areas                                       | = 0f561fce4d6979a50415616896512f87a6d1d5c8 2018-04-12 | + 0f561fce4d6979a50415616896512f87a6d1d5c8 2018-04-12 |

kABI check: passed

DEBUG=1 CVE=CVE-batch-8 ./ninja.sh _kabi_checked__x86_64--test--ciqlts9_2-CVE-batch-8

[0/1] Check ABI of kernel [ciqlts9_2-CVE-batch-8]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-9.2/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-9.2/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_2/build_files/kernel-src-tree-ciqlts9_2-CVE-batch-8/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_2-CVE-batch-8/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests--ciqlts9_2--run1.log

Patch

kselftests--ciqlts9_2-CVE-batch-8--run1.log

Comparison

The test results for the reference and the patch are the same.

$ ktests.xsh diff  kselftests*.log

Column    File
--------  -------------------------------------------
Status0   kselftests--ciqlts9_2--run1.log
Status1   kselftests--ciqlts9_2-CVE-batch-8--run1.log

TestCase                                               Status0  Status1  Summary
bpf:get_cgroup_id_user                                 pass     pass     same
bpf:test_bpftool.sh                                    pass     pass     same
bpf:test_bpftool_build.sh                              pass     pass     same
bpf:test_bpftool_metadata.sh                           pass     pass     same
bpf:test_cgroup_storage                                pass     pass     same
bpf:test_dev_cgroup                                    pass     pass     same
bpf:test_doc_build.sh                                  pass     pass     same
bpf:test_flow_dissector.sh                             pass     pass     same
bpf:test_lirc_mode2.sh                                 pass     pass     same
bpf:test_lpm_map                                       pass     pass     same
bpf:test_lru_map                                       pass     pass     same
bpf:test_lwt_ip_encap.sh                               pass     pass     same
bpf:test_lwt_seg6local.sh                              pass     pass     same
bpf:test_offload.py                                    pass     pass     same
bpf:test_skb_cgroup_id.sh                              pass     pass     same
bpf:test_sock                                          pass     pass     same
bpf:test_sock_addr.sh                                  pass     pass     same
bpf:test_sysctl                                        pass     pass     same
bpf:test_tag                                           pass     pass     same
bpf:test_tc_edt.sh                                     pass     pass     same
bpf:test_tc_tunnel.sh                                  pass     pass     same
bpf:test_tcp_check_syncookie.sh                        pass     pass     same
bpf:test_tcpnotify_user                                pass     pass     same
bpf:test_tunnel.sh                                     pass     pass     same
bpf:test_verifier                                      pass     pass     same
bpf:test_verifier_log                                  pass     pass     same
bpf:test_xdp_meta.sh                                   pass     pass     same
bpf:test_xdp_redirect.sh                               pass     pass     same
bpf:test_xdp_redirect_multi.sh                         pass     pass     same
bpf:test_xdp_veth.sh                                   pass     pass     same
bpf:test_xdp_vlan_mode_generic.sh                      pass     pass     same
bpf:test_xdp_vlan_mode_native.sh                       pass     pass     same
bpf:test_xdping.sh                                     pass     pass     same
bpf:urandom_read                                       pass     pass     same
breakpoints:breakpoint_test                            pass     pass     same
capabilities:test_execve                               pass     pass     same
cgroup:test_core                                       fail     fail     same
cgroup:test_cpuset_prs.sh                              pass     pass     same
cgroup:test_kill                                       pass     pass     same
cgroup:test_kmem                                       pass     pass     same
cgroup:test_stress.sh                                  fail     fail     same
clone3:clone3                                          pass     pass     same
clone3:clone3_cap_checkpoint_restore                   pass     pass     same
clone3:clone3_clear_sighand                            pass     pass     same
clone3:clone3_set_tid                                  pass     pass     same
core:close_range_test                                  pass     pass     same
cpu-hotplug:cpu-on-off-test.sh                         pass     pass     same
cpufreq:main.sh                                        fail     fail     same
drivers/dma-buf:udmabuf                                pass     pass     same
drivers/net/bonding:bond-arp-interval-causes-panic.sh  pass     pass     same
drivers/net/bonding:bond-break-lacpdu-tx.sh            pass     pass     same
drivers/net/bonding:bond-lladdr-target.sh              pass     pass     same
drivers/net/bonding:dev_addr_lists.sh                  pass     pass     same
drivers/net/bonding:mode-1-recovery-updelay.sh         pass     pass     same
drivers/net/bonding:mode-2-recovery-updelay.sh         pass     pass     same
drivers/net/team:dev_addr_lists.sh                     pass     pass     same
filesystems/binderfs:binderfs_test                     fail     fail     same
firmware:fw_run_tests.sh                               skip     skip     same
fpu:run_test_fpu.sh                                    skip     skip     same
fpu:test_fpu                                           pass     pass     same
ftrace:ftracetest                                      fail     fail     same
futex:run.sh                                           pass     pass     same
gpio:gpio-mockup.sh                                    fail     fail     same
intel_pstate:run.sh                                    pass     pass     same
ipc:msgque                                             pass     pass     same
ir:ir_loopback.sh                                      skip     skip     same
kcmp:kcmp_test                                         pass     pass     same
kexec:test_kexec_file_load.sh                          skip     skip     same
kexec:test_kexec_load.sh                               skip     skip     same
kvm:access_tracking_perf_test                          pass     pass     same
kvm:amx_test                                           fail     fail     same
kvm:cpuid_test                                         fail     fail     same
kvm:cr4_cpuid_sync_test                                fail     fail     same
kvm:debug_regs                                         fail     fail     same
kvm:demand_paging_test                                 pass     pass     same
kvm:dirty_log_perf_test                                pass     pass     same
kvm:dirty_log_test                                     fail     fail     same
kvm:emulator_error_test                                fail     fail     same
kvm:evmcs_test                                         fail     fail     same
kvm:fix_hypercall_test                                 fail     fail     same
kvm:get_msr_index_features                             fail     fail     same
kvm:hardware_disable_test                              pass     pass     same
kvm:hyperv_clock                                       fail     fail     same
kvm:hyperv_cpuid                                       fail     fail     same
kvm:hyperv_features                                    fail     fail     same
kvm:hyperv_svm_test                                    fail     fail     same
kvm:kvm_binary_stats_test                              pass     pass     same
kvm:kvm_clock_test                                     fail     fail     same
kvm:kvm_create_max_vcpus                               pass     pass     same
kvm:kvm_page_table_test                                pass     pass     same
kvm:kvm_pv_test                                        fail     fail     same
kvm:max_guest_memory_test                              pass     pass     same
kvm:max_vcpuid_cap_test                                fail     fail     same
kvm:memslot_modification_stress_test                   pass     pass     same
kvm:memslot_perf_test                                  pass     pass     same
kvm:mmio_warning_test                                  fail     fail     same
kvm:monitor_mwait_test                                 fail     fail     same
kvm:nx_huge_pages_test.sh                              fail     fail     same
kvm:platform_info_test                                 fail     fail     same
kvm:pmu_event_filter_test                              fail     fail     same
kvm:rseq_test                                          fail     fail     same
kvm:set_boot_cpu_id                                    fail     fail     same
kvm:set_memory_region_test                             pass     pass     same
kvm:set_sregs_test                                     fail     fail     same
kvm:sev_migrate_tests                                  fail     fail     same
kvm:smm_test                                           fail     fail     same
kvm:state_test                                         fail     fail     same
kvm:steal_time                                         pass     pass     same
kvm:svm_int_ctl_test                                   fail     fail     same
kvm:svm_nested_soft_inject_test                        fail     fail     same
kvm:svm_vmcall_test                                    fail     fail     same
kvm:sync_regs_test                                     fail     fail     same
kvm:system_counter_offset_test                         pass     pass     same
kvm:triple_fault_event_test                            fail     fail     same
kvm:tsc_msrs_test                                      fail     fail     same
kvm:tsc_scaling_sync                                   fail     fail     same
kvm:ucna_injection_test                                fail     fail     same
kvm:userspace_io_test                                  fail     fail     same
kvm:userspace_msr_exit_test                            fail     fail     same
kvm:vmx_apic_access_test                               fail     fail     same
kvm:vmx_close_while_nested_test                        fail     fail     same
kvm:vmx_dirty_log_test                                 fail     fail     same
kvm:vmx_exception_with_invalid_guest_state             fail     fail     same
kvm:vmx_invalid_nested_guest_state                     fail     fail     same
kvm:vmx_msrs_test                                      fail     fail     same
kvm:vmx_nested_tsc_scaling_test                        fail     fail     same
kvm:vmx_pmu_caps_test                                  fail     fail     same
kvm:vmx_preemption_timer_test                          fail     fail     same
kvm:vmx_set_nested_state_test                          fail     fail     same
kvm:vmx_tsc_adjust_test                                fail     fail     same
kvm:xapic_ipi_test                                     fail     fail     same
kvm:xapic_state_test                                   fail     fail     same
kvm:xen_shinfo_test                                    fail     fail     same
kvm:xen_vmcall_test                                    fail     fail     same
kvm:xss_msr_test                                       fail     fail     same
landlock:base_test                                     fail     fail     same
landlock:fs_test                                       fail     fail     same
landlock:ptrace_test                                   fail     fail     same
lib:bitmap.sh                                          skip     skip     same
lib:prime_numbers.sh                                   skip     skip     same
lib:printf.sh                                          skip     skip     same
lib:scanf.sh                                           skip     skip     same
lib:strscpy.sh                                         skip     skip     same
livepatch:test-callbacks.sh                            skip     skip     same
livepatch:test-ftrace.sh                               skip     skip     same
livepatch:test-livepatch.sh                            skip     skip     same
livepatch:test-shadow-vars.sh                          skip     skip     same
livepatch:test-state.sh                                skip     skip     same
membarrier:membarrier_test_multi_thread                pass     pass     same
membarrier:membarrier_test_single_thread               pass     pass     same
memfd:memfd_test                                       pass     pass     same
memfd:run_fuse_test.sh                                 pass     pass     same
memfd:run_hugetlbfs_test.sh                            pass     pass     same
memory-hotplug:mem-on-off-test.sh                      pass     pass     same
mincore:mincore_selftest                               fail     fail     same
mount:run_nosymfollow.sh                               pass     pass     same
mount:run_unprivileged_remount.sh                      pass     pass     same
mqueue:mq_open_tests                                   pass     pass     same
mqueue:mq_perf_tests                                   pass     pass     same
nci:nci_dev                                            fail     fail     same
net/forwarding:bridge_locked_port.sh                   pass     pass     same
net/forwarding:bridge_mld.sh                           fail     fail     same
net/forwarding:bridge_port_isolation.sh                pass     pass     same
net/forwarding:bridge_sticky_fdb.sh                    pass     pass     same
net/forwarding:bridge_vlan_aware.sh                    fail     fail     same
net/forwarding:bridge_vlan_mcast.sh                    fail     fail     same
net/forwarding:bridge_vlan_unaware.sh                  pass     pass     same
net/forwarding:custom_multipath_hash.sh                fail     fail     same
net/forwarding:ethtool.sh                              fail     fail     same
net/forwarding:ethtool_extended_state.sh               fail     fail     same
net/forwarding:gre_custom_multipath_hash.sh            fail     fail     same
net/forwarding:gre_inner_v4_multipath.sh               fail     fail     same
net/forwarding:gre_multipath.sh                        fail     fail     same
net/forwarding:gre_multipath_nh.sh                     fail     fail     same
net/forwarding:gre_multipath_nh_res.sh                 fail     fail     same
net/forwarding:hw_stats_l3.sh                          fail     fail     same
net/forwarding:hw_stats_l3_gre.sh                      fail     fail     same
net/forwarding:ip6_forward_instats_vrf.sh              fail     fail     same
net/forwarding:ip6gre_custom_multipath_hash.sh         fail     fail     same
net/forwarding:ip6gre_flat.sh                          pass     pass     same
net/forwarding:ip6gre_flat_key.sh                      pass     pass     same
net/forwarding:ip6gre_flat_keys.sh                     pass     pass     same
net/forwarding:ip6gre_hier.sh                          pass     pass     same
net/forwarding:ip6gre_hier_key.sh                      pass     pass     same
net/forwarding:ip6gre_hier_keys.sh                     pass     pass     same
net/forwarding:ip6gre_inner_v4_multipath.sh            fail     fail     same
net/forwarding:ip6gre_inner_v6_multipath.sh            fail     fail     same
net/forwarding:ipip_flat_gre.sh                        pass     pass     same
net/forwarding:ipip_flat_gre_key.sh                    pass     pass     same
net/forwarding:ipip_flat_gre_keys.sh                   pass     pass     same
net/forwarding:ipip_hier_gre.sh                        pass     pass     same
net/forwarding:ipip_hier_gre_key.sh                    pass     pass     same
net/forwarding:loopback.sh                             skip     skip     same
net/forwarding:mirror_gre.sh                           fail     fail     same
net/forwarding:mirror_gre_bound.sh                     pass     pass     same
net/forwarding:mirror_gre_bridge_1d.sh                 pass     pass     same
net/forwarding:mirror_gre_bridge_1q.sh                 pass     pass     same
net/forwarding:mirror_gre_bridge_1q_lag.sh             pass     pass     same
net/forwarding:mirror_gre_changes.sh                   fail     fail     same
net/forwarding:mirror_gre_flower.sh                    fail     fail     same
net/forwarding:mirror_gre_lag_lacp.sh                  pass     pass     same
net/forwarding:mirror_gre_neigh.sh                     pass     pass     same
net/forwarding:mirror_gre_nh.sh                        pass     pass     same
net/forwarding:mirror_gre_vlan.sh                      pass     pass     same
net/forwarding:mirror_vlan.sh                          pass     pass     same
net/forwarding:pedit_dsfield.sh                        pass     pass     same
net/forwarding:pedit_ip.sh                             pass     pass     same
net/forwarding:pedit_l4port.sh                         pass     pass     same
net/forwarding:q_in_vni_ipv6.sh                        pass     pass     same
net/forwarding:router.sh                               skip     skip     same
net/forwarding:router_bridge.sh                        pass     pass     same
net/forwarding:router_bridge_vlan.sh                   pass     pass     same
net/forwarding:router_broadcast.sh                     pass     pass     same
net/forwarding:router_mpath_nh.sh                      fail     fail     same
net/forwarding:router_mpath_nh_res.sh                  fail     fail     same
net/forwarding:router_multicast.sh                     skip     skip     same
net/forwarding:router_multipath.sh                     fail     fail     same
net/forwarding:router_nh.sh                            pass     pass     same
net/forwarding:router_vid_1.sh                         pass     pass     same
net/forwarding:skbedit_priority.sh                     pass     pass     same
net/forwarding:tc_chains.sh                            pass     pass     same
net/forwarding:tc_flower.sh                            pass     pass     same
net/forwarding:tc_flower_router.sh                     pass     pass     same
net/forwarding:tc_mpls_l2vpn.sh                        pass     pass     same
net/forwarding:tc_shblocks.sh                          pass     pass     same
net/forwarding:tc_vlan_modify.sh                       pass     pass     same
net/forwarding:vxlan_asymmetric.sh                     pass     pass     same
net/forwarding:vxlan_asymmetric_ipv6.sh                pass     pass     same
net/forwarding:vxlan_bridge_1d.sh                      fail     fail     same
net/forwarding:vxlan_bridge_1d_port_8472.sh            pass     pass     same
net/forwarding:vxlan_bridge_1d_port_8472_ipv6.sh       fail     fail     same
net/forwarding:vxlan_bridge_1q.sh                      fail     fail     same
net/forwarding:vxlan_bridge_1q_ipv6.sh                 fail     fail     same
net/forwarding:vxlan_bridge_1q_port_8472.sh            pass     pass     same
net/forwarding:vxlan_bridge_1q_port_8472_ipv6.sh       fail     fail     same
net/forwarding:vxlan_symmetric.sh                      pass     pass     same
net/forwarding:vxlan_symmetric_ipv6.sh                 pass     pass     same
net/mptcp:diag.sh                                      pass     pass     same
net/mptcp:mptcp_connect.sh                             pass     pass     same
net/mptcp:mptcp_sockopt.sh                             pass     pass     same
net/mptcp:pm_netlink.sh                                pass     pass     same
net:altnames.sh                                        pass     pass     same
net:bareudp.sh                                         pass     pass     same
net:cmsg_so_mark.sh                                    pass     pass     same
net:devlink_port_split.py                              pass     pass     same
net:drop_monitor_tests.sh                              skip     skip     same
net:fcnal-test.sh                                      skip     skip     same
net:fib-onlink-tests.sh                                pass     pass     same
net:fib_nexthop_multiprefix.sh                         pass     pass     same
net:fib_rule_tests.sh                                  pass     pass     same
net:fib_tests.sh                                       fail     fail     same
net:fin_ack_lat.sh                                     pass     pass     same
net:gre_gso.sh                                         skip     skip     same
net:icmp.sh                                            fail     fail     same
net:icmp_redirect.sh                                   pass     pass     same
net:ip6_gre_headroom.sh                                pass     pass     same
net:ipv6_flowlabel.sh                                  pass     pass     same
net:l2tp.sh                                            pass     pass     same
net:msg_zerocopy.sh                                    pass     pass     same
net:netdevice.sh                                       pass     pass     same
net:pmtu.sh                                            pass     pass     same
net:psock_snd.sh                                       pass     pass     same
net:reuseaddr_conflict                                 pass     pass     same
net:reuseaddr_ports_exhausted.sh                       pass     pass     same
net:reuseport_bpf                                      pass     pass     same
net:reuseport_bpf_cpu                                  pass     pass     same
net:reuseport_bpf_numa                                 pass     pass     same
net:reuseport_dualstack                                pass     pass     same
net:route_localnet.sh                                  pass     pass     same
net:rps_default_mask.sh                                fail     fail     same
net:rtnetlink.sh                                       skip     skip     same
net:run_afpackettests                                  pass     pass     same
net:run_netsocktests                                   pass     pass     same
net:rxtimestamp.sh                                     pass     pass     same
net:so_txtime.sh                                       pass     pass     same
net:stress_reuseport_listen.sh                         pass     pass     same
net:tcp_fastopen_backup_key.sh                         pass     pass     same
net:test_blackhole_dev.sh                              fail     fail     same
net:test_bpf.sh                                        pass     pass     same
net:test_vxlan_fdb_changelink.sh                       pass     pass     same
net:test_vxlan_under_vrf.sh                            pass     pass     same
net:tls                                                pass     pass     same
net:traceroute.sh                                      pass     pass     same
net:udpgro.sh                                          fail     fail     same
net:udpgro_bench.sh                                    fail     fail     same
net:udpgso.sh                                          pass     pass     same
net:unicast_extensions.sh                              pass     pass     same
net:veth.sh                                            fail     fail     same
net:vrf-xfrm-tests.sh                                  pass     pass     same
net:vrf_route_leaking.sh                               fail     fail     same
net:vrf_strict_mode_test.sh                            pass     pass     same
netfilter:bridge_brouter.sh                            skip     skip     same
netfilter:conntrack_icmp_related.sh                    fail     fail     same
netfilter:conntrack_tcp_unreplied.sh                   fail     fail     same
netfilter:conntrack_vrf.sh                             skip     skip     same
netfilter:ipip-conntrack-mtu.sh                        skip     skip     same
netfilter:ipvs.sh                                      skip     skip     same
netfilter:nf_nat_edemux.sh                             skip     skip     same
netfilter:nft_concat_range.sh                          fail     fail     same
netfilter:nft_conntrack_helper.sh                      skip     skip     same
netfilter:nft_fib.sh                                   skip     skip     same
netfilter:nft_flowtable.sh                             fail     fail     same
netfilter:nft_meta.sh                                  pass     pass     same
netfilter:nft_nat.sh                                   skip     skip     same
netfilter:nft_queue.sh                                 skip     skip     same
netfilter:rpath.sh                                     pass     pass     same
nsfs:owner                                             pass     pass     same
nsfs:pidns                                             pass     pass     same
openat2:openat2_test                                   fail     fail     same
openat2:rename_attack_test                             pass     pass     same
openat2:resolve_test                                   fail     fail     same
pid_namespace:regression_enomem                        pass     pass     same
pidfd:pidfd_fdinfo_test                                pass     pass     same
pidfd:pidfd_getfd_test                                 pass     pass     same
pidfd:pidfd_open_test                                  pass     pass     same
pidfd:pidfd_poll_test                                  pass     pass     same
pidfd:pidfd_setns_test                                 pass     pass     same
pidfd:pidfd_test                                       pass     pass     same
pidfd:pidfd_wait                                       pass     pass     same
proc:fd-001-lookup                                     pass     pass     same
proc:fd-002-posix-eq                                   pass     pass     same
proc:fd-003-kthread                                    pass     pass     same
proc:proc-fsconfig-hidepid                             pass     pass     same
proc:proc-loadavg-001                                  pass     pass     same
proc:proc-multiple-procfs                              pass     pass     same
proc:proc-self-map-files-001                           pass     pass     same
proc:proc-self-map-files-002                           pass     pass     same
proc:proc-self-syscall                                 pass     pass     same
proc:proc-self-wchan                                   pass     pass     same
proc:proc-subset-pid                                   pass     pass     same
proc:proc-uptime-002                                   pass     pass     same
proc:read                                              pass     pass     same
proc:self                                              pass     pass     same
proc:setns-dcache                                      pass     pass     same
proc:setns-sysvipc                                     pass     pass     same
proc:thread-self                                       pass     pass     same
pstore:pstore_post_reboot_tests                        skip     skip     same
pstore:pstore_tests                                    fail     fail     same
ptrace:get_syscall_info                                pass     pass     same
ptrace:peeksiginfo                                     pass     pass     same
ptrace:vmaccess                                        fail     fail     same
rlimits:rlimits-per-userns                             pass     pass     same
rseq:basic_percpu_ops_test                             pass     pass     same
rseq:basic_test                                        pass     pass     same
rseq:param_test                                        pass     pass     same
rseq:param_test_benchmark                              pass     pass     same
rseq:param_test_compare_twice                          pass     pass     same
rseq:run_param_test.sh                                 pass     pass     same
seccomp:seccomp_benchmark                              pass     pass     same
seccomp:seccomp_bpf                                    pass     pass     same
sgx:test_sgx                                           fail     fail     same
sigaltstack:sas                                        pass     pass     same
size:get_size                                          pass     pass     same
splice:default_file_splice_read.sh                     pass     pass     same
splice:short_splice_read.sh                            fail     fail     same
static_keys:test_static_keys.sh                        skip     skip     same
syscall_user_dispatch:sud_benchmark                    pass     pass     same
syscall_user_dispatch:sud_test                         pass     pass     same
tc-testing:tdc.sh                                      fail     fail     same
tdx:tdx_guest_test                                     fail     fail     same
timens:clock_nanosleep                                 pass     pass     same
timens:exec                                            pass     pass     same
timens:futex                                           pass     pass     same
timens:procfs                                          pass     pass     same
timens:timens                                          pass     pass     same
timens:timer                                           pass     pass     same
timens:timerfd                                         pass     pass     same
timens:vfork_exec                                      pass     pass     same
timers:inconsistency-check                             pass     pass     same
timers:mqueue-lat                                      pass     pass     same
timers:nanosleep                                       pass     pass     same
timers:nsleep-lat                                      pass     pass     same
timers:posix_timers                                    pass     pass     same
timers:rtcpie                                          pass     pass     same
timers:set-timer-lat                                   pass     pass     same
timers:threadtest                                      pass     pass     same
tmpfs:bug-link-o-tmpfile                               pass     pass     same
tpm2:test_smoke.sh                                     skip     skip     same
tpm2:test_space.sh                                     skip     skip     same
vDSO:vdso_standalone_test_x86                          pass     pass     same
vDSO:vdso_test_abi                                     pass     pass     same
vDSO:vdso_test_clock_getres                            pass     pass     same
vDSO:vdso_test_correctness                             pass     pass     same
vDSO:vdso_test_getcpu                                  pass     pass     same
vDSO:vdso_test_gettimeofday                            pass     pass     same
vm:run_vmtests.sh                                      skip     skip     same
x86:amx_64                                             fail     fail     same
x86:check_initial_reg_state_64                         pass     pass     same
x86:corrupt_xstate_header_64                           pass     pass     same
x86:fsgsbase_64                                        pass     pass     same
x86:fsgsbase_restore_64                                pass     pass     same
x86:ioperm_64                                          pass     pass     same
x86:iopl_64                                            pass     pass     same
x86:mov_ss_trap_64                                     pass     pass     same
x86:sigaltstack_64                                     pass     pass     same
x86:sigreturn_64                                       pass     pass     same
x86:single_step_syscall_64                             pass     pass     same
x86:syscall_arg_fault_64                               pass     pass     same
x86:syscall_nt_64                                      pass     pass     same
x86:syscall_numbering_64                               pass     pass     same
x86:sysret_rip_64                                      pass     pass     same
x86:sysret_ss_attrs_64                                 pass     pass     same
x86:test_mremap_vdso_64                                pass     pass     same
x86:test_vsyscall_64                                   pass     pass     same
zram:zram.sh                                           pass     pass     same

jira VULN-6719
cve CVE-2023-46813
commit-author Borislav Petkov (AMD) <[email protected]>
commit a37cd2a

A virt scenario can be constructed where MMIO memory can be user memory.
When that happens, a race condition opens between when the hardware
raises the #VC and when the #VC handler gets to emulate the instruction.

If the MOVS is replaced with a MOVS accessing kernel memory in that
small race window, then write to kernel memory happens as the access
checks are not done at emulation time.

Disable MMIO emulation in user mode temporarily until a sensible use
case appears and justifies properly handling the race window.

Fixes: 0118b60 ("x86/sev-es: Handle MMIO String Instructions")
	Reported-by: Tom Dohrmann <[email protected]>
	Signed-off-by: Borislav Petkov (AMD) <[email protected]>
	Tested-by: Tom Dohrmann <[email protected]>
	Cc: <[email protected]>
(cherry picked from commit a37cd2a)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-6719
cve CVE-2023-46813
commit-author Joerg Roedel <[email protected]>
commit b9cb9c4

Check the IO permission bitmap (if present) before emulating IOIO #VC
exceptions for user-space. These permissions are checked by hardware
already before the #VC is raised, but due to the VC-handler decoding
race it needs to be checked again in software.

Fixes: 25189d0 ("x86/sev-es: Add support for handling IOIO exceptions")
	Reported-by: Tom Dohrmann <[email protected]>
	Signed-off-by: Joerg Roedel <[email protected]>
	Signed-off-by: Borislav Petkov (AMD) <[email protected]>
	Tested-by: Tom Dohrmann <[email protected]>
	Cc: <[email protected]>
(cherry picked from commit b9cb9c4)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-6719
cve CVE-2023-46813
commit-author Joerg Roedel <[email protected]>
commit 63e44bc

Check the memory operand of INS/OUTS before emulating the instruction.
The #VC exception can get raised from user-space, but the memory operand
can be manipulated to access kernel memory before the emulation actually
begins and after the exception handler has run.

  [ bp: Massage commit message. ]

Fixes: 597cfe4 ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler")
	Reported-by: Tom Dohrmann <[email protected]>
	Signed-off-by: Joerg Roedel <[email protected]>
	Signed-off-by: Borislav Petkov (AMD) <[email protected]>
	Cc: <[email protected]>
(cherry picked from commit 63e44bc)
	Signed-off-by: Marcin Wcisło <[email protected]>
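As an added illustration (not the kernel's code and not part of the commits above), a user-space C model of the two software re-checks those three commits describe: the I/O permission bitmap lookup for IOIO #VC exceptions raised from user mode, and the kernel-space test on the INS/OUTS memory operand. Names ending in `_model`, the bitmap layout and the `TASK_SIZE_MAX` value are assumptions.

```c
/* Added illustration, not kernel code: a user-space model of the two software
 * re-checks the CVE-2023-46813 commits add before a user-mode IOIO #VC is
 * emulated.  Names ending in _model are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IO_BITMAP_BITS_MODEL   65536u
#define IO_BITMAP_BYTES_MODEL  (IO_BITMAP_BITS_MODEL / 8)
/* Start of the kernel half on x86_64 with 4-level paging (assumed for the model). */
#define TASK_SIZE_MAX_MODEL    0x00007ffffffff000ULL
#define X86_TRAP_GP_MODEL      13
#define X86_TRAP_PF_MODEL      14
#define X86_PF_WRITE_MODEL     0x2
#define X86_PF_USER_MODEL      0x4

enum es_result_model { ES_OK_MODEL = 0, ES_EXCEPTION_MODEL = 1 };

/* Per-thread I/O permission bitmap as the TSS sees it: a SET bit DENIES the port. */
struct io_bitmap_model {
    uint8_t bitmap[IO_BITMAP_BYTES_MODEL];
};

/* The slice of the #VC emulation context the two checks need. */
struct vc_ctxt_model {
    bool user_mode;                      /* did the #VC come from CPL 3? */
    const struct io_bitmap_model *iobm;  /* NULL when the task never called ioperm() */
    unsigned int fi_vector;              /* exception to inject when a check fails */
    unsigned int fi_error_code;
    uint64_t fi_cr2;
};

/* Fresh bitmap: everything denied, as for a task that has not called ioperm(). */
void io_bitmap_init_model(struct io_bitmap_model *bm)
{
    memset(bm->bitmap, 0xff, sizeof(bm->bitmap));
}

/* ioperm()-style grant: clear the bits for [port, port + num). */
void io_bitmap_allow_model(struct io_bitmap_model *bm, unsigned int port, unsigned int num)
{
    for (unsigned int p = port; p < port + num && p < IO_BITMAP_BITS_MODEL; p++)
        bm->bitmap[p / 8] &= (uint8_t)~(1u << (p % 8));
}

static bool io_bitmap_denies_model(const struct io_bitmap_model *bm, unsigned int port)
{
    return (bm->bitmap[port / 8] >> (port % 8)) & 1u;
}

/* Re-check port permissions in software.  Hardware checked them before the
 * #VC was raised, but the handler cannot trust that because of the decoding race. */
enum es_result_model vc_ioio_check_model(struct vc_ctxt_model *ctxt, uint16_t port, size_t size)
{
    if (size > 4)                        /* the kernel BUG()s here; the model just refuses */
        return ES_EXCEPTION_MODEL;

    if (ctxt->user_mode) {
        if (!ctxt->iobm)
            goto fault;                  /* no bitmap at all: user mode may touch no port */
        for (size_t idx = port; idx < (size_t)port + size; idx++) {
            if (idx >= IO_BITMAP_BITS_MODEL ||
                io_bitmap_denies_model(ctxt->iobm, (unsigned int)idx))
                goto fault;
        }
    }
    return ES_OK_MODEL;

fault:
    ctxt->fi_vector = X86_TRAP_GP_MODEL;
    ctxt->fi_error_code = 0;
    return ES_EXCEPTION_MODEL;
}

/* Refuse to emulate INS/OUTS from user mode when the linear address of the
 * memory operand lies in kernel space; inject a user #PF instead. */
enum es_result_model vc_insn_string_check_model(struct vc_ctxt_model *ctxt, uint64_t address, bool write)
{
    if (ctxt->user_mode && address >= TASK_SIZE_MAX_MODEL) {
        ctxt->fi_vector = X86_TRAP_PF_MODEL;
        ctxt->fi_error_code = X86_PF_USER_MODEL | (write ? X86_PF_WRITE_MODEL : 0);
        ctxt->fi_cr2 = address;
        return ES_EXCEPTION_MODEL;
    }
    return ES_OK_MODEL;
}
```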
jira VULN-8044
cve-pre CVE-2023-0597
commit-author Andrey Ryabinin <[email protected]>
commit 3f148f3

KASAN maps shadow for the entire CPU-entry-area:
  [CPU_ENTRY_AREA_BASE, CPU_ENTRY_AREA_BASE + CPU_ENTRY_AREA_MAP_SIZE]

This will explode once the per-cpu entry areas are randomized since it
will increase CPU_ENTRY_AREA_MAP_SIZE to 512 GB and KASAN fails to
allocate shadow for such big area.

Fix this by allocating KASAN shadow only for really used cpu entry area
addresses mapped by cea_map_percpu_pages().

Thanks to the 0day folks for finding and reporting this to be an issue.

[ dhansen: tweak changelog since this will get committed before peterz's
	   actual cpu-entry-area randomization ]

	Signed-off-by: Andrey Ryabinin <[email protected]>
	Signed-off-by: Dave Hansen <[email protected]>
	Tested-by: Yujie Liu <[email protected]>
	Cc: kernel test robot <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
(cherry picked from commit 3f148f3)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-8044
cve CVE-2023-0597
commit-author Peter Zijlstra <[email protected]>
commit 97e3d26
upstream-diff Included `linux/prandom.h' in
  `arch/x86/mm/cpu_entry_area.c' directly (compilation fails without it)

Seth found that the CPU-entry-area, the piece of per-cpu data that is
mapped into the userspace page-tables for kPTI, is not subject to any
randomization -- irrespective of kASLR settings.

On x86_64 a whole P4D (512 GB) of virtual address space is reserved for
this structure, which is plenty large enough to randomize things a
little.

As such, use a straightforward randomization scheme that avoids
duplicates to spread the existing CPUs over the available space.

  [ bp: Fix le build. ]

	Reported-by: Seth Jenkins <[email protected]>
	Reviewed-by: Kees Cook <[email protected]>
	Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
	Signed-off-by: Dave Hansen <[email protected]>
	Signed-off-by: Borislav Petkov <[email protected]>
(cherry picked from commit 97e3d26)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-8044
cve-bf CVE-2023-0597
commit-author Sean Christopherson <[email protected]>
commit 80d72a8

Recompute the physical address for each per-CPU page in the CPU entry
area; a recent commit inadvertently modified cea_map_percpu_pages() such
that every PTE is mapped to the physical address of the first page.

Fixes: 9fd429c28073 ("x86/kasan: Map shadow for percpu pages on demand")
	Signed-off-by: Sean Christopherson <[email protected]>
	Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
	Reviewed-by: Andrey Ryabinin <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
(cherry picked from commit 80d72a8)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-8044
cve-bf CVE-2023-0597
commit-author Sean Christopherson <[email protected]>
commit 9765014

Populate a KASAN shadow for the entire possible per-CPU range of the CPU
entry area instead of requiring that each individual chunk map a shadow.
Mapping shadows individually is error prone, e.g. the per-CPU GDT mapping
was left behind, which can lead to not-present page faults during KASAN
validation if the kernel performs a software lookup into the GDT.  The DS
buffer is also likely affected.

The motivation for mapping the per-CPU areas on-demand was to avoid
mapping the entire 512GiB range that's reserved for the CPU entry area,
shaving a few bytes by not creating shadows for potentially unused memory
was not a goal.

The bug is most easily reproduced by doing a sigreturn with a garbage
CS in the sigcontext, e.g.

  #include <signal.h>        /* struct sigcontext */
  #include <string.h>        /* memset() */
  #include <sys/syscall.h>   /* __NR_mmap, __NR_rt_sigreturn */
  #include <unistd.h>        /* syscall() */

  int main(void)
  {
    struct sigcontext regs;

    /* Map the fixed address ranges the reproducer expects
       (0x32 = MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS). */
    syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

    /* Leave a zeroed sigcontext with a garbage CS selector on the stack. */
    memset(&regs, 0, sizeof(regs));
    regs.cs = 0x1d0;
    /* Return through the bogus signal frame; the #GP that follows makes the
       kernel look CS up in the GDT, which is the lookup that faults under KASAN. */
    syscall(__NR_rt_sigreturn);
    return 0;
  }

to coerce the kernel into doing a GDT lookup to compute CS.base when
reading the instruction bytes on the subsequent #GP to determine whether
or not the #GP is something the kernel should handle, e.g. to fixup UMIP
violations or to emulate CLI/STI for IOPL=3 applications.

  BUG: unable to handle page fault for address: fffffbc8379ace00
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 16c03a067 P4D 16c03a067 PUD 15b990067 PMD 15b98f067 PTE 0
  Oops: 0000 [ctrliq#1] PREEMPT SMP KASAN
  CPU: 3 PID: 851 Comm: r2 Not tainted 6.1.0-rc3-next-20221103+ ctrliq#432
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:kasan_check_range+0xdf/0x190
  Call Trace:
   <TASK>
   get_desc+0xb0/0x1d0
   insn_get_seg_base+0x104/0x270
   insn_fetch_from_user+0x66/0x80
   fixup_umip_exception+0xb1/0x530
   exc_general_protection+0x181/0x210
   asm_exc_general_protection+0x22/0x30
  RIP: 0003:0x0
  Code: Unable to access opcode bytes at 0xffffffffffffffd6.
  RSP: 0003:0000000000000000 EFLAGS: 00000202
  RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000000001d0
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
   </TASK>

Fixes: 9fd429c28073 ("x86/kasan: Map shadow for percpu pages on demand")
	Reported-by: [email protected]
	Suggested-by: Andrey Ryabinin <[email protected]>
	Signed-off-by: Sean Christopherson <[email protected]>
	Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
	Reviewed-by: Andrey Ryabinin <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
(cherry picked from commit 9765014)
	Signed-off-by: Marcin Wcisło <[email protected]>
jira VULN-8044
cve-bf CVE-2023-0597
commit-author Michal Koutný <[email protected]>
commit a3f547a

The commit 97e3d26 ("x86/mm: Randomize per-cpu entry area") fixed
an omission of KASLR on CPU entry areas. It doesn't take into account
KASLR switches though, which may result in unintended non-determinism
when a user wants to avoid it (e.g. debugging, benchmarking).

Generate only a single combination of CPU entry areas offsets -- the
linear array that existed prior to randomization when KASLR is turned off.

Since we have 3f148f3 ("x86/kasan: Map shadow for percpu pages on
demand") and followups, we can use the more relaxed guard
kaslr_enabled() (in contrast to kaslr_memory_enabled()).

Fixes: 97e3d26 ("x86/mm: Randomize per-cpu entry area")
	Signed-off-by: Michal Koutný <[email protected]>
	Signed-off-by: Dave Hansen <[email protected]>
	Cc: [email protected]
Link: https://lore.kernel.org/all/20230306193144.24605-1-mkoutny%40suse.com
(cherry picked from commit a3f547a)
	Signed-off-by: Marcin Wcisło <[email protected]>
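As an added illustration (not the kernel's code and not part of the commits above), a user-space C model of how the CVE-2023-0597 series assigns per-CPU entry area offsets: random, duplicate-free slots inside the reserved 512 GB range when KASLR is on (97e3d26), and the old linear layout when it is off (a3f547a). The entry-area size, the PRNG and every name ending in `_model` are assumptions; the kernel draws from its own PRNG and sizes the slots from `sizeof(struct cpu_entry_area)`.

```c
/* Added illustration, not kernel code: a user-space model of how the
 * CVE-2023-0597 fix picks per-CPU entry area offsets.  Random offsets when
 * KASLR is on (97e3d26), the old linear layout when it is off (a3f547a).
 * Sizes are assumptions; names ending in _model are hypothetical. */
#include <stdbool.h>
#include <stdint.h>

/* x86_64 layout as the commits describe it: a whole P4D (512 GB) is reserved,
 * and the first page holds the read-only IDT, so per-CPU areas start one page in. */
#define CEA_MAP_SIZE_MODEL   (1ULL << 39)
#define PAGE_SIZE_MODEL      4096ULL
#define CEA_BASE_MODEL       0xfffffe0000000000ULL   /* CPU_ENTRY_AREA_BASE, 4-level paging */
#define CEA_PER_CPU_MODEL    (CEA_BASE_MODEL + PAGE_SIZE_MODEL)
/* sizeof(struct cpu_entry_area) depends on the config; 256 KiB is a placeholder. */
#define CEA_SIZE_MODEL       (256ULL * 1024)

/* How many distinct slots the reserved range can hold: (MAP_SIZE - PAGE_SIZE) / CEA_SIZE. */
unsigned int cea_max_slots_model(void)
{
    return (unsigned int)((CEA_MAP_SIZE_MODEL - PAGE_SIZE_MODEL) / CEA_SIZE_MODEL);
}

/* Deterministic xorshift32 standing in for prandom_u32_max(): the kernel uses
 * its own PRNG; this one only exists so the model is reproducible. */
static uint32_t rnd_below_model(uint32_t *state, uint32_t ceil)
{
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    *state = x;
    return (uint32_t)(((uint64_t)x * ceil) >> 32);
}

/* Assign one slot per CPU.  With KASLR off the result is the identity map
 * the kernel had before randomization; with it on, draw random slots and
 * redraw on a collision so no two CPUs share an area.  Returns -1 when the
 * request cannot be satisfied (more CPUs than slots, or a dead PRNG seed). */
int init_cea_offsets_model(unsigned int *offsets, unsigned int nr_cpus,
                           unsigned int max_cea, bool kaslr_enabled, uint32_t *rng_state)
{
    if (nr_cpus > max_cea || (kaslr_enabled && *rng_state == 0))
        return -1;

    if (!kaslr_enabled) {
        for (unsigned int i = 0; i < nr_cpus; i++)
            offsets[i] = i;
        return 0;
    }

    for (unsigned int i = 0; i < nr_cpus; i++) {
        unsigned int cea;
again:
        cea = rnd_below_model(rng_state, max_cea);
        /* The commit's duplicate scan over the CPUs assigned so far. */
        for (unsigned int j = 0; j < i; j++) {
            if (offsets[j] == cea)
                goto again;
        }
        offsets[i] = cea;
    }
    return 0;
}

/* Virtual address of a CPU's entry area given its slot, one page past the base. */
uint64_t cea_addr_model(unsigned int offset)
{
    return CEA_PER_CPU_MODEL + (uint64_t)offset * CEA_SIZE_MODEL;
}

/* The property the randomization relies on: every offset in range, none repeated. */
bool cea_offsets_valid_model(const unsigned int *offsets, unsigned int nr_cpus, unsigned int max_cea)
{
    for (unsigned int i = 0; i < nr_cpus; i++) {
        if (offsets[i] >= max_cea)
            return false;
        for (unsigned int j = 0; j < i; j++)
            if (offsets[j] == offsets[i])
                return false;
    }
    return true;
}

/* The KASLR-off layout: CPU i sits in slot i, exactly as before randomization. */
bool cea_offsets_linear_model(const unsigned int *offsets, unsigned int nr_cpus)
{
    for (unsigned int i = 0; i < nr_cpus; i++)
        if (offsets[i] != i)
            return false;
    return true;
}
```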
@bmastbergen bmastbergen requested a review from a team October 10, 2025 14:34