CVE-2024-26989: Linux kernel arm64 hibernate vulnerability - Fix level 3 translation fault in swsusp_save()

The Linux kernel has addressed a vulnerability, specifically in the arm64 machines, related to hibernation. The issue is rooted in the swsusp_save() function, as it could cause faults if it attempts to access MEMBLOCK_NOMAP memory ranges. The problem was noticed when using QEMU with UEFI when booting with certain settings (rodata=off debug_pagealloc=off and CONFIG_KFENCE=n). This would then result in the kernel paging request being unable to handle the virtual address at ffffff800000000, leading to an internal error.

To better understand the issue, the code snippet below provides a description of the problem

swsusp_save+x280/x538
swsusp_arch_suspend+x148/x190
hibernation_snapshot+x240/x39c
hibernate+xc4/x378
state_store+xf/x10c
kobj_attr_store+x14/x24

This vulnerability was introduced in the Linux kernel by changes to the pfn_valid() logic in commit a7d9f306ba70 ("arm64: drop pfn_valid_within() and simplify pfn_valid()").

The solution to this problem is to drop the !can_set_direct_map() check in kernel_page_present() so that page_is_savable() skips such pages. This fix is similar to the solutions adopted in other architectures.

For more information on the original references and the corresponding source version, refer to the following links:

1. Linux kernel Git repository

2. ARM Community

In conclusion, this Linux kernel vulnerability, CVE-2024-26989, has been resolved by modifying the kernel_page_present() function to ensure that pages from MEMBLOCK_NOMAP memory ranges are not accessed during hibernation, ultimately fixing the level 3 translation fault in swsusp_save().

Timeline

Published on: 05/01/2024 06:15:16 UTC
Last modified on: 05/29/2024 05:26:30 UTC