The Linux kernel has fixed a vulnerability (CVE-2024-36926) in powerpc/pseries/iommu that caused an LPAR to panic during boot when a PE (partitionable endpoint) was frozen.
The partition firmware provides the ibm,dma-window Open Firmware property for the PE at the time of LPAR boot up. The property is offered on the PCI bus the PE is attached to.
However, the partition firmware does not always supply this property during LPAR boot. This happens when the firmware has frozen the PE because of an error condition; a frozen PE stays frozen for 24 hours or until the whole system is reinitialized.
If the LPAR boots within that window, the frozen PE is still presented to the LPAR, but its ibm,dma-window property may be absent. The kernel then oopses with a NULL pointer dereference while configuring the PCI bus the PE is attached to.
The vulnerability triggers the following kernel NULL pointer dereference on read:
BUG: Kernel NULL pointer dereference on read at x000000c8
Faulting instruction address: xc0000000001024c
Oops: Kernel access of bad area, sig: 7 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
Modules linked in:
Supported: Yes
CPU: PID: 1 Comm: swapper/ Not tainted 6.4.-150600.9-default #1
Hardware name: IBM,9043-MRX POWER10 (raw) x800200 xf000006 of:IBM,FW106.00 (NM106_023) hv:phyp pSeries
NIP: c0000000001024c LR: c0000000001024b CTR: c000000000102450
REGS: c0000000037db5c TRAP: 030 Not tainted (6.4.-150600.9-default)
MSR: 8000000002009033 <SF,VEC,EE,ME,IR, DR, RI, LE> CR: 28000822 XER: 00000000
CFAR: c00000000010254c DAR: 00000000000000c8 DSISR: 00080000 IRQMASK:
...
NIP [c0000000001024c] pci_dma_bus_setup_pSeriesLP+x70/x2a
LR [c0000000001024b] pci_dma_bus_setup_pSeriesLP+x60/x2a
Call Trace:
pci_dma_bus_setup_pSeriesLP+x60/x2a (unreliable)
pcibios_setup_bus_self+x1c/x370
__of_scan_bus+x2f8/x330
pcibios_scan_phb+x280/x3d
pcibios_init+x88/x12c
do_one_initcall+x60/x320
kernel_init_freeable+x344/x3e4
kernel_init+x34/x1d
ret_from_kernel_user_thread+x14/x1c
With the fix applied, the kernel tolerates a missing ibm,dma-window property at LPAR boot and no longer panics on a frozen PE.
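To show the failure mode and the guard that the fix introduces, here is an added example that is not kernel code: a constructed, simplified model of the device-tree lookup that pci_dma_bus_setup_pSeriesLP performs. The node layout, the 5-cell property format (liobn, 2 address cells, 2 size cells), the node names and the function names are all assumptions of this model; the sample tree is constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the lookup behind CVE-2024-36926; not kernel code.
 * A node may carry an ibm,dma-window property stored as in the device tree:
 * big-endian 32-bit cells, assumed here to be liobn(1) + address(2) + size(2). */
struct dt_node {
    const char *name;
    const struct dt_node *parent;
    const uint8_t *dma_window;   /* raw property bytes, or NULL when absent */
    size_t dma_window_len;
};

struct dma_window { uint64_t liobn, offset, size; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk towards the root until a node carrying ibm,dma-window is found; NULL if none. */
static const struct dt_node *find_dma_window(const struct dt_node *dn)
{
    for (; dn; dn = dn->parent)
        if (dn->dma_window)
            return dn;
    return NULL;
}

/* Hardened bus setup: 0 on success, -1 when no window exists for this bus.
 * An unguarded version would use the NULL lookup result directly, which is
 * the boot-time oops described above. */
int setup_dma_window(const struct dt_node *bus, struct dma_window *out)
{
    const struct dt_node *pdn = find_dma_window(bus);
    if (!pdn || pdn->dma_window_len < 20)   /* missing or malformed: skip the PE */
        return -1;
    const uint8_t *p = pdn->dma_window;
    out->liobn  = be32(p);
    out->offset = ((uint64_t)be32(p + 4) << 32) | be32(p + 8);
    out->size   = ((uint64_t)be32(p + 12) << 32) | be32(p + 16);
    return 0;
}

/* Constructed sample tree: one PHB with a window (liobn 0x80000001, offset 0,
 * size 1 GiB) and one PHB where firmware supplied no window (frozen PE case). */
static const uint8_t phb_window[20] = {
    0x80,0x00,0x00,0x01, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x40,0x00,0x00,0x00 };
const struct dt_node phb_ok     = { "pci@800000020000000", NULL, phb_window, sizeof phb_window };
const struct dt_node phb_frozen = { "pci@800000020000001", NULL, NULL, 0 };
const struct dt_node healthy_pe = { "pci@0", &phb_ok, NULL, 0 };     /* inherits the PHB window */
const struct dt_node frozen_pe  = { "pci@0", &phb_frozen, NULL, 0 }; /* no window anywhere */
```

Calling setup_dma_window on healthy_pe yields the parsed window; on frozen_pe it returns -1 and the bus is skipped instead of dereferencing NULL.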
For more information on this vulnerability and its resolution, consult the Linux kernel documentation and the powerpc/pseries/iommu sources.
Keep your kernel up to date so that the fix is in place.
Timeline
Published on: 05/30/2024 16:15:15 UTC
Last modified on: 07/03/2024 02:03:51 UTC