Description
In the Linux kernel, the following vulnerability has been resolved: ima: verify the previous kernel's IMA buffer lies in addressable RAM Patch series "Address page fault in ima_restore_measurement_list()", v3. When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>" we observe a pafe fault that happens. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) not-present page This happens on x86_64 only, as this is already fixed in aarch64 in commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") This patch (of 3): When the second-stage kernel is booted with a limiting command line (e.g. "mem=<size>"), the IMA measurement buffer handed over from the previous kernel may fall outside the addressable RAM of the new kernel. Accessing such a buffer can fault during early restore. Introduce a small generic helper, ima_validate_range(), which verifies that a physical [start, end] range for the previous-kernel IMA buffer lies within addressable memory: - On x86, use pfn_range_is_mapped(). - On OF based architectures, use page_is_ram().
Product status
b69a2afd5afce9bf6d56e349d6ab592c916e20f2 (git) before f11d7d088f5ed54b31c6735854c12845eb60eb4a
b69a2afd5afce9bf6d56e349d6ab592c916e20f2 (git) before 9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa
b69a2afd5afce9bf6d56e349d6ab592c916e20f2 (git) before 5366ec7d2f793ce703c403d7fd4c25a3db365b9d
b69a2afd5afce9bf6d56e349d6ab592c916e20f2 (git) before 10d1c75ed4382a8e79874379caa2ead8952734f9
6.0
Any version before 6.0
6.12.77 (semver)
6.18.16 (semver)
6.19.6 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/f11d7d088f5ed54b31c6735854c12845eb60eb4a
git.kernel.org/...c/9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa
git.kernel.org/...c/5366ec7d2f793ce703c403d7fd4c25a3db365b9d
git.kernel.org/...c/10d1c75ed4382a8e79874379caa2ead8952734f9