** Tags added: kernel-daily-bug
https://bugs.launchpad.net/bugs/2146472
Title:
Fix potential page fault caused by sha256 calculation
Status in linux package in Ubuntu:
New
Bug description:
SRU Justification:
[Impact]
Calculating the SHA-256 of a buffer whose size is larger than 2GB and
not divisible by 64 leads to a page fault.
More specifically, this was seen in the firmware loader on Ubuntu
24.04.4 LTS, where CONFIG_FW_LOADER_DEBUG is enabled. Loading a
firmware file that is 3619035928 bytes fails with the following splat:
[1667258.914177] BUG: unable to handle page fault for address: ffffb731b3fbcd40
[1667258.914188] #PF: supervisor read access in kernel mode
[1667258.914193] #PF: error_code(0x0000) - not-present page
[1667258.914198] PGD 100000067 P4D 100000067 PUD 1002d4067 PMD 529eec067 PTE 0
[1667258.914208] Oops: 0000 [#3] PREEMPT SMP PTI
[1667258.914214] CPU: 11 PID: 1252644 Comm: kworker/11:1 Tainted: P D W OE 6.8.0-62-generic #65-Ubuntu
[1667258.914223] Hardware name: Wiwynn Twin Lakes MP/Twin Lakes Passive MP, BIOS YMGPE07 12/23/2019
[1667258.914229] Workqueue: events sahara_processing [qaic]
[1667258.914257] RIP: 0010:memcpy_orig+0x105/0x130
[1667258.914267] Code: 0f 1f 44 00 00 83 fa 04 72 1b 8b 0e 44 8b 44 16 fc 89 0f 44 89 44 17 fc c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 83 ea 01 72 19 <0f> b6 0e 74 12 4c 0f b6 46 01 4c 0f b6 0c 16 44 88 47 01 44 88 0c
[1667258.914278] RSP: 0018:ffffb731a3c57c78 EFLAGS: 00010202
[1667258.914284] RAX: ffffa0ac564f41b0 RBX: ffffa0ac564f41b0 RCX: 00000000d7af7212
[1667258.914290] RDX: 0000000000000001 RSI: ffffb731b3fbcd40 RDI: ffffa0ac564f41b0
[1667258.914295] RBP: ffffb731a3c57ca8 R08: 000000005ab6c582 R09: 0000000072a12f7b
[1667258.914301] R10: 0000000064f65b73 R11: 000000001cb47ae9 R12: ffffffff93d71d40
[1667258.914306] R13: ffffb731b3fbcd40 R14: 0000000000000002 R15: ffffb7322024b000
[1667258.914311] FS: 0000000000000000(0000) GS:ffffa0bb7f580000(0000) knlGS:0000000000000000
[1667258.914318] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1667258.914323] CR2: ffffb731b3fbcd40 CR3: 0000000b09e3c005 CR4: 00000000007706f0
[1667258.914329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[1667258.914334] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[1667258.914339] PKRU: 55555554
[1667258.914342] Call Trace:
[1667258.914346] <TASK>
[1667258.914350] ? show_regs+0x6d/0x80
[1667258.914358] ? __die+0x24/0x80
[1667258.914364] ? page_fault_oops+0x99/0x1b0
[1667258.914372] ? kernelmode_fixup_or_oops.isra.0+0x69/0x90
[1667258.914380] ? __bad_area_nosemaphore+0x19e/0x2c0
[1667258.914388] ? bad_area_nosemaphore+0x16/0x30
[1667258.914394] ? do_kern_addr_fault+0x7b/0xa0
[1667258.914400] ? exc_page_fault+0x1a4/0x1b0
[1667258.914407] ? asm_exc_page_fault+0x27/0x30
[1667258.914417] ? memcpy_orig+0x105/0x130
[1667258.914425] ? lib_sha256_base_do_update.isra.0+0x5d/0x1d0 [sha256_ssse3]
[1667258.914433] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
[1667258.914440] sha256_finup+0xf5/0x150 [sha256_ssse3]
[1667258.914447] sha256_avx2_digest+0x55/0x70 [sha256_ssse3]
[1667258.914453] crypto_shash_digest+0x2a/0x60
[1667258.914460] fw_log_firmware_info+0x113/0x1b0
[1667258.914469] _request_firmware+0x19d/0x4b0
[1667258.914476] firmware_request_nowarn+0x36/0x60
[1667258.914482] sahara_processing+0x399/0x710 [qaic]
[1667258.914501] process_one_work+0x181/0x3a0
[1667258.914508] worker_thread+0x306/0x440
[1667258.914514] ? _raw_spin_lock_irqsave+0xe/0x20
[1667258.914521] ? __pfx_worker_thread+0x10/0x10
[1667258.914526] kthread+0xef/0x120
[1667258.914533] ? __pfx_kthread+0x10/0x10
[1667258.914540] ret_from_fork+0x44/0x70
[1667258.914546] ? __pfx_kthread+0x10/0x10
[1667258.914552] ret_from_fork_asm+0x1b/0x30
[1667258.914561] </TASK>
[1667258.914564] Modules linked in: tls nfsv3 rpcsec_gss_krb5 nfsv4 nfs netfs snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore qrtr_mhi(OE) qrtr(OE) xt_conntrack xt_MASQUERADE bridge stp llc xt_set ip_set nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_addrtype nft_compat nf_tables xfrm_user xfrm_algo openafs(POE-) overlay cfg80211 binfmt_misc nls_iso8859_1 intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common isst_if_common skx_edac skx_edac_common nfit x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm cmdlinepart spi_nor irqbypass mtd qaic(OE) mei_me rapl intel_cstate i2c_i801 mhi(OE) spi_intel_pci mei switchtec(OE) ioatdma spi_intel i2c_smbus intel_pch_thermal dca ipmi_si acpi_power_meter acpi_ipmi ipmi_devintf ipmi_msghandler acpi_pad mac_hid sch_fq_codel dm_multipath nfsd msr parport_pc auth_rpcgss nfs_acl lockd ppdev grace lp parport sunrpc efi_pstore nfnetlink dmi_sysfs
[1667258.914665] ip_tables x_tables autofs4 btrfs blake2b_generic xor raid6_pq libcrc32c dm_mirror dm_region_hash dm_log crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic nvme ghash_clmulni_intel sha256_ssse3 bnxt_en sha1_ssse3 nvme_core xhci_pci nvme_auth xhci_pci_renesas wmi aesni_intel crypto_simd cryptd
[1667258.914741] CR2: ffffb731b3fbcd40
[1667258.914746] ---[ end trace 0000000000000000 ]---
[Fix]
Cherry-pick upstream commit:
70165dc3ec8c ("crypto: sha256 - fix crash at kexec")
[Test Plan]
* An x86_64 system with Ubuntu 24.04.4 LTS, Linux 6.8.0-101-generic x86_64 and Qualcomm AIC100 PCIe card installed
* Create a dummy file whose size is larger than 2GB and not divisible by 64, compress it using zstd, then use it to replace any of the firmware files in /lib/firmware/qcom/aic100/
* Reset the AIC100 device to force reloading the firmware files by writing 1 to /sys/bus/mhi/devices/mhi0/soc_reset
[Where Problems Could Occur]
Any <v6.16 kernel entity that makes use of sha256_update()
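Why both conditions in [Impact] matter, shown as an added example that is not part of the bug report or the kernel source: a user-space C model which assumes the update path computes the whole-block byte offset in signed 32-bit arithmetic (the report itself does not state the cause). The names split_narrow, split_wide and tail_out_of_bounds are hypothetical; the only value taken from the report is the firmware size.

```c
/* Added example: a user-space model of the arithmetic, not kernel code. */
#include <stdint.h>
#include <stdio.h>

#define BLOCK 64u  /* SHA-256 block size in bytes */

struct split {
    int64_t  tail_off;  /* offset, from the buffer start, of the leftover tail */
    uint32_t tail_len;  /* bytes left over after the whole blocks */
};

/* Reinterpret the low 32 bits of v as signed, without signed-overflow UB. */
static int64_t wrap_s32(uint64_t v)
{
    uint32_t lo = (uint32_t)v;
    return lo >= 0x80000000u ? (int64_t)lo - 0x100000000LL : (int64_t)lo;
}

/* ASSUMPTION: block count and byte offset are computed in signed 32-bit. */
static struct split split_narrow(uint32_t len)
{
    struct split s = { wrap_s32((uint64_t)(len / BLOCK) * BLOCK), len % BLOCK };
    return s;
}

/* Same split with 64-bit arithmetic: the offset cannot wrap. */
static struct split split_wide(uint64_t len)
{
    struct split s = { (int64_t)(len / BLOCK * BLOCK), (uint32_t)(len % BLOCK) };
    return s;
}

/* The tail copy only happens when tail_len != 0; check it stays in [0, len). */
static int tail_out_of_bounds(struct split s, uint64_t len)
{
    if (s.tail_len == 0)
        return 0;
    return s.tail_off < 0 || (uint64_t)s.tail_off + s.tail_len > len;
}

int main(void)
{
    const uint32_t fw = 3619035928u;  /* firmware size from the report */
    struct split n = split_narrow(fw), w = split_wide(fw);
    printf("narrow: off=%lld len=%u oob=%d\n", (long long)n.tail_off, n.tail_len, tail_out_of_bounds(n, fw));
    printf("wide:   off=%lld len=%u oob=%d\n", (long long)w.tail_off, w.tail_len, tail_out_of_bounds(w, fw));
    return 0;
}
```

Under this model a size above 2GB that is a multiple of 64 leaves no tail to copy, so the wrapped offset is never dereferenced, which is consistent with the "not divisible by 64" condition in the report.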