gsd-2024-26768
Vulnerability from gsd
Modified
2024-02-20 06:02
Details
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC] With default config, the value of NR_CPUS is 64. When HW platform has more then 64 cpus, system will crash on these platforms. MAX_CORE_PIC is the maximum cpu number in MADT table (max physical number) which can exceed the supported maximum cpu number (NR_CPUS, max logical number), but kernel should not crash. Kernel should boot cpus with NR_CPUS, let the remainder cpus stay in BIOS. The potential crash reason is that the array acpi_core_pic[NR_CPUS] can be overflowed when parsing MADT table, and it is obvious that CORE_PIC should be corresponding to physical core rather than logical core, so it is better to define the array as acpi_core_pic[MAX_CORE_PIC]. With the patch, system can boot up 64 vcpus with qemu parameter -smp 128, otherwise system will crash with the following message. [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192 [ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022 [ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60 [ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8 [ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005 [ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001 [ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063 [ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98 [ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90 [ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330 [ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250 [ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94 [ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) [ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE) [ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE) [ 0.000000] ECFG: 00070800 (LIE=11 VS=7) [ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) [ 0.000000] BADV: 0000420000004259 [ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000) [ 0.000000] Modules linked in: [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____)) [ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec [ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60 [ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000 [ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c [ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08 [ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018 [ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000 [ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000 [ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94 [ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250 [ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c [ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670 [ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc
Aliases


To clipboard 

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-26768"
      ],
      "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[    0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[    0.000000] Oops[#1]:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[    0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[    0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[    0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[    0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[    0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[    0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[    0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[    0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[    0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[    0.000000]    ra: 90000000037a46ec platform_init+0x214/0x250\n[    0.000000]   ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[    0.000000]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[    0.000000]  PRMD: 00000000 (PPLV0 -PIE -PWE)\n[    0.000000]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[    0.000000]  ECFG: 00070800 (LIE=11 VS=7)\n[    0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[    0.000000]  BADV: 0000420000004259\n[    0.000000]  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[    0.000000] Modules linked in:\n[    0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[    0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[    0.000000]         000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[    0.000000]         0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[    0.000000]         000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[    0.000000]         9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[    0.000000]         000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[    0.000000]         9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[    0.000000]         000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[    0.000000]         0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[    0.000000]         000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[    0.000000]         ...\n[    0.000000] Call Trace:\n[    0.000000] [\u003c90000000037a5f0c\u003e] efi_runtime_init+0x30/0x94\n[    0.000000] [\u003c90000000037a46ec\u003e] platform_init+0x214/0x250\n[    0.000000] [\u003c90000000037a484c\u003e] setup_arch+0x124/0x45c\n[    0.000000] [\u003c90000000037a0790\u003e] start_kernel+0x90/0x670\n[    0.000000] [\u003c900000000378b0d8\u003e] kernel_entry+0xd8/0xdc",
      "id": "GSD-2024-26768",
      "modified": "2024-02-20T06:02:29.220009Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@kernel.org",
        "ID": "CVE-2024-26768",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Linux",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1da177e4c3f4",
                          "version_value": "88e189bd16e5"
                        },
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "affected",
                            "versions": [
                              {
                                "lessThanOrEqual": "6.6.*",
                                "status": "unaffected",
                                "version": "6.6.19",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "6.7.*",
                                "status": "unaffected",
                                "version": "6.7.7",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "*",
                                "status": "unaffected",
                                "version": "6.8",
                                "versionType": "original_commit_for_fix"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Linux"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[    0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[    0.000000] Oops[#1]:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[    0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[    0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[    0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[    0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[    0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[    0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[    0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[    0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[    0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[    0.000000]    ra: 90000000037a46ec platform_init+0x214/0x250\n[    0.000000]   ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[    0.000000]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[    0.000000]  PRMD: 00000000 (PPLV0 -PIE -PWE)\n[    0.000000]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[    0.000000]  ECFG: 00070800 (LIE=11 VS=7)\n[    0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[    0.000000]  BADV: 0000420000004259\n[    0.000000]  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[    0.000000] Modules linked in:\n[    0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[    0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[    0.000000]         000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[    0.000000]         0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[    0.000000]         000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[    0.000000]         9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[    0.000000]         000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[    0.000000]         9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[    0.000000]         000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[    0.000000]         0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[    0.000000]         000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[    0.000000]         ...\n[    0.000000] Call Trace:\n[    0.000000] [\u003c90000000037a5f0c\u003e] efi_runtime_init+0x30/0x94\n[    0.000000] [\u003c90000000037a46ec\u003e] platform_init+0x214/0x250\n[    0.000000] [\u003c90000000037a484c\u003e] setup_arch+0x124/0x45c\n[    0.000000] [\u003c90000000037a0790\u003e] start_kernel+0x90/0x670\n[    0.000000] [\u003c900000000378b0d8\u003e] kernel_entry+0xd8/0xdc"
          }
        ]
      },
      "generator": {
        "engine": "bippy-d3b290d2becc"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280"
          },
          {
            "name": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd"
          },
          {
            "name": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe",
            "refsource": "MISC",
            "url": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[    0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[    0.000000] Oops[#1]:\n[    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[    0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[    0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[    0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[    0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[    0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[    0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[    0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[    0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[    0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[    0.000000]    ra: 90000000037a46ec platform_init+0x214/0x250\n[    0.000000]   ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[    0.000000]  CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[    0.000000]  PRMD: 00000000 (PPLV0 -PIE -PWE)\n[    0.000000]  EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[    0.000000]  ECFG: 00070800 (LIE=11 VS=7)\n[    0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[    0.000000]  BADV: 0000420000004259\n[    0.000000]  PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[    0.000000] Modules linked in:\n[    0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[    0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[    0.000000]         000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[    0.000000]         0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[    0.000000]         000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[    0.000000]         9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[    0.000000]         000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[    0.000000]         9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[    0.000000]         000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[    0.000000]         0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[    0.000000]         000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[    0.000000]         ...\n[    0.000000] Call Trace:\n[    0.000000] [\u003c90000000037a5f0c\u003e] efi_runtime_init+0x30/0x94\n[    0.000000] [\u003c90000000037a46ec\u003e] platform_init+0x214/0x250\n[    0.000000] [\u003c90000000037a484c\u003e] setup_arch+0x124/0x45c\n[    0.000000] [\u003c90000000037a0790\u003e] start_kernel+0x90/0x670\n[    0.000000] [\u003c900000000378b0d8\u003e] kernel_entry+0xd8/0xdc"
          }
        ],
        "id": "CVE-2024-26768",
        "lastModified": "2024-04-03T17:24:18.150",
        "metrics": {},
        "published": "2024-04-03T17:15:52.800",
        "references": [
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe"
          },
          {
            "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            "url": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280"
          }
        ],
        "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "vulnStatus": "Awaiting Analysis"
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.