CVE-2023-53169

Summary

In the Linux kernel, the following vulnerability has been resolved:

x86/resctrl: Clear staged_config[] before and after it is used

As a temporary storage, staged_config[] in rdt_domain should be cleared before and after it is used. The stale value in staged_config[] could cause an MSR access error.

Here is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3 Cache (MBA should be disabled if the number of CLOSIDs for MB is less than 16.) : mount -t resctrl resctrl -o cdp /sys/fs/resctrl mkdir /sys/fs/resctrl/p{1..7} umount /sys/fs/resctrl/ mount -t resctrl resctrl /sys/fs/resctrl mkdir /sys/fs/resctrl/p{1..8}

An error occurs when creating resource group named p8: unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60) Call Trace: <IRQ> __flush_smp_call_function_queue+0x11d/0x170 __sysvec_call_function+0x24/0xd0 sysvec_call_function+0x89/0xc0 </IRQ> <TASK> asm_sysvec_call_function+0x16/0x20

When creating a new resource control group, hardware will be configured by the following process: rdtgroup_mkdir() rdtgroup_mkdir_ctrl_mon() rdtgroup_init_alloc() resctrl_arch_update_domains()

resctrl_arch_update_domains() iterates and updates all resctrl_conf_type whose have_new_ctrl is true. Since staged_config[] holds the same values as when CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA configurations. When group p8 is created, get_config_index() called in resctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for CDP_CODE and CDP_DATA, which will be translated to an invalid register - 0xca0 in this scenario.

Fix it by clearing staged_config[] before and after it is used.

[reinette: re-order commit tags]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux75408e43509ed6207870c0e7e28656acbbc1f7fd < 86db319d25db70cf4af4557e05f6fa6f39c70003affected
LinuxLinux75408e43509ed6207870c0e7e28656acbbc1f7fd < 3fc5941ecc31a495b6b84b465f36155009db99b5affected
LinuxLinux75408e43509ed6207870c0e7e28656acbbc1f7fd < 8ecc60ef9318f0d533b866fa421858cc185bccfcaffected
LinuxLinux75408e43509ed6207870c0e7e28656acbbc1f7fd < 0424a7dfe9129b93f29b277511a60e87f052ac6baffected
LinuxLinux5.15affected
LinuxLinux0 < 5.15unaffected
LinuxLinux5.15.104 <= 5.15.*unaffected
LinuxLinux6.1.21 <= 6.1.*unaffected
LinuxLinux6.2.8 <= 6.2.*unaffected
LinuxLinux6.3 <= *unaffected

Weaknesses

References