{
  "threat_severity" : "Moderate",
  "public_date" : "2024-04-02T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD",
    "id" : "2272800",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2272800"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1300",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\narm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\nCurrently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't\nquite right, as it is supposed to be applied after the last explicit\nmemory access, but is immediately followed by an LDR.\nThe ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to\nhandle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,\nwhich are described in:\n* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en\n* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en\nIn both cases the workaround is described as:\n| If pagetable isolation is disabled, the context switch logic in the\n| kernel can be updated to execute the following sequence on affected\n| cores before exiting to EL0, and after all explicit memory accesses:\n|\n| 1. A non-shareable TLBI to any context and/or address, including\n|    unused contexts or addresses, such as a `TLBI VALE1 Xzr`.\n|\n| 2. A DSB NSH to guarantee completion of the TLBI.\nThe important part being that the TLBI+DSB must be placed \"after all\nexplicit memory accesses\".\nUnfortunately, as-implemented, the TLBI+DSB is immediately followed by\nan LDR, as we have:\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| tlbi vale1, xzr\n| dsb nsh\n| alternative_else_nop_endif\n| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0\n| ldr lr, [sp, #S_LR]\n| add sp, sp, #PT_REGS_SIZE // restore sp\n| eret\n| alternative_else_nop_endif\n|\n| [ ... KPTI exception return path ... ]\nThis patch fixes this by reworking the logic to place the TLBI+DSB\nimmediately before the ERET, after all explicit memory accesses.\nThe ERET is currently in a separate alternative block, and alternatives\ncannot be nested. To account for this, the alternative block for\nARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch\nto skip the KPTI logic, with the new shape of the logic being:\n| alternative_insn \"b .L_skip_tramp_exit_\\@\", nop, ARM64_UNMAP_KERNEL_AT_EL0\n| [ ... KPTI exception return path ... ]\n| .L_skip_tramp_exit_\\@:\n|\n| ldr lr, [sp, #S_LR]\n| add sp, sp, #PT_REGS_SIZE // restore sp\n|\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| tlbi vale1, xzr\n| dsb nsh\n| alternative_else_nop_endif\n| eret\nThe new structure means that the workaround is only applied when KPTI is\nnot in use; this is fine as noted in the documented implications of the\nerratum:\n| Pagetable isolation between EL0 and higher level ELs prevents the\n| issue from occurring.\n... and as per the workaround description quoted above, the workaround\nis only necessary \"If pagetable isolation is disabled\".", "A vulnerability was found in the Linux kernel. This issue occurs due to the incorrect placement of the TLBI and DSB instructions, which are not placed after all explicit memory accesses, creating the potential for speculative unprivileged loads." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9315",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.11.1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26670\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26670\nhttps://lore.kernel.org/linux-cve-announce/2024040238-CVE-2024-26670-ecbd@gregkh/T" ],
  "name" : "CVE-2024-26670",
  "csaw" : false
}