PAN is broken for execute-only user mappings on ARMv8
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Tyler Hicks |
Bionic | Fix Released | High | Tyler Hicks |
Disco | Fix Released | High | Tyler Hicks |
Eoan | Fix Released | High | Tyler Hicks |
Focal | Fix Released | High | Tyler Hicks |
Bug Description
[Impact]
It was discovered that upstream kernel commit cab15ce604e5 ("arm64: Introduce execute-only page access permissions"), which introduced execute-only user mappings, subverted the Privileged Access Never protections.
The fix is to effectively revert commit cab15ce604e5. This is done in upstream kernel commit 24cecc377463 ("arm64: Revert support for execute-only user mappings").
[Test Case]
I'm not aware of any PAN test cases. Booting our arm64 kernels on an ARMv8 device and running through our typical regression tests is probably the best we can do at this time.
[Regression Potential]
Touching the page handling code always carries significant risk. However, the fix is simply reverting the change that added the execute-only user mappings feature in v4.9.
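As an added example (not part of this bug report or of the kernel patch), the C probe below observes whether a kernel still offers execute-only user mappings, the feature the fix removes; it does not exercise PAN itself. It assumes that once the revert is applied a PROT_EXEC-only page becomes readable from user space on arm64 (other architectures may behave differently), and `probe_read` is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);          /* unwind out of the faulting load */
}

/* Hypothetical helper: 1 = page readable under `prot`, 0 = the load
 * faulted, -1 = setup (mmap/mprotect) failed. */
int probe_read(int prot)
{
    long len = sysconf(_SC_PAGESIZE);
    struct sigaction sa = {0}, old;
    int result = -1;

    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    p[0] = 0xA5;                       /* populate the page before restricting it */

    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (mprotect(p, len, prot) == 0) {
        if (sigsetjmp(fault_env, 1) == 0)
            result = (*(volatile unsigned char *)p == 0xA5);
        else
            result = 0;                /* the load raised SIGSEGV */
    }
    sigaction(SIGSEGV, &old, NULL);    /* restore the previous handler */
    munmap(p, len);
    return result;
}

int main(void)
{
    int r = probe_read(PROT_EXEC);     /* request an execute-only mapping */
    printf("PROT_EXEC-only page: %s\n",
           r == 1 ? "readable (no execute-only user mappings)" :
           r == 0 ? "read faulted (execute-only user mappings in effect)" :
                    "probe failed");
    return r < 0;
}
```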
CVE References
Changed in linux (Ubuntu Eoan):
status: New → Triaged
Changed in linux (Ubuntu Disco):
status: New → Triaged
Changed in linux (Ubuntu Bionic):
status: New → Triaged
Changed in linux (Ubuntu Eoan):
importance: Undecided → High
Changed in linux (Ubuntu Disco):
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
status: Triaged → In Progress
Changed in linux (Ubuntu Disco):
status: Triaged → In Progress
Changed in linux (Ubuntu Eoan):
status: Triaged → In Progress
Changed in linux (Ubuntu Focal):
status: Triaged → In Progress
Changed in linux (Ubuntu Disco):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Eoan):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Focal):
assignee: nobody → Tyler Hicks (tyhicks)
description: updated
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!