*** This bug is a security vulnerability ***
Public security bug reported:
[Impact]
It was discovered that upstream kernel commit cab15ce604e5 ("arm64:
Introduce execute-only page access permissions"), which introduced
execute-only user mappings, subverted the Privileged Access Never
protections.
The fix is to effectively revert commit cab15ce604e5. This is done in
upstream kernel commit 24cecc377463 ("arm64: Revert support for execute-
only user mappings").
[Test Case]
I'm not aware of any PAN test cases. Booting our arm64 kernels on an
ARMv8 device and running through our typical regression tests are
probably the best we can do at this time.
[Regression Potential]
Touching the page handling code always carries significant risk.
However, the fix is simply reverting the change that added the execute-
only user mappings feature in v4.9.
** Affects: linux (Ubuntu)
Importance: High
Status: Triaged
** Affects: linux (Ubuntu Bionic)
Importance: High
Status: Triaged
** Affects: linux (Ubuntu Disco)
Importance: High
Status: Triaged
** Affects: linux (Ubuntu Eoan)
Importance: High
Status: Triaged
** Affects: linux (Ubuntu Focal)
Importance: High
Status: Triaged
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Focal)
Importance: High
Status: Triaged
** Also affects: linux (Ubuntu Eoan)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Eoan)
Status: New => Triaged
** Changed in: linux (Ubuntu Disco)
Status: New => Triaged
** Changed in: linux (Ubuntu Bionic)
Status: New => Triaged
** Changed in: linux (Ubuntu Eoan)
Importance: Undecided => High
** Changed in: linux (Ubuntu Disco)
Importance: Undecided => High
** Changed in: linux (Ubuntu Bionic)
Importance: Undecided => High
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1858815
Title:
PAN is broken for execute-only user mappings on ARMv8
Status in linux package in Ubuntu:
Triaged
Status in linux source package in Bionic:
Triaged
Status in linux source package in Disco:
Triaged
Status in linux source package in Eoan:
Triaged
Status in linux source package in Focal:
Triaged
Bug description:
[Impact]
It was discovered that upstream kernel commit cab15ce604e5 ("arm64:
Introduce execute-only page access permissions"), which introduced
execute-only user mappings, subverted the Privileged Access Never
protections.
The fix is to effectively revert commit cab15ce604e5. This is done in
upstream kernel commit 24cecc377463 ("arm64: Revert support for
execute-only user mappings").
[Test Case]
I'm not aware of any PAN test cases. Booting our arm64 kernels on an
ARMv8 device and running through our typical regression tests are
probably the best we can do at this time.
[Regression Potential]
Touching the page handling code always carries significant risk.
However, the fix is simply reverting the change that added the
execute-only user mappings feature in v4.9.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1858815/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
