Headline
CVE-2021-22566
An incorrect setting of UXN bits within mmu_flags_to_s1_pte_attr lead to privileged executable pages being mapped as executable from an unprivileged context. This can be leveraged by an attacker to bypass executability restrictions of kernel-mode pages from user-mode. An incorrect setting of PXN bits within mmu_flags_to_s1_pte_attr lead to unprivileged executable pages being mapped as executable from a privileged context. This can be leveraged by an attacker to bypass executability restrictions of user-mode pages from kernel-mode. Typically this allows a potential attacker to circumvent a mitigation, making exploitation of potential kernel-mode vulnerabilities easier. We recommend updating kernel beyond commit 7d731b4e9599088ac3073956933559da7bca6a00 and rebuilding.
)]}’ { "commit": "7d731b4e9599088ac3073956933559da7bca6a00", "tree": "22482985c7dac6dfd52e418d423880cad15437d9", "parents": [ “85cf47932359ea76deef555e5ee0c79422c5ae98” ], "author": { "name": "Travis Geiselbrecht", "email": "[email protected]", "time": “Tue Dec 07 03:27:16 2021 +0000” }, "committer": { "name": "Commit Bot", "email": "[email protected]", "time": “Tue Dec 07 03:27:16 2021 +0000” }, "message": "[kernel][arm64][mmu] Fix bug where privileged executable pages are executable from EL0\n\nPreviously, was always setting UXN and PXN bits on pages explicitly\nmapped as non executable, not taking into account that user (EL0) code\ncould access a privileged page because UXN wasn\u0027t set.\n\nChange the logic to appropriately set PXN and UXN bits on user and\nprivleged executable pages, appropriately:\n\nuser/privileged non-executable page: UXN\u003d1, PXN\u003d1\nuser executable page: UXN\u003d0, PXN\u003d1\nprivileged executable page: UXN\u003d1, PXN\u003d0\n\nEL2 mappings for the kernel interpret these bits slightly differently,\nso simply map the non executable code as XN\u003d1 (bit 54).\n\nAdd kernel unit test to validate that pages mapped this way at least\nappear to be in sync with the aspace.Query() api.\n\nBug: 88451\nChange-Id: Icea7a3c5b5effa8b8fe828b3ed6d8e27433caaf0\nReviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/614141\nReviewed-by: Marco Vanotti \[email protected]\u003e\nCommit-Queue: Travis Geiselbrecht \[email protected]\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "8f9bd269084c4f0ed59f59ff1cc1f0b1f7f1102d", "old_mode": 33188, "old_path": "zircon/kernel/arch/arm64/BUILD.gn", "new_id": "73eceeef22e02c038da866b32eddd648f03c4215", "new_mode": 33188, "new_path": “zircon/kernel/arch/arm64/BUILD.gn” }, { "type": "modify", "old_id": "f76caad50d77d8e4c5a20f5e5bcc954b9342948d", "old_mode": 33188, "old_path": "zircon/kernel/arch/arm64/include/arch/arm64/mmu.h", "new_id": "09a7ed3e1b92c4a936e824193161755188ae9e20", "new_mode": 33188, "new_path": “zircon/kernel/arch/arm64/include/arch/arm64/mmu.h” }, { "type": "modify", "old_id": "8f8d3e259fb43135bfcc5a9573d33cceb0959f44", "old_mode": 33188, "old_path": "zircon/kernel/arch/arm64/mmu.cc", "new_id": "c864fd16c104a7f439b6f877c49d526462c02207", "new_mode": 33188, "new_path": “zircon/kernel/arch/arm64/mmu.cc” }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "c7b9d3e7e83ebef9382ca822438eeca93dc13e37", "new_mode": 33188, "new_path": “zircon/kernel/arch/arm64/mmu_tests.cc” }, { "type": "modify", "old_id": "20510c1382cbc1ac1e1cb9c58124df2bd451e254", "old_mode": 33188, "old_path": "zircon/kernel/arch/arm64/start.S", "new_id": "0f914ea906d887d297770dfa6e687e9dbd1fc135", "new_mode": 33188, "new_path": “zircon/kernel/arch/arm64/start.S” } ] }