Linux Kernel PTE_SHARED Misconfiguration Vulnerability in Arm64 GCS Mappings with LPA2 Enabled

Vulnerability

A vulnerability exists in the Linux kernel's handling of page table entries (PTEs) for the Guarded Control Stack (GCS) on arm64 architectures. When the FEAT_LPA2 feature is enabled, the shareability attribute of these PTEs is set incorrectly, leading to kernel panics. This issue arises because the GCS page definitions include PTE_SHARED bits that conflict with the LPA2 shareability requirements. The vulnerability has been addressed by modifying the GCS page protection handling to align with LPA2's specifications, ensuring proper virtualization and memory management without causing system errors.
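
The conflict described above can be seen in a small model of the descriptor bits. This is an added example, not kernel code or code from the original page; it assumes the Arm architecture's layout (bits [9:8] hold the shareability field without LPA2 and output address bits [51:50] with it), and the helper names mk_pte, pte_to_pa and maybe_shared and the sample address are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, 4K pages. Layout is an assumption taken from the Arm
 * architecture, not from this page: descriptor bits [9:8] are the SH field
 * without LPA2 and OA[51:50] with LPA2. */
#define PTE_VALID     (UINT64_C(1) << 0)
#define PTE_SHARED    (UINT64_C(3) << 8)           /* SH = 0b11 */
#define PTE_ADDR_HIGH (UINT64_C(3) << 8)           /* OA[51:50] under LPA2 */
#define PTE_ADDR_LOW  (((UINT64_C(1) << 50) - 1) & ~UINT64_C(0xfff))
#define HIGH_SHIFT    42                           /* bit 50 -> bit 8 */

/* Hypothetical helper: shareability bits that are safe for the active mode. */
static uint64_t maybe_shared(int lpa2) { return lpa2 ? 0 : PTE_SHARED; }

/* Encode a physical address plus protection bits into a descriptor. */
static uint64_t mk_pte(uint64_t pa, uint64_t prot, int lpa2)
{
    uint64_t pte = pa & PTE_ADDR_LOW;
    if (lpa2)
        pte |= (pa >> HIGH_SHIFT) & PTE_ADDR_HIGH;
    return pte | prot | PTE_VALID;
}

/* Decode the output address the way the active translation mode reads it. */
static uint64_t pte_to_pa(uint64_t pte, int lpa2)
{
    uint64_t pa = pte & PTE_ADDR_LOW;
    if (lpa2)
        pa |= (pte & PTE_ADDR_HIGH) << HIGH_SHIFT;
    return pa;
}

int main(void)
{
    const uint64_t pa = UINT64_C(0x80123000);      /* constructed sample address */
    struct { const char *name; uint64_t prot; int lpa2; } c[] = {
        { "no LPA2, PTE_SHARED set", PTE_SHARED,      0 },
        { "LPA2,    PTE_SHARED set", PTE_SHARED,      1 },
        { "LPA2,    maybe_shared()", maybe_shared(1), 1 },
    };
    for (unsigned i = 0; i < sizeof c / sizeof c[0]; i++) {
        uint64_t out = pte_to_pa(mk_pte(pa, c[i].prot, c[i].lpa2), c[i].lpa2);
        printf("%s pa=%#llx -> %#llx %s\n", c[i].name, (unsigned long long)pa,
               (unsigned long long)out, out == pa ? "ok" : "WRONG ADDRESS");
    }
    return 0;
}
```

In the LPA2 case with PTE_SHARED set, the decoded address gains bits 51:50 and no longer matches the page that was mapped; dropping the shareability bits when LPA2 is active restores the intended address.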

Impact

The vulnerability can cause a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, enable the FEAT_LPA2 feature on an arm64 system. Then, activate the Guarded Control Stack (GCS) feature. This combination will trigger a kernel panic due to the improper handling of page table entries, specifically a translation fault at the virtual address associated with the GCS mapping.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched kernel are available on the official Linux kernel website.

Added: Mar 25, 2026, 12:17 PM
Updated: Mar 25, 2026, 12:17 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.