Linux Kernel User Memory Type Extraction Vulnerability in ioremap_prot() on arm64

Vulnerability

A vulnerability exists in the Linux kernel's handling of user memory types in the ioremap_prot() function on the arm64 architecture. ioremap_prot() is called by generic_access_phys(), which passes a 'pgprot_t' value derived from the user mapping of the page frame number (pfn) being accessed. On arm64, the 'pgprot_t' includes non-address bits from the page table entry (pte), such as permission controls. As a result, ioremap_prot() can return a user mapping that faults when accessed by the kernel on systems with Privileged Access Never (PAN) enabled. The fix modifies ioremap_prot() to extract only the memory type from the user 'pgprot_t' and to check that it is being passed a user mapping, which guards against future changes that may require additional handling.
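The difference between carrying the whole user 'pgprot_t' into the kernel mapping and keeping only its memory type can be seen in a small user-space model. This is an added example, not kernel source: the function names, the sample value and the simplified PAN rule are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* arm64 stage-1 descriptor fields used by this model. */
#define PTE_ATTRINDX_SHIFT 2
#define PTE_ATTRINDX_MASK  (UINT64_C(7) << PTE_ATTRINDX_SHIFT) /* memory type index */
#define PTE_USER           (UINT64_C(1) << 6)   /* AP[1]: accessible from EL0 */
#define PTE_RDONLY         (UINT64_C(1) << 7)   /* AP[2]: read-only */
#define PTE_PXN            (UINT64_C(1) << 53)  /* privileged execute-never */
#define PTE_UXN            (UINT64_C(1) << 54)  /* user execute-never */

/* Constructed sample: read-only user mapping, memory type index 3 (arbitrary). */
#define SAMPLE_USER_PROT \
    (PTE_USER | PTE_RDONLY | PTE_PXN | PTE_UXN | (UINT64_C(3) << PTE_ATTRINDX_SHIFT))

/* Simplified PAN rule: a privileged data access to an EL0-accessible page faults. */
static bool kernel_access_faults_with_pan(uint64_t prot)
{
    return (prot & PTE_USER) != 0;
}

/* Before (hypothetical name): the user permission bits reach the kernel mapping. */
static uint64_t map_prot_passthrough(uint64_t user_prot)
{
    return user_prot;
}

/* After (hypothetical name): require a user mapping as input, keep only its
 * memory type, and apply kernel-only permissions (assumed here: RW, no exec). */
static int map_prot_memtype_only(uint64_t user_prot, uint64_t *kernel_prot)
{
    if (!(user_prot & PTE_USER))
        return -1;                       /* unexpected caller: refuse */
    *kernel_prot = (user_prot & PTE_ATTRINDX_MASK) | PTE_PXN | PTE_UXN;
    return 0;
}

int main(void)
{
    uint64_t fixed = 0;
    int rc = map_prot_memtype_only(SAMPLE_USER_PROT, &fixed);

    printf("passthrough faults under PAN: %d\n",
           kernel_access_faults_with_pan(map_prot_passthrough(SAMPLE_USER_PROT)));
    printf("memtype-only rc=%d faults under PAN: %d\n",
           rc, kernel_access_faults_with_pan(fixed));
    return 0;
}
```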

Impact

The vulnerability can lead to kernel faults when accessing certain memory regions, causing disruptions in kernel operations or potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by accessing user memory types through the ioremap_prot() function on an arm64 system with Privileged Access Never (PAN) enabled. This can be done through the generic_access_phys() function, which passes a 'pgprot_t' value that includes permission controls, resulting in a fault when the kernel tries to read from the mapped memory.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Mar 25, 2026, 12:16 PM
Updated: Mar 25, 2026, 12:16 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.