Fixed

LIN1022-19818 : Security Advisory - linux - CVE-2022-50675

Created: Dec 10, 2025    Updated: Dec 11, 2025
Resolved Date: Dec 10, 2025
Found In Version: 10.22.33.1
Fix Version: 10.22.33.4
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored

Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mte_sync_tags() was only called for pte_tagged() entries (those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently setting PG_mte_tagged on an untagged page.

The above commit was required as guests may enable MTE without any control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM. However, the side-effect was that any page with a PTE that looked like swap (or migration) was getting PG_mte_tagged set automatically. A subsequent page copy (e.g. migration) copied the tags to the destination page even if the tags were owned by KASAN.

This issue was masked by the page_kasan_tag_reset() call introduced in commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags"). When this commit was reverted (20794545c146), KASAN started reporting access faults because the overriding tags in a page did not match the original page->flags (with CONFIG_KASAN_HW_TAGS=y):

  BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
  Read at addr f5ff000017f2e000 by task syz-executor.1/2218
  Pointer tag: [f5], memory tag: [f2]

Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual place where tags are cleared (mte_sync_page_tags()) or restored (mte_restore_tags()).
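
The flag ordering described above can be seen in a small user-space model. This is an added example, not kernel code and not part of the advisory or the upstream commit; the struct and function names (page_model, pte_model, sync_tags_before, sync_tags_after, copy_carries_tags) are hypothetical, and the model assumes callers pass only tagged or swap-looking PTEs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model (constructed for illustration, not kernel code).
 * Callers are assumed to pass only tagged or swap-looking PTEs. */
struct page_model { bool pg_mte_tagged; };   /* models PG_mte_tagged in page->flags */
struct pte_model  { bool tagged, swap_like, saved_tags; };

/* Models the tag work: true only when tags were actually restored from
 * swap or cleared for a PROT_MTE mapping. */
static bool tags_restored_or_cleared(const struct pte_model *old_pte,
                                     const struct pte_model *new_pte)
{
    if (old_pte->swap_like && old_pte->saved_tags)
        return true;                 /* restore path */
    return new_pte->tagged;          /* clear path, only for tagged PTEs */
}

/* Before the fix: the flag is set up front, whatever happens afterwards. */
bool sync_tags_before(struct page_model *pg, const struct pte_model *old_pte,
                      const struct pte_model *new_pte)
{
    if (!pg->pg_mte_tagged) {        /* models test_and_set_bit() */
        pg->pg_mte_tagged = true;
        (void)tags_restored_or_cleared(old_pte, new_pte);
    }
    return pg->pg_mte_tagged;
}

/* After the fix: the flag is set only where tags were restored or cleared. */
bool sync_tags_after(struct page_model *pg, const struct pte_model *old_pte,
                     const struct pte_model *new_pte)
{
    if (!pg->pg_mte_tagged && tags_restored_or_cleared(old_pte, new_pte))
        pg->pg_mte_tagged = true;
    return pg->pg_mte_tagged;
}

/* Models a page copy (e.g. migration): tags travel only with flagged pages. */
bool copy_carries_tags(const struct page_model *src) { return src->pg_mte_tagged; }

int main(void)
{
    /* Constructed case: swap-looking old PTE, no saved tags, untagged new PTE. */
    struct pte_model old_pte = { false, true, false }, new_pte = { false, false, false };
    struct page_model a = { false }, b = { false };
    sync_tags_before(&a, &old_pte, &new_pte);
    sync_tags_after(&b, &old_pte, &new_pte);
    printf("before fix: copy carries tags = %d\n", copy_carries_tags(&a));
    printf("after fix:  copy carries tags = %d\n", copy_carries_tags(&b));
    return 0;
}
```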