Michael Ellerman

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue is related to CPU mitigations in the Linux kernel. A recent commit missed that "cpu mitigations" is completely generic, whereas SPECULATION MITIGATIONS is x86-specific. This led to unnecessary confusion. The mitigation has been re-enabled by default for non-X86 architectures. The change allows x86 to use a single configuration for managing mitigations not strictly related to speculative execution. **Recommendations** Update to Linux kernel version 6.6.37 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null-pointer dereference in the `pgtable cache add` function of the `powerpc/mm` component of the Linux kernel. The `kasprintf()` function returns a pointer to dynamically allocated memory, which can be `NULL` upon failure. The vulnerability can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the KVM: PPC: Book3S HV: Fix stack handling in idle kvm start guest() function. The problem arises because there is no caller frame on the emergency stack, and the function stores CR/LR into its caller's frame, which can lead to corruption of memory outside the allocation for the emergency stack. The function creates a stack frame and saves non-volatile registers, but the frame is not large enough to fit the non-volatiles, resulting in writing outside the emergency stack allocation. This can corrupt memory at 0-24 bytes and 112-248 bytes above the emergency stack allocation. However, this has gone unnoticed in practice because the memory immediately above the emergency stack is used for other stack allocations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the powerpc/64s architecture in the Linux kernel, where crashes can occur when toggling the entry flush barrier. The entry flush mitigation can be enabled or disabled at runtime via a debugfs file (entry flush), which causes the kernel to patch itself. However, depending on the mitigation used, it may not be safe to do this patching while other CPUs are active, leading to crashes such as a segfault with a corrupted LR pointing into the kernel. The fix involves doing the patching under stop machine, ensuring that CPUs not doing the patching spin in the core of the stop machine logic, which is sufficient because the patching does not affect that code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.14.15 **Description** The issue is related to an implementation bug in the arch/powerpc/kvm/book3s hv rmhandlers.S file, specifically in the handling of the SRR1 register values. This bug allows a malicious KVM guest to crash the host when it is running on Power8. The vulnerability is due to the lack of checking of returned data when processing SRR1 values. **Recommendations** For versions prior to 5.14.15, update to version 5.14.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the KVM guest functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.1.15 for powerpc **Description** The issue is related to a bug in the arch/powerpc/mm/mmu context book3s64.c component of the Linux kernel for powerpc systems. This bug allows unrelated processes to potentially read or write to each other's virtual memory under certain conditions, specifically when an mmap operation is performed above 512 TB. The vulnerability is caused by a buffer overflow in memory, which can be exploited to access or damage the memory content of other processes in the system using the mmap function. **Recommendations** For Linux kernel versions prior to 5.1.15 for powerpc, update to version 5.1.15 or later to resolve the issue. As a temporary workaround, consider restricting the use of the mmap function above 512 TB to minimize the risk of exploitation.