diff --git a/debian/changelog b/debian/changelog
index 41406ed27..e779672d2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
 * inet: switch IP ID generator to siphash (CVE-2019-10638)
 * floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
 * Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207)
+ * [powerpc/tm] Fix oops on sigreturn on systems without TM (CVE-2019-13648)
 -- Romain Perier Mon, 22 Jul 2019 14:00:00 +0200
diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch b/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
new file mode 100644
index 000000000..18911ac94
--- /dev/null
+++ b/debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
@@ -0,0 +1,96 @@
+From: Michael Neuling
+Date: Fri, 19 Jul 2019 15:05:02 +1000
+Subject: powerpc/tm: Fix oops on sigreturn on systems without TM
+Origin: ttps://git.kernel.org/torvalds/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13648
+
+commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream.
+
+On systems like P9 powernv where we have no TM (or P8 booted with
+ppc_tm=off), userspace can construct a signal context which still has
+the MSR TS bits set. The kernel tries to restore this context which
+results in the following crash:
+
+ Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
+ Oops: Unrecoverable exception, sig: 6 [#1]
+ LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+ Modules linked in:
+ CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
+ NIP: c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
+ REGS: c00000003fffbd70 TRAP: 0700 Not tainted (5.2.0-11045-g7142b497d8)
+ MSR: 8000000102a03031 CR: 42004242 XER: 00000000
+ CFAR: c0000000000022e0 IRQMASK: 0
+ GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
+ GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
+ GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
+ GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
+ GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
+ GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
+ GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
+ NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
+ LR [00007fffb2d67e48] 0x7fffb2d67e48
+ Call Trace:
+ Instruction dump:
+ e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
+ e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
+
+The problem is the signal code assumes TM is enabled when
+CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
+with P9 powernv or if `ppc_tm=off` is used on P8.
+
+This means any local user can crash the system.
+
+Fix the problem by returning a bad stack frame to the user if they try
+to set the MSR TS bits with sigreturn() on systems where TM is not
+supported.
+
+Found with sigfuz kernel selftest on P9.
+
+This fixes CVE-2019-13648.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Reported-by: Praveen Pandey
+Signed-off-by: Michael Neuling
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/signal_32.c | 3 +++
+ arch/powerpc/kernel/signal_64.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index fd59fef9931b..906b05c2adae 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -1202,6 +1202,9 @@ SYSCALL_DEFINE0(rt_sigreturn)
+ goto bad;
+
+ if (MSR_TM_ACTIVE(msr_hi<<32)) {
++ /* Trying to start TM on non TM system */
++ if (!cpu_has_feature(CPU_FTR_TM))
++ goto bad;
+ /* We only recheckpoint on return if we're
+ * transaction.
+ */
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index 14b0f5b6a373..b5933d7219db 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -750,6 +750,11 @@ SYSCALL_DEFINE0(rt_sigreturn)
+ if (MSR_TM_ACTIVE(msr)) {
+ /* We recheckpoint on return. */
+ struct ucontext __user *uc_transact;
++
++ /* Trying to start TM on non TM system */
++ if (!cpu_has_feature(CPU_FTR_TM))
++ goto badframe;
++
+ if (__get_user(uc_transact, &uc->uc_link))
+ goto badframe;
+ if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/debian/patches/series b/debian/patches/series
index 103c4f6e5..f4e381744 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -239,6 +239,7 @@ bugfix/all/net-switch-IP-ID-generator-to-siphash.patch
 bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
 bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
 bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch
+bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
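Review bot: The Origin header of the new patch file is malformed: it reads `Origin: ttps://git.kernel.org/torvalds/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe`, missing the leading `h` of `https`, so tooling that follows the Origin link will not resolve it; it should read `Origin: https://git.kernel.org/torvalds/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe`. The backported hunks themselves match the upstream description: both rt_sigreturn paths now reject a frame whose MSR TS bits are set when CPU_FTR_TM is absent, before any transactional state is restored. In signal_64.c the check is placed after the `uc_transact` declaration so it still precedes the `__get_user` that reads `uc->uc_link`; the rest of the `MSR_TM_ACTIVE` branch and the `bad`/`badframe` labels lie outside the quoted hunks, so their handling cannot be confirmed from here.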