[powerpc/tm] Fix oops on sigreturn on systems without TM (CVE-2019-13648)
parent
3b76691d24
commit
65c2005956
|
@ -12,6 +12,7 @@ linux (4.19.37-5+deb10u2) UNRELEASED; urgency=medium
|
||||||
* inet: switch IP ID generator to siphash (CVE-2019-10638)
|
* inet: switch IP ID generator to siphash (CVE-2019-10638)
|
||||||
* floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
|
* floppy: fix div-by-zero in setup_format_params (CVE-2019-14284)
|
||||||
* Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207)
|
* Bluetooth: hci_uart: check for missing tty operations (CVE-2019-10207)
|
||||||
|
* [powerpc/tm] Fix oops on sigreturn on systems without TM (CVE-2019-13648)
|
||||||
|
|
||||||
-- Romain Perier <romain.perier@gmail.com> Mon, 22 Jul 2019 14:00:00 +0200
|
-- Romain Perier <romain.perier@gmail.com> Mon, 22 Jul 2019 14:00:00 +0200
|
||||||
|
|
||||||
|
|
96
debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
vendored
Normal file
96
debian/patches/bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
vendored
Normal file
|
@ -0,0 +1,96 @@
|
||||||
|
From: Michael Neuling <mikey@neuling.org>
|
||||||
|
Date: Fri, 19 Jul 2019 15:05:02 +1000
|
||||||
|
Subject: powerpc/tm: Fix oops on sigreturn on systems without TM
|
||||||
|
Origin: ttps://git.kernel.org/torvalds/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13648
|
||||||
|
|
||||||
|
commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe upstream.
|
||||||
|
|
||||||
|
On systems like P9 powernv where we have no TM (or P8 booted with
|
||||||
|
ppc_tm=off), userspace can construct a signal context which still has
|
||||||
|
the MSR TS bits set. The kernel tries to restore this context which
|
||||||
|
results in the following crash:
|
||||||
|
|
||||||
|
Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
|
||||||
|
Oops: Unrecoverable exception, sig: 6 [#1]
|
||||||
|
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
|
||||||
|
Modules linked in:
|
||||||
|
CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
|
||||||
|
NIP: c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
|
||||||
|
REGS: c00000003fffbd70 TRAP: 0700 Not tainted (5.2.0-11045-g7142b497d8)
|
||||||
|
MSR: 8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]> CR: 42004242 XER: 00000000
|
||||||
|
CFAR: c0000000000022e0 IRQMASK: 0
|
||||||
|
GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
|
||||||
|
GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
|
||||||
|
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
|
||||||
|
GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
|
||||||
|
GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
|
||||||
|
GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
|
||||||
|
GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
|
||||||
|
GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
|
||||||
|
NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
|
||||||
|
LR [00007fffb2d67e48] 0x7fffb2d67e48
|
||||||
|
Call Trace:
|
||||||
|
Instruction dump:
|
||||||
|
e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
|
||||||
|
e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
|
||||||
|
|
||||||
|
The problem is the signal code assumes TM is enabled when
|
||||||
|
CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
|
||||||
|
with P9 powernv or if `ppc_tm=off` is used on P8.
|
||||||
|
|
||||||
|
This means any local user can crash the system.
|
||||||
|
|
||||||
|
Fix the problem by returning a bad stack frame to the user if they try
|
||||||
|
to set the MSR TS bits with sigreturn() on systems where TM is not
|
||||||
|
supported.
|
||||||
|
|
||||||
|
Found with sigfuz kernel selftest on P9.
|
||||||
|
|
||||||
|
This fixes CVE-2019-13648.
|
||||||
|
|
||||||
|
Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
|
||||||
|
Cc: stable@vger.kernel.org # v3.9
|
||||||
|
Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
|
||||||
|
Signed-off-by: Michael Neuling <mikey@neuling.org>
|
||||||
|
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
|
||||||
|
Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@neuling.org
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
---
|
||||||
|
arch/powerpc/kernel/signal_32.c | 3 +++
|
||||||
|
arch/powerpc/kernel/signal_64.c | 5 +++++
|
||||||
|
2 files changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
|
||||||
|
index fd59fef9931b..906b05c2adae 100644
|
||||||
|
--- a/arch/powerpc/kernel/signal_32.c
|
||||||
|
+++ b/arch/powerpc/kernel/signal_32.c
|
||||||
|
@@ -1202,6 +1202,9 @@ SYSCALL_DEFINE0(rt_sigreturn)
|
||||||
|
goto bad;
|
||||||
|
|
||||||
|
if (MSR_TM_ACTIVE(msr_hi<<32)) {
|
||||||
|
+ /* Trying to start TM on non TM system */
|
||||||
|
+ if (!cpu_has_feature(CPU_FTR_TM))
|
||||||
|
+ goto bad;
|
||||||
|
/* We only recheckpoint on return if we're
|
||||||
|
* transaction.
|
||||||
|
*/
|
||||||
|
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
|
||||||
|
index 14b0f5b6a373..b5933d7219db 100644
|
||||||
|
--- a/arch/powerpc/kernel/signal_64.c
|
||||||
|
+++ b/arch/powerpc/kernel/signal_64.c
|
||||||
|
@@ -750,6 +750,11 @@ SYSCALL_DEFINE0(rt_sigreturn)
|
||||||
|
if (MSR_TM_ACTIVE(msr)) {
|
||||||
|
/* We recheckpoint on return. */
|
||||||
|
struct ucontext __user *uc_transact;
|
||||||
|
+
|
||||||
|
+ /* Trying to start TM on non TM system */
|
||||||
|
+ if (!cpu_has_feature(CPU_FTR_TM))
|
||||||
|
+ goto badframe;
|
||||||
|
+
|
||||||
|
if (__get_user(uc_transact, &uc->uc_link))
|
||||||
|
goto badframe;
|
||||||
|
if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
|
||||||
|
--
|
||||||
|
cgit 1.2-0.3.lf.el7
|
||||||
|
|
|
@ -239,6 +239,7 @@ bugfix/all/net-switch-IP-ID-generator-to-siphash.patch
|
||||||
bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
|
bugfix/all/floppy-fix-div-by-zero-in-setup_format_params.patch
|
||||||
bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
|
bugfix/all/floppy-fix-out-of-bounds-read-in-copy_buffer.patch
|
||||||
bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch
|
bugfix/all/Bluetooth-hci_uart-check-for-missing-tty-operations.patch
|
||||||
|
bugfix/powerpc/powerpc-tm-Fix-oops-on-sigreturn-on-systems-without-TM.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|