[powerpc*] Fix illegal TM state in signal handler
parent 6c3a386d04
commit fba37066c7
@@ -8,6 +8,7 @@ linux (4.13.4-2) UNRELEASED; urgency=medium
(CVE-2017-0786)
* [powerpc*] Use emergency stack for kernel TM Bad Thing program
(CVE-2017-1000255)
* [powerpc*] Fix illegal TM state in signal handler

-- Ben Hutchings <ben@decadent.org.uk> Wed, 04 Oct 2017 23:14:54 +0100

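Review bot: the added changelog line carries no CVE reference, while the two entries directly above it each cite one on a following line; if an identifier exists for this fix, add it in the same `(CVE-...)` form, and if none has been assigned the entry is fine as it stands.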
debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch (new file, 62 lines)
@@ -0,0 +1,62 @@
From: Gustavo Romero <gromero@linux.vnet.ibm.com>
Date: Tue, 22 Aug 2017 17:20:09 -0400
Subject: powerpc/tm: Fix illegal TM state in signal handler
Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea

Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.

That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.

This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index c83c115858c1..b2c002993d78 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
if (MSR_TM_RESV(msr))
return -EINVAL;

- /* pull in MSR TM from user context */
+ /* pull in MSR TS bits from user context */
regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);

+ /*
+ * Ensure that TM is enabled in regs->msr before we leave the signal
+ * handler. It could be the case that (a) user disabled the TM bit
+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
+ * TM bit was disabled because a sufficient number of context switches
+ * happened whilst in the signal handler and load_tm overflowed,
+ * disabling the TM bit. In either case we can end up with an illegal
+ * TM state leading to a TM Bad Thing when we return to userspace.
+ */
+ regs->msr |= MSR_TM;
+
/* pull in MSR LE from user context */
regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);

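Review bot: `regs->msr |= MSR_TM` only patches the register image the process returns with; the new comment's cause (b) says TM was cleared because load_tm overflowed, and nothing in this hunk resets that counter, so it is worth confirming that the bit does not get lazily cleared again on the next context switch while the restored transaction is still active. A second, smaller point on the same lines: the preceding `MSR_TM_RESV(msr)` check rejects only TS=11, and the TS copy then takes whatever TS the user frame carries, so the forced TM bit is what turns a user-supplied TS=10 back into a legal state; one sentence in the comment saying that the check and the `|= MSR_TM` together cover the user-controlled input would make the two easier to read as a pair. The comment correction from "MSR TM" to "MSR TS bits" is right, since that line copies only the TS field.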
--
2.11.0
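The MSR handling in the hunk above, as an added example that is not part of the Debian package or of the upstream patch: a host-independent C model of the lines in restore_tm_sigcontexts() that touch regs->msr, run with and without the fix. It assumes the MSR bit positions of Linux's arch/powerpc/include/asm/reg.h as I recall them (TM bit 32, TS suspended bit 33, TS transactional bit 34, LE bit 0), takes the commit message's rule for what rfid rejects (a non-zero TS field with TM clear, e.g. "T0"), and treats the value of regs->msr on entry as an input; the two ways the commit message says TM can end up clear there (the user's uc_mcontext edit, or load_tm overflow) are outside the model. The names restore_msr, tm_state_legal, tm_state_name and state_after_sigreturn are this example's own.

```c
/*
 * Added example, not code from the Debian package or from the upstream
 * commit: a host-independent C model of the MSR handling in the
 * restore_tm_sigcontexts() hunk above.  Assumptions: MSR bit positions
 * are those of Linux's arch/powerpc/include/asm/reg.h as recalled here
 * (TM = bit 32, TS_S = bit 33, TS_T = bit 34, LE = bit 0); the legality
 * rule is the one the commit message states (a non-zero TS with TM clear,
 * e.g. "T0", is what rfid rejects with a TM Bad Thing); and how regs->msr
 * came to have TM clear on entry is an input here, not modelled.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSR_LE           (1ULL << 0)
#define MSR_TM           (1ULL << 32)          /* TM available */
#define MSR_TS_S         (1ULL << 33)          /* TS = 01: suspended */
#define MSR_TS_T         (1ULL << 34)          /* TS = 10: transactional */
#define MSR_TS_MASK      (MSR_TS_T | MSR_TS_S)
#define MSR_TM_ACTIVE(x) (((x) & MSR_TS_MASK) != 0)
#define MSR_TM_RESV(x)   (((x) & MSR_TS_MASK) == MSR_TS_MASK)  /* TS = 11 */

/* The state rfid rejects: a transaction state (TS != 00) with TM disabled. */
bool tm_state_legal(uint64_t msr)
{
    return !MSR_TM_ACTIVE(msr) || (msr & MSR_TM) != 0;
}

/* Shorthand used in the commit message: TS letter plus the TM bit, e.g. "T0". */
const char *tm_state_name(uint64_t msr)
{
    static const char *names[2][4] = {
        { "N0", "S0", "T0", "R0" },   /* TM = 0; R = reserved TS value 11 */
        { "N1", "S1", "T1", "R1" },   /* TM = 1 */
    };
    return names[(msr & MSR_TM) ? 1 : 0][(msr >> 33) & 3];
}

/*
 * The lines of the hunk that touch regs->msr, with and without the fix.
 * kernel_msr is regs->msr on entry (TM may already be clear), user_msr is
 * the MSR word taken from the signal frame.  Returns 0 or -EINVAL.
 */
int restore_msr(bool fixed, uint64_t kernel_msr, uint64_t user_msr, uint64_t *out)
{
    uint64_t msr = kernel_msr;

    if (MSR_TM_RESV(user_msr))
        return -EINVAL;

    /* pull in MSR TS bits from user context */
    msr = (msr & ~MSR_TS_MASK) | (user_msr & MSR_TS_MASK);

    if (fixed)
        msr |= MSR_TM;          /* the added line the fix consists of */

    /* pull in MSR LE from user context */
    msr = (msr & ~MSR_LE) | (user_msr & MSR_LE);
    *out = msr;
    return 0;
}

/* Convenience: the resulting state name, or "EINVAL" if the frame is rejected. */
const char *state_after_sigreturn(bool fixed, uint64_t kernel_msr, uint64_t user_msr)
{
    uint64_t out;
    return restore_msr(fixed, kernel_msr, user_msr, &out) ? "EINVAL" : tm_state_name(out);
}

int main(void)
{
    /* Constructed input: TM already clear in regs->msr, frame claims TS = 10. */
    uint64_t before, after;
    restore_msr(false, 0, MSR_TS_T, &before);
    restore_msr(true, 0, MSR_TS_T, &after);
    printf("before fix: %s -> %s\n", tm_state_name(before),
           tm_state_legal(before) ? "legal" : "TM Bad Thing on rfid");
    printf("after fix:  %s -> %s\n", tm_state_name(after),
           tm_state_legal(after) ? "legal" : "TM Bad Thing on rfid");
    return 0;
}
```

Any C99 compiler builds it; the constructed frame yields "T0" before the fix and "T1" after it. What the model makes explicit is that MSR_TM_RESV() rejects only TS=11, so the TS copy alone can leave the kernel with a register image whose legality depends on a bit that nothing before the fix ever set.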
@@ -121,6 +121,7 @@ bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
bugfix/all/fix-infoleak-in-waitid-2.patch
bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch

# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
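Review bot: the order matches the changelog (emergency-stack patch first, this one second), so nothing blocks here; a style point only: both powerpc-only TM patches sit under bugfix/all/, while the same file keeps an arch-specific bugfix/alpha/ directory, so a bugfix/powerpc/ directory would be the consistent home if the two are moved later.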