[X/B/D/E][SRU][PATCH 0/1] Fix for CVE-2019-13648

[X/B/D/E][SRU][PATCH 0/1] Fix for CVE-2019-13648

Po-Hsu Lin (Sam)
In the Linux kernel through 5.2.1 on the powerpc platform, when hardware
transactional memory is disabled, a local user can cause a denial of
service (TM Bad Thing exception and system crash) via a sigreturn()
system call that sends a crafted signal frame.

This patch can be cherry-picked into all the affected kernels,
X, B, D and E. I'm sending two patches separately as the one for B/D/E
cannot be applied to X.

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13648.html

Michael Neuling (1):
  powerpc/tm: Fix oops on sigreturn on systems without TM

 arch/powerpc/kernel/signal_32.c | 3 +++
 arch/powerpc/kernel/signal_64.c | 5 +++++
 2 files changed, 8 insertions(+)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[CVE-2019-13648][X][SRU][PATCH 1/1] powerpc/tm: Fix oops on sigreturn on systems without TM

Po-Hsu Lin (Sam)
From: Michael Neuling <[hidden email]>

CVE-2019-13648

On systems like P9 powernv where we have no TM (or P8 booted with
ppc_tm=off), userspace can construct a signal context which still has
the MSR TS bits set. The kernel tries to restore this context which
results in the following crash:

  Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
  Oops: Unrecoverable exception, sig: 6 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  Modules linked in:
  CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
  NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
  REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
  MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
  CFAR: c0000000000022e0 IRQMASK: 0
  GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
  GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
  GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
  GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
  GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
  GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
  GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
  NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
  LR [00007fffb2d67e48] 0x7fffb2d67e48
  Call Trace:
  Instruction dump:
  e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
  e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18

The problem is the signal code assumes TM is enabled when
CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
with P9 powernv or if `ppc_tm=off` is used on P8.

This means any local user can crash the system.

Fix the problem by returning a bad stack frame to the user if they try
to set the MSR TS bits with sigreturn() on systems where TM is not
supported.

Found with sigfuz kernel selftest on P9.

This fixes CVE-2019-13648.

Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
Cc: [hidden email] # v3.9
Reported-by: Praveen Pandey <[hidden email]>
Signed-off-by: Michael Neuling <[hidden email]>
Signed-off-by: Michael Ellerman <[hidden email]>
Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@...
(cherry picked from commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe)
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 arch/powerpc/kernel/signal_32.c | 3 +++
 arch/powerpc/kernel/signal_64.c | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index cff1a4d..6eb4fb5 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -1275,6 +1275,9 @@ long sys_rt_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
  goto bad;
 
  if (MSR_TM_ACTIVE(msr_hi<<32)) {
+ /* Trying to start TM on non TM system */
+ if (!cpu_has_feature(CPU_FTR_TM))
+ goto bad;
  /* We only recheckpoint on return if we're
  * transaction.
  */
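Review bot: the new guard lands at the right point in this signal_32.c hunk: it is evaluated inside `if (MSR_TM_ACTIVE(msr_hi<<32))` and before anything in the recheckpoint path runs, so a frame carrying TS bits on a CPU without CPU_FTR_TM is rejected through the existing `bad` label before the kernel touches any TM state. One wording point: the added comment `/* Trying to start TM on non TM system */` describes the attempt but not the consequence; something like `/* TS bits set in a user frame on a CPU without CPU_FTR_TM: reject the frame, recheckpointing would raise a TM Bad Thing exception on return */` would tie the check to the oops in the commit message. The pre-existing context comment "We only recheckpoint on return if we're transaction." reads as if a word is missing, but that is outside this change.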
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 1639b4a..0f3d355 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -709,6 +709,11 @@ int sys_rt_sigreturn(unsigned long r3, unsigned long r4, unsigned long r5,
  if (MSR_TM_ACTIVE(msr)) {
  /* We recheckpoint on return. */
  struct ucontext __user *uc_transact;
+
+ /* Trying to start TM on non TM system */
+ if (!cpu_has_feature(CPU_FTR_TM))
+ goto badframe;
+
  if (__get_user(uc_transact, &uc->uc_link))
  goto badframe;
  if (restore_tm_sigcontexts(regs, &uc->uc_mcontext,
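Review bot: in this signal_64.c hunk the check sits between the declaration of `uc_transact` and the `__get_user(uc_transact, &uc->uc_link)`, which is the correct ordering: on a non-TM CPU the frame is rejected via `badframe` before the kernel even reads the transactional `uc_link` pointer from userspace, let alone reaches `restore_tm_sigcontexts()`. The only nit is that the same three-line guard now appears in both signal_32.c and signal_64.c; a small shared helper would keep the two paths from drifting, but for a cherry-picked SRU fix the verbatim upstream form is the right choice.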
--
2.7.4


[CVE-2019-13648][B/D/E][SRU][PATCH 1/1] powerpc/tm: Fix oops on sigreturn on systems without TM

Po-Hsu Lin (Sam)
In reply to this post by Po-Hsu Lin (Sam)
From: Michael Neuling <[hidden email]>

CVE-2019-13648

On systems like P9 powernv where we have no TM (or P8 booted with
ppc_tm=off), userspace can construct a signal context which still has
the MSR TS bits set. The kernel tries to restore this context which
results in the following crash:

  Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
  Oops: Unrecoverable exception, sig: 6 [#1]
  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
  Modules linked in:
  CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
  NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
  REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
  MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
  CFAR: c0000000000022e0 IRQMASK: 0
  GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
  GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
  GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
  GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
  GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
  GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
  GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
  GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
  NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
  LR [00007fffb2d67e48] 0x7fffb2d67e48
  Call Trace:
  Instruction dump:
  e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
  e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18

The problem is the signal code assumes TM is enabled when
CONFIG_PPC_TRANSACTIONAL_MEM is enabled. This may not be the case as
with P9 powernv or if `ppc_tm=off` is used on P8.

This means any local user can crash the system.

Fix the problem by returning a bad stack frame to the user if they try
to set the MSR TS bits with sigreturn() on systems where TM is not
supported.

Found with sigfuz kernel selftest on P9.

This fixes CVE-2019-13648.

Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
Cc: [hidden email] # v3.9
Reported-by: Praveen Pandey <[hidden email]>
Signed-off-by: Michael Neuling <[hidden email]>
Signed-off-by: Michael Ellerman <[hidden email]>
Link: https://lore.kernel.org/r/20190719050502.405-1-mikey@...
(cherry picked from commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe)
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 arch/powerpc/kernel/signal_32.c | 3 +++
 arch/powerpc/kernel/signal_64.c | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index 9ffd732..1123658 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -1238,6 +1238,9 @@ long sys_rt_sigreturn(int r3, int r4, int r5, int r6, int r7, int r8,
  goto bad;
 
  if (MSR_TM_ACTIVE(msr_hi<<32)) {
+ /* Trying to start TM on non TM system */
+ if (!cpu_has_feature(CPU_FTR_TM))
+ goto bad;
  /* We only recheckpoint on return if we're
  * transaction.
  */
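Review bot: this signal_32.c hunk is byte-for-byte the same change as in the X patch, only at a different offset (`@@ -1238` here versus `@@ -1275`), so the fix is identical and the review of the X hunk covers it; nothing further to raise on the code itself.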
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index b1b9962..a1ea4ce 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -736,6 +736,11 @@ int sys_rt_sigreturn(unsigned long r3, unsigned long r4, unsigned long r5,
  if (MSR_TM_ACTIVE(msr)) {
  /* We recheckpoint on return. */
  struct ucontext __user *uc_transact;
+
+ /* Trying to start TM on non TM system */
+ if (!cpu_has_feature(CPU_FTR_TM))
+ goto badframe;
+
  if (__get_user(uc_transact, &uc->uc_link))
  goto badframe;
  if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
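Review bot: the added lines in this signal_64.c hunk are identical to the X patch; the only difference is the trailing context line `restore_tm_sigcontexts(current, &uc->uc_mcontext,` versus `restore_tm_sigcontexts(regs, &uc->uc_mcontext,` in X, which is why the cover letter has to carry two versions and why this one does not apply to X. Since that signature difference is the sole reason for the split, a one-line remark in the X backport's message would record the divergence for later SRU work. Also worth noting for the SRU tracker: Tyler's reply later in the thread points out that Bionic already carries this change from linux-stable, so this patch is only needed for D and E.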
--
2.7.4


ACK / APPLIED[E/Unstable]: [X/B/D/E][SRU][PATCH 0/1] Fix for CVE-2019-13648

Seth Forshee
In reply to this post by Po-Hsu Lin (Sam)
On Fri, Jul 26, 2019 at 04:57:54PM +0800, Po-Hsu Lin wrote:

> In the Linux kernel through 5.2.1 on the powerpc platform, when hardware
> transactional memory is disabled, a local user can cause a denial of
> service (TM Bad Thing exception and system crash) via a sigreturn()
> system call that sends a crafted signal frame.
>
> This patch can be cherry-picked into all the affected kernels,
> X, B, D and E. I'm sending two patches separately as the one for B/D/E
> cannot be applied to X.
>
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13648.html

Acked-by: Seth Forshee <[hidden email]>

Applied to eoan/master-next and unstable/master, thanks!


ACK/CMNT: [X/B/D/E][SRU][PATCH 0/1] Fix for CVE-2019-13648

Tyler Hicks-2
In reply to this post by Po-Hsu Lin (Sam)
On 2019-07-26 16:57:54, Po-Hsu Lin wrote:
> In the Linux kernel through 5.2.1 on the powerpc platform, when hardware
> transactional memory is disabled, a local user can cause a denial of
> service (TM Bad Thing exception and system crash) via a sigreturn()
> system call that sends a crafted signal frame.
>
> This patch can be cherry-picked into all the affected kernels,
> X, B, D and E. I'm sending two patches separately as the one for B/D/E
> cannot be applied to X.

D and X look good to me:

 Acked-by: Tyler Hicks <[hidden email]>

B has since picked up the patch via upstream linux-stable (Bionic commit
ad30c8361c159f3bdbaa7d10c71fc7dca690c4e6) so there's no longer a need to
apply this patch to B.

Thanks!

Tyler

>
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13648.html
>
> Michael Neuling (1):
>   powerpc/tm: Fix oops on sigreturn on systems without TM
>
>  arch/powerpc/kernel/signal_32.c | 3 +++
>  arch/powerpc/kernel/signal_64.c | 5 +++++
>  2 files changed, 8 insertions(+)
>
> --
> 2.7.4
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


APPLIED(X,D)/cmt: [X/B/D/E][SRU][PATCH 0/1] Fix for CVE-2019-13648

Khaled Elmously
In reply to this post by Po-Hsu Lin (Sam)
Not applied to B based on Tyler's input

On 2019-07-26 16:57:54 , Po-Hsu Lin wrote:

> In the Linux kernel through 5.2.1 on the powerpc platform, when hardware
> transactional memory is disabled, a local user can cause a denial of
> service (TM Bad Thing exception and system crash) via a sigreturn()
> system call that sends a crafted signal frame.
>
> This patch can be cherry-picked into all the affected kernels,
> X, B, D and E. I'm sending two patches separately as the one for B/D/E
> cannot be applied to X.
>
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13648.html
>
> Michael Neuling (1):
>   powerpc/tm: Fix oops on sigreturn on systems without TM
>
>  arch/powerpc/kernel/signal_32.c | 3 +++
>  arch/powerpc/kernel/signal_64.c | 5 +++++
>  2 files changed, 8 insertions(+)
>
> --
> 2.7.4
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
