[linux] 01/03: [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls (CVE-2016-5828)

debian-kernel at lists.debian.org
Sat Jul 2 10:04:40 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 8b52763f7038fdb1dd1a18aaa23d96e5483c0083
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Jul 2 11:50:42 2016 +0200

    [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls (CVE-2016-5828)
---
 debian/changelog                                   |   2 +
 ...always-reclaim-in-start_thread-for-exec-c.patch | 106 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 109 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 755c259..4d5ee50 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,8 @@ linux (3.16.7-ckt25-2+deb8u3) UNRELEASED; urgency=medium
   * ALSA: compress: fix an integer overflow check (CVE-2014-9904)
   * [amd64] misc: mic: Fix for double fetch security bug in VOP driver
     (CVE-2016-5728)
+  * [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls
+    (CVE-2016-5828)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 02 Jul 2016 11:22:39 +0200
 
diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch b/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
new file mode 100644
index 0000000..949390a
--- /dev/null
+++ b/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
@@ -0,0 +1,106 @@
+From: Cyril Bur <cyrilbur at gmail.com>
+Date: Fri, 17 Jun 2016 14:58:34 +1000
+Subject: powerpc/tm: Always reclaim in start_thread() for exec() class
+ syscalls
+Origin: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit?id=8e96a87c5431c256feb65bcfc5aec92d9f7839b6
+
+Userspace can quite legitimately perform an exec() syscall with a
+suspended transaction. exec() does not return to the old process, rather
+it load a new one and starts that, the expectation therefore is that the
+new process starts not in a transaction. Currently exec() is not treated
+any differently to any other syscall which creates problems.
+
+Firstly it could allow a new process to start with a suspended
+transaction for a binary that no longer exists. This means that the
+checkpointed state won't be valid and if the suspended transaction were
+ever to be resumed and subsequently aborted (a possibility which is
+exceedingly likely as exec()ing will likely doom the transaction) the
+new process will jump to invalid state.
+
+Secondly the incorrect attempt to keep the transactional state while
+still zeroing state for the new process creates at least two TM Bad
+Things. The first triggers on the rfid to return to userspace as
+start_thread() has given the new process a 'clean' MSR but the suspend
+will still be set in the hardware MSR. The second TM Bad Thing triggers
+in __switch_to() as the processor is still transactionally suspended but
+__switch_to() wants to zero the TM sprs for the new process.
+
+This is an example of the outcome of calling exec() with a suspended
+transaction. Note the first 700 is likely the first TM bad thing
+decsribed earlier only the kernel can't report it as we've loaded
+userspace registers. c000000000009980 is the rfid in
+fast_exception_return()
+
+  Bad kernel stack pointer 3fffcfa1a370 at c000000000009980
+  Oops: Bad kernel stack pointer, sig: 6 [#1]
+  CPU: 0 PID: 2006 Comm: tm-execed Not tainted
+  NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000
+  REGS: c00000003ffefd40 TRAP: 0700   Not tainted
+  MSR: 8000000300201031 <SF,ME,IR,DR,LE,TM[SE]>  CR: 00000000  XER: 00000000
+  CFAR: c0000000000098b4 SOFTE: 0
+  PACATMSCRATCH: b00000010000d033
+  GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000
+  GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+  GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+  GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000
+  NIP [c000000000009980] fast_exception_return+0xb0/0xb8
+  LR [0000000000000000]           (null)
+  Call Trace:
+  Instruction dump:
+  f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070
+  e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b
+
+  Kernel BUG at c000000000043e80 [verbose debug info unavailable]
+  Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)
+  Oops: Unrecoverable exception, sig: 6 [#2]
+  CPU: 0 PID: 2006 Comm: tm-execed Tainted: G      D
+  task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000
+  NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000
+  REGS: c00000003ffef7e0 TRAP: 0700   Tainted: G      D
+  MSR: 8000000300201033 <SF,ME,IR,DR,RI,LE,TM[SE]>  CR: 28002828  XER: 00000000
+  CFAR: c000000000015a20 SOFTE: 0
+  PACATMSCRATCH: b00000010000d033
+  GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000
+  GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000
+  GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004
+  GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000
+  GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+  GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000
+  GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000
+  GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80
+  NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c
+  LR [c000000000015a24] __switch_to+0x1f4/0x420
+  Call Trace:
+  Instruction dump:
+  7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
+  4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020
+
+This fixes CVE-2016-5828.
+
+Fixes: bc2a9408fa65 ("powerpc: Hook in new transactional memory code")
+Cc: stable at vger.kernel.org # v3.9+
+Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
+Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
+---
+ arch/powerpc/kernel/process.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -1239,6 +1239,16 @@ void start_thread(struct pt_regs *regs,
+ 		current->thread.regs = regs - 1;
+ 	}
+ 
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++	/*
++	 * Clear any transactional state, we're exec()ing. The cause is
++	 * not important as there will never be a recheckpoint so it's not
++	 * user visible.
++	 */
++	if (MSR_TM_SUSPENDED(mfmsr()))
++		tm_reclaim_current(0);
++#endif
++
+ 	memset(regs->gpr, 0, sizeof(regs->gpr));
+ 	regs->ctr = 0;
+ 	regs->link = 0;
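Review bot: The backport keeps the upstream hunk unchanged (`@@ -1239,6 +1239,16 @@ void start_thread(struct pt_regs *regs,`), so for the 3.16.7-ckt25 tree the one thing to confirm before release is that `tm_reclaim_current()` and the `MSR_TM_SUSPENDED()` macro both exist in this kernel: the Fixes tag points at bc2a9408fa65 and the Cc: stable line says v3.9+, but a helper introduced after v3.9 would make this compile only on newer trees, so a build with CONFIG_PPC_TRANSACTIONAL_MEM=y is the minimum check. The placement itself is right: the reclaim runs before `memset(regs->gpr, 0, sizeof(regs->gpr))` and the ctr/link zeroing, so the suspended transaction is torn down while the hardware MSR still matches the checkpointed state, which is exactly the ordering the description needs to avoid the TM Bad Things on the rfid and in __switch_to(). Passing cause 0 to `tm_reclaim_current()` is justified by the comment in the hunk (no recheckpoint will ever happen, so the cause is never user visible); the fix covers only the suspended case because, as the description notes, that is the only transactional state that survives into an exec() syscall.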
diff --git a/debian/patches/series b/debian/patches/series
index feccbbf..836c84a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -726,3 +726,4 @@ bugfix/all/netfilter-ensure-number-of-counters-is-0-in-do_repla.patch
 bugfix/all/Revert-netfilter-ensure-number-of-counters-is-0-in-d.patch
 bugfix/all/alsa-compress-fix-an-integer-overflow-check.patch
 bugfix/x86/misc-mic-fix-for-double-fetch-security-bug-in-vop-dr.patch
+bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
