[linux] 01/01: [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls (CVE-2016-5828)
debian-kernel at lists.debian.org
Sun Jul 3 14:33:37 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit ade54804a1ca3cbe5340508fdcf0f088fe6a8c13
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Jul 3 16:33:04 2016 +0200
[powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls (CVE-2016-5828)
---
debian/changelog | 2 +
...always-reclaim-in-start_thread-for-exec-c.patch | 106 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 109 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 126691b..f83b0cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -67,6 +67,8 @@ linux (4.6.3-1) UNRELEASED; urgency=medium
- drm/core: Do not preserve framebuffer on rmfb, v4.
- [x86] Revert "drm/i915: Exit cherryview_irq_handler() after one pass"
- gpio: make sure gpiod_to_irq() returns negative on NULL desc
+ * [powerpc*] tm: Always reclaim in start_thread() for exec() class syscalls
+ (CVE-2016-5828)
[ Salvatore Bonaccorso ]
* HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
diff --git a/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch b/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
new file mode 100644
index 0000000..d98651b
--- /dev/null
+++ b/debian/patches/bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
@@ -0,0 +1,106 @@
+From: Cyril Bur <cyrilbur at gmail.com>
+Date: Fri, 17 Jun 2016 14:58:34 +1000
+Subject: powerpc/tm: Always reclaim in start_thread() for exec() class
+ syscalls
+Origin: https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit?id=8e96a87c5431c256feb65bcfc5aec92d9f7839b6
+
+Userspace can quite legitimately perform an exec() syscall with a
+suspended transaction. exec() does not return to the old process, rather
+it load a new one and starts that, the expectation therefore is that the
+new process starts not in a transaction. Currently exec() is not treated
+any differently to any other syscall which creates problems.
+
+Firstly it could allow a new process to start with a suspended
+transaction for a binary that no longer exists. This means that the
+checkpointed state won't be valid and if the suspended transaction were
+ever to be resumed and subsequently aborted (a possibility which is
+exceedingly likely as exec()ing will likely doom the transaction) the
+new process will jump to invalid state.
+
+Secondly the incorrect attempt to keep the transactional state while
+still zeroing state for the new process creates at least two TM Bad
+Things. The first triggers on the rfid to return to userspace as
+start_thread() has given the new process a 'clean' MSR but the suspend
+will still be set in the hardware MSR. The second TM Bad Thing triggers
+in __switch_to() as the processor is still transactionally suspended but
+__switch_to() wants to zero the TM sprs for the new process.
+
+This is an example of the outcome of calling exec() with a suspended
+transaction. Note the first 700 is likely the first TM bad thing
+decsribed earlier only the kernel can't report it as we've loaded
+userspace registers. c000000000009980 is the rfid in
+fast_exception_return()
+
+ Bad kernel stack pointer 3fffcfa1a370 at c000000000009980
+ Oops: Bad kernel stack pointer, sig: 6 [#1]
+ CPU: 0 PID: 2006 Comm: tm-execed Not tainted
+ NIP: c000000000009980 LR: 0000000000000000 CTR: 0000000000000000
+ REGS: c00000003ffefd40 TRAP: 0700 Not tainted
+ MSR: 8000000300201031 <SF,ME,IR,DR,LE,TM[SE]> CR: 00000000 XER: 00000000
+ CFAR: c0000000000098b4 SOFTE: 0
+ PACATMSCRATCH: b00000010000d033
+ GPR00: 0000000000000000 00003fffcfa1a370 0000000000000000 0000000000000000
+ GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR12: 00003fff966611c0 0000000000000000 0000000000000000 0000000000000000
+ NIP [c000000000009980] fast_exception_return+0xb0/0xb8
+ LR [0000000000000000] (null)
+ Call Trace:
+ Instruction dump:
+ f84d0278 e9a100d8 7c7b03a6 e84101a0 7c4ff120 e8410170 7c5a03a6 e8010070
+ e8410080 e8610088 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed023b
+
+ Kernel BUG at c000000000043e80 [verbose debug info unavailable]
+ Unexpected TM Bad Thing exception at c000000000043e80 (msr 0x201033)
+ Oops: Unrecoverable exception, sig: 6 [#2]
+ CPU: 0 PID: 2006 Comm: tm-execed Tainted: G D
+ task: c0000000fbea6d80 ti: c00000003ffec000 task.ti: c0000000fb7ec000
+ NIP: c000000000043e80 LR: c000000000015a24 CTR: 0000000000000000
+ REGS: c00000003ffef7e0 TRAP: 0700 Tainted: G D
+ MSR: 8000000300201033 <SF,ME,IR,DR,RI,LE,TM[SE]> CR: 28002828 XER: 00000000
+ CFAR: c000000000015a20 SOFTE: 0
+ PACATMSCRATCH: b00000010000d033
+ GPR00: 0000000000000000 c00000003ffefa60 c000000000db5500 c0000000fbead000
+ GPR04: 8000000300001033 2222222222222222 2222222222222222 00000000ff160000
+ GPR08: 0000000000000000 800000010000d033 c0000000fb7e3ea0 c00000000fe00004
+ GPR12: 0000000000002200 c00000000fe00000 0000000000000000 0000000000000000
+ GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ GPR20: 0000000000000000 0000000000000000 c0000000fbea7410 00000000ff160000
+ GPR24: c0000000ffe1f600 c0000000fbea8700 c0000000fbea8700 c0000000fbead000
+ GPR28: c000000000e20198 c0000000fbea6d80 c0000000fbeab680 c0000000fbea6d80
+ NIP [c000000000043e80] tm_restore_sprs+0xc/0x1c
+ LR [c000000000015a24] __switch_to+0x1f4/0x420
+ Call Trace:
+ Instruction dump:
+ 7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
+ 4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020
+
+This fixes CVE-2016-5828.
+
+Fixes: bc2a9408fa65 ("powerpc: Hook in new transactional memory code")
+Cc: stable at vger.kernel.org # v3.9+
+Signed-off-by: Cyril Bur <cyrilbur at gmail.com>
+Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
+---
+ arch/powerpc/kernel/process.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -1503,6 +1503,16 @@ void start_thread(struct pt_regs *regs,
+ current->thread.regs = regs - 1;
+ }
+
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ /*
++ * Clear any transactional state, we're exec()ing. The cause is
++ * not important as there will never be a recheckpoint so it's not
++ * user visible.
++ */
++ if (MSR_TM_SUSPENDED(mfmsr()))
++ tm_reclaim_current(0);
++#endif
++
+ memset(regs->gpr, 0, sizeof(regs->gpr));
+ regs->ctr = 0;
+ regs->link = 0;
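Review bot: the reclaim added here silently depends on the context line just above it, `current->thread.regs = regs - 1;`, because tm_reclaim_current() reclaims the state of `current`; the new comment explains only why a cause of 0 is acceptable. Suggest extending the comment so the ordering survives a later reshuffle of start_thread(), e.g. `/* Must stay after current->thread.regs is set; tm_reclaim_current() reclaims through it. */`. Reading the condition from mfmsr() rather than from regs->msr is the right choice at this point: as the description says, regs is about to be given a 'clean' MSR while the suspend bit is still set in the hardware MSR, so only the hardware value reflects the state that has to be reclaimed.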
diff --git a/debian/patches/series b/debian/patches/series
index 50cedef..8c16bb5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -114,6 +114,7 @@ bugfix/all/percpu-fix-synchronization-between-synchronous-map-e.patch
bugfix/all/posix_acl-add-set_posix_acl.patch
bugfix/all/nfsd-check-permissions-when-setting-acls.patch
bugfix/all/HID-hiddev-validate-num_values-for-HIDIOCGUSAGES-HID.patch
+bugfix/powerpc/powerpc-tm-always-reclaim-in-start_thread-for-exec-c.patch
# ABI maintenance
debian/mips-siginfo-fix-abi-change-in-4.6.2.patch
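Added example, not part of this commit, the upstream patch or the Debian package: a userspace C program that performs the sequence the description above calls legitimate (tbegin., tsuspend., then exec()), which is what the "tm-execed" process in the two oopses was doing, together with a decoder for the MSR transactional-memory state field that those oopses print as TM[SE]. Assumed, beyond what the page shows: the Linux bit positions MSR_TM = bit 32, MSR_TS_S = bit 33, MSR_TS_T = bit 34; PPC_FEATURE2_HTM = 0x40000000 in AT_HWCAP2; the T, S, E print order inside TM[]; and the function names msr_tm_state(), exec_must_reclaim(), msr_tm_describe() and exec_with_suspended_transaction(), which are this example's own. The transaction code is compiled only on powerpc64 and runs only where AT_HWCAP2 reports HTM; on any other host the program just decodes the MSR values.

```c
/*
 * Added example (not from the page, upstream Linux, or the Debian package).
 * Decodes the powerpc MSR TM state bits as printed in the oopses above,
 * mirrors the check the patch adds to start_thread(), and on a powerpc64
 * host with HTM reproduces "exec() with a suspended transaction".
 * Assumed bit positions (Linux reg.h): MSR_TM bit 32 ("E" in the oops),
 * MSR_TS_S bit 33 ("S"), MSR_TS_T bit 34 ("T").
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>

#define MSR_TM      (1ULL << 32)
#define MSR_TS_S    (1ULL << 33)
#define MSR_TS_T    (1ULL << 34)
#define MSR_TS_MASK (MSR_TS_S | MSR_TS_T)

#ifndef PPC_FEATURE2_HTM
#define PPC_FEATURE2_HTM 0x40000000 /* assumed AT_HWCAP2 bit, see lead-in */
#endif

enum tm_state { TM_NONE = 0, TM_SUSPENDED = 1, TM_TRANSACTIONAL = 2 };

/* Same tests as the kernel's MSR_TM_SUSPENDED()/MSR_TM_TRANSACTIONAL(). */
enum tm_state msr_tm_state(uint64_t msr)
{
    uint64_t ts = msr & MSR_TS_MASK;

    if (ts == MSR_TS_S)
        return TM_SUSPENDED;
    if (ts == MSR_TS_T)
        return TM_TRANSACTIONAL;
    return TM_NONE; /* TS = 0, or the reserved 0b11 encoding */
}

/* The decision the patch adds to start_thread(): reclaim iff suspended. */
int exec_must_reclaim(uint64_t msr)
{
    return msr_tm_state(msr) == TM_SUSPENDED;
}

/* Letters inside TM[...] in the oops; T, S, E order is an assumption. */
const char *msr_tm_describe(uint64_t msr)
{
    static char buf[4];
    int n = 0;

    if (msr & MSR_TS_T) buf[n++] = 'T';
    if (msr & MSR_TS_S) buf[n++] = 'S';
    if (msr & MSR_TM)   buf[n++] = 'E';
    buf[n] = '\0';
    return buf;
}

/*
 * tbegin., tsuspend., then exec(). Returns -ENOTSUP without HTM, 0 if the
 * transaction failed before it could be suspended (failure handler ran),
 * -errno if execv() fails; on success it does not return.
 */
int exec_with_suspended_transaction(const char *path, char *const argv[])
{
#if defined(__powerpc64__)
    int started;

    if (!(getauxval(AT_HWCAP2) & PPC_FEATURE2_HTM))
        return -ENOTSUP;

    /* CR0 is 0b0000 after a successful tbegin.; the failure path resumes
     * after tbegin. with CR0.eq set, so beq skips the suspend. */
    asm volatile(
        ".machine push\n\t"
        ".machine \"power8\"\n\t"
        "li %0,0\n\t"
        "tbegin.\n\t"
        "beq 1f\n\t"
        "tsuspend.\n\t"
        "li %0,1\n\t"
        "1:\n\t"
        ".machine pop"
        : "=r"(started) : : "cr0", "memory");
    if (!started)
        return 0;

    execv(path, argv); /* TS is still S when the kernel runs start_thread() */
    return -errno;
#else
    (void)path;
    (void)argv;
    return -ENOTSUP;
#endif
}

int main(int argc, char **argv)
{
    /* The two MSR values printed by the oopses above. */
    const uint64_t samples[] = { 0x8000000300201031ULL, 0x8000000300201033ULL };
    char *child_argv[] = { argv[0], "--child", NULL };
    int rc;

    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        puts("child: started cleanly after exec() from a suspended transaction");
        return 0;
    }
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("msr 0x%016llx: TM[%s] state=%d reclaim_on_exec=%d\n",
               (unsigned long long)samples[i], msr_tm_describe(samples[i]),
               (int)msr_tm_state(samples[i]), exec_must_reclaim(samples[i]));

    rc = exec_with_suspended_transaction("/proc/self/exe", child_argv);
    if (rc == -ENOTSUP)
        puts("no HTM on this host: MSR decode only");
    else if (rc == 0)
        puts("transaction failed before it could be suspended; rerun");
    else
        printf("execv failed: %s\n", strerror(-rc));
    return 0;
}
```

Build with `gcc -O1 -o tm-exec-repro tm-exec-repro.c` and run it on the fixed kernel: the re-exec'd child prints its line, because start_thread() now reclaims the suspended transaction before zeroing the registers. Do not run it on an unfixed kernel you care about: per the description above the expected outcome there is the "Bad kernel stack pointer" oops followed by an unrecoverable TM Bad Thing, i.e. a crash, not an error return.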
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git