cve/published/2021/CVE-2021-46961.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46961: irqchip/gic-v3: Do not enable irqs when handling spurious interrups

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 irqchip/gic-v3: Do not enable irqs when handling spurious interrups

 We triggered the following error while running our 4.19 kernel
 with the pseudo-NMI patches backported to it:

 [   14.816231] ------------[ cut here ]------------
 [   14.816231] kernel BUG at irq.c:99!
 [   14.816232] Internal error: Oops - BUG: 0 [#1] SMP
 [   14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))
 [   14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G           O      4.19.95.aarch64 #14
 [   14.816233] Hardware name: evb (DT)
 [   14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)
 [   14.816234] pc : asm_nmi_enter+0x94/0x98
 [   14.816235] lr : asm_nmi_enter+0x18/0x98
 [   14.816235] sp : ffff000008003c50
 [   14.816235] pmr_save: 00000070
 [   14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0
 [   14.816238] x27: 0000000000000000 x26: ffff000008004000
 [   14.816239] x25: 00000000015e0000 x24: ffff8008fb916000
 [   14.816240] x23: 0000000020400005 x22: ffff0000080817cc
 [   14.816241] x21: ffff000008003da0 x20: 0000000000000060
 [   14.816242] x19: 00000000000003ff x18: ffffffffffffffff
 [   14.816243] x17: 0000000000000008 x16: 003d090000000000
 [   14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40
 [   14.816244] x13: ffff8008fff58b9d x12: 0000000000000000
 [   14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5
 [   14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f
 [   14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e
 [   14.816248] x5 : 0000000000000000 x4 : 0000000080000000
 [   14.816249] x3 : 0000000000000000 x2 : 0000000080000000
 [   14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0
 [   14.816251] Call trace:
 [   14.816251]  asm_nmi_enter+0x94/0x98
 [   14.816251]  el1_irq+0x8c/0x180                    (IRQ C)
 [   14.816252]  gic_handle_irq+0xbc/0x2e4
 [   14.816252]  el1_irq+0xcc/0x180                    (IRQ B)
 [   14.816253]  arch_timer_handler_virt+0x38/0x58
 [   14.816253]  handle_percpu_devid_irq+0x90/0x240
 [   14.816253]  generic_handle_irq+0x34/0x50
 [   14.816254]  __handle_domain_irq+0x68/0xc0
 [   14.816254]  gic_handle_irq+0xf8/0x2e4
 [   14.816255]  el1_irq+0xcc/0x180                    (IRQ A)
 [   14.816255]  arch_cpu_idle+0x34/0x1c8
 [   14.816255]  default_idle_call+0x24/0x44
 [   14.816256]  do_idle+0x1d0/0x2c8
 [   14.816256]  cpu_startup_entry+0x28/0x30
 [   14.816256]  rest_init+0xb8/0xc8
 [   14.816257]  start_kernel+0x4c8/0x4f4
 [   14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)
 [   14.816258] Modules linked in: start_dp(O) smeth(O)
 [   15.103092] ---[ end trace 701753956cb14aa8 ]---
 [   15.103093] Kernel panic - not syncing: Fatal exception in interrupt
 [   15.103099] SMP: stopping secondary CPUs
 [   15.103100] Kernel Offset: disabled
 [   15.103100] CPU features: 0x36,a2400218
 [   15.103100] Memory Limit: none

 which is cause by a 'BUG_ON(in_nmi())' in nmi_enter().

 From the call trace, we can find three interrupts (noted A, B, C above):
 interrupt (A) is preempted by (B), which is further interrupted by (C).

 Subsequent investigations show that (B) results in nmi_enter() being
 called, but that it actually is a spurious interrupt. Furthermore,
 interrupts are reenabled in the context of (B), and (C) fires with
 NMI priority. We end-up with a nested NMI situation, something
 we definitely do not want to (and cannot) handle.

 The bug here is that spurious interrupts should never result in any
 state change, and we should just return to the interrupted context.
 Moving the handling of spurious interrupts as early as possible in
 the GICv3 handler fixes this issue.

 [maz: rewrote commit message, corrected Fixes: tag]

 The Linux kernel CVE team has assigned CVE-2021-46961 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.4.118 with commit e7ea8e46e3b777be26aa855fe07778c415f24926
 	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.10.36 with commit 7be4db5c2b59fa77071c93ca4329876fb9777202
 	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.11.20 with commit ea817ac1014c04f47885532b55f5d0898deadfba
 	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.12.3 with commit 3f72d3709f53af72835af7dc8b15ba61611a0e36
 	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.13 with commit a97709f563a078e259bf0861cd259aa60332890a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46961
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/irqchip/irq-gic-v3.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e7ea8e46e3b777be26aa855fe07778c415f24926
 	https://git.kernel.org/stable/c/7be4db5c2b59fa77071c93ca4329876fb9777202
 	https://git.kernel.org/stable/c/ea817ac1014c04f47885532b55f5d0898deadfba
 	https://git.kernel.org/stable/c/3f72d3709f53af72835af7dc8b15ba61611a0e36
 	https://git.kernel.org/stable/c/a97709f563a078e259bf0861cd259aa60332890a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46961: irqchip/gic-v3: Do not enable irqs when handling spurious interrups

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	irqchip/gic-v3: Do not enable irqs when handling spurious interrups

	We triggered the following error while running our 4.19 kernel
	with the pseudo-NMI patches backported to it:

	[ 14.816231] ------------[ cut here ]------------
	[ 14.816231] kernel BUG at irq.c:99!
	[ 14.816232] Internal error: Oops - BUG: 0 [#1] SMP
	[ 14.816232] Process swapper/0 (pid: 0, stack limit = 0x(____ptrval____))
	[ 14.816233] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 4.19.95.aarch64 #14
	[ 14.816233] Hardware name: evb (DT)
	[ 14.816234] pstate: 80400085 (Nzcv daIf +PAN -UAO)
	[ 14.816234] pc : asm_nmi_enter+0x94/0x98
	[ 14.816235] lr : asm_nmi_enter+0x18/0x98
	[ 14.816235] sp : ffff000008003c50
	[ 14.816235] pmr_save: 00000070
	[ 14.816237] x29: ffff000008003c50 x28: ffff0000095f56c0
	[ 14.816238] x27: 0000000000000000 x26: ffff000008004000
	[ 14.816239] x25: 00000000015e0000 x24: ffff8008fb916000
	[ 14.816240] x23: 0000000020400005 x22: ffff0000080817cc
	[ 14.816241] x21: ffff000008003da0 x20: 0000000000000060
	[ 14.816242] x19: 00000000000003ff x18: ffffffffffffffff
	[ 14.816243] x17: 0000000000000008 x16: 003d090000000000
	[ 14.816244] x15: ffff0000095ea6c8 x14: ffff8008fff5ab40
	[ 14.816244] x13: ffff8008fff58b9d x12: 0000000000000000
	[ 14.816245] x11: ffff000008c8a200 x10: 000000008e31fca5
	[ 14.816246] x9 : ffff000008c8a208 x8 : 000000000000000f
	[ 14.816247] x7 : 0000000000000004 x6 : ffff8008fff58b9e
	[ 14.816248] x5 : 0000000000000000 x4 : 0000000080000000
	[ 14.816249] x3 : 0000000000000000 x2 : 0000000080000000
	[ 14.816250] x1 : 0000000000120000 x0 : ffff0000095f56c0
	[ 14.816251] Call trace:
	[ 14.816251] asm_nmi_enter+0x94/0x98
	[ 14.816251] el1_irq+0x8c/0x180 (IRQ C)
	[ 14.816252] gic_handle_irq+0xbc/0x2e4
	[ 14.816252] el1_irq+0xcc/0x180 (IRQ B)
	[ 14.816253] arch_timer_handler_virt+0x38/0x58
	[ 14.816253] handle_percpu_devid_irq+0x90/0x240
	[ 14.816253] generic_handle_irq+0x34/0x50
	[ 14.816254] __handle_domain_irq+0x68/0xc0
	[ 14.816254] gic_handle_irq+0xf8/0x2e4
	[ 14.816255] el1_irq+0xcc/0x180 (IRQ A)
	[ 14.816255] arch_cpu_idle+0x34/0x1c8
	[ 14.816255] default_idle_call+0x24/0x44
	[ 14.816256] do_idle+0x1d0/0x2c8
	[ 14.816256] cpu_startup_entry+0x28/0x30
	[ 14.816256] rest_init+0xb8/0xc8
	[ 14.816257] start_kernel+0x4c8/0x4f4
	[ 14.816257] Code: 940587f1 d5384100 b9401001 36a7fd01 (d4210000)
	[ 14.816258] Modules linked in: start_dp(O) smeth(O)
	[ 15.103092] ---[ end trace 701753956cb14aa8 ]---
	[ 15.103093] Kernel panic - not syncing: Fatal exception in interrupt
	[ 15.103099] SMP: stopping secondary CPUs
	[ 15.103100] Kernel Offset: disabled
	[ 15.103100] CPU features: 0x36,a2400218
	[ 15.103100] Memory Limit: none

	which is cause by a 'BUG_ON(in_nmi())' in nmi_enter().

	From the call trace, we can find three interrupts (noted A, B, C above):
	interrupt (A) is preempted by (B), which is further interrupted by (C).

	Subsequent investigations show that (B) results in nmi_enter() being
	called, but that it actually is a spurious interrupt. Furthermore,
	interrupts are reenabled in the context of (B), and (C) fires with
	NMI priority. We end-up with a nested NMI situation, something
	we definitely do not want to (and cannot) handle.

	The bug here is that spurious interrupts should never result in any
	state change, and we should just return to the interrupted context.
	Moving the handling of spurious interrupts as early as possible in
	the GICv3 handler fixes this issue.

	[maz: rewrote commit message, corrected Fixes: tag]

	The Linux kernel CVE team has assigned CVE-2021-46961 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.4.118 with commit e7ea8e46e3b777be26aa855fe07778c415f24926
	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.10.36 with commit 7be4db5c2b59fa77071c93ca4329876fb9777202
	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.11.20 with commit ea817ac1014c04f47885532b55f5d0898deadfba
	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.12.3 with commit 3f72d3709f53af72835af7dc8b15ba61611a0e36
	Issue introduced in 5.1 with commit 3f1f3234bc2db1c16b9818b9a15a5d58ad45251c and fixed in 5.13 with commit a97709f563a078e259bf0861cd259aa60332890a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46961
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/irqchip/irq-gic-v3.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e7ea8e46e3b777be26aa855fe07778c415f24926
	https://git.kernel.org/stable/c/7be4db5c2b59fa77071c93ca4329876fb9777202
	https://git.kernel.org/stable/c/ea817ac1014c04f47885532b55f5d0898deadfba
	https://git.kernel.org/stable/c/3f72d3709f53af72835af7dc8b15ba61611a0e36
	https://git.kernel.org/stable/c/a97709f563a078e259bf0861cd259aa60332890a