cve/published/2021/CVE-2021-46997.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46997: arm64: entry: always set GIC_PRIO_PSR_I_SET during entry

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 arm64: entry: always set GIC_PRIO_PSR_I_SET during entry

 Zenghui reports that booting a kernel with "irqchip.gicv3_pseudo_nmi=1"
 on the command line hits a warning during kernel entry, due to the way
 we manipulate the PMR.

 Early in the entry sequence, we call lockdep_hardirqs_off() to inform
 lockdep that interrupts have been masked (as the HW sets DAIF wqhen
 entering an exception). Architecturally PMR_EL1 is not affected by
 exception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in
 the exception entry sequence, so early in exception entry the PMR can
 indicate that interrupts are unmasked even though they are masked by
 DAIF.

 If DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that
 interrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the
 exception entry paths, and hence lockdep_hardirqs_off() will WARN() that
 something is amiss.

 We can avoid this by consistently setting GIC_PRIO_PSR_I_SET during
 exception entry so that kernel code sees a consistent environment. We
 must also update local_daif_inherit() to undo this, as currently only
 touches DAIF. For other paths, local_daif_restore() will update both
 DAIF and the PMR. With this done, we can remove the existing special
 cases which set this later in the entry code.

 We always use (GIC_PRIO_IRQON | GIC_PRIO_PSR_I_SET) for consistency with
 local_daif_save(), as this will warn if it ever encounters
 (GIC_PRIO_IRQOFF | GIC_PRIO_PSR_I_SET), and never sets this itself. This
 matches the gic_prio_kentry_setup that we have to retain for
 ret_to_user.

 The original splat from Zenghui's report was:

 | DEBUG_LOCKS_WARN_ON(!irqs_disabled())
 | WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8
 | Modules linked in:
 | CPU: 3 PID: 125 Comm: modprobe Tainted: G        W         5.12.0-rc8+ #463
 | Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
 | pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--)
 | pc : lockdep_hardirqs_off+0xd4/0xe8
 | lr : lockdep_hardirqs_off+0xd4/0xe8
 | sp : ffff80002a39bad0
 | pmr_save: 000000e0
 | x29: ffff80002a39bad0 x28: ffff0000de214bc0
 | x27: ffff0000de1c0400 x26: 000000000049b328
 | x25: 0000000000406f30 x24: ffff0000de1c00a0
 | x23: 0000000020400005 x22: ffff8000105f747c
 | x21: 0000000096000044 x20: 0000000000498ef9
 | x19: ffff80002a39bc88 x18: ffffffffffffffff
 | x17: 0000000000000000 x16: ffff800011c61eb0
 | x15: ffff800011700a88 x14: 0720072007200720
 | x13: 0720072007200720 x12: 0720072007200720
 | x11: 0720072007200720 x10: 0720072007200720
 | x9 : ffff80002a39bad0 x8 : ffff80002a39bad0
 | x7 : ffff8000119f0800 x6 : c0000000ffff7fff
 | x5 : ffff8000119f07a8 x4 : 0000000000000001
 | x3 : 9bcdab23f2432800 x2 : ffff800011730538
 | x1 : 9bcdab23f2432800 x0 : 0000000000000000
 | Call trace:
 |  lockdep_hardirqs_off+0xd4/0xe8
 |  enter_from_kernel_mode.isra.5+0x7c/0xa8
 |  el1_abort+0x24/0x100
 |  el1_sync_handler+0x80/0xd0
 |  el1_sync+0x6c/0x100
 |  __arch_clear_user+0xc/0x90
 |  load_elf_binary+0x9fc/0x1450
 |  bprm_execve+0x404/0x880
 |  kernel_execve+0x180/0x188
 |  call_usermodehelper_exec_async+0xdc/0x158
 |  ret_from_fork+0x10/0x18

 The Linux kernel CVE team has assigned CVE-2021-46997 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit 23529049c68423820487304f244144e0d576e85a and fixed in 5.10.38 with commit 51524fa8b5f7b879ba569227738375d283b79382
 	Issue introduced in 5.10 with commit 23529049c68423820487304f244144e0d576e85a and fixed in 5.11.22 with commit e67a83f078005461b59b4c776e6b5addd11725fa
 	Issue introduced in 5.10 with commit 23529049c68423820487304f244144e0d576e85a and fixed in 5.12.5 with commit d8d52005f57bbb4a4ec02f647e2555d327135c68
 	Issue introduced in 5.10 with commit 23529049c68423820487304f244144e0d576e85a and fixed in 5.13 with commit 4d6a38da8e79e94cbd1344aa90876f0f805db705

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46997
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm64/include/asm/daifflags.h
 	arch/arm64/kernel/entry-common.c
 	arch/arm64/kernel/entry.S


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/51524fa8b5f7b879ba569227738375d283b79382
 	https://git.kernel.org/stable/c/e67a83f078005461b59b4c776e6b5addd11725fa
 	https://git.kernel.org/stable/c/d8d52005f57bbb4a4ec02f647e2555d327135c68
 	https://git.kernel.org/stable/c/4d6a38da8e79e94cbd1344aa90876f0f805db705
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46997: arm64: entry: always set GIC_PRIO_PSR_I_SET during entry

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	arm64: entry: always set GIC_PRIO_PSR_I_SET during entry

	Zenghui reports that booting a kernel with "irqchip.gicv3_pseudo_nmi=1"
	on the command line hits a warning during kernel entry, due to the way
	we manipulate the PMR.

	Early in the entry sequence, we call lockdep_hardirqs_off() to inform
	lockdep that interrupts have been masked (as the HW sets DAIF wqhen
	entering an exception). Architecturally PMR_EL1 is not affected by
	exception entry, and we don't set GIC_PRIO_PSR_I_SET in the PMR early in
	the exception entry sequence, so early in exception entry the PMR can
	indicate that interrupts are unmasked even though they are masked by
	DAIF.

	If DEBUG_LOCKDEP is selected, lockdep_hardirqs_off() will check that
	interrupts are masked, before we set GIC_PRIO_PSR_I_SET in any of the
	exception entry paths, and hence lockdep_hardirqs_off() will WARN() that
	something is amiss.

	We can avoid this by consistently setting GIC_PRIO_PSR_I_SET during
	exception entry so that kernel code sees a consistent environment. We
	must also update local_daif_inherit() to undo this, as currently only
	touches DAIF. For other paths, local_daif_restore() will update both
	DAIF and the PMR. With this done, we can remove the existing special
	cases which set this later in the entry code.

	We always use (GIC_PRIO_IRQON \| GIC_PRIO_PSR_I_SET) for consistency with
	local_daif_save(), as this will warn if it ever encounters
	(GIC_PRIO_IRQOFF \| GIC_PRIO_PSR_I_SET), and never sets this itself. This
	matches the gic_prio_kentry_setup that we have to retain for
	ret_to_user.

	The original splat from Zenghui's report was:

	\| DEBUG_LOCKS_WARN_ON(!irqs_disabled())
	\| WARNING: CPU: 3 PID: 125 at kernel/locking/lockdep.c:4258 lockdep_hardirqs_off+0xd4/0xe8
	\| Modules linked in:
	\| CPU: 3 PID: 125 Comm: modprobe Tainted: G W 5.12.0-rc8+ #463
	\| Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
	\| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO BTYPE=--)
	\| pc : lockdep_hardirqs_off+0xd4/0xe8
	\| lr : lockdep_hardirqs_off+0xd4/0xe8
	\| sp : ffff80002a39bad0
	\| pmr_save: 000000e0
	\| x29: ffff80002a39bad0 x28: ffff0000de214bc0
	\| x27: ffff0000de1c0400 x26: 000000000049b328
	\| x25: 0000000000406f30 x24: ffff0000de1c00a0
	\| x23: 0000000020400005 x22: ffff8000105f747c
	\| x21: 0000000096000044 x20: 0000000000498ef9
	\| x19: ffff80002a39bc88 x18: ffffffffffffffff
	\| x17: 0000000000000000 x16: ffff800011c61eb0
	\| x15: ffff800011700a88 x14: 0720072007200720
	\| x13: 0720072007200720 x12: 0720072007200720
	\| x11: 0720072007200720 x10: 0720072007200720
	\| x9 : ffff80002a39bad0 x8 : ffff80002a39bad0
	\| x7 : ffff8000119f0800 x6 : c0000000ffff7fff
	\| x5 : ffff8000119f07a8 x4 : 0000000000000001
	\| x3 : 9bcdab23f2432800 x2 : ffff800011730538
	\| x1 : 9bcdab23f2432800 x0 : 0000000000000000
	\| Call trace:
	\| lockdep_hardirqs_off+0xd4/0xe8
	\| enter_from_kernel_mode.isra.5+0x7c/0xa8
	\| el1_abort+0x24/0x100
	\| el1_sync_handler+0x80/0xd0
	\| el1_sync+0x6c/0x100
	\| __arch_clear_user+0xc/0x90
	\| load_elf_binary+0x9fc/0x1450
	\| bprm_execve+0x404/0x880
	\| kernel_execve+0x180/0x188
	\| call_usermodehelper_exec_async+0xdc/0x158
	\| ret_from_fork+0x10/0x18

	The Linux kernel CVE team has assigned CVE-2021-46997 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit 23529049c68423820487304f244144e0d576e85a and fixed in 5.10.38 with commit 51524fa8b5f7b879ba569227738375d283b79382
	Issue introduced in 5.10 with commit 23529049c68423820487304f244144e0d576e85a and fixed in 5.11.22 with commit e67a83f078005461b59b4c776e6b5addd11725fa
	Issue introduced in 5.10 with commit 23529049c68423820487304f244144e0d576e85a and fixed in 5.12.5 with commit d8d52005f57bbb4a4ec02f647e2555d327135c68
	Issue introduced in 5.10 with commit 23529049c68423820487304f244144e0d576e85a and fixed in 5.13 with commit 4d6a38da8e79e94cbd1344aa90876f0f805db705

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46997
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm64/include/asm/daifflags.h
	arch/arm64/kernel/entry-common.c
	arch/arm64/kernel/entry.S


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/51524fa8b5f7b879ba569227738375d283b79382
	https://git.kernel.org/stable/c/e67a83f078005461b59b4c776e6b5addd11725fa
	https://git.kernel.org/stable/c/d8d52005f57bbb4a4ec02f647e2555d327135c68
	https://git.kernel.org/stable/c/4d6a38da8e79e94cbd1344aa90876f0f805db705