cve/published/2021/CVE-2021-47428.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47428: powerpc/64s: fix program check interrupt emergency stack path

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/64s: fix program check interrupt emergency stack path

 Emergency stack path was jumping into a 3: label inside the
 __GEN_COMMON_BODY macro for the normal path after it had finished,
 rather than jumping over it. By a small miracle this is the correct
 place to build up a new interrupt frame with the existing stack
 pointer, so things basically worked okay with an added weird looking
 700 trap frame on top (which had the wrong ->nip so it didn't decode
 bug messages either).

 Fix this by avoiding using numeric labels when jumping over non-trivial
 macros.

 Before:

  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
  Modules linked in:
  CPU: 0 PID: 88 Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637
  NIP:  7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0
  REGS: c0000000fffb3a50 TRAP: 0700   Not tainted
  MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 00000700  XER: 20040000
  CFAR: c0000000000098b0 IRQMASK: 0
  GPR00: c00000000006c964 c0000000fffb3cf0 c000000001513800 0000000000000000
  GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299
  GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8
  GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001
  GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8
  GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158
  GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300
  GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80
  NIP [7265677368657265] 0x7265677368657265
  LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
  Call Trace:
  [c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0 (unreliable)
  --- interrupt: 700 at decrementer_common_virt+0xb8/0x230
  NIP:  c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0
  REGS: c0000000fffb3d60 TRAP: 0700   Not tainted
  MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 22424282  XER: 20040000
  CFAR: c0000000000098b0 IRQMASK: 0
  GPR00: c00000000006c964 0000000000002400 c000000001513800 0000000000000000
  GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299
  GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8
  GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001
  GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8
  GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158
  GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300
  GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80
  NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230
  LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
  --- interrupt: 700
  Instruction dump:
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
  ---[ end trace 6d28218e0cc3c949 ]---

 After:

  ------------[ cut here ]------------
  kernel BUG at arch/powerpc/kernel/exceptions-64s.S:491!
  Oops: Exception in kernel mode, sig: 5 [#1]
  LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
  Modules linked in:
  CPU: 0 PID: 88 Comm: login Not tainted 5.15.0-rc2-00034-ge057cdade6e5-dirty #2638
  NIP:  c0000000000098b8 LR: c00000000006bf04 CTR: c0000000000097f0
  REGS: c0000000fffb3d60 TRAP: 0700   Not tainted
  MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 24482227  XER: 00040000
  CFAR: c0000000000098b0 IRQMASK: 0
  GPR00: c00000000006bf04 0000000000002400 c000000001513800 c000000001271868
  GPR04: 00000000100f0d29 0000000042000000 0000000000000007 0000000000000009
  GPR08: 00000000100f0d29 0000000024482227 0000000000002710 c000000000181b3c
  GPR12: 9000000000009033 c0000000016b0000 00000000100f0d29 c000000005b22f00
  GPR16: 00000000ffff0000 0000000000000001 0000000000000009 00000000100eed90
  GPR20: 00000000100eed90 0000000010000000 000000001000a49c 00000000100f1430
  GPR24: c000000001271868 0000000002000000 0000000000000215 0000000000000300
  GPR28: c000000001271800 0000000042000000 00000000100f0d29 c000000080647860
  NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230
  LR [c00000000006bf04] ___do_page_fault+0x234/0xb10
  Call Trace:
  Instruction dump:
  4182000c 39400001 48000008 894d0932 714a0001 39400008 408225fc 718a4000
  7c2a0b78 3821fcf0 41c20008 e82d0910 <0981fcf0> f92101a0 f9610170 f9810178
  ---[ end trace a5dbd1f5ea4ccc51 ]---

 The Linux kernel CVE team has assigned CVE-2021-47428 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.3 with commit 0a882e28468f48ab3d9a36dde0a5723ea29ed1ed and fixed in 5.10.73 with commit 411b38fe68ba20a8bbe724b0939762c3f16e16ca
 	Issue introduced in 5.3 with commit 0a882e28468f48ab3d9a36dde0a5723ea29ed1ed and fixed in 5.14.12 with commit c835b3d1d6362b4a4ebb192da7e7fd27a0a45d01
 	Issue introduced in 5.3 with commit 0a882e28468f48ab3d9a36dde0a5723ea29ed1ed and fixed in 5.15 with commit 3e607dc4df180b72a38e75030cb0f94d12808712

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47428
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/kernel/exceptions-64s.S


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/411b38fe68ba20a8bbe724b0939762c3f16e16ca
 	https://git.kernel.org/stable/c/c835b3d1d6362b4a4ebb192da7e7fd27a0a45d01
 	https://git.kernel.org/stable/c/3e607dc4df180b72a38e75030cb0f94d12808712
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47428: powerpc/64s: fix program check interrupt emergency stack path

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/64s: fix program check interrupt emergency stack path

	Emergency stack path was jumping into a 3: label inside the
	__GEN_COMMON_BODY macro for the normal path after it had finished,
	rather than jumping over it. By a small miracle this is the correct
	place to build up a new interrupt frame with the existing stack
	pointer, so things basically worked okay with an added weird looking
	700 trap frame on top (which had the wrong ->nip so it didn't decode
	bug messages either).

	Fix this by avoiding using numeric labels when jumping over non-trivial
	macros.

	Before:

	LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
	Modules linked in:
	CPU: 0 PID: 88 Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637
	NIP: 7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0
	REGS: c0000000fffb3a50 TRAP: 0700 Not tainted
	MSR: 9000000000021031 <SF,HV,ME,IR,DR,LE> CR: 00000700 XER: 20040000
	CFAR: c0000000000098b0 IRQMASK: 0
	GPR00: c00000000006c964 c0000000fffb3cf0 c000000001513800 0000000000000000
	GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299
	GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8
	GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001
	GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8
	GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158
	GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300
	GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80
	NIP [7265677368657265] 0x7265677368657265
	LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
	Call Trace:
	[c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0 (unreliable)
	--- interrupt: 700 at decrementer_common_virt+0xb8/0x230
	NIP: c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0
	REGS: c0000000fffb3d60 TRAP: 0700 Not tainted
	MSR: 9000000000021031 <SF,HV,ME,IR,DR,LE> CR: 22424282 XER: 20040000
	CFAR: c0000000000098b0 IRQMASK: 0
	GPR00: c00000000006c964 0000000000002400 c000000001513800 0000000000000000
	GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299
	GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8
	GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001
	GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8
	GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158
	GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300
	GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80
	NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230
	LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
	--- interrupt: 700
	Instruction dump:
	XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	---[ end trace 6d28218e0cc3c949 ]---

	After:

	------------[ cut here ]------------
	kernel BUG at arch/powerpc/kernel/exceptions-64s.S:491!
	Oops: Exception in kernel mode, sig: 5 [#1]
	LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
	Modules linked in:
	CPU: 0 PID: 88 Comm: login Not tainted 5.15.0-rc2-00034-ge057cdade6e5-dirty #2638
	NIP: c0000000000098b8 LR: c00000000006bf04 CTR: c0000000000097f0
	REGS: c0000000fffb3d60 TRAP: 0700 Not tainted
	MSR: 9000000000021031 <SF,HV,ME,IR,DR,LE> CR: 24482227 XER: 00040000
	CFAR: c0000000000098b0 IRQMASK: 0
	GPR00: c00000000006bf04 0000000000002400 c000000001513800 c000000001271868
	GPR04: 00000000100f0d29 0000000042000000 0000000000000007 0000000000000009
	GPR08: 00000000100f0d29 0000000024482227 0000000000002710 c000000000181b3c
	GPR12: 9000000000009033 c0000000016b0000 00000000100f0d29 c000000005b22f00
	GPR16: 00000000ffff0000 0000000000000001 0000000000000009 00000000100eed90
	GPR20: 00000000100eed90 0000000010000000 000000001000a49c 00000000100f1430
	GPR24: c000000001271868 0000000002000000 0000000000000215 0000000000000300
	GPR28: c000000001271800 0000000042000000 00000000100f0d29 c000000080647860
	NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230
	LR [c00000000006bf04] ___do_page_fault+0x234/0xb10
	Call Trace:
	Instruction dump:
	4182000c 39400001 48000008 894d0932 714a0001 39400008 408225fc 718a4000
	7c2a0b78 3821fcf0 41c20008 e82d0910 <0981fcf0> f92101a0 f9610170 f9810178
	---[ end trace a5dbd1f5ea4ccc51 ]---

	The Linux kernel CVE team has assigned CVE-2021-47428 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.3 with commit 0a882e28468f48ab3d9a36dde0a5723ea29ed1ed and fixed in 5.10.73 with commit 411b38fe68ba20a8bbe724b0939762c3f16e16ca
	Issue introduced in 5.3 with commit 0a882e28468f48ab3d9a36dde0a5723ea29ed1ed and fixed in 5.14.12 with commit c835b3d1d6362b4a4ebb192da7e7fd27a0a45d01
	Issue introduced in 5.3 with commit 0a882e28468f48ab3d9a36dde0a5723ea29ed1ed and fixed in 5.15 with commit 3e607dc4df180b72a38e75030cb0f94d12808712

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47428
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/kernel/exceptions-64s.S


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/411b38fe68ba20a8bbe724b0939762c3f16e16ca
	https://git.kernel.org/stable/c/c835b3d1d6362b4a4ebb192da7e7fd27a0a45d01
	https://git.kernel.org/stable/c/3e607dc4df180b72a38e75030cb0f94d12808712