cve/published/2021/CVE-2021-47553.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47553: sched/scs: Reset task stack state in bringup_cpu()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 sched/scs: Reset task stack state in bringup_cpu()

 To hot unplug a CPU, the idle task on that CPU calls a few layers of C
 code before finally leaving the kernel. When KASAN is in use, poisoned
 shadow is left around for each of the active stack frames, and when
 shadow call stacks are in use. When shadow call stacks (SCS) are in use
 the task's saved SCS SP is left pointing at an arbitrary point within
 the task's shadow call stack.

 When a CPU is offlined than onlined back into the kernel, this stale
 state can adversely affect execution. Stale KASAN shadow can alias new
 stackframes and result in bogus KASAN warnings. A stale SCS SP is
 effectively a memory leak, and prevents a portion of the shadow call
 stack being used. Across a number of hotplug cycles the idle task's
 entire shadow call stack can become unusable.

 We previously fixed the KASAN issue in commit:

   e1b77c92981a5222 ("sched/kasan: remove stale KASAN poison after hotplug")

 ... by removing any stale KASAN stack poison immediately prior to
 onlining a CPU.

 Subsequently in commit:

   f1a0a376ca0c4ef1 ("sched/core: Initialize the idle task with preemption disabled")

 ... the refactoring left the KASAN and SCS cleanup in one-time idle
 thread initialization code rather than something invoked prior to each
 CPU being onlined, breaking both as above.

 We fixed SCS (but not KASAN) in commit:

   63acd42c0d4942f7 ("sched/scs: Reset the shadow stack when idle_task_exit")

 ... but as this runs in the context of the idle task being offlined it's
 potentially fragile.

 To fix these consistently and more robustly, reset the SCS SP and KASAN
 shadow of a CPU's idle task immediately before we online that CPU in
 bringup_cpu(). This ensures the idle task always has a consistent state
 when it is running, and removes the need to so so when exiting an idle
 task.

 Whenever any thread is created, dup_task_struct() will give the task a
 stack which is free of KASAN shadow, and initialize the task's SCS SP,
 so there's no need to specially initialize either for idle thread within
 init_idle(), as this was only necessary to handle hotplug cycles.

 I've tested this on arm64 with:

 * gcc 11.1.0, defconfig +KASAN_INLINE, KASAN_STACK
 * clang 12.0.0, defconfig +KASAN_INLINE, KASAN_STACK, SHADOW_CALL_STACK

 ... offlining and onlining CPUS with:

 | while true; do
 |   for C in /sys/devices/system/cpu/cpu*/online; do
 |     echo 0 > $C;
 |     echo 1 > $C;
 |   done
 | done

 The Linux kernel CVE team has assigned CVE-2021-47553 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.50 with commit 3c51d82d0b7862d7d246016c74b4390fb1fa1f11 and fixed in 5.10.83 with commit e6ee7abd6bfe559ad9989004b34c320fd638c526
 	Issue introduced in 5.14 with commit f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674 and fixed in 5.15.6 with commit 229c555260cb9c1ccdab861e16f0410f1718f302
 	Issue introduced in 5.14 with commit f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674 and fixed in 5.16 with commit dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3
 	Issue introduced in 5.12.17 with commit 1cb358b3ac1bb43aa8c4283830a84216dda65d39
 	Issue introduced in 5.13.2 with commit 24c79a7e54ccfa29fb8cbf7ed8d1e48ff1ec6e3d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47553
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	kernel/cpu.c
 	kernel/sched/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e6ee7abd6bfe559ad9989004b34c320fd638c526
 	https://git.kernel.org/stable/c/229c555260cb9c1ccdab861e16f0410f1718f302
 	https://git.kernel.org/stable/c/dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47553: sched/scs: Reset task stack state in bringup_cpu()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	sched/scs: Reset task stack state in bringup_cpu()

	To hot unplug a CPU, the idle task on that CPU calls a few layers of C
	code before finally leaving the kernel. When KASAN is in use, poisoned
	shadow is left around for each of the active stack frames, and when
	shadow call stacks are in use. When shadow call stacks (SCS) are in use
	the task's saved SCS SP is left pointing at an arbitrary point within
	the task's shadow call stack.

	When a CPU is offlined than onlined back into the kernel, this stale
	state can adversely affect execution. Stale KASAN shadow can alias new
	stackframes and result in bogus KASAN warnings. A stale SCS SP is
	effectively a memory leak, and prevents a portion of the shadow call
	stack being used. Across a number of hotplug cycles the idle task's
	entire shadow call stack can become unusable.

	We previously fixed the KASAN issue in commit:

	e1b77c92981a5222 ("sched/kasan: remove stale KASAN poison after hotplug")

	... by removing any stale KASAN stack poison immediately prior to
	onlining a CPU.

	Subsequently in commit:

	f1a0a376ca0c4ef1 ("sched/core: Initialize the idle task with preemption disabled")

	... the refactoring left the KASAN and SCS cleanup in one-time idle
	thread initialization code rather than something invoked prior to each
	CPU being onlined, breaking both as above.

	We fixed SCS (but not KASAN) in commit:

	63acd42c0d4942f7 ("sched/scs: Reset the shadow stack when idle_task_exit")

	... but as this runs in the context of the idle task being offlined it's
	potentially fragile.

	To fix these consistently and more robustly, reset the SCS SP and KASAN
	shadow of a CPU's idle task immediately before we online that CPU in
	bringup_cpu(). This ensures the idle task always has a consistent state
	when it is running, and removes the need to so so when exiting an idle
	task.

	Whenever any thread is created, dup_task_struct() will give the task a
	stack which is free of KASAN shadow, and initialize the task's SCS SP,
	so there's no need to specially initialize either for idle thread within
	init_idle(), as this was only necessary to handle hotplug cycles.

	I've tested this on arm64 with:

	* gcc 11.1.0, defconfig +KASAN_INLINE, KASAN_STACK
	* clang 12.0.0, defconfig +KASAN_INLINE, KASAN_STACK, SHADOW_CALL_STACK

	... offlining and onlining CPUS with:

	\| while true; do
	\| for C in /sys/devices/system/cpu/cpu*/online; do
	\| echo 0 > $C;
	\| echo 1 > $C;
	\| done
	\| done

	The Linux kernel CVE team has assigned CVE-2021-47553 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.50 with commit 3c51d82d0b7862d7d246016c74b4390fb1fa1f11 and fixed in 5.10.83 with commit e6ee7abd6bfe559ad9989004b34c320fd638c526
	Issue introduced in 5.14 with commit f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674 and fixed in 5.15.6 with commit 229c555260cb9c1ccdab861e16f0410f1718f302
	Issue introduced in 5.14 with commit f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674 and fixed in 5.16 with commit dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3
	Issue introduced in 5.12.17 with commit 1cb358b3ac1bb43aa8c4283830a84216dda65d39
	Issue introduced in 5.13.2 with commit 24c79a7e54ccfa29fb8cbf7ed8d1e48ff1ec6e3d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47553
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	kernel/cpu.c
	kernel/sched/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e6ee7abd6bfe559ad9989004b34c320fd638c526
	https://git.kernel.org/stable/c/229c555260cb9c1ccdab861e16f0410f1718f302
	https://git.kernel.org/stable/c/dce1ca0525bfdc8a69a9343bc714fbc19a2f04b3