cve/published/2023/CVE-2023-52597.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52597: KVM: s390: fix setting of fpc register

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: s390: fix setting of fpc register

 kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control
 (fpc) register of a guest cpu. The new value is tested for validity by
 temporarily loading it into the fpc register.

 This may lead to corruption of the fpc register of the host process:
 if an interrupt happens while the value is temporarily loaded into the fpc
 register, and within interrupt context floating point or vector registers
 are used, the current fp/vx registers are saved with save_fpu_regs()
 assuming they belong to user space and will be loaded into fp/vx registers
 when returning to user space.

 test_fp_ctl() restores the original user space / host process fpc register
 value, however it will be discarded, when returning to user space.

 In result the host process will incorrectly continue to run with the value
 that was supposed to be used for a guest cpu.

 Fix this by simply removing the test. There is another test right before
 the SIE context is entered which will handles invalid values.

 This results in a change of behaviour: invalid values will now be accepted
 instead of that the ioctl fails with -EINVAL. This seems to be acceptable,
 given that this interface is most likely not used anymore, and this is in
 addition the same behaviour implemented with the memory mapped interface
 (replace invalid values with zero) - see sync_regs() in kvm-s390.c.

 The Linux kernel CVE team has assigned CVE-2023-52597 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 4.19.307 with commit 3a04410b0bc7e056e0843ac598825dd359246d18
 	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 5.4.269 with commit 5e63c9ae8055109d805aacdaf2a4fe2c3b371ba1
 	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 5.10.210 with commit 150a3a3871490e8c454ffbac2e60abeafcecff99
 	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 5.15.149 with commit 732a3bea7aba5b15026ea42d14953c3425cc7dc2
 	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 6.1.77 with commit 0671f42a9c1084db10d68ac347d08dbf6689ecb3
 	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 6.6.16 with commit c87d7d910775a025e230fd6359b60627e392460f
 	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 6.7.4 with commit 2823db0010c400e4b2b12d02aa5d0d3ecb15d7c7
 	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 6.8 with commit b988b1bb0053c0dcd26187d29ef07566a565cf55

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52597
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/s390/kvm/kvm-s390.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/3a04410b0bc7e056e0843ac598825dd359246d18
 	https://git.kernel.org/stable/c/5e63c9ae8055109d805aacdaf2a4fe2c3b371ba1
 	https://git.kernel.org/stable/c/150a3a3871490e8c454ffbac2e60abeafcecff99
 	https://git.kernel.org/stable/c/732a3bea7aba5b15026ea42d14953c3425cc7dc2
 	https://git.kernel.org/stable/c/0671f42a9c1084db10d68ac347d08dbf6689ecb3
 	https://git.kernel.org/stable/c/c87d7d910775a025e230fd6359b60627e392460f
 	https://git.kernel.org/stable/c/2823db0010c400e4b2b12d02aa5d0d3ecb15d7c7
 	https://git.kernel.org/stable/c/b988b1bb0053c0dcd26187d29ef07566a565cf55
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52597: KVM: s390: fix setting of fpc register

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: s390: fix setting of fpc register

	kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control
	(fpc) register of a guest cpu. The new value is tested for validity by
	temporarily loading it into the fpc register.

	This may lead to corruption of the fpc register of the host process:
	if an interrupt happens while the value is temporarily loaded into the fpc
	register, and within interrupt context floating point or vector registers
	are used, the current fp/vx registers are saved with save_fpu_regs()
	assuming they belong to user space and will be loaded into fp/vx registers
	when returning to user space.

	test_fp_ctl() restores the original user space / host process fpc register
	value, however it will be discarded, when returning to user space.

	In result the host process will incorrectly continue to run with the value
	that was supposed to be used for a guest cpu.

	Fix this by simply removing the test. There is another test right before
	the SIE context is entered which will handles invalid values.

	This results in a change of behaviour: invalid values will now be accepted
	instead of that the ioctl fails with -EINVAL. This seems to be acceptable,
	given that this interface is most likely not used anymore, and this is in
	addition the same behaviour implemented with the memory mapped interface
	(replace invalid values with zero) - see sync_regs() in kvm-s390.c.

	The Linux kernel CVE team has assigned CVE-2023-52597 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 4.19.307 with commit 3a04410b0bc7e056e0843ac598825dd359246d18
	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 5.4.269 with commit 5e63c9ae8055109d805aacdaf2a4fe2c3b371ba1
	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 5.10.210 with commit 150a3a3871490e8c454ffbac2e60abeafcecff99
	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 5.15.149 with commit 732a3bea7aba5b15026ea42d14953c3425cc7dc2
	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 6.1.77 with commit 0671f42a9c1084db10d68ac347d08dbf6689ecb3
	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 6.6.16 with commit c87d7d910775a025e230fd6359b60627e392460f
	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 6.7.4 with commit 2823db0010c400e4b2b12d02aa5d0d3ecb15d7c7
	Issue introduced in 3.13 with commit 4725c86055f5bbdcdfe47199c0715881893a2c79 and fixed in 6.8 with commit b988b1bb0053c0dcd26187d29ef07566a565cf55

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52597
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/s390/kvm/kvm-s390.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/3a04410b0bc7e056e0843ac598825dd359246d18
	https://git.kernel.org/stable/c/5e63c9ae8055109d805aacdaf2a4fe2c3b371ba1
	https://git.kernel.org/stable/c/150a3a3871490e8c454ffbac2e60abeafcecff99
	https://git.kernel.org/stable/c/732a3bea7aba5b15026ea42d14953c3425cc7dc2
	https://git.kernel.org/stable/c/0671f42a9c1084db10d68ac347d08dbf6689ecb3
	https://git.kernel.org/stable/c/c87d7d910775a025e230fd6359b60627e392460f
	https://git.kernel.org/stable/c/2823db0010c400e4b2b12d02aa5d0d3ecb15d7c7
	https://git.kernel.org/stable/c/b988b1bb0053c0dcd26187d29ef07566a565cf55