cve/published/2022/CVE-2022-49124.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49124: x86/mce: Work around an erratum on fast string copy instructions

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/mce: Work around an erratum on fast string copy instructions

 A rare kernel panic scenario can happen when the following conditions
 are met due to an erratum on fast string copy instructions:

 1) An uncorrected error.
 2) That error must be in first cache line of a page.
 3) Kernel must execute page_copy from the page immediately before that
 page.

 The fast string copy instructions ("REP; MOVS*") could consume an
 uncorrectable memory error in the cache line _right after_ the desired
 region to copy and raise an MCE.

 Bit 0 of MSR_IA32_MISC_ENABLE can be cleared to disable fast string
 copy and will avoid such spurious machine checks. However, that is less
 preferable due to the permanent performance impact. Considering memory
 poison is rare, it's desirable to keep fast string copy enabled until an
 MCE is seen.

 Intel has confirmed the following:
 1. The CPU erratum of fast string copy only applies to Skylake,
 Cascade Lake and Cooper Lake generations.

 Directly return from the MCE handler:
 2. Will result in complete execution of the "REP; MOVS*" with no data
 loss or corruption.
 3. Will not result in another MCE firing on the next poisoned cache line
 due to "REP; MOVS*".
 4. Will resume execution from a correct point in code.
 5. Will result in the same instruction that triggered the MCE firing a
 second MCE immediately for any other software recoverable data fetch
 errors.
 6. Is not safe without disabling the fast string copy, as the next fast
 string copy of the same buffer on the same CPU would result in a PANIC
 MCE.

 This should mitigate the erratum completely with the only caveat that
 the fast string copy is disabled on the affected hyper thread thus
 performance degradation.

 This is still better than the OS crashing on MCEs raised on an
 irrelevant process due to "REP; MOVS*' accesses in a kernel context,
 e.g., copy_page.


 Injected errors on 1st cache line of 8 anonymous pages of process
 'proc1' and observed MCE consumption from 'proc2' with no panic
 (directly returned).

 Without the fix, the host panicked within a few minutes on a
 random 'proc2' process due to kernel access from copy_page.

   [ bp: Fix comment style + touch ups, zap an unlikely(), improve the
     quirk function's readability. ]

 The Linux kernel CVE team has assigned CVE-2022-49124 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.17.3 with commit ba37c73be3d5632f6fb9fa20b250ce45560ca85d
 	Fixed in 5.18 with commit 8ca97812c3c830573f965a07bbd84223e8c5f5bd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49124
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kernel/cpu/mce/core.c
 	arch/x86/kernel/cpu/mce/internal.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ba37c73be3d5632f6fb9fa20b250ce45560ca85d
 	https://git.kernel.org/stable/c/8ca97812c3c830573f965a07bbd84223e8c5f5bd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49124: x86/mce: Work around an erratum on fast string copy instructions

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/mce: Work around an erratum on fast string copy instructions

	A rare kernel panic scenario can happen when the following conditions
	are met due to an erratum on fast string copy instructions:

	1) An uncorrected error.
	2) That error must be in first cache line of a page.
	3) Kernel must execute page_copy from the page immediately before that
	page.

	The fast string copy instructions ("REP; MOVS*") could consume an
	uncorrectable memory error in the cache line _right after_ the desired
	region to copy and raise an MCE.

	Bit 0 of MSR_IA32_MISC_ENABLE can be cleared to disable fast string
	copy and will avoid such spurious machine checks. However, that is less
	preferable due to the permanent performance impact. Considering memory
	poison is rare, it's desirable to keep fast string copy enabled until an
	MCE is seen.

	Intel has confirmed the following:
	1. The CPU erratum of fast string copy only applies to Skylake,
	Cascade Lake and Cooper Lake generations.

	Directly return from the MCE handler:
	2. Will result in complete execution of the "REP; MOVS*" with no data
	loss or corruption.
	3. Will not result in another MCE firing on the next poisoned cache line
	due to "REP; MOVS*".
	4. Will resume execution from a correct point in code.
	5. Will result in the same instruction that triggered the MCE firing a
	second MCE immediately for any other software recoverable data fetch
	errors.
	6. Is not safe without disabling the fast string copy, as the next fast
	string copy of the same buffer on the same CPU would result in a PANIC
	MCE.

	This should mitigate the erratum completely with the only caveat that
	the fast string copy is disabled on the affected hyper thread thus
	performance degradation.

	This is still better than the OS crashing on MCEs raised on an
	irrelevant process due to "REP; MOVS*' accesses in a kernel context,
	e.g., copy_page.


	Injected errors on 1st cache line of 8 anonymous pages of process
	'proc1' and observed MCE consumption from 'proc2' with no panic
	(directly returned).

	Without the fix, the host panicked within a few minutes on a
	random 'proc2' process due to kernel access from copy_page.

	[ bp: Fix comment style + touch ups, zap an unlikely(), improve the
	quirk function's readability. ]

	The Linux kernel CVE team has assigned CVE-2022-49124 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.17.3 with commit ba37c73be3d5632f6fb9fa20b250ce45560ca85d
	Fixed in 5.18 with commit 8ca97812c3c830573f965a07bbd84223e8c5f5bd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49124
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kernel/cpu/mce/core.c
	arch/x86/kernel/cpu/mce/internal.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ba37c73be3d5632f6fb9fa20b250ce45560ca85d
	https://git.kernel.org/stable/c/8ca97812c3c830573f965a07bbd84223e8c5f5bd