cve/published/2022/CVE-2022-49440.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49440: powerpc/rtas: Keep MSR[RI] set when calling RTAS

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/rtas: Keep MSR[RI] set when calling RTAS

 RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big
 endian mode (MSR[SF,LE] unset).

 The change in MSR is done in enter_rtas() in a relatively complex way,
 since the MSR value could be hardcoded.

 Furthermore, a panic has been reported when hitting the watchdog interrupt
 while running in RTAS, this leads to the following stack trace:

   watchdog: CPU 24 Hard LOCKUP
   watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
   ...
   Supported: No, Unreleased kernel
   CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G            E  X    5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
   NIP:  000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
   REGS: c00000000fc33d60 TRAP: 0100   Tainted: G            E  X     (5.14.21-150400.71.1.bz196362_2-default)
   MSR:  8000000002981000 <SF,VEC,VSX,ME>  CR: 48800002  XER: 20040020
   CFAR: 000000000000011c IRQMASK: 1
   GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
   GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
   GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
   GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
   GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
   GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
   GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
   GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
   NIP [000000001fb41050] 0x1fb41050
   LR [000000001fb4104c] 0x1fb4104c
   Call Trace:
   Instruction dump:
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   Oops: Unrecoverable System Reset, sig: 6 [#1]
   LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
   ...
   Supported: No, Unreleased kernel
   CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G            E  X    5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
   NIP:  000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
   REGS: c00000000fc33d60 TRAP: 0100   Tainted: G            E  X     (5.14.21-150400.71.1.bz196362_2-default)
   MSR:  8000000002981000 <SF,VEC,VSX,ME>  CR: 48800002  XER: 20040020
   CFAR: 000000000000011c IRQMASK: 1
   GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
   GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
   GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
   GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
   GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
   GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
   GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
   GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
   NIP [000000001fb41050] 0x1fb41050
   LR [000000001fb4104c] 0x1fb4104c
   Call Trace:
   Instruction dump:
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   ---[ end trace 3ddec07f638c34a2 ]---

 This happens because MSR[RI] is unset when entering RTAS but there is no
 valid reason to not set it here.

 RTAS is expected to be called with MSR[RI] as specified in PAPR+ section
 "7.2.1 Machine State":

   R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect
   its own critical regions from recursion by setting the MSR[RI] bit to
   0 when in the critical regions.

 Fixing this by reviewing the way MSR is compute before calling RTAS. Now a
 hardcoded value meaning real mode, 32 bits big endian mode and Recoverable
 Interrupt is loaded. In the case MSR[S] is set, it will remain set while
 entering RTAS as only urfid can unset it (thanks Fabiano).

 In addition a check is added in do_enter_rtas() to detect calls made with
 MSR[RI] unset, as we are forcing it on later.

 This patch has been tested on the following machines:
 Power KVM Guest
   P8 S822L (host Ubuntu kernel 5.11.0-49-generic)
 PowerVM LPAR
   P8 9119-MME (FW860.A1)
   p9 9008-22L (FW950.00)
   P10 9080-HEX (FW1010.00)

 The Linux kernel CVE team has assigned CVE-2022-49440 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.15.46 with commit 5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d
 	Fixed in 5.17.14 with commit 5f4367448f6817c8a0e94dc9736ed84fa8eee4a3
 	Fixed in 5.18.3 with commit c9c41f0273826a13ac93124e66a4ff45df281ba0
 	Fixed in 5.19 with commit b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49440
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/kernel/entry_64.S
 	arch/powerpc/kernel/rtas.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d
 	https://git.kernel.org/stable/c/5f4367448f6817c8a0e94dc9736ed84fa8eee4a3
 	https://git.kernel.org/stable/c/c9c41f0273826a13ac93124e66a4ff45df281ba0
 	https://git.kernel.org/stable/c/b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49440: powerpc/rtas: Keep MSR[RI] set when calling RTAS

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/rtas: Keep MSR[RI] set when calling RTAS

	RTAS runs in real mode (MSR[DR] and MSR[IR] unset) and in 32-bit big
	endian mode (MSR[SF,LE] unset).

	The change in MSR is done in enter_rtas() in a relatively complex way,
	since the MSR value could be hardcoded.

	Furthermore, a panic has been reported when hitting the watchdog interrupt
	while running in RTAS, this leads to the following stack trace:

	watchdog: CPU 24 Hard LOCKUP
	watchdog: CPU 24 TB:997512652051031, last heartbeat TB:997504470175378 (15980ms ago)
	...
	Supported: No, Unreleased kernel
	CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
	NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
	REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
	MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
	CFAR: 000000000000011c IRQMASK: 1
	GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
	GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
	GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
	GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
	GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
	GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
	GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
	GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
	NIP [000000001fb41050] 0x1fb41050
	LR [000000001fb4104c] 0x1fb4104c
	Call Trace:
	Instruction dump:
	XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	Oops: Unrecoverable System Reset, sig: 6 [#1]
	LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
	...
	Supported: No, Unreleased kernel
	CPU: 24 PID: 87504 Comm: drmgr Kdump: loaded Tainted: G E X 5.14.21-150400.71.1.bz196362_2-default #1 SLE15-SP4 (unreleased) 0d821077ef4faa8dfaf370efb5fdca1fa35f4e2c
	NIP: 000000001fb41050 LR: 000000001fb4104c CTR: 0000000000000000
	REGS: c00000000fc33d60 TRAP: 0100 Tainted: G E X (5.14.21-150400.71.1.bz196362_2-default)
	MSR: 8000000002981000 <SF,VEC,VSX,ME> CR: 48800002 XER: 20040020
	CFAR: 000000000000011c IRQMASK: 1
	GPR00: 0000000000000003 ffffffffffffffff 0000000000000001 00000000000050dc
	GPR04: 000000001ffb6100 0000000000000020 0000000000000001 000000001fb09010
	GPR08: 0000000020000000 0000000000000000 0000000000000000 0000000000000000
	GPR12: 80040000072a40a8 c00000000ff8b680 0000000000000007 0000000000000034
	GPR16: 000000001fbf6e94 000000001fbf6d84 000000001fbd1db0 000000001fb3f008
	GPR20: 000000001fb41018 ffffffffffffffff 000000000000017f fffffffffffff68f
	GPR24: 000000001fb18fe8 000000001fb3e000 000000001fb1adc0 000000001fb1cf40
	GPR28: 000000001fb26000 000000001fb460f0 000000001fb17f18 000000001fb17000
	NIP [000000001fb41050] 0x1fb41050
	LR [000000001fb4104c] 0x1fb4104c
	Call Trace:
	Instruction dump:
	XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	---[ end trace 3ddec07f638c34a2 ]---

	This happens because MSR[RI] is unset when entering RTAS but there is no
	valid reason to not set it here.

	RTAS is expected to be called with MSR[RI] as specified in PAPR+ section
	"7.2.1 Machine State":

	R1–7.2.1–9. If called with MSR[RI] equal to 1, then RTAS must protect
	its own critical regions from recursion by setting the MSR[RI] bit to
	0 when in the critical regions.

	Fixing this by reviewing the way MSR is compute before calling RTAS. Now a
	hardcoded value meaning real mode, 32 bits big endian mode and Recoverable
	Interrupt is loaded. In the case MSR[S] is set, it will remain set while
	entering RTAS as only urfid can unset it (thanks Fabiano).

	In addition a check is added in do_enter_rtas() to detect calls made with
	MSR[RI] unset, as we are forcing it on later.

	This patch has been tested on the following machines:
	Power KVM Guest
	P8 S822L (host Ubuntu kernel 5.11.0-49-generic)
	PowerVM LPAR
	P8 9119-MME (FW860.A1)
	p9 9008-22L (FW950.00)
	P10 9080-HEX (FW1010.00)

	The Linux kernel CVE team has assigned CVE-2022-49440 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.15.46 with commit 5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d
	Fixed in 5.17.14 with commit 5f4367448f6817c8a0e94dc9736ed84fa8eee4a3
	Fixed in 5.18.3 with commit c9c41f0273826a13ac93124e66a4ff45df281ba0
	Fixed in 5.19 with commit b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49440
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/kernel/entry_64.S
	arch/powerpc/kernel/rtas.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5ca40fcf0da0ce2b5bc44e7d8b036535955f2e3d
	https://git.kernel.org/stable/c/5f4367448f6817c8a0e94dc9736ed84fa8eee4a3
	https://git.kernel.org/stable/c/c9c41f0273826a13ac93124e66a4ff45df281ba0
	https://git.kernel.org/stable/c/b6b1c3ce06ca438eb24e0f45bf0e63ecad0369f5