cve/published/2022/CVE-2022-49783.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49783: x86/fpu: Drop fpregs lock before inheriting FPU permissions

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/fpu: Drop fpregs lock before inheriting FPU permissions

 Mike Galbraith reported the following against an old fork of preempt-rt
 but the same issue also applies to the current preempt-rt tree.

    BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
    in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: systemd
    preempt_count: 1, expected: 0
    RCU nest depth: 0, expected: 0
    Preemption disabled at:
    fpu_clone
    CPU: 6 PID: 1 Comm: systemd Tainted: G            E       (unreleased)
    Call Trace:
     <TASK>
     dump_stack_lvl
     ? fpu_clone
     __might_resched
     rt_spin_lock
     fpu_clone
     ? copy_thread
     ? copy_process
     ? shmem_alloc_inode
     ? kmem_cache_alloc
     ? kernel_clone
     ? __do_sys_clone
     ? do_syscall_64
     ? __x64_sys_rt_sigprocmask
     ? syscall_exit_to_user_mode
     ? do_syscall_64
     ? syscall_exit_to_user_mode
     ? do_syscall_64
     ? syscall_exit_to_user_mode
     ? do_syscall_64
     ? exc_page_fault
     ? entry_SYSCALL_64_after_hwframe
     </TASK>

 Mike says:

   The splat comes from fpu_inherit_perms() being called under fpregs_lock(),
   and us reaching the spin_lock_irq() therein due to fpu_state_size_dynamic()
   returning true despite static key __fpu_state_size_dynamic having never
   been enabled.

 Mike's assessment looks correct. fpregs_lock on a PREEMPT_RT kernel disables
 preemption so calling spin_lock_irq() in fpu_inherit_perms() is unsafe. This
 problem exists since commit

   9e798e9aa14c ("x86/fpu: Prepare fpu_clone() for dynamically enabled features").

 Even though the original bug report should not have enabled the paths at
 all, the bug still exists.

 fpregs_lock is necessary when editing the FPU registers or a task's FP
 state but it is not necessary for fpu_inherit_perms(). The only write
 of any FP state in fpu_inherit_perms() is for the new child which is
 not running yet and cannot context switch or be borrowed by a kernel
 thread yet. Hence, fpregs_lock is not protecting anything in the new
 child until clone() completes and can be dropped earlier. The siglock
 still needs to be acquired by fpu_inherit_perms() as the read of the
 parent's permissions has to be serialised.

   [ bp: Cleanup splat. ]

 The Linux kernel CVE team has assigned CVE-2022-49783 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.16 with commit 9e798e9aa14c45fb94e47b30bf6347b369ce9df7 and fixed in 6.0.10 with commit c6e8a7a1780af3da65e78a615f7d0874da6aabb0
 	Issue introduced in 5.16 with commit 9e798e9aa14c45fb94e47b30bf6347b369ce9df7 and fixed in 6.1 with commit 36b038791e1e2baea892e9276588815fd14894b4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49783
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kernel/fpu/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c6e8a7a1780af3da65e78a615f7d0874da6aabb0
 	https://git.kernel.org/stable/c/36b038791e1e2baea892e9276588815fd14894b4
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49783: x86/fpu: Drop fpregs lock before inheriting FPU permissions

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/fpu: Drop fpregs lock before inheriting FPU permissions

	Mike Galbraith reported the following against an old fork of preempt-rt
	but the same issue also applies to the current preempt-rt tree.

	BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
	in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1, name: systemd
	preempt_count: 1, expected: 0
	RCU nest depth: 0, expected: 0
	Preemption disabled at:
	fpu_clone
	CPU: 6 PID: 1 Comm: systemd Tainted: G E (unreleased)
	Call Trace:
	<TASK>
	dump_stack_lvl
	? fpu_clone
	__might_resched
	rt_spin_lock
	fpu_clone
	? copy_thread
	? copy_process
	? shmem_alloc_inode
	? kmem_cache_alloc
	? kernel_clone
	? __do_sys_clone
	? do_syscall_64
	? __x64_sys_rt_sigprocmask
	? syscall_exit_to_user_mode
	? do_syscall_64
	? syscall_exit_to_user_mode
	? do_syscall_64
	? syscall_exit_to_user_mode
	? do_syscall_64
	? exc_page_fault
	? entry_SYSCALL_64_after_hwframe
	</TASK>

	Mike says:

	The splat comes from fpu_inherit_perms() being called under fpregs_lock(),
	and us reaching the spin_lock_irq() therein due to fpu_state_size_dynamic()
	returning true despite static key __fpu_state_size_dynamic having never
	been enabled.

	Mike's assessment looks correct. fpregs_lock on a PREEMPT_RT kernel disables
	preemption so calling spin_lock_irq() in fpu_inherit_perms() is unsafe. This
	problem exists since commit

	9e798e9aa14c ("x86/fpu: Prepare fpu_clone() for dynamically enabled features").

	Even though the original bug report should not have enabled the paths at
	all, the bug still exists.

	fpregs_lock is necessary when editing the FPU registers or a task's FP
	state but it is not necessary for fpu_inherit_perms(). The only write
	of any FP state in fpu_inherit_perms() is for the new child which is
	not running yet and cannot context switch or be borrowed by a kernel
	thread yet. Hence, fpregs_lock is not protecting anything in the new
	child until clone() completes and can be dropped earlier. The siglock
	still needs to be acquired by fpu_inherit_perms() as the read of the
	parent's permissions has to be serialised.

	[ bp: Cleanup splat. ]

	The Linux kernel CVE team has assigned CVE-2022-49783 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.16 with commit 9e798e9aa14c45fb94e47b30bf6347b369ce9df7 and fixed in 6.0.10 with commit c6e8a7a1780af3da65e78a615f7d0874da6aabb0
	Issue introduced in 5.16 with commit 9e798e9aa14c45fb94e47b30bf6347b369ce9df7 and fixed in 6.1 with commit 36b038791e1e2baea892e9276588815fd14894b4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49783
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kernel/fpu/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c6e8a7a1780af3da65e78a615f7d0874da6aabb0
	https://git.kernel.org/stable/c/36b038791e1e2baea892e9276588815fd14894b4