cve/published/2023/CVE-2023-52499.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52499: powerpc/47x: Fix 47x syscall return crash

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/47x: Fix 47x syscall return crash

 Eddie reported that newer kernels were crashing during boot on his 476
 FSP2 system:

   kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
   BUG: Unable to handle kernel instruction fetch
   Faulting instruction address: 0xb7ee2000
   Oops: Kernel access of bad area, sig: 11 [#1]
   BE PAGE_SIZE=4K FSP-2
   Modules linked in:
   CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
   Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2
   NIP:  b7ee2000 LR: 8c008000 CTR: 00000000
   REGS: bffebd83 TRAP: 0400   Not tainted (6.1.55-d23900f.ppcnf-fs p2)
   MSR:  00000030 <IR,DR>  CR: 00001000  XER: 20000000
   GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
   GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
   GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0
   GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0
   NIP [b7ee2000] 0xb7ee2000
   LR [8c008000] 0x8c008000
   Call Trace:
   Instruction dump:
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   ---[ end trace 0000000000000000 ]---

 The problem is in ret_from_syscall where the check for
 icache_44x_need_flush is done. When the flush is needed the code jumps
 out-of-line to do the flush, and then intends to jump back to continue
 the syscall return.

 However the branch back to label 1b doesn't return to the correct
 location, instead branching back just prior to the return to userspace,
 causing bogus register values to be used by the rfi.

 The breakage was introduced by commit 6f76a01173cc
 ("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which
 inadvertently removed the "1" label and reused it elsewhere.

 Fix it by adding named local labels in the correct locations. Note that
 the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n
 compiles.

 The Linux kernel CVE team has assigned CVE-2023-52499 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit 6f76a01173ccaa363739f913394d4e138d92d718 and fixed in 5.15.137 with commit 29017ab1a539101d9c7bec63cc13a019f97b2820
 	Issue introduced in 5.12 with commit 6f76a01173ccaa363739f913394d4e138d92d718 and fixed in 6.1.59 with commit 8ac2689502f986a46f4221e239d4ff2897f1ccb3
 	Issue introduced in 5.12 with commit 6f76a01173ccaa363739f913394d4e138d92d718 and fixed in 6.5.8 with commit 70f6756ad96dd70177dddcfac2fe4bd4bb320746
 	Issue introduced in 5.12 with commit 6f76a01173ccaa363739f913394d4e138d92d718 and fixed in 6.6 with commit f0eee815babed70a749d2496a7678be5b45b4c14

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52499
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/kernel/entry_32.S


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820
 	https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3
 	https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746
 	https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52499: powerpc/47x: Fix 47x syscall return crash

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/47x: Fix 47x syscall return crash

	Eddie reported that newer kernels were crashing during boot on his 476
	FSP2 system:

	kernel tried to execute user page (b7ee2000) - exploit attempt? (uid: 0)
	BUG: Unable to handle kernel instruction fetch
	Faulting instruction address: 0xb7ee2000
	Oops: Kernel access of bad area, sig: 11 [#1]
	BE PAGE_SIZE=4K FSP-2
	Modules linked in:
	CPU: 0 PID: 61 Comm: mount Not tainted 6.1.55-d23900f.ppcnf-fsp2 #1
	Hardware name: ibm,fsp2 476fpe 0x7ff520c0 FSP-2
	NIP: b7ee2000 LR: 8c008000 CTR: 00000000
	REGS: bffebd83 TRAP: 0400 Not tainted (6.1.55-d23900f.ppcnf-fs p2)
	MSR: 00000030 <IR,DR> CR: 00001000 XER: 20000000
	GPR00: c00110ac bffebe63 bffebe7e bffebe88 8c008000 00001000 00000d12 b7ee2000
	GPR08: 00000033 00000000 00000000 c139df10 48224824 1016c314 10160000 00000000
	GPR16: 10160000 10160000 00000008 00000000 10160000 00000000 10160000 1017f5b0
	GPR24: 1017fa50 1017f4f0 1017fa50 1017f740 1017f630 00000000 00000000 1017f4f0
	NIP [b7ee2000] 0xb7ee2000
	LR [8c008000] 0x8c008000
	Call Trace:
	Instruction dump:
	XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
	---[ end trace 0000000000000000 ]---

	The problem is in ret_from_syscall where the check for
	icache_44x_need_flush is done. When the flush is needed the code jumps
	out-of-line to do the flush, and then intends to jump back to continue
	the syscall return.

	However the branch back to label 1b doesn't return to the correct
	location, instead branching back just prior to the return to userspace,
	causing bogus register values to be used by the rfi.

	The breakage was introduced by commit 6f76a01173cc
	("powerpc/syscall: implement system call entry/exit logic in C for PPC32") which
	inadvertently removed the "1" label and reused it elsewhere.

	Fix it by adding named local labels in the correct locations. Note that
	the return label needs to be outside the ifdef so that CONFIG_PPC_47x=n
	compiles.

	The Linux kernel CVE team has assigned CVE-2023-52499 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit 6f76a01173ccaa363739f913394d4e138d92d718 and fixed in 5.15.137 with commit 29017ab1a539101d9c7bec63cc13a019f97b2820
	Issue introduced in 5.12 with commit 6f76a01173ccaa363739f913394d4e138d92d718 and fixed in 6.1.59 with commit 8ac2689502f986a46f4221e239d4ff2897f1ccb3
	Issue introduced in 5.12 with commit 6f76a01173ccaa363739f913394d4e138d92d718 and fixed in 6.5.8 with commit 70f6756ad96dd70177dddcfac2fe4bd4bb320746
	Issue introduced in 5.12 with commit 6f76a01173ccaa363739f913394d4e138d92d718 and fixed in 6.6 with commit f0eee815babed70a749d2496a7678be5b45b4c14

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52499
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/kernel/entry_32.S


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/29017ab1a539101d9c7bec63cc13a019f97b2820
	https://git.kernel.org/stable/c/8ac2689502f986a46f4221e239d4ff2897f1ccb3
	https://git.kernel.org/stable/c/70f6756ad96dd70177dddcfac2fe4bd4bb320746
	https://git.kernel.org/stable/c/f0eee815babed70a749d2496a7678be5b45b4c14