[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2024052140-CVE-2021-47350-08a8@gregkh>
Date: Tue, 21 May 2024 16:36:24 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2021-47350: powerpc/mm: Fix lockup on kernel exec fault
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
powerpc/mm: Fix lockup on kernel exec fault
The powerpc kernel is not prepared to handle exec faults from kernel.
Especially, the function is_exec_fault() will return 'false' when an
exec fault is taken by kernel, because the check is based on reading
current->thread.regs->trap which contains the trap from user.
For instance, when provoking a LKDTM EXEC_USERSPACE test,
current->thread.regs->trap is set to SYSCALL trap (0xc00), and
the fault taken by the kernel is not seen as an exec fault by
set_access_flags_filter().
Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix
with autonuma") made it clear and handled it properly. But later on
commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute
faults") removed that handling, introducing test based on error_code.
And here is the problem, because on the 603 all upper bits of SRR1
get cleared when the TLB instruction miss handler bails out to ISI.
Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy
search_exception_tables() verification"), an exec fault from kernel
at a userspace address was indirectly caught by the lack of entry for
that address in the exception tables. But after that commit the
kernel mainly relies on KUAP or on core mm handling to catch wrong
user accesses. Here the access is not wrong, so mm handles it.
It is a minor fault because PAGE_EXEC is not set,
set_access_flags_filter() should set PAGE_EXEC and voila.
But as is_exec_fault() returns false as explained in the beginning,
set_access_flags_filter() bails out without setting PAGE_EXEC flag,
which leads to a forever minor exec fault.
As the kernel is not prepared to handle such exec faults, the thing to
do is to fire in bad_kernel_fault() for any exec fault taken by the
kernel, as it was prior to commit d3ca587404b3.
The Linux kernel CVE team has assigned CVE-2021-47350 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.14 with commit d3ca587404b3 and fixed in 5.4.133 with commit a82471a14aad
Issue introduced in 4.14 with commit d3ca587404b3 and fixed in 5.10.51 with commit d2e52d466409
Issue introduced in 4.14 with commit d3ca587404b3 and fixed in 5.12.18 with commit 500f81cec9f1
Issue introduced in 4.14 with commit d3ca587404b3 and fixed in 5.13.3 with commit 8a96ec5ebf96
Issue introduced in 4.14 with commit d3ca587404b3 and fixed in 5.14 with commit cd5d5e602f50
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47350
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
arch/powerpc/mm/fault.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a82471a14aad90f79d1608d2bcbb019f0ffb53f0
https://git.kernel.org/stable/c/d2e52d4664097a6c1f591d869ec594bd7a0d4925
https://git.kernel.org/stable/c/500f81cec9f1bfa5210aa9dd5ba9a06e22f62a35
https://git.kernel.org/stable/c/8a96ec5ebf96ad8e2ba7b1b34103a0be5140fc70
https://git.kernel.org/stable/c/cd5d5e602f502895e47e18cd46804d6d7014e65c
Powered by blists - more mailing lists