powerpc/tm: Fix oops on sigreturn on systems without TM

Message ID 20190719050502.405-1-mikey@neuling.org
State Accepted
Commit f16d80b75a096c52354c6e0a574993f3b0dfbdfe
Series
  • powerpc/tm: Fix oops on sigreturn on systems without TM

Checks

Context Check Description
snowpatch_ozlabs/checkpatch success total: 0 errors, 0 warnings, 0 checks, 20 lines checked
snowpatch_ozlabs/build-pmac32 success Build succeeded
snowpatch_ozlabs/build-ppc64e success Build succeeded
snowpatch_ozlabs/build-ppc64be success Build succeeded
snowpatch_ozlabs/build-ppc64le success Build succeeded
snowpatch_ozlabs/apply_patch success Successfully applied on branch next (f5c20693d8edcd665f1159dc941b9e7f87c17647)

Commit Message

Michael Neuling July 19, 2019, 5:05 a.m. UTC
On systems like P9 powernv where we have no TM (or P8 booted with
ppc_tm=off), userspace can construct a signal context which still has
the MSR TS bits set. The kernel tries to restore this context which
results in the following crash:

[   74.980557] Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
[   74.980741] Oops: Unrecoverable exception, sig: 6 [#1]
[   74.980820] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
[   74.980917] Modules linked in:
[   74.980980] CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
[   74.981096] NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
[   74.981212] REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
[   74.981325] MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
[   74.981463] CFAR: c0000000000022e0 IRQMASK: 0
[   74.981463] GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
[   74.981463] GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
[   74.981463] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[   74.981463] GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
[   74.981463] GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
[   74.981463] GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
[   74.981463] GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
[   74.981463] GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
[   74.982420] NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
[   74.982517] LR [00007fffb2d67e48] 0x7fffb2d67e48
[   74.982593] Call Trace:
[   74.982632] Instruction dump:
[   74.982691] e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
[   74.982809] e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18

The problem is the signal code assumes TM is enabled when
CONFIG_PPC_TRANSACTIONAL_MEM is on. This may not be the case as with
P9 powernv or if `ppc_tm=off` is used on P8.

This means any local user can crash the system.

Fix the problem by returning a bad stack frame to the user if they try
to set the MSR TS bits with sigreturn() on systems where TM is not
supported.

Found with sigfuz kernel selftest on P9.

This fixes CVE-2019-13648.

Fixes: 2b0a576d15 ("powerpc: Add new transactional memory state to the signal context")
Cc: stable@vger.kernel.org # v3.9
Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
Signed-off-by: Michael Neuling <mikey@neuling.org>
---
 arch/powerpc/kernel/signal_32.c | 3 +++
 arch/powerpc/kernel/signal_64.c | 5 +++++
 2 files changed, 8 insertions(+)
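The guard the patch adds, modelled in portable C so it can be exercised anywhere, together with a ppc64-only probe of the real sigreturn path. This is an example added to this page, not code from the kernel patch or from the sigfuz selftest. MSR bit positions follow the kernel's asm/reg.h, the frame MSR used as sample input is the tm_scratch value from the oops above, and the function names, the probe's handler and its use of gp_regs[PT_MSR] are this example's own choices; the probe has not been run here and should only be tried on a machine you can afford to oops.

```c
/*
 * Added example for this page (not part of the kernel patch): a portable
 * model of the MSR[TS] guard the patch adds to rt_sigreturn, plus a
 * ppc64-only probe that exercises the real kernel path. MSR bit positions
 * follow arch/powerpc/include/asm/reg.h; the function names are this
 * example's own, not kernel symbols.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MSR_TM_LG   32                    /* TM available/enabled, TM[E]    */
#define MSR_TS_S_LG 33                    /* transaction state: Suspended   */
#define MSR_TS_T_LG 34                    /* transaction state: Transactional */
#define MSR_TM      (1ULL << MSR_TM_LG)
#define MSR_TS_S    (1ULL << MSR_TS_S_LG)
#define MSR_TS_T    (1ULL << MSR_TS_T_LG)
#define MSR_TS_MASK (MSR_TS_S | MSR_TS_T)
/* Same predicate as the kernel's MSR_TM_ACTIVE(): either TS bit set. */
#define MSR_TM_ACTIVE(msr) (((msr) & MSR_TS_MASK) != 0)

/* Sample input: tm_scratch from the oops in the commit message, TS=Suspended. */
#define OOPS_FRAME_MSR 0x800000020280f033ULL

/* Returns 1 if sigreturn may restore the frame, 0 if it must reject it
 * (the patch's "goto bad" / "goto badframe"). */
int sigreturn_accepts_msr64(uint64_t frame_msr, bool cpu_ftr_tm)
{
	/* signal_64.c: the full 64-bit MSR is read from the user frame. */
	if (MSR_TM_ACTIVE(frame_msr) && !cpu_ftr_tm)
		return 0;
	return 1;
}

int sigreturn_accepts_msr32(uint32_t msr_hi, bool cpu_ftr_tm)
{
	/* signal_32.c: only the high word is in the frame, hence msr_hi << 32
	 * before the same predicate is applied. */
	uint64_t msr = (uint64_t)msr_hi << 32;
	if (MSR_TM_ACTIVE(msr) && !cpu_ftr_tm)
		return 0;
	return 1;
}

#ifdef __powerpc64__
#include <signal.h>
#include <string.h>
#include <ucontext.h>
#include <asm/ptrace.h>                   /* PT_MSR index into gp_regs */

/* Handler: mark the frame TM-suspended; rt_sigreturn then has to deal with it. */
static void tamper_msr(int sig, siginfo_t *si, void *ctx)
{
	ucontext_t *uc = ctx;
	(void)sig; (void)si;
	uc->uc_mcontext.gp_regs[PT_MSR] |= MSR_TS_S;   /* assumption: glibc layout */
}

int main(void)
{
	struct sigaction sa;
	memset(&sa, 0, sizeof(sa));
	sa.sa_sigaction = tamper_msr;
	sa.sa_flags = SA_SIGINFO;
	sigaction(SIGUSR1, &sa, NULL);
	/* Patched kernel without TM: the frame is refused and the process dies
	 * with SIGSEGV. Unpatched kernel without TM: this is the oops from the
	 * commit message, so only run it on a disposable machine. */
	raise(SIGUSR1);
	puts("kernel accepted a TM-active signal frame");
	return 0;
}
#else
int main(void)
{
	const bool tm[] = { true, false };
	for (int i = 0; i < 2; i++)
		printf("CPU_FTR_TM=%d: oops frame -> %s, TS clear -> %s, msr_hi -> %s\n",
		       (int)tm[i],
		       sigreturn_accepts_msr64(OOPS_FRAME_MSR, tm[i]) ? "ok" : "bad",
		       sigreturn_accepts_msr64(OOPS_FRAME_MSR & ~MSR_TS_MASK, tm[i]) ? "ok" : "bad",
		       sigreturn_accepts_msr32((uint32_t)(OOPS_FRAME_MSR >> 32), tm[i]) ? "ok" : "bad");
	return 0;
}
#endif
```

Note that a frame whose MSR has only bit 32 (MSR_TM) set is not rejected by this guard: the patch keys on the TS bits alone, because it is the TM-active state, not TM enablement, that sends rt_sigreturn down the recheckpoint path.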

Comments

Michael Ellerman July 22, 2019, 2:48 a.m. UTC | #1
On Fri, 2019-07-19 at 05:05:02 UTC, Michael Neuling wrote:
> On systems like P9 powernv where we have no TM (or P8 booted with
> ppc_tm=off), userspace can construct a signal context which still has
> the MSR TS bits set. The kernel tries to restore this context which
> results in the following crash:
> 
> [   74.980557] Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
> [   74.980741] Oops: Unrecoverable exception, sig: 6 [#1]
> [   74.980820] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
> [   74.980917] Modules linked in:
> [   74.980980] CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
> [   74.981096] NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
> [   74.981212] REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
> [   74.981325] MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
> [   74.981463] CFAR: c0000000000022e0 IRQMASK: 0
> [   74.981463] GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
> [   74.981463] GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
> [   74.981463] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [   74.981463] GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
> [   74.981463] GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
> [   74.981463] GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
> [   74.981463] GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
> [   74.981463] GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
> [   74.982420] NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
> [   74.982517] LR [00007fffb2d67e48] 0x7fffb2d67e48
> [   74.982593] Call Trace:
> [   74.982632] Instruction dump:
> [   74.982691] e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
> [   74.982809] e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
> 
> The problem is the signal code assumes TM is enabled when
> CONFIG_PPC_TRANSACTIONAL_MEM is on. This may not be the case as with
> P9 powernv or if `ppc_tm=off` is used on P8.
> 
> This means any local user can crash the system.
> 
> Fix the problem by returning a bad stack frame to the user if they try
> to set the MSR TS bits with sigreturn() on systems where TM is not
> supported.
> 
> Found with sigfuz kernel selftest on P9.
> 
> This fixes CVE-2019-13648.
> 
> Fixes: 2b0a576d15 ("powerpc: Add new transactional memory state to the signal context")
> Cc: stable@vger.kernel.org # v3.9
> Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
> Signed-off-by: Michael Neuling <mikey@neuling.org>

Applied to powerpc fixes, thanks.

https://git.kernel.org/powerpc/c/c7ce5fe9288c5692fa456a804cf5ea5976d842f1

cheers
Michael Ellerman July 22, 2019, 3:14 a.m. UTC | #2
On Fri, 2019-07-19 at 05:05:02 UTC, Michael Neuling wrote:
> On systems like P9 powernv where we have no TM (or P8 booted with
> ppc_tm=off), userspace can construct a signal context which still has
> the MSR TS bits set. The kernel tries to restore this context which
> results in the following crash:
> 
> [   74.980557] Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
> [   74.980741] Oops: Unrecoverable exception, sig: 6 [#1]
> [   74.980820] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
> [   74.980917] Modules linked in:
> [   74.980980] CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
> [   74.981096] NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
> [   74.981212] REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
> [   74.981325] MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
> [   74.981463] CFAR: c0000000000022e0 IRQMASK: 0
> [   74.981463] GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
> [   74.981463] GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
> [   74.981463] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [   74.981463] GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
> [   74.981463] GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
> [   74.981463] GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
> [   74.981463] GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
> [   74.981463] GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
> [   74.982420] NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
> [   74.982517] LR [00007fffb2d67e48] 0x7fffb2d67e48
> [   74.982593] Call Trace:
> [   74.982632] Instruction dump:
> [   74.982691] e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
> [   74.982809] e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
> 
> The problem is the signal code assumes TM is enabled when
> CONFIG_PPC_TRANSACTIONAL_MEM is on. This may not be the case as with
> P9 powernv or if `ppc_tm=off` is used on P8.
> 
> This means any local user can crash the system.
> 
> Fix the problem by returning a bad stack frame to the user if they try
> to set the MSR TS bits with sigreturn() on systems where TM is not
> supported.
> 
> Found with sigfuz kernel selftest on P9.
> 
> This fixes CVE-2019-13648.
> 
> Fixes: 2b0a576d15 ("powerpc: Add new transactional memory state to the signal context")
> Cc: stable@vger.kernel.org # v3.9
> Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
> Signed-off-by: Michael Neuling <mikey@neuling.org>

Applied to powerpc fixes, thanks.

https://git.kernel.org/powerpc/c/f16d80b75a096c52354c6e0a574993f3b0dfbdfe

cheers
Michael Ellerman July 22, 2019, 3:20 a.m. UTC | #3
Michael Ellerman <patch-notifications@ellerman.id.au> writes:
> On Fri, 2019-07-19 at 05:05:02 UTC, Michael Neuling wrote:
>> On systems like P9 powernv where we have no TM (or P8 booted with
>> ppc_tm=off), userspace can construct a signal context which still has
>> the MSR TS bits set. The kernel tries to restore this context which
>> results in the following crash:
>> 
>> [   74.980557] Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
>> [   74.980741] Oops: Unrecoverable exception, sig: 6 [#1]
>> [   74.980820] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
>> [   74.980917] Modules linked in:
>> [   74.980980] CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
>> [   74.981096] NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
>> [   74.981212] REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
>> [   74.981325] MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
>> [   74.981463] CFAR: c0000000000022e0 IRQMASK: 0
>> [   74.981463] GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
>> [   74.981463] GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
>> [   74.981463] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [   74.981463] GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
>> [   74.981463] GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
>> [   74.981463] GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
>> [   74.981463] GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
>> [   74.981463] GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
>> [   74.982420] NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
>> [   74.982517] LR [00007fffb2d67e48] 0x7fffb2d67e48
>> [   74.982593] Call Trace:
>> [   74.982632] Instruction dump:
>> [   74.982691] e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
>> [   74.982809] e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
>> 
>> The problem is the signal code assumes TM is enabled when
>> CONFIG_PPC_TRANSACTIONAL_MEM is on. This may not be the case as with
>> P9 powernv or if `ppc_tm=off` is used on P8.
>> 
>> This means any local user can crash the system.
>> 
>> Fix the problem by returning a bad stack frame to the user if they try
>> to set the MSR TS bits with sigreturn() on systems where TM is not
>> supported.
>> 
>> Found with sigfuz kernel selftest on P9.
>> 
>> This fixes CVE-2019-13648.
>> 
>> Fixes: 2b0a576d15 ("powerpc: Add new transactional memory state to the signal context")
>> Cc: stable@vger.kernel.org # v3.9
>> Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
>> Signed-off-by: Michael Neuling <mikey@neuling.org>
>
> Applied to powerpc fixes, thanks.
>
> https://git.kernel.org/powerpc/c/c7ce5fe9288c5692fa456a804cf5ea5976d842f1

Ignore this one.

cheers

Patch

diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
index f50b708d6d..98600b276f 100644
--- a/arch/powerpc/kernel/signal_32.c
+++ b/arch/powerpc/kernel/signal_32.c
@@ -1198,6 +1198,9 @@  SYSCALL_DEFINE0(rt_sigreturn)
 			goto bad;
 
 		if (MSR_TM_ACTIVE(msr_hi<<32)) {
+			/* Trying to start TM on non TM system */
+			if (!cpu_has_feature(CPU_FTR_TM))
+				goto bad;
 			/* We only recheckpoint on return if we're
 			 * transaction.
 			 */
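Review bot: the guard lands only in rt_sigreturn here, but the same `MSR_TM_ACTIVE(msr_hi<<32)` test is what selects the TM restore; if any other 32-bit entry that restores a user-supplied MSR (the non-rt sigreturn syscall, swapcontext) can take that branch, it needs the identical `if (!cpu_has_feature(CPU_FTR_TM)) goto bad;`, otherwise the commit message should say why rt_sigreturn is the only reachable path. Minor: a blank line after `goto bad;` would match the signal_64.c hunk, and the pre-existing comment directly below ("if we're transaction.") could be fixed to "if we're in a transaction." while this block is being touched.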
diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index 2f80e270c7..117515564e 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -771,6 +771,11 @@  SYSCALL_DEFINE0(rt_sigreturn)
 	if (MSR_TM_ACTIVE(msr)) {
 		/* We recheckpoint on return. */
 		struct ucontext __user *uc_transact;
+
+		/* Trying to start TM on non TM system */
+		if (!cpu_has_feature(CPU_FTR_TM))
+			goto badframe;
+
 		if (__get_user(uc_transact, &uc->uc_link))
 			goto badframe;
 		if (restore_tm_sigcontexts(current, &uc->uc_mcontext,
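Review bot: placing the feature check before `__get_user(uc_transact, &uc->uc_link)` is the right order, since no further user memory is touched once the frame is known to be unrestorable; the comment, though, should say that `msr` comes from the user frame and that this is the trust boundary, and that `CPU_FTR_TM` is clear both on P9 powernv and with `ppc_tm=off` (the two cases the commit message names), so the next reader does not fold the check back into the TM branch. Since the bug was found by sigfuz and the patch is tagged for stable back to v3.9, a small selftest under the powerpc TM selftests that sets MSR[TS] in a frame and expects the badframe SIGSEGV would let each backport be verified rather than relying on fuzzing.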