[powerpc*] Fix illegal TM state in signal handler
parent 6c3a386d04
commit fba37066c7
@ -8,6 +8,7 @@ linux (4.13.4-2) UNRELEASED; urgency=medium
(CVE-2017-0786)
* [powerpc*] Use emergency stack for kernel TM Bad Thing program
(CVE-2017-1000255)
* [powerpc*] Fix illegal TM state in signal handler

-- Ben Hutchings <ben@decadent.org.uk> Wed, 04 Oct 2017 23:14:54 +0100

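Review bot: the new changelog entry carries no CVE or bug reference, while the two entries above it in this hunk each close with one ("(CVE-2017-0786)", "(CVE-2017-1000255)"); if an identifier has been assigned for this fix, add it on a following line in the same "(CVE-...)" format, and if none exists, the upstream commit id from the patch's Origin header would be the next best pointer for anyone tracing this entry later.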
debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch (new file, 62 lines, vendored)
@ -0,0 +1,62 @@
From: Gustavo Romero <gromero@linux.vnet.ibm.com>
Date: Tue, 22 Aug 2017 17:20:09 -0400
Subject: powerpc/tm: Fix illegal TM state in signal handler
Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea

Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.

That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.

This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.

Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
index c83c115858c1..b2c002993d78 100644
--- a/arch/powerpc/kernel/signal_64.c
+++ b/arch/powerpc/kernel/signal_64.c
@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
if (MSR_TM_RESV(msr))
return -EINVAL;

- /* pull in MSR TM from user context */
+ /* pull in MSR TS bits from user context */
regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);

+ /*
+ * Ensure that TM is enabled in regs->msr before we leave the signal
+ * handler. It could be the case that (a) user disabled the TM bit
+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
+ * TM bit was disabled because a sufficient number of context switches
+ * happened whilst in the signal handler and load_tm overflowed,
+ * disabling the TM bit. In either case we can end up with an illegal
+ * TM state leading to a TM Bad Thing when we return to userspace.
+ */
+ regs->msr |= MSR_TM;
+
/* pull in MSR LE from user context */
regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);

--
2.11.0

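Review bot: `regs->msr |= MSR_TM;` is applied unconditionally after the TS bits are merged, so MSR_TM is forced on even when the restored TS bits are 00 and no transaction is live; that matches the stated intent ("TM bit is always enabled before we return from restore_tm_sigcontexts()"), and because the `MSR_TM_RESV(msr)` check above it still runs on the user-supplied msr before the merge, a uc_mcontext with the TM bit cleared can no longer yield the "T0" state the message says triggers a TM Bad Thing at `rfid`. On documentation, the patch header carries `Origin:` but no `Bug-Debian:` or CVE line; if one applies, add it so this file lines up with the CVE-tagged entries elsewhere in this upload. Case (b) in the new comment (load_tm overflowing during the handler) lives outside this hunk and cannot be confirmed from the diff alone.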
@ -121,6 +121,7 @@ bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
bugfix/all/fix-infoleak-in-waitid-2.patch
bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch
bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch

# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
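Review bot: ordering only: the new series entry sits directly after the related powerpc-64s TM Bad Thing patch inside the bugfix/all block and before the `# Fix exported symbol versions` group, and its path matches the file added in this commit exactly (`bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch`), so nothing further is needed for this hunk.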