[PATCH] powerpc/tm: Fix oops on sigreturn on systems without TM

Michael Ellerman mpe at ellerman.id.au
Mon Jul 22 13:20:25 AEST 2019


Michael Ellerman <patch-notifications at ellerman.id.au> writes:
> On Fri, 2019-07-19 at 05:05:02 UTC, Michael Neuling wrote:
>> On systems like P9 powernv where we have no TM (or P8 booted with
>> ppc_tm=off), userspace can construct a signal context which still has
>> the MSR TS bits set. The kernel tries to restore this context which
>> results in the following crash:
>> 
>> [   74.980557] Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
>> [   74.980741] Oops: Unrecoverable exception, sig: 6 [#1]
>> [   74.980820] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
>> [   74.980917] Modules linked in:
>> [   74.980980] CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
>> [   74.981096] NIP:  c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
>> [   74.981212] REGS: c00000003fffbd70 TRAP: 0700   Not tainted  (5.2.0-11045-g7142b497d8)
>> [   74.981325] MSR:  8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]>  CR: 42004242  XER: 00000000
>> [   74.981463] CFAR: c0000000000022e0 IRQMASK: 0
>> [   74.981463] GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
>> [   74.981463] GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
>> [   74.981463] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>> [   74.981463] GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
>> [   74.981463] GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
>> [   74.981463] GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
>> [   74.981463] GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
>> [   74.981463] GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
>> [   74.982420] NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
>> [   74.982517] LR [00007fffb2d67e48] 0x7fffb2d67e48
>> [   74.982593] Call Trace:
>> [   74.982632] Instruction dump:
>> [   74.982691] e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
>> [   74.982809] e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
>> 
>> The problem is the signal code assumes TM is enabled when
>> CONFIG_PPC_TRANSACTIONAL_MEM is on. This may not be the case as with
>> P9 powernv or if `ppc_tm=off` is used on P8.
>> 
>> This means any local user can crash the system.
>> 
>> Fix the problem by returning a bad stack frame to the user if they try
>> to set the MSR TS bits with sigreturn() on systems where TM is not
>> supported.
>> 
>> Found with sigfuz kernel selftest on P9.
>> 
>> This fixes CVE-2019-13648.
>> 
>> Fixes: 2b0a576d15 ("powerpc: Add new transactional memory state to the signal context")
>> Cc: stable at vger.kernel.org # v3.9
>> Reported-by: Praveen Pandey <Praveen.Pandey at in.ibm.com>
>> Signed-off-by: Michael Neuling <mikey at neuling.org>
>
> Applied to powerpc fixes, thanks.
>
> https://git.kernel.org/powerpc/c/c7ce5fe9288c5692fa456a804cf5ea5976d842f1

Ignore this one.

cheers
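The quoted commit message describes the fix at the level of "reject the frame if the user-supplied MSR has TS bits set and the CPU has no TM". The following is an added model of that check in plain C, not code from the kernel patch or from this thread. It is a user-space simulation: the MSR bit positions (TM[E] at bit 32, TS suspended at bit 33, TS transactional at bit 34) are taken from the Book3S MSR layout and are stated here as assumptions, and `cpu_has_tm` stands in for the kernel's CPU feature test. The MSR value from the oops above is used as one sample input; the TS-set value is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Book3S 64-bit MSR bits relevant to TM (assumed layout for this model). */
#define MSR_TM      (1ULL << 32)   /* TM[E]: transactional memory enabled */
#define MSR_TS_S    (1ULL << 33)   /* TS = suspended transaction */
#define MSR_TS_T    (1ULL << 34)   /* TS = active transaction */
#define MSR_TS_MASK (MSR_TS_S | MSR_TS_T)

/* A transaction is "active" (needs recheckpointing) if either TS bit is set. */
#define MSR_TM_ACTIVE(msr) (((msr) & MSR_TS_MASK) != 0ULL)

enum sigreturn_result {
    SIGRETURN_OK,            /* plain context restore */
    SIGRETURN_RECHECKPOINT,  /* kernel would attempt tm_recheckpoint() */
    SIGRETURN_BADFRAME       /* frame rejected; caller gets SIGSEGV */
};

/*
 * Pre-fix behaviour as described in the commit message: the TS bits from
 * the user-supplied frame are trusted, so on a CPU without TM the kernel
 * goes on to recheckpoint and takes a "TM Bad Thing" exception.
 */
enum sigreturn_result validate_frame_msr_unfixed(uint64_t frame_msr)
{
    if (MSR_TM_ACTIVE(frame_msr))
        return SIGRETURN_RECHECKPOINT;
    return SIGRETURN_OK;
}

/*
 * Fixed behaviour: a frame that asks for an active transaction on a
 * system without TM is a bad frame. TM[E] alone (bit 32) is not a TS
 * bit and is not rejected by this check.
 */
enum sigreturn_result validate_frame_msr_fixed(uint64_t frame_msr, bool cpu_has_tm)
{
    if (MSR_TM_ACTIVE(frame_msr)) {
        if (!cpu_has_tm)
            return SIGRETURN_BADFRAME;
        return SIGRETURN_RECHECKPOINT;
    }
    return SIGRETURN_OK;
}

static const char *result_name(enum sigreturn_result r)
{
    switch (r) {
    case SIGRETURN_OK:           return "ok";
    case SIGRETURN_RECHECKPOINT: return "recheckpoint";
    default:                     return "badframe";
    }
}

int main(void)
{
    /* MSR value from the oops in the thread: TM[E] set, TS bits clear. */
    const uint64_t oops_msr = 0x8000000102a03031ULL;
    /* Constructed: same MSR with TS=suspended set in the user frame. */
    const uint64_t forged_msr = oops_msr | MSR_TS_S;

    printf("oops MSR,   no TM, unfixed: %s\n", result_name(validate_frame_msr_unfixed(oops_msr)));
    printf("TS set,     no TM, unfixed: %s\n", result_name(validate_frame_msr_unfixed(forged_msr)));
    printf("TS set,     no TM, fixed:   %s\n", result_name(validate_frame_msr_fixed(forged_msr, false)));
    printf("TS set,     TM ok, fixed:   %s\n", result_name(validate_frame_msr_fixed(forged_msr, true)));
    return 0;
}
```

The point the model makes explicit is that the TM[E] bit already present in the oops MSR is harmless on its own; the frame is only rejected when a TS bit requests a transaction that the hardware cannot recheckpoint.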
