CVE-2020-11669: Linux kernel 4.10 to 5.1: powerpc: guest can cause DoS on POWER9 KVM hosts
Andrew Donnellan
ajd at linux.ibm.com
Wed Apr 15 22:52:53 AEST 2020
The Linux kernel for powerpc from v4.10 to v5.1 has a bug where the
Authority Mask Register (AMR), Authority Mask Override Register (AMOR)
and User Authority Mask Override Register (UAMOR) are not correctly
saved and restored when the CPU is going into/coming out of idle state.
On POWER9 CPUs, this means that a CPU may return from idle with the AMR
value of another thread on the same core.
This allows a trivial Denial of Service attack against KVM hosts, by
booting a guest kernel which makes use of the AMR, such as a v5.2 or
later kernel with Kernel Userspace Access Prevention (KUAP) enabled.
The guest kernel will set the AMR to prevent userspace access, then the
thread will go idle. At a later point, the hardware thread that the
guest was using may come out of idle and start executing in the host,
without restoring the host AMR value. The host kernel can get caught in
a page fault loop, as the AMR is unexpectedly causing memory accesses to
fail in the host, and the host is eventually rendered unusable.
The fix is to correctly save and restore the AMR in the idle state
handling code.
The bug does not affect POWER8 or earlier Power CPUs.
CVE-2020-11669 has been assigned.
The bug has already been fixed upstream in kernels v5.2 onwards, by [0].
Fixes have been submitted for inclusion in upstream stable kernel trees
for v4.19[1] and v4.14[2].
The bug is already fixed in Red Hat Enterprise Linux 8 kernels from
4.18.0-147 onwards - see RHSA-2019:3517[3].
Thanks to David Gibson of Red Hat for the initial bug report.
[0]
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=53a712bae5dd919521a58d7bad773b949358add0
[1] https://lists.ozlabs.org/pipermail/linuxppc-dev/2020-April/208661.html
[2] https://lists.ozlabs.org/pipermail/linuxppc-dev/2020-April/208660.html
[3] https://access.redhat.com/errata/RHSA-2019:3517
--
Andrew Donnellan OzLabs, ADL Canberra
ajd at linux.ibm.com IBM Australia Limited
More information about the Linuxppc-dev
mailing list