From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 6 Mar 2018 02:57:48 -0800
From: Greg Kroah-Hartman
To: Borislav Petkov
Cc: Seunghun Han, Tony Luck, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH V3] x86: mce: fix kernel panic when check_interval is changed
Message-ID:
 <20180306105748.GA31087@kroah.com>
References: <20180302202706.9434-1-kkamagui@gmail.com> <20180306104320.GB11535@pd.tnic>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180306104320.GB11535@pd.tnic>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 06, 2018 at 11:43:20AM +0100, Borislav Petkov wrote:
> On Sat, Mar 03, 2018 at 05:27:06AM +0900, Seunghun Han wrote:
> > I am Seunghun Han and a senior security researcher at National Security
> > Research Institute of South Korea.
> >
> > I found a security issue which can make kernel panic in userspace. After
> > analyzing the issue carefully, I found that MCE driver in the kernel has a
> > problem which can be occurred in SMP environment.
> >
> > The check_interval file in
> > /sys/devices/system/machinecheck/machinecheck<cpu number> directory is a
> > global timer value for MCE polling. If it is changed by one CPU, MCE driver
> > in kernel calls mce_restart() function in store_int_with_restart() function
> > and broadcasts the event to other CPUs to delete and restart MCE polling
> > timer.
> >
> > The __mcheck_cpu_init_timer() function which is called by mce_restart()
> > function initializes the mce_timer variable, and the "lock" in mce_timer is
> > also reinitialized. If more than one CPU write a specific value to
> > check_interval file concurrently, one can initialize the "lock" in mce_timer
> > while the others are handling "lock" in mce_timer. This problem causes some
> > synchronization errors such as kernel panic and kernel hang. Other functions
> > such as set_ignore_ce(), set_cmci_disabled(), and mce_enable_ce() also
> > have synchronization problems.
> >
> > It could be a security problem because the attacker could make kernel panic
> > by writing a value to the check_interval file in userspace, and it could be
> > used for Denial-of-Service (DoS) attack.
> >
> > To fix this problem, I added a mce_sysfs_mutex to serialize requests for
> > timer and sysfs functions.
> >
> > Signed-off-by: Seunghun Han
> > ---
> > Changes since v2: add a mutex to sysfs functions according to review
> > result.
> > Changes since v1: add mce_sysfs_mutex according to review result.
>
> Thanks, I've committed the patch below. Scream if there's still
> something not in order:

It would have been nice to add a cc:stable for this, but I'll try to
watch it and when it hits Linus's tree I'll queue it up there.

thanks,

greg k-h
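
The race described in the quoted commit message, as an added example that is not part of this thread or of the committed patch: a user-space C model that walks every interleaving of two CPUs running the timer restart steps and counts the schedules in which the timer "lock" is re-initialised while held. The step names, and holding the modelled mce_sysfs_mutex from timer init through unlock, are assumptions of the model.

```c
#include <stdio.h>

/* Constructed user-space model, not kernel code. pc: next step of each
 * modelled CPU; lock_owner: holder of the timer's internal "lock";
 * mutex_owner: holder of the modelled mce_sysfs_mutex (-1 means free). */
enum step { INIT_TIMER, LOCK_TIMER, UNLOCK_TIMER, DONE };
struct state { int pc[2], lock_owner, mutex_owner; };

/* Walk every interleaving; return how many of them corrupt the timer lock. */
static long explore(struct state s, int serialize, int corrupted) {
    long bad_total = 0;
    if (s.pc[0] == DONE && s.pc[1] == DONE) return corrupted;
    for (int cpu = 0; cpu < 2; cpu++) {
        struct state n = s;
        int bad = corrupted;
        switch (s.pc[cpu]) {
        case INIT_TIMER:  /* models __mcheck_cpu_init_timer() */
            if (serialize && s.mutex_owner != -1) continue; /* blocked on mutex */
            if (serialize) n.mutex_owner = cpu;
            if (s.lock_owner != -1) bad = 1;  /* lock re-initialised while held */
            n.lock_owner = -1;
            break;
        case LOCK_TIMER:
            if (s.lock_owner != -1) continue; /* lock is taken, cannot proceed */
            n.lock_owner = cpu;
            break;
        case UNLOCK_TIMER:
            if (s.lock_owner != cpu) bad = 1; /* releasing a lock it lost */
            n.lock_owner = -1;
            n.mutex_owner = -1;               /* end of the serialised section */
            break;
        default: continue;                    /* this CPU has finished */
        }
        n.pc[cpu]++;
        bad_total += explore(n, serialize, bad);
    }
    return bad_total;
}

long count_bad_schedules(int serialize) {
    struct state start = { { INIT_TIMER, INIT_TIMER }, -1, -1 };
    return explore(start, serialize, 0);
}

int main(void) {
    printf("no mutex: %ld, mutex: %ld\n", count_bad_schedules(0), count_bad_schedules(1));
    return 0;
}
```

With serialization only the two back-to-back schedules remain, so no schedule resets a held lock.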