From: Michael Ellerman <patch-notifications@ellerman.id.au>
To: Michael Neuling <mikey@neuling.org>
Cc: mikey@neuling.org, Praveen Pandey <Praveen.Pandey@in.ibm.com>,
gromero@br.ibm.com, linuxppc-dev@lists.ozlabs.org,
Breno Leitao <breno.leitao@gmail.com>,
Haren Myneni <haren@linux.vnet.ibm.com>
Subject: Re: [PATCH] powerpc/tm: Fix oops on sigreturn on systems without TM
Date: Mon, 22 Jul 2019 12:48:15 +1000 (AEST)
Message-ID: <45sQyl2WrQz9sLt@ozlabs.org>
In-Reply-To: <20190719050502.405-1-mikey@neuling.org>
On Fri, 2019-07-19 at 05:05:02 UTC, Michael Neuling wrote:
> On systems like P9 powernv where we have no TM (or P8 booted with
> ppc_tm=off), userspace can construct a signal context which still has
> the MSR TS bits set. The kernel tries to restore this context which
> results in the following crash:
>
> [ 74.980557] Unexpected TM Bad Thing exception at c0000000000022fc (msr 0x8000000102a03031) tm_scratch=800000020280f033
> [ 74.980741] Oops: Unrecoverable exception, sig: 6 [#1]
> [ 74.980820] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
> [ 74.980917] Modules linked in:
> [ 74.980980] CPU: 0 PID: 1636 Comm: sigfuz Not tainted 5.2.0-11043-g0a8ad0ffa4 #69
> [ 74.981096] NIP: c0000000000022fc LR: 00007fffb2d67e48 CTR: 0000000000000000
> [ 74.981212] REGS: c00000003fffbd70 TRAP: 0700 Not tainted (5.2.0-11045-g7142b497d8)
> [ 74.981325] MSR: 8000000102a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[E]> CR: 42004242 XER: 00000000
> [ 74.981463] CFAR: c0000000000022e0 IRQMASK: 0
> [ 74.981463] GPR00: 0000000000000072 00007fffb2b6e560 00007fffb2d87f00 0000000000000669
> [ 74.981463] GPR04: 00007fffb2b6e728 0000000000000000 0000000000000000 00007fffb2b6f2a8
> [ 74.981463] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> [ 74.981463] GPR12: 0000000000000000 00007fffb2b76900 0000000000000000 0000000000000000
> [ 74.981463] GPR16: 00007fffb2370000 00007fffb2d84390 00007fffea3a15ac 000001000a250420
> [ 74.981463] GPR20: 00007fffb2b6f260 0000000010001770 0000000000000000 0000000000000000
> [ 74.981463] GPR24: 00007fffb2d843a0 00007fffea3a14a0 0000000000010000 0000000000800000
> [ 74.981463] GPR28: 00007fffea3a14d8 00000000003d0f00 0000000000000000 00007fffb2b6e728
> [ 74.982420] NIP [c0000000000022fc] rfi_flush_fallback+0x7c/0x80
> [ 74.982517] LR [00007fffb2d67e48] 0x7fffb2d67e48
> [ 74.982593] Call Trace:
> [ 74.982632] Instruction dump:
> [ 74.982691] e96a0220 e96a02a8 e96a0330 e96a03b8 394a0400 4200ffdc 7d2903a6 e92d0c00
> [ 74.982809] e94d0c08 e96d0c10 e82d0c18 7db242a6 <4c000024> 7db243a6 7db142a6 f82d0c18
>
> The problem is the signal code assumes TM is enabled when
> CONFIG_PPC_TRANSACTIONAL_MEM is on. This may not be the case as with
> P9 powernv or if `ppc_tm=off` is used on P8.
>
> This means any local user can crash the system.
>
> Fix the problem by returning a bad stack frame to the user if they try
> to set the MSR TS bits with sigreturn() on systems where TM is not
> supported.
>
> Found with sigfuz kernel selftest on P9.
>
> This fixes CVE-2019-13648.
>
> Fixes: 2b0a576d15 ("powerpc: Add new transactional memory state to the signal context")
> Cc: stable@vger.kernel.org # v3.9
> Reported-by: Praveen Pandey <Praveen.Pandey@in.ibm.com>
> Signed-off-by: Michael Neuling <mikey@neuling.org>
Applied to powerpc fixes, thanks.
https://git.kernel.org/powerpc/c/c7ce5fe9288c5692fa456a804cf5ea5976d842f1
cheers
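Added illustration (not the kernel's code and not part of the patch in this thread): a user-space C model of the check the quoted description calls for. A signal frame coming back through sigreturn() carries a user-controlled MSR; if its TS (transaction state) bits are set on a CPU that has no TM, the frame is rejected instead of restored, which is what the kernel's "badframe" path does by delivering SIGSEGV. The bit positions are those of MSR_TM_LG, MSR_TS_S_LG and MSR_TS_T_LG in arch/powerpc/include/asm/reg.h, reproduced so the example builds outside the kernel tree; `cpu_has_tm` is an assumed stand-in for the kernel's CPU feature test, and the MSR values are taken from the oops above plus one constructed forged frame.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Bit positions from arch/powerpc/include/asm/reg.h (MSR_TM_LG, MSR_TS_S_LG,
 * MSR_TS_T_LG), reproduced here so this file builds without the kernel headers.
 */
#define MSR_TM_LG   32  /* Transactional Memory enabled */
#define MSR_TS_S_LG 33  /* Transaction state: suspended */
#define MSR_TS_T_LG 34  /* Transaction state: transactional */

#define MSR_TM      (1ULL << MSR_TM_LG)
#define MSR_TS_S    (1ULL << MSR_TS_S_LG)
#define MSR_TS_T    (1ULL << MSR_TS_T_LG)
#define MSR_TS_MASK (MSR_TS_S | MSR_TS_T)

/* Same predicate the kernel uses as MSR_TM_ACTIVE(): any TS bit set. */
bool msr_tm_active(uint64_t msr)
{
	return (msr & MSR_TS_MASK) != 0;
}

/* Verdict of the modelled sigreturn check. */
enum sigframe_verdict {
	FRAME_OK = 0,   /* restore the user context as given */
	FRAME_BAD = -1, /* badframe: deliver SIGSEGV, never enter TM state */
};

/*
 * Model of the fix described in the thread (constructed stand-in, not the
 * kernel source). Before the fix, a TS-bearing MSR from user space was
 * restored unconditionally whenever CONFIG_PPC_TRANSACTIONAL_MEM was built
 * in; on hardware without TM that ends in the "TM Bad Thing" oops quoted
 * above. cpu_has_tm models cpu_has_feature(CPU_FTR_TM), false on P9 powernv
 * and on P8 booted with ppc_tm=off.
 */
enum sigframe_verdict check_sigframe_msr(uint64_t user_msr, bool cpu_has_tm)
{
	if (msr_tm_active(user_msr) && !cpu_has_tm)
		return FRAME_BAD;
	return FRAME_OK;
}

/* Human-readable TS decode for an MSR value, e.g. one lifted from an oops. */
const char *msr_ts_name(uint64_t msr)
{
	switch (msr & MSR_TS_MASK) {
	case 0:        return "non-transactional";
	case MSR_TS_S: return "suspended";
	case MSR_TS_T: return "transactional";
	default:       return "reserved (both TS bits set)";
	}
}

static void describe(const char *label, uint64_t msr, bool cpu_has_tm)
{
	printf("%-10s %016llx: TM=%d TS=%s -> %s\n", label,
	       (unsigned long long)msr, (msr & MSR_TM) != 0, msr_ts_name(msr),
	       check_sigframe_msr(msr, cpu_has_tm) == FRAME_OK ? "restore" : "badframe");
}

int main(void)
{
	/* Values copied from the oops in the commit message. */
	const uint64_t oops_msr     = 0x8000000102a03031ULL;
	const uint64_t oops_scratch = 0x800000020280f033ULL;
	/* Constructed: a forged frame asking for a suspended transaction. */
	const uint64_t forged_msr   = 0x8000000002a03031ULL | MSR_TS_S;

	describe("msr", oops_msr, false);        /* no TS bits: restored either way */
	describe("tm_scratch", oops_scratch, false); /* TS=suspended, no TM: badframe */
	describe("forged", forged_msr, false);   /* P9 powernv: rejected */
	describe("forged", forged_msr, true);    /* CPU with TM: legitimately restored */
	return 0;
}
```

The decode of the two values from the oops also shows why the crash is reachable: the MSR at the fault has TM enabled but no TS bits, while tm_scratch carries TS=suspended, the state the forged frame asked the kernel to enter on a CPU that cannot.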