oss-sec mailing list archives

CVE Request: Linux kernel: incorrect restoration of machine specific registers from signal handler.

From: Wade Mealing <wmealing () redhat com>
Date: Wed, 13 Apr 2016 21:18:16 +1000

A flaw was found in the linux kernel which could cause a kernel panic
when restoring machine specific registers on ppc platform.  Incorrect
transactional memory state registers could inadvertently change the
call path on return from userspace and cause the kernel to enter an
unknown state in the transactional memory handling code and panic in a
BUG_ON() defensively.

QMEU guests can also modify the same machine specific register values
via set_one_reg and guests may invoke the same unknown state and
callpath.  Since the fix is in the same location I would argue that
this is the same flaw.

This only both big endian and little endian ppc platforms, it does not
affect non powerpc platforms.

Thanks,

Wade Mealing
Red Hat Product Security

References:

Upstream fixes:
https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?h=fixes&id=d2b9d2a5ad5ef04ff978c9923d19730cb05efd55

https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?h=fixes&id=7f821fc9c77a9b01fe7b1d6e72717b33d8d64142

Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1326540

Current thread:

CVE Request: Linux kernel: incorrect restoration of machine specific registers from signal handler. Wade Mealing (Apr 13)
- Re: CVE Request: Linux kernel: incorrect restoration of machine specific registers from signal handler. cve-assign (Apr 13)