Pendiente de análisis
No Disponible / Otro tipo
Fecha de publicación:
Última modificación:


*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/64s: Fix pte update for kernel memory on radix<br /> <br /> When adding a PTE a ptesync is needed to order the update of the PTE<br /> with subsequent accesses otherwise a spurious fault may be raised.<br /> <br /> radix__set_pte_at() does not do this for performance gains. For<br /> non-kernel memory this is not an issue as any faults of this kind are<br /> corrected by the page fault handler. For kernel memory these faults<br /> are not handled. The current solution is that there is a ptesync in<br /> flush_cache_vmap() which should be called when mapping from the<br /> vmalloc region.<br /> <br /> However, map_kernel_page() does not call flush_cache_vmap(). This is<br /> troublesome in particular for code patching with Strict RWX on radix.<br /> In do_patch_instruction() the page frame that contains the instruction<br /> to be patched is mapped and then immediately patched. With no ordering<br /> or synchronization between setting up the PTE and writing to the page<br /> it is possible for faults.<br /> <br /> As the code patching is done using __put_user_asm_goto() the resulting<br /> fault is obscured - but using a normal store instead it can be seen:<br /> <br /> BUG: Unable to handle kernel data access on write at 0xc008000008f24a3c<br /> Faulting instruction address: 0xc00000000008bd74<br /> Oops: Kernel access of bad area, sig: 11 [#1]<br /> LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV<br /> Modules linked in: nop_module(PO+) [last unloaded: nop_module]<br /> CPU: 4 PID: 757 Comm: sh Tainted: P O 5.10.0-rc5-01361-ge3c1b78c8440-dirty #43<br /> NIP: c00000000008bd74 LR: c00000000008bd50 CTR: c000000000025810<br /> REGS: c000000016f634a0 TRAP: 0300 Tainted: P O (5.10.0-rc5-01361-ge3c1b78c8440-dirty)<br /> MSR: 9000000000009033 CR: 44002884 XER: 00000000<br /> CFAR: c00000000007c68c DAR: c008000008f24a3c DSISR: 42000000 IRQMASK: 1<br /> <br /> This results in the kind of issue reported here:<br /><br /> <br /> Chris Riedl suggested a reliable way to reproduce the issue:<br /> $ mount -t debugfs none /sys/kernel/debug<br /> $ (while true; do echo function &gt; /sys/kernel/debug/tracing/current_tracer ; echo nop &gt; /sys/kernel/debug/tracing/current_tracer ; done) &amp;<br /> <br /> Turning ftrace on and off does a large amount of code patching which<br /> in usually less then 5min will crash giving a trace like:<br /> <br /> ftrace-powerpc: (____ptrval____): replaced (4b473b11) != old (60000000)<br /> ------------[ ftrace bug ]------------<br /> ftrace failed to modify<br /> [] napi_busy_loop+0xc/0x390<br /> actual: 11:3b:47:4b<br /> Setting ftrace call site to call ftrace function<br /> ftrace record flags: 80000001<br /> (1)<br /> expected tramp: c00000000006c96c<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 4 PID: 809 at kernel/trace/ftrace.c:2065 ftrace_bug+0x28c/0x2e8<br /> Modules linked in: nop_module(PO-) [last unloaded: nop_module]<br /> CPU: 4 PID: 809 Comm: sh Tainted: P O 5.10.0-rc5-01360-gf878ccaf250a #1<br /> NIP: c00000000024f334 LR: c00000000024f330 CTR: c0000000001a5af0<br /> REGS: c000000004c8b760 TRAP: 0700 Tainted: P O (5.10.0-rc5-01360-gf878ccaf250a)<br /> MSR: 900000000282b033 CR: 28008848 XER: 20040000<br /> CFAR: c0000000001a9c98 IRQMASK: 0<br /> GPR00: c00000000024f330 c000000004c8b9f0 c000000002770600 0000000000000022<br /> GPR04: 00000000ffff7fff c000000004c8b6d0 0000000000000027 c0000007fe9bcdd8<br /> GPR08: 0000000000000023 ffffffffffffffd8 0000000000000027 c000000002613118<br /> GPR12: 0000000000008000 c0000007fffdca00 0000000000000000 0000000000000000<br /> GPR16: 0000000023ec37c5 0000000000000000 0000000000000000 0000000000000008<br /> GPR20: c000000004c8bc90 c0000000027a2d20 c000000004c8bcd0 c000000002612fe8<br /> GPR24: 0000000000000038 0000000000000030 0000000000000028 0000000000000020<br /> GPR28: c000000000ff1b68 c000000000bf8e5c c00000000312f700 c000000000fbb9b0<br /> NIP ftrace_bug+0x28c/0x2e8<br /> LR ftrace_bug+0x288/0x2e8<br /> Call T<br /> ---truncated---