CVE-2021-47350

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
21/05/2024
Last modified:
02/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/mm: Fix lockup on kernel exec fault

The powerpc kernel is not prepared to handle exec faults from kernel. Especially, the function is_exec_fault() will return 'false' when an exec fault is taken by kernel, because the check is based on reading current->thread.regs->trap which contains the trap from user.

For instance, when provoking a LKDTM EXEC_USERSPACE test, current->thread.regs->trap is set to SYSCALL trap (0xc00), and the fault taken by the kernel is not seen as an exec fault by set_access_flags_filter().

Commit d7df2443cd5f ("powerpc/mm: Fix spurious segfaults on radix with autonuma") made it clear and handled it properly. But later on commit d3ca587404b3 ("powerpc/mm: Fix reporting of kernel execute faults") removed that handling, introducing a test based on error_code. And here is the problem, because on the 603 all upper bits of SRR1 get cleared when the TLB instruction miss handler bails out to ISI.

Until commit cbd7e6ca0210 ("powerpc/fault: Avoid heavy search_exception_tables() verification"), an exec fault from kernel at a userspace address was indirectly caught by the lack of entry for that address in the exception tables. But after that commit the kernel mainly relies on KUAP or on core mm handling to catch wrong user accesses. Here the access is not wrong, so mm handles it. It is a minor fault because PAGE_EXEC is not set, set_access_flags_filter() should set PAGE_EXEC and voila. But as is_exec_fault() returns false as explained in the beginning, set_access_flags_filter() bails out without setting PAGE_EXEC flag, which leads to a forever minor exec fault.

As the kernel is not prepared to handle such exec faults, the thing to do is to fire in bad_kernel_fault() for any exec fault taken by the kernel, as it was prior to commit d3ca587404b3.

Vulnerable products and versions

CPE                                              From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.14               5.4.133
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.5                5.10.51
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11               5.12.18
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.13               5.13.3