PPC: KVM: Book3S HV: Fix conflicting use of HSTATE_HOST_R1
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| The Ubuntu-power-systems project | Fix Released | High | Ubuntu on IBM Power Systems Bug Triage | |
| linux (Ubuntu) | Fix Released | Undecided | Ubuntu Security Team | |
| Bionic | Fix Released | Undecided | Ubuntu Security Team | |
Bug Description
---Problem Description---
Currently a malicious user can craft code to be executed in the guest kernel space that puts the CPU in TM suspended mode and calls a hypercall (for instance H_PUT_TERM_CHAR, token 0x58), leading to a kernel panic on the host. I was not able to reproduce it upstream; nonetheless it's reproducible on the most up-to-date stock kernel for Ubuntu Bionic Beaver, i.e. 4.15.0-76.86. The guest kernel version is not meaningful unless the TM facility is disabled (it must be enabled).
---Steps to Reproduce---
The following hypercall fuzzer will trigger it: https:/
$ git clone https:/
$ make
$ make insmod
$ sudo ./injector
Currently it's possible to crash a host from a guest by calling a hypercall when
the CPU is in TM suspended mode. Whilst on the guest a TM Bad Thing is caught, on the host
the following traces are observed:
[ 618.563991] Oops: Exception in kernel mode, sig: 4 [#1]
[ 618.563994] LE SMP NR_CPUS=2048 NUMA PowerNV
[ 618.563999] Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE
nf_nat_
nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge
stp llc ebtable_filter ebtables devlink ip6table_filter ip6_tables iptable_filter
kvm_hv kvm vmx_crypto ipmi_powernv ipmi_devintf ipmi_msghandler uio_pdrv_genirq
uio leds_powernv crct10dif_vpmsum ibmpowernv powernv_rng sch_fq_codel nfsd auth_rpcgss
nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 xfs btrfs zstd_compress
raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor
raid6_pq libcrc32c raid1 raid0 multipath linear lpfc crc32c_vpmsum nvmet_fc
nvmet nvme_fc nvme_fabrics nvme_core tg3 ipr scsi_transport_fc
[ 618.564064] CPU: 51 PID: 0 Comm: swapper/51 Not tainted 4.15.0-76-generic #86-Ubuntu
[ 618.564066] NIP: 0000000000000000 LR: 0000000000000000 CTR: d0000000072f0580
[ 618.564068] REGS: c00000003fd9bca0 TRAP: 0e40 Not tainted (4.15.0-76-generic)
[ 618.564068] MSR: 9000000102883003 <SF,HV,
[ 618.564077] CFAR: c0000000000f53f0 SOFTE: 0
[ 618.564077] GPR00: 0000000000000000 c00000003fd9bf20 c00000000171c800 0000000000000000
[ 618.564077] GPR04: c000000ff4d10000 c0000000ff067400 000000000ad0cc9e c0000000000fb4bc
[ 618.564077] GPR08: 804800000180f000 c000000dcabcbe80 0000000000000000 0000000020000000
[ 618.564077] GPR12: 0000000000000e80 c00000000faa3100 0000000000000000 0000000000000000
[ 618.564077] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 618.564077] GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 618.564077] GPR24: 0000000000000000 d0000000072e0158 000000000000009b 000000000000009c
[ 618.564077] GPR28: 000000000000009c 0000000000000000 0000000000000000 0010000000000000
[ 618.564100] NIP [0000000000000000] (null)
[ 618.564101] LR [0000000000000000] (null)
[ 618.564101] Call Trace:
[ 618.564102] Instruction dump:
[ 618.564105] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
[ 618.564109] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX 0100421c f2820104 0000001b 00000132
[ 618.564118] ---[ end trace f0be3cc10ea6fc44 ]---
[ 618.569897]
[ 618.593555] KVM: CPU 51 seems to be stuck
[ 258.967652] Kernel panic - not syncing: Attempted to kill the idle task!
[ 258.967677] Unable to handle kernel paging request for data at address 0xc000001ff6c9d700
[ 618.596478] Faulting instruction address: 0xc000000000077cf0
[ 618.596479] Oops: Kernel access of bad area, sig: 11 [#2]
[ 618.596480] LE SMP NR_CPUS=2048 NUMA PowerNV
[ 618.596482] Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE
nf_nat_
nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4
xt_tcpudp bridge stp llc ebtable_filter ebtables devlink ip6table_filter
ip6_tables iptable_filter kvm_hv kvm vmx_crypto ipmi_powernv ipmi_devintf
ipmi_msghandler uio_pdrv_genirq uio leds_powernv crct10dif_vpmsum ibmpowernv
powernv_rng sch_fq_codel nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables
x_tables autofs4 xfs btrfs zstd_compress raid10 raid456 async_raid6_recov
async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0
multipath linear lpfc crc32c_vpmsum nvmet_fc nvmet nvme_fc nvme_fabrics
nvme_core tg3 ipr scsi_transport_fc
[ 618.596521] CPU: 51 PID: 0 Comm: swapper/51 Tainted: G D 4.15.0-76-generic #86-Ubuntu
[ 618.596522] NIP: c000000000077cf0 LR: c000000000080c84 CTR: c000000000077c90
[ 618.596524] REGS: c00000003fd9b040 TRAP: 0300 Tainted: G D (4.15.0-76-generic)
[ 618.596524] MSR: 9000000000001033 <SF,HV,
[ 618.596530] CFAR: c000000000080c80 DAR: c000001ff6c9d700 DSISR: 40000000 SOFTE: 0
[ 618.596530] GPR00: c000000000080c84 c00000003fd9b2c0 c00000000171c800 0000000006c9d700
[ 618.596530] GPR04: 00000000000001ac 0071d13aa0080040 0000000000000002 0000000000000002
[ 618.596530] GPR08: 0000000000000001 0000000000000002 00000e3a27540100 c000001ff6c9d700
[ 618.596530] GPR12: c000001ff0000000 c00000000faa3100 0000000000000000 0000000000000000
[ 618.596530] GPR16: 0000000000000004 0071d13aa0080040 00000000000001ac c0000000018be858
[ 618.596530] GPR20: 800000000000000e d00038008004000c 00000000071d13aa c0000000018be280
[ 618.596530] GPR24: 0000000000000001 0000000000000002 0000000000000300 0000000000000300
[ 618.596530] GPR28: 4000000000000000 0000000000000000 c0000000018be2d0 00000000000000b0
[ 618.596560] NIP [c000000000077cf0] native_
[ 618.596562] LR [c000000000080c84] __hash_
[ 618.596562] Call Trace:
[ 618.596563] Instruction dump:
[ 618.596565] 791cf046 3fc2001a 3bde1ad0 3d62001a 396b2188 91810008 f821ff71 7fbefa14
[ 618.596570] ebbd0048 e98b0000 7d4ae878 7d6c1a14 <7c0c1c28> 794a3e24 7f9c5378 48000018
[ 618.596576] ---[ end trace f0be3cc10ea6fc45 ]---
[ 618.602738]
[ 618.625946] KVM: CPU 51 seems to be stuck
[ 258.999498] Kernel panic - not syncing: Attempted to kill the idle task!
[ 618.653500] KVM: CPU 51 seems to be stuck
This is due to conflicting use of HSTATE_HOST_R1 to store r1 state in
kvmppc_hv_entry plus in kvmppc_
The commit that introduced such a conflict is
f024ee098476 ("KVM: PPC: Book3S HV: Pull out TM state save/restore into separate procedures"),
but the issue really appears when change
87a11bb6a7f7 ("KVM: PPC: Book3S HV: Work around XER[SO] bug in fake suspend mode")
is applied too, because it creates a new stack frame, so the two conflicting r1 values stored
to HSTATE_HOST_R1 are different.
The issue was fixed accidentally by
6f597c6b63b6 ("KVM: PPC: Book3S PR: Add guest MSR parameter for kvmppc_
which is actually a change mostly related to Book3S PR.
This commit fixes the issue by backporting from 6f597c6b63b6 only the part
responsible for storing r1 to a different memory location (HSTATE_SCRATCH2),
avoiding the conflict and so the stack corruption.
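The slot conflict described above can be modelled in a few lines of C. This is an added illustration, not kernel code: `struct hstate`, `save_tm`, `hv_entry_exit` and `host_stack_intact` are stand-ins for the per-CPU host state area, the TM save procedure and the guest entry/exit path; the 112-byte frame size and the r1 value are constructed, and only the slot names HSTATE_HOST_R1 and HSTATE_SCRATCH2 come from the report. It shows why the host resumes with a wrong stack pointer when both paths save r1 into the same slot, and why moving the TM save path's copy to a separate slot is enough.

```c
/* Model of the HSTATE_HOST_R1 conflict from the bug report (added example,
 * not kernel code). A tiny struct stands in for the per-CPU host state area,
 * plain functions stand in for kvmppc_hv_entry and the TM save procedure. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical layout: two save slots in the per-CPU host state area. */
struct hstate {
    uint64_t host_r1;   /* HSTATE_HOST_R1: where the entry path parks the host r1 */
    uint64_t scratch2;  /* HSTATE_SCRATCH2: the slot the fix uses instead       */
};

enum slot { USE_HOST_R1, USE_SCRATCH2 };

/* Stand-in for the TM state save procedure. With the fake-suspend workaround
 * it allocates its own stack frame (r1 moves down) and saves that r1 in a
 * slot so it can pop the frame on return. Which slot it uses is the bug. */
static uint64_t save_tm(struct hstate *hs, uint64_t r1, enum slot where)
{
    uint64_t frame_r1 = r1 - 112;   /* constructed frame size: stdu r1,-112(r1) */
    uint64_t *slot = (where == USE_HOST_R1) ? &hs->host_r1 : &hs->scratch2;
    *slot = frame_r1;               /* std r1, SLOT(r13) */
    /* ... TM checkpointed registers would be saved here ... */
    return *slot;                   /* ld r1, SLOT(r13): pops its own frame */
}

/* Stand-in for the guest entry/exit path: park the host r1, run the TM save
 * because the guest is in TM suspended state, then restore the host r1 from
 * HSTATE_HOST_R1 on exit. Returns the r1 the host resumes with. */
static uint64_t hv_entry_exit(struct hstate *hs, uint64_t host_r1, enum slot tm_slot)
{
    hs->host_r1 = host_r1;               /* std r1, HSTATE_HOST_R1(r13) */
    (void)save_tm(hs, host_r1, tm_slot); /* guest made a hypercall in TM suspend */
    return hs->host_r1;                  /* ld r1, HSTATE_HOST_R1(r13) on exit */
}

/* true when the host gets its original stack pointer back */
bool host_stack_intact(enum slot tm_slot)
{
    struct hstate hs = {0, 0};
    const uint64_t original_r1 = 0xc00000003fd9bf20ULL; /* constructed value */
    return hv_entry_exit(&hs, original_r1, tm_slot) == original_r1;
}

int main(void)
{
    /* Shared slot: the TM path's frame pointer overwrites the host r1, so the
     * exit path returns into a frame that was never the host's (the zeroed
     * NIP/LR in the oops above is what that looks like). */
    printf("TM save uses HSTATE_HOST_R1: host stack %s\n",
           host_stack_intact(USE_HOST_R1) ? "intact" : "corrupted");
    /* Separate slot (the backported part of 6f597c6b63b6): no overwrite. */
    printf("TM save uses HSTATE_SCRATCH2: host stack %s\n",
           host_stack_intact(USE_SCRATCH2) ? "intact" : "corrupted");
    return 0;
}
```

The only difference between the two runs is the slot the TM save path writes to; the entry path is unchanged in both, which is why a one-line relocation of the store is a complete fix for the corruption.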
On Ubuntu Bionic, tag "Ubuntu-
CVE References
tags: added: ppc64el
Changed in ubuntu-power-systems:
  assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in linux (Ubuntu):
  assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in ubuntu-power-systems:
  assignee: Ubuntu Security Team (ubuntu-security) → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Changed in ubuntu-power-systems:
  status: New → Triaged
Changed in ubuntu-power-systems:
  importance: Undecided → High
Changed in ubuntu-power-systems:
  status: Triaged → Fix Released
Xenial should not be affected - it doesn't have 87a11bb6a7f7. Since that's a power9-specific patch it's not something we would include.
There is no CVE for this right now - should we get one?