Bugzilla – Bug 871149
VUL-1: CVE-2014-2673: kernel: local crash on powerpc
Last modified: 2016-04-27 20:07:00 UTC
via oss-sec/mitre

> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=621b5060e823301d0cba4cb52a7ee3491922d291
>
> The vulnerability is caused by an error in the "arch_dup_task_struct()"
> function (arch/powerpc/kernel/process.c) and can be exploited to cause a crash
> via a specially crafted instruction sequence.
>
> https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.15
> https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.13.7

Use CVE-2014-2673.
Affected packages: SLE-11-SP3: kernel-source
bugbot adjusting priority
It seems as if the SLES 11 SP3 3.0.101 based kernel does not support transactional memory for Power8. Also does not call tmrechkpt apparently.

But could you try the 3 line assembler snippet on a Power8 with SLES 11 SP3 and see if it crashes?

    tbegin        # start a transaction
    li r0, 2      # r0 = 2: __NR_fork on powerpc
    sc            # enter the kernel while the transaction is active

(SLE12 has the fix in patches.kernel.org/patch-3.12.14-15 before GA.)
According to the PowerISA 2.07 spec, the situation above should simply trigger a "Facility Unavailable Interrupt" at tbegin. (Book III-S, Chapter 6.5.24)
Welcome to SUSE Linux Enterprise Server 11 SP3 (ppc64) - Kernel 3.0.76-0.11-ppc64 (console).

linux login: Bad kernel stack pointer fffffaafeb0 at f60
Oops: Bad kernel stack pointer, sig: 6 [#1]
SMP NR_CPUS=1024 NUMA pSeries
Modules linked in: af_packet loop dm_mod ipv6 ipv6_lib sg sr_mod cdrom ibmveth(X) ext3 jbd mbcache sd_mod crc_t10dif scsi_dh_rdac scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh ibmvscsic(X) scsi_transport_srp scsi_tgt scsi_mod
Supported: Yes, External
NIP: 0000000000000f60 LR: 00000fff8685fe5c CTR: 0000000010000540
REGS: c00000003fff3d40 TRAP: 0700   Tainted: G X  (3.0.76-0.11-ppc64)
MSR: 8000000000081000 <ME>  CR: 22000442  XER: 00000000
TASK = c00000003ad45b50[7688] 'helloBE' THREAD: c00000003a3b4000 CPU: 0
GPR00: 00000fff8685fe5c 00000fffffaafeb0 00000000100190e8 0000000000000001
GPR04: 00000fffffab0368 00000fffffab0378 00000fffffab0508 00000fff869e6ec0
GPR08: 00000fff869e6ec0 0000000010011088 00000fff869e89c0 0000000000000000
GPR12: 0000000000000001 00000fff86807710 00000fff89d20488 000000001012dea0
GPR16: 00000000100cb9d8 0000000010093088 000000001012dea0 0000000000000000
GPR20: 0000000000000000 000000001011bb80 00000000100ce458 0000000000000000
GPR24: 000000001011b410 0000000000000000 0000000010111e80 00000fff86a59b98
GPR28: 00000fff86a5c4d8 00000000100110b8 0000000010011010 00000fffffab02e0
NIP [0000000000000f60] 0xf60
LR [00000fff8685fe5c] 0xfff8685fe5c
Call Trace:
Instruction dump:
00000000 XXXXXXXX XXXXXXXX XXXXXXXX 48002300 XXXXXXXX XXXXXXXX XXXXXXXX
00000000 XXXXXXXX XXXXXXXX XXXXXXXX 00000000 XXXXXXXX XXXXXXXX XXXXXXXX
Sending IPI to other cpus...
I'm in purgatory
CF000012
CF000015ch SUSE Linux crash #1 SMP Fri Jun 1io_event_irq: No ibm,io-events on system! IO Event interrupt disabled.
...
rebooting ...
We could probably ask IBM to fix this in scope of the Power8 port to SLES 11 SP3.
In arch/powerpc/kernel/exceptions-64s.S I can see exceptions for

    altivec_unavailable_common
    vsx_unavailable_common
    fp_unavailable_common

How is the POWER8 "Facility Unavailable" handled, if at all?
------- Comment From ddstreet@us.ibm.com 2014-07-15 03:57 EDT------- Transactional memory is Michael Neuling's area I believe, Michael can you review this bug?
Affected packages:
SLE-10-SP3-TERADATA: kernel-source
SLE-11-SP1-TERADATA: kernel-source
SLE-11-SP3: kernel-source
This one is not really a problem of TM. Citing the public parts from the non-public comments: in c#19 Alex says: "SLES11 ... kernel does an RTAS "client,architecture-set" (CAS) call" Marcus in c#22 asks for a reproducer in a scenario that is really supported. Conclusion: as SLE11SP3 does not support TM, and asks the HV for POWER7 compatibility mode, this really should not be an issue, so I'll now close as "invalid". Should anyone find that CAS does not work in a supported scenario, please open a new bug.
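The closing comment rests on the guest having negotiated POWER7 compatibility mode with the hypervisor, so that TM is never exposed to user space and the tbegin reproducer cannot reach the fork path. The check below is an added example, not code from this bug, from SUSE or from IBM: it decides whether a running pSeries guest actually advertises TM by combining the "cpu" line of /proc/cpuinfo (which, as an assumption about the pSeries format, reads "POWER7 (architected), ..." when a compatibility mode is in effect) with the PPC_FEATURE2_HTM bit of AT_HWCAP2, whose value 0x40000000 is taken from arch/powerpc/include/uapi/asm/cputable.h. The sample cpuinfo text is constructed, not captured from the machine in the thread; on a ppc64 Linux box the program reads the real files instead.

```c
/* Added check (not from the bug thread): does this pSeries guest expose
 * hardware transactional memory (TM)?  Assumptions: the "cpu" line of
 * /proc/cpuinfo has the pSeries form "cpu : POWER7 (architected), ..."
 * when the hypervisor runs the guest in a compatibility mode (negotiated
 * through CAS, as the closing comment describes), and AT_HWCAP2 carries
 * PPC_FEATURE2_HTM only when the kernel advertises TM to user space. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#if defined(__powerpc64__) && defined(__linux__)
#include <sys/auxv.h>
#endif

#define PPC_FEATURE2_ARCH_2_07 0x80000000UL /* uapi/asm/cputable.h */
#define PPC_FEATURE2_HTM       0x40000000UL

struct tm_probe {
    char model[32];     /* "POWER7", "POWER8", ... */
    int architected;    /* cpuinfo says "(architected)": compat mode */
    int htm_advertised; /* PPC_FEATURE2_HTM set in AT_HWCAP2 */
};

/* Constructed sample: a POWER7-compat guest, as SLE11 SP3 would request. */
static const char sample_compat[] =
    "processor\t: 0\n"
    "cpu\t\t: POWER7 (architected), altivec supported\n"
    "clock\t\t: 3425.000000MHz\n";

/* Fill p->model and p->architected from the first "cpu : ..." line.
 * Returns 0 on success, -1 if no such line exists ("cpu MHz" and
 * "cpu family" on other architectures are deliberately not matched). */
static int parse_cpu_line(const char *cpuinfo, struct tm_probe *p)
{
    const char *line = cpuinfo;
    char buf[256];

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if (strncmp(buf, "cpu", 3) == 0) {
            char *v = buf + 3;
            while (*v == ' ' || *v == '\t')
                v++;
            if (*v == ':') {
                size_t n = 0;
                v++;
                while (isspace((unsigned char)*v))
                    v++;
                /* model name ends at the first blank or ',' */
                while (v[n] && !isspace((unsigned char)v[n]) &&
                       v[n] != ',' && n < sizeof p->model - 1)
                    n++;
                memcpy(p->model, v, n);
                p->model[n] = '\0';
                p->architected = strstr(v, "(architected)") != NULL;
                return 0;
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

/* Returns 1 if user space can expect tbegin to be usable (TM advertised),
 * 0 if TM is not advertised, -1 if cpuinfo could not be parsed. */
static int tm_exposed(const char *cpuinfo, unsigned long hwcap2,
                      struct tm_probe *p)
{
    memset(p, 0, sizeof *p);
    if (parse_cpu_line(cpuinfo, p) < 0)
        return -1;
    p->htm_advertised = (hwcap2 & PPC_FEATURE2_HTM) != 0;
    return p->htm_advertised;
}

int main(void)
{
    struct tm_probe p;
    int rc;
#if defined(__powerpc64__) && defined(__linux__)
    char cpuinfo[8192] = {0};
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (!f)
        return 1;
    fread(cpuinfo, 1, sizeof cpuinfo - 1, f);
    fclose(f);
    rc = tm_exposed(cpuinfo, getauxval(AT_HWCAP2), &p);
#else
    /* Not a Power machine: exercise the logic on the constructed sample. */
    rc = tm_exposed(sample_compat, PPC_FEATURE2_ARCH_2_07, &p);
#endif
    if (rc < 0)
        return 1;
    printf("cpu model: %s%s\n", p.model,
           p.architected ? " (architected: compatibility mode)" : "");
    printf("TM advertised in AT_HWCAP2: %s\n", rc ? "yes" : "no");
    return 0;
}
```

A "POWER7 (architected)" model together with a clear HTM bit is the state the closing comment relies on; a guest that reports a POWER8 model with HTM set is one where the snippet from the earlier comment can actually reach the kernel with a transaction active, and that is the configuration on which a fixed kernel (3.12.15 / 3.13.7 or later) matters.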