In the Linux kernel, the following vulnerability has been resolved:
powerpc/64s: fix program check interrupt emergency stack path Emergency
stack path was jumping into a 3: label inside the __GEN_COMMON_BODY macro
for the normal path after it had finished, rather than jumping over it. By
a small miracle this is the correct place to build up a new interrupt frame
with the existing stack pointer, so things basically worked okay with an
added weird looking 700 trap frame on top (which had the wrong ->nip so it
didn’t decode bug messages either). Fix this by avoiding using numeric
labels when jumping over non-trivial macros. Before: LE PAGE_SIZE=64K
MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: CPU: 0 PID: 88
Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637 NIP:
7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0 REGS:
c0000000fffb3a50 TRAP: 0700 Not tainted MSR: 9000000000021031
<SF,HV,ME,IR,DR,LE> CR: 00000700 XER: 20040000 CFAR: c0000000000098b0
IRQMASK: 0 GPR00: c00000000006c964 c0000000fffb3cf0 c000000001513800
0000000000000000 GPR04: 0000000048ab0778 0000000042000000 0000000000000000
0000000000001299 GPR08: 000001e447c718ec 0000000022424282 0000000000002710
c00000000006bee8 GPR12: 9000000000009033 c0000000016b0000 00000000000000b0
0000000000000001 GPR16: 0000000000000000 0000000000000002 0000000000000000
0000000000000ff8 GPR20: 0000000000001fff 0000000000000007 0000000000000080
00007fff89d90158 GPR24: 0000000002000000 0000000002000000 0000000000000255
0000000000000300 GPR28: c000000001270000 0000000042000000 0000000048ab0778
c000000080647e80 NIP [7265677368657265] 0x7265677368657265 LR
[c00000000006c0c8] ___do_page_fault+0x3f8/0xb10 Call Trace:
[c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0
(unreliable) — interrupt: 700 at decrementer_common_virt+0xb8/0x230 NIP:
c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0 REGS:
c0000000fffb3d60 TRAP: 0700 Not tainted MSR: 9000000000021031
<SF,HV,ME,IR,DR,LE> CR: 22424282 XER: 20040000 CFAR: c0000000000098b0
IRQMASK: 0 GPR00: c00000000006c964 0000000000002400 c000000001513800
0000000000000000 GPR04: 0000000048ab0778 0000000042000000 0000000000000000
0000000000001299 GPR08: 000001e447c718ec 0000000022424282 0000000000002710
c00000000006bee8 GPR12: 9000000000009033 c0000000016b0000 00000000000000b0
0000000000000001 GPR16: 0000000000000000 0000000000000002 0000000000000000
0000000000000ff8 GPR20: 0000000000001fff 0000000000000007 0000000000000080
00007fff89d90158 GPR24: 0000000002000000 0000000002000000 0000000000000255
0000000000000300 GPR28: c000000001270000 0000000042000000 0000000048ab0778
c000000080647e80 NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230
LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10 — interrupt: 700
Instruction dump: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX —[ end trace 6d28218e0cc3c949 ]— After: ------------[
cut here ]------------ kernel BUG at
arch/powerpc/kernel/exceptions-64s.S:491! Oops: Exception in kernel mode,
sig: 5 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
Modules linked in: CPU: 0 PID: 88 Comm: login Not tainted
5.15.0-rc2-00034-ge057cdade6e5-dirty #2638 NIP: c0000000000098b8 LR:
c00000000006bf04 CTR: c0000000000097f0 REGS: c0000000fffb3d60 TRAP: 0700
Not tainted MSR: 9000000000021031 <SF,HV,ME,IR,DR,LE> CR: 24482227 XER:
00040000 CFAR: c0000000000098b0 IRQMASK: 0 GPR00: c00000000006bf04
0000000000002400 c000000001513800 c000000001271868 GPR04: 00000000100f0d29
0000000042000000 0000000000000007 0000000000000009 GPR08: 00000000100f0d29
0000000024482227 0000000000002710 c000000000181b3c GPR12: 9000000000009033
c0000000016b0000 00000000100f0d29 c000000005b22f00 GPR16: 00000000ffff0000
0000000000000001 0000000000000009 00000000100eed90 GPR20: 00000000100eed90
00000 —truncated—
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-bluefield | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gcp | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gkeop | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-ibm | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-iot | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-kvm | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-oracle | < any | UNKNOWN |
git.kernel.org/linus/3e607dc4df180b72a38e75030cb0f94d12808712 (5.15-rc5)
git.kernel.org/stable/c/3e607dc4df180b72a38e75030cb0f94d12808712
git.kernel.org/stable/c/411b38fe68ba20a8bbe724b0939762c3f16e16ca
git.kernel.org/stable/c/c835b3d1d6362b4a4ebb192da7e7fd27a0a45d01
launchpad.net/bugs/cve/CVE-2021-47428
nvd.nist.gov/vuln/detail/CVE-2021-47428
security-tracker.debian.org/tracker/CVE-2021-47428
www.cve.org/CVERecord?id=CVE-2021-47428