Date: Fri, 23 Feb 2018 11:52:20 +0100
From: Greg Kroah-Hartman
To: Seunghun Han
Cc: Tony Luck, Borislav Petkov, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86: mce: fix kernel panic when check_interval is changed
Message-ID: <20180223105220.GA12058@kroah.com>
In-Reply-To: <20180223101350.8344-1-kkamagui@gmail.com>

On Fri, Feb 23, 2018 at 07:13:50PM +0900, Seunghun Han wrote:
> I am Seunghun Han and a senior security researcher at National Security
> Research Institute of South Korea.
>
> I found a critical security issue which can make kernel panic in userspace.
> After analyzing the issue carefully, I found that MCE driver in the kernel
> has a problem which can be occurred in SMP environment.
>
> The check_interval file in
> /sys/devices/system/machinecheck/machinecheck directory is a
> global timer value for MCE polling. If it is changed by one CPU, MCE driver
> in kernel calls mce_restart() function and broadcasts the event to other
> CPUs to delete and restart MCE polling timer.
>
> The __mcheck_cpu_init_timer() function which is called by mce_restart()
> function initializes the mce_timer variable, and the "lock" in mce_timer is
> also reinitialized. If more than one CPU write a specific value to
> check_interval file concurrently, one can initialize the "lock" in mce_timer
> while the others are handling "lock" in mce_timer. This problem causes some
> synchronization errors such as kernel panic and kernel hang.
>
> It is a critical security problem because the attacker can make kernel panic
> by writing a value to the check_interval file in userspace, and it can be
> used for Denial-of-Service (DoS) attack.

As only root can write to that file, it's not that critical of an issue,
but yes, this is a problem. Nice find and fix.

>
> To fix this problem, I changed the __mcheck_cpu_init_timer() function to
> reuse mce_timer instead of initializing it. The purpose of the function is
> to restart the timer and it can be achieved by calling
>
> Signed-off-by: Seunghun Han

Cc: stable
Acked-by: Greg Kroah-Hartman
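
A userspace model of the interleaving described in the quoted report, added here as an illustration and not taken from the patch or the kernel: it shows why re-initializing a lock on the restart path breaks mutual exclusion while reusing the existing object does not. The lock type, the function names and the hand-fixed two-CPU schedule are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model only; every type and function name here is hypothetical. */
struct model_lock  { int owner; };            /* -1 = free, else holding CPU */
struct model_timer { struct model_lock lock; unsigned long expires; };
static void lock_init(struct model_lock *l) { l->owner = -1; }

static bool try_lock(struct model_lock *l, int cpu)
{
    if (l->owner != -1)
        return false;                         /* a real spinlock would spin */
    l->owner = cpu;
    return true;
}

/* Returns false when the caller no longer owns the lock it is releasing. */
static bool unlock(struct model_lock *l, int cpu)
{
    bool owned = (l->owner == cpu);
    l->owner = -1;
    return owned;
}

/* Restart path; reinit=true re-initializes the lock on every restart. */
static bool restart(struct model_timer *t, int cpu, unsigned long exp, bool reinit)
{
    if (reinit)
        lock_init(&t->lock);                  /* wipes the current holder */
    if (!try_lock(&t->lock, cpu))
        return false;                         /* correctly excluded */
    t->expires = exp;
    return unlock(&t->lock, cpu);
}

/* CPU 0 is inside the critical section when CPU 1 restarts the timer.
 * Returns how many mutual-exclusion violations that schedule produces. */
int count_violations(bool reinit)
{
    struct model_timer t = { .expires = 0 };
    int violations = 0;
    lock_init(&t.lock);                         /* one-time setup */
    try_lock(&t.lock, 0);                       /* CPU 0 enters */
    violations += restart(&t, 1, 100, reinit);  /* CPU 1 got in as well */
    violations += !unlock(&t.lock, 0);          /* CPU 0 releases a lost lock */
    return violations;
}

int main(void)
{
    printf("reinit: %d, reuse: %d\n", count_violations(true), count_violations(false));
}
```

With re-initialization the model records two violations (a second holder inside the critical section, then a release of a lock that is no longer owned); with reuse it records none.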