From: Seunghun Han
Date: Mon, 26 Feb 2018 05:05:04 +0900
Subject: Re: [PATCH] x86: mce: fix kernel panic when check_interval is changed
To: Greg Kroah-Hartman
Cc: Tony Luck, Borislav Petkov, linux-edac@vger.kernel.org, Linux Kernel Mailing List
In-Reply-To: <20180223105220.GA12058@kroah.com>
References: <20180223101350.8344-1-kkamagui@gmail.com> <20180223105220.GA12058@kroah.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello, Greg.

2018-02-23 19:52 GMT+09:00 Greg Kroah-Hartman :
> On Fri, Feb 23, 2018 at 07:13:50PM +0900, Seunghun Han wrote:
>> I am Seunghun Han, a senior security researcher at the National Security
>> Research Institute of South Korea.
>>
>> I found a critical security issue which can make the kernel panic from userspace.
>> After analyzing the issue carefully, I found that the MCE driver in the kernel
>> has a problem which can occur in an SMP environment.
>>
>> The check_interval file in the
>> /sys/devices/system/machinecheck/machinecheck directory is a
>> global timer value for MCE polling. If it is changed by one CPU, the MCE driver
>> in the kernel calls the mce_restart() function and broadcasts the event to other
>> CPUs to delete and restart the MCE polling timer.
>>
>> The __mcheck_cpu_init_timer() function, which is called by the mce_restart()
>> function, initializes the mce_timer variable, and the "lock" in mce_timer is
>> also reinitialized. If more than one CPU writes a specific value to the
>> check_interval file concurrently, one can initialize the "lock" in mce_timer
>> while the others are handling the "lock" in mce_timer. This problem causes some
>> synchronization errors such as kernel panic and kernel hang.
>>
>> It is a critical security problem because an attacker can make the kernel panic
>> by writing a value to the check_interval file from userspace, and it can be
>> used for a Denial-of-Service (DoS) attack.
>
> As only root can write to that file, it's not that critical of an issue,
> but yes, this is a problem. Nice find and fix.

I agree with your opinion. Thank you for your advice.

Best regards.

Seunghun.

>>
>> To fix this problem, I changed the __mcheck_cpu_init_timer() function to
>> reuse mce_timer instead of initializing it. The purpose of the function is
>> to restart the timer and it can be achieved by calling
>>
>> Signed-off-by: Seunghun Han
>
> Cc: stable
> Acked-by: Greg Kroah-Hartman
>
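The race described in the thread, modelled as an added example that is not part of this discussion or of the kernel's MCE code: a toy polling timer guarded by a test-and-set spinlock, a "restart" that re-runs the initialiser and thereby resets the lock (the behaviour the patch removes) beside a restart that reuses the existing timer and only takes its lock, and a scripted CPU0/CPU1/CPU2 interleaving that counts how many CPUs end up inside the critical section at once. The struct, the spinlock and every function name here are assumptions made for illustration; the kernel's mce_timer is a struct timer_list and __mcheck_cpu_init_timer() is not reproduced.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the bug class in the patch thread.  The lock is a
 * minimal test-and-set spinlock so that its state can be inspected
 * deterministically; none of this is kernel code.
 */
struct poll_timer {
    atomic_int lock;     /* 0 = free, 1 = held */
    long interval_ms;    /* polling interval, analogous to check_interval */
    bool pending;        /* timer armed? */
};

/* Acquire the toy spinlock without waiting; true if acquired. */
static bool timer_trylock(struct poll_timer *t)
{
    int expected = 0;
    return atomic_compare_exchange_strong(&t->lock, &expected, 1);
}

static void timer_unlock(struct poll_timer *t)
{
    atomic_store(&t->lock, 0);
}

/* One-time initialisation: the only place that may write the lock to 0. */
static void timer_init(struct poll_timer *t, long interval_ms)
{
    atomic_init(&t->lock, 0);
    t->interval_ms = interval_ms;
    t->pending = false;
}

/* BEFORE: restart re-runs the initialiser, which also resets the lock. */
static void timer_restart_reinit(struct poll_timer *t, long interval_ms)
{
    timer_init(t, interval_ms);   /* wipes a lock another CPU may be holding */
    t->pending = true;
}

/* AFTER: restart reuses the timer; the lock is taken, never re-created. */
static bool timer_restart_reuse(struct poll_timer *t, long interval_ms)
{
    if (!timer_trylock(t))
        return false;             /* busy: a real caller would spin/retry */
    t->interval_ms = interval_ms;
    t->pending = true;
    timer_unlock(t);
    return true;
}

/*
 * Scripted interleaving: CPU0 holds the timer lock (mid-way through its
 * own timer work), CPU1 handles a concurrent check_interval write, then
 * CPU2 tries to take the lock.  Returns how many CPUs hold the lock at
 * the same time; any value above 1 means mutual exclusion was broken.
 */
static int concurrent_holders(bool use_fix)
{
    struct poll_timer t;
    int holders = 0;

    timer_init(&t, 300);

    /* CPU0: enters the critical section and stays there */
    if (timer_trylock(&t))
        holders++;

    /* CPU1: concurrent restart while CPU0 still holds the lock */
    if (use_fix)
        (void)timer_restart_reuse(&t, 100);   /* sees the lock busy, backs off */
    else
        timer_restart_reinit(&t, 100);        /* silently resets the lock to 0 */

    /* CPU2: should be refused while CPU0 is inside */
    if (timer_trylock(&t))
        holders++;

    return holders;   /* 2 with the reinit path, 1 with the reuse path */
}

int main(void)
{
    printf("reinit on restart: %d concurrent holders\n", concurrent_holders(false));
    printf("reuse on restart:  %d concurrent holders\n", concurrent_holders(true));
    return 0;
}
```

The model deliberately uses a try-lock so the interleaving is fixed and observable; with a spinning lock the reinit path would instead let a waiter proceed while the owner is still inside, which is the kind of corrupted lock state that manifests as the panic or hang the report describes.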