From: Seunghun Han
Date: Thu, 1 Mar 2018 23:22:42 +0900
Subject: Re: [PATCH V2] x86: mce: fix kernel panic when check_interval is changed
To: Tony Luck, Borislav Petkov
Cc: linux-edac@vger.kernel.org, Linux Kernel Mailing List, Greg Kroah-Hartman, Seunghun Han
X-Mailing-List: linux-kernel@vger.kernel.org

Hi, Borislav.

I made a new patch according to your advice.
The patch is here, https://lkml.org/lkml/2018/2/28/1230.
If you have any advice about it, please let me know.

Best regards.

Seunghun.

2018-03-01 5:31 GMT+09:00 Seunghun Han :
> I am Seunghun Han and a senior security researcher at National Security
> Research Institute of South Korea.
>
> I found a security issue which can make the kernel panic from userspace. After
> analyzing the issue carefully, I found that the MCE driver in the kernel has a
> problem which can occur in an SMP environment.
>
> The check_interval file in the
> /sys/devices/system/machinecheck/machinecheck directory is a
> global timer value for MCE polling. If it is changed by one CPU, the MCE driver
> in the kernel calls the mce_restart() function and broadcasts the event to other
> CPUs to delete and restart the MCE polling timer.
>
> The __mcheck_cpu_init_timer() function which is called by the mce_restart()
> function initializes the mce_timer variable, and the "lock" in mce_timer is
> also reinitialized. If more than one CPU writes a specific value to the
> check_interval file concurrently, one can initialize the "lock" in mce_timer
> while the others are handling the "lock" in mce_timer. This problem causes some
> synchronization errors such as kernel panic and kernel hang.
>
> It is a security problem because an attacker can make the kernel panic by
> writing a value to the check_interval file from userspace, and it can be used
> for a Denial-of-Service (DoS) attack.
>
> To fix this problem, I added a mce_sysfs_mutex to serialize requests.
> > Signed-off-by: Seunghun Han > --- > Changes since v1: add mce_sysfs_mutex according to review result. > > arch/x86/kernel/cpu/mcheck/mce.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c > index 706584681a4c..bee0795a3b8c 100644 > --- a/arch/x86/kernel/cpu/mcheck/mce.c > +++ b/arch/x86/kernel/cpu/mcheck/mce.c > @@ -55,6 +55,7 @@ > #include "mce-internal.h" > > static DEFINE_MUTEX(mce_log_mutex); > +static DEFINE_MUTEX(mce_sysfs_mutex); > > #define CREATE_TRACE_POINTS > #include > @@ -2045,8 +2046,11 @@ static void mce_enable_ce(void *all) > return; > cmci_reenable(); > cmci_recheck(); > - if (all) > + if (all) { > + mutex_lock(&mce_sysfs_mutex); > __mcheck_cpu_init_timer(); > + mutex_unlock(&mce_sysfs_mutex); > + } > } > > static struct bus_type mce_subsys = { > @@ -2132,8 +2136,14 @@ static ssize_t store_int_with_restart(struct device *s, > struct device_attribute *attr, > const char *buf, size_t size) > { > + unsigned long old_check_interval = check_interval; > ssize_t ret = device_store_int(s, attr, buf, size); > + > + if (check_interval == old_check_interval) > + return ret; > + mutex_lock(&mce_sysfs_mutex); > mce_restart(); > + mutex_unlock(&mce_sysfs_mutex); > return ret; > } > > -- > 2.16.2 >
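Review bot: the new `static DEFINE_MUTEX(mce_sysfs_mutex);` in the first hunk carries no comment saying what it protects, and since the commit message says it serializes sysfs writers that reinitialize mce_timer, that invariant should be written next to the definition. Add a one-line comment such as `/* Serializes sysfs writers that restart the MCE polling timer */` above it so later readers know which paths must hold the mutex.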
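Review bot: mutex_lock() may sleep, so the second hunk (the lock around `__mcheck_cpu_init_timer();` in mce_enable_ce()) is only correct if that function is never run with interrupts disabled or as an IPI callback; its `void *all` parameter has the shape of an on_each_cpu()/smp_call_function() callback argument, in which case taking a mutex there would be a sleeping-in-atomic bug rather than a fix. Please state the call context in the changelog; if mce_enable_ce() is an IPI callback, the serialization belongs in the sysfs handler that triggers the broadcast, where the mutex can be held around the whole on_each_cpu() call, and this hunk should be dropped.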
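Review bot: in the third hunk the mutex is taken too late: device_store_int() updates check_interval and the `if (check_interval == old_check_interval)` comparison both run before mutex_lock(), so concurrent writers still read and write the shared variable unserialized and the early-return check is made against a value another writer may have changed in between. Take mce_sysfs_mutex before `ssize_t ret = device_store_int(s, attr, buf, size);` and release it after mce_restart(), so that snapshot, store, compare and restart form one critical section. Separately, `unsigned long old_check_interval` should use the same type as check_interval (the helper is device_store_int, which suggests int) so the comparison does not involve a silent conversion.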