Message-ID: <2b9f664b4763f745dee7efa526285eb891c99c72.camel@neuling.org>
Subject: CVE-2019-15031: Linux kernel: powerpc: data leak with FP/VMX triggerable by interrupt in transaction
From: Michael Neuling
To: oss-security
Cc: Michael Ellerman, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Linuxppc-users, Gustavo Romero
Date: Tue, 10 Sep 2019 23:16:53 +1000

The Linux kernel for powerpc since v4.15 has a bug in its TM handling during interrupts where any user can read the FP/VMX registers of a different user's process. Users of TM + FP/VMX can also experience corruption of their FP/VMX state.

To trigger the bug, a process starts a transaction with FP/VMX off and then takes an interrupt. Due to the kernel's incorrect handling of the interrupt, FP/VMX is turned on but the checkpointed state is not updated. If this transaction then rolls back, the checkpointed state may contain the state of a different process. This checkpointed state can then be read by the process, hence leaking data from one process to another.

The trigger for this bug is an interrupt inside a transaction where FP/VMX is off, hence the process needs FP/VMX off when starting the transaction. FP/VMX availability is under the control of the kernel and is transparent to the user, hence the user has to retry the transaction many times to trigger this bug. High interrupt loads also help trigger this bug.

All 64-bit machines where TM is present are affected. This includes all POWER8 variants and POWER9 VMs under KVM or LPARs under PowerVM. POWER9 bare metal doesn't support TM and hence is not affected.
The bug was introduced in commit fa7771176b439 ("powerpc: Don't enable FP/Altivec if not checkpointed"), which was originally merged in v4.15.

The upstream fix is here:
https://git.kernel.org/torvalds/c/a8318c13e79badb92bc6640704a64cc022a6eb97

The fix can be verified by running the tm-poison test from the kernel selftests. This test is in a patch here:
https://patchwork.ozlabs.org/patch/1157467/
which should eventually end up here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/powerpc/tm/tm-poison.c

cheers
Mikey
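A host triage helper, added here as an example (it is not the tm-poison selftest and not code from the kernel tree or the advisory's author): it decodes the process auxiliary vector to see whether the CPU or hypervisor actually exposes TM, which is the precondition the advisory gives, and on a 64-bit powerpc kernel at or above v4.15 reports that the fix commit must be confirmed. It assumes the standard Linux/powerpc uapi values AT_HWCAP2 = 26, PPC_FEATURE2_HTM = 0x40000000 and PPC_FEATURE2_HTM_NOSC = 0x01000000, and an auxv of 8-byte key/value pairs; the auxv blobs used in testing are constructed.

```python
import platform
import re
import struct

# Added example; the constants are the standard Linux/powerpc uapi values (assumption).
AT_NULL, AT_HWCAP2 = 0, 26
PPC_FEATURE2_HTM = 0x40000000        # hardware transactional memory exposed
PPC_FEATURE2_HTM_NOSC = 0x01000000   # TM exposed, but syscalls abort transactions
FIRST_AFFECTED = (4, 15)             # bug introduced in v4.15 (commit fa7771176b439)
FIX_COMMIT = "a8318c13e79badb92bc6640704a64cc022a6eb97"  # upstream fix per the advisory

def parse_auxv(blob, endian="<"):
    """Decode a raw /proc/self/auxv blob of 8-byte key/value pairs ('<' ppc64le, '>' ppc64)."""
    entries = {}
    for off in range(0, len(blob) - 15, 16):
        key, val = struct.unpack_from(endian + "QQ", blob, off)
        if key == AT_NULL:      # AT_NULL terminates the vector
            break
        entries[key] = val
    return entries

def tm_available(auxv):
    """True if the CPU/hypervisor advertises TM; POWER9 bare metal does not."""
    return bool(auxv.get(AT_HWCAP2, 0) & (PPC_FEATURE2_HTM | PPC_FEATURE2_HTM_NOSC))

def kernel_version(release):
    """'5.2.14-200.fc30.ppc64le' -> (5, 2); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)", release)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(machine, release, auxv):
    """Classify a host from its uname machine/release strings and parsed auxv."""
    if not machine.startswith("ppc64"):
        return "not affected: not a 64-bit powerpc kernel"
    if not tm_available(auxv):
        return "not affected: TM not exposed to this kernel (e.g. POWER9 bare metal)"
    ver = kernel_version(release)
    if ver is None:
        return "unknown: cannot parse kernel release %r" % release
    if ver < FIRST_AFFECTED:
        return "not affected: kernel predates v4.15"
    return ("possibly affected: TM present on kernel %s; confirm fix commit %s is "
            "included, or run the tm-poison selftest" % (release, FIX_COMMIT))

if __name__ == "__main__":
    with open("/proc/self/auxv", "rb") as f:   # only meaningful on a Linux host
        raw = f.read()
    print(triage(platform.machine(), platform.release(), parse_auxv(raw)))
```

A "possibly affected" verdict is only a prompt to check the distro changelog for the fix commit or to run the selftest; the version number alone cannot tell whether a stable backport is present.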