Subject: CVE-2019-15030: Linux kernel: powerpc: data leak with FP/VMX triggerable by unavailable exception in transaction
From: Michael Neuling
To: oss-security
Cc: Michael Ellerman, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Linuxppc-users, Gustavo Romero
Date: Tue, 10 Sep 2019 23:16:48 +1000

The Linux kernel for powerpc since v4.12 has a bug in its TM handling where any
user can read the FP/VMX registers of a different user's process. Users of TM +
FP/VMX can also experience corruption of their FP/VMX state.

To trigger the bug, a process starts a transaction and reads an FP/VMX register.
This transaction can then fail, which causes a rollback to the checkpointed
state. Due to the kernel taking an FP/VMX unavailable exception inside a
transaction and the kernel's incorrect handling of this, the checkpointed state
can be set to the FP/VMX registers of another process. This checkpointed state
can then be read by the process, hence leaking data from one process to another.

The trigger for this bug is an FP/VMX unavailable exception inside a
transaction, hence the process needs FP/VMX off when starting the transaction.
FP/VMX availability is under the control of the kernel and is transparent to the
user, hence the user has to retry the transaction many times to trigger this
bug.

All 64-bit machines where TM is present are affected. This includes all POWER8
variants and POWER9 VMs under KVM or LPARs under PowerVM. POWER9 bare metal
doesn't support TM and hence is not affected.

The bug was introduced in commit:
  f48e91e87e67 ("powerpc/tm: Fix FP and VMX register corruption")
Which was originally merged in v4.12

The upstream fix is here:
  https://git.kernel.org/torvalds/c/8205d5d98ef7f155de211f5e2eb6ca03d95a5a60

The fix can be verified by running the tm-poison test from the kernel
selftests. This test is in a patch here:
  https://patchwork.ozlabs.org/patch/1157467/
which should eventually end up here:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/powerpc/tm/tm-poison.c

cheers
Mikey
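
An added triage example (not part of the original advisory and not kernel code): a small C check for whether a host falls in the affected population described above, that is 64-bit powerpc, TM present, and a kernel at or after v4.12. The function names are hypothetical, and the PPC_FEATURE2_HTM bit in AT_HWCAP2 comes from the kernel's powerpc uapi headers rather than from the advisory. It assumes mainline version numbering and cannot tell whether the fix has been applied or backported.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/utsname.h>

/* Bit the powerpc kernel sets in AT_HWCAP2 when TM is offered to userspace. */
#ifndef PPC_FEATURE2_HTM
#define PPC_FEATURE2_HTM 0x40000000UL
#endif

/* Compare the "major.minor" prefix of a uname release string.
 * Returns 1 or 0, or -1 if the string cannot be parsed. */
static int release_at_least(const char *release, int want_major, int want_minor)
{
    int major = 0, minor = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return -1;
    return major > want_major || (major == want_major && minor >= want_minor);
}

/*
 *  1 = in the affected population (64-bit powerpc, TM present, kernel >= v4.12)
 *  0 = outside it
 * -1 = kernel release string not understood
 */
int tm_fp_leak_exposure(const char *machine, const char *release,
                        unsigned long hwcap2)
{
    if (strncmp(machine, "ppc64", 5) != 0)    /* matches ppc64 and ppc64le */
        return 0;
    if (!(hwcap2 & PPC_FEATURE2_HTM))         /* e.g. POWER9 bare metal: no TM */
        return 0;
    return release_at_least(release, 4, 12);
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) { perror("uname"); return 2; }
    int r = tm_fp_leak_exposure(u.machine, u.release, getauxval(AT_HWCAP2));
    printf("%s %s: %s\n", u.machine, u.release,
           r == 1 ? "in affected population; confirm the fix is present" :
           r == 0 ? "not in affected population" : "kernel release not parsed");
    return r == 1;
}
```

A result of 1 means the host needs a follow-up check that the upstream fix is in its kernel, for example by running the tm-poison selftest mentioned above.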