fkie_cve-2022-49164
Vulnerability from fkie_nvd
Published
2025-02-26 07:00
Modified
2025-02-26 07:00
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: powerpc/tm: Fix more userspace r13 corruption Commit cf13435b730a ("powerpc/tm: Fix userspace r13 corruption") fixes a problem in treclaim where a SLB miss can occur on the thread_struct->ckpt_regs while SCRATCH0 is live with the saved user r13 value, clobbering it with the kernel r13 and ultimately resulting in kernel r13 being stored in ckpt_regs. There is an equivalent problem in trechkpt where the user r13 value is loaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss could occur on ckpt_regs accesses after that, which will result in r13 being clobbered with a kernel value and that will get recheckpointed and then restored to user registers. The same memory page is accessed right before this critical window where a SLB miss could cause corruption, so hitting the bug requires the SLB entry be removed within a small window of instructions, which is possible if a SLB related MCE hits there. PAPR also permits the hypervisor to discard this SLB entry (because slb_shadow->persistent is only set to SLB_NUM_BOLTED) although it's not known whether any implementations would do this (KVM does not). So this is an extremely unlikely bug, only found by inspection. Fix this by also storing user r13 in a temporary location on the kernel stack and don't change the r13 register from kernel r13 until the RI=0 critical section that does not fault. The SCRATCH0 change is not strictly part of the fix, it's only used in the RI=0 section so it does not have the same problem as the previous SCRATCH0 bug.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5dce84f475d13b773a1a4c823581cab25044d86a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/73d8082c90f17dfba57cad4ca94db5cae323f1b1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9d71165d3934e607070c4e48458c0cf161b1baea
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/tm: Fix more userspace r13 corruption\n\nCommit cf13435b730a (\"powerpc/tm: Fix userspace r13 corruption\") fixes a\nproblem in treclaim where a SLB miss can occur on the\nthread_struct-\u003eckpt_regs while SCRATCH0 is live with the saved user r13\nvalue, clobbering it with the kernel r13 and ultimately resulting in\nkernel r13 being stored in ckpt_regs.\n\nThere is an equivalent problem in trechkpt where the user r13 value is\nloaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss\ncould occur on ckpt_regs accesses after that, which will result in r13\nbeing clobbered with a kernel value and that will get recheckpointed and\nthen restored to user registers.\n\nThe same memory page is accessed right before this critical window where\na SLB miss could cause corruption, so hitting the bug requires the SLB\nentry be removed within a small window of instructions, which is\npossible if a SLB related MCE hits there. PAPR also permits the\nhypervisor to discard this SLB entry (because slb_shadow-\u003epersistent is\nonly set to SLB_NUM_BOLTED) although it\u0027s not known whether any\nimplementations would do this (KVM does not). So this is an extremely\nunlikely bug, only found by inspection.\n\nFix this by also storing user r13 in a temporary location on the kernel\nstack and don\u0027t change the r13 register from kernel r13 until the RI=0\ncritical section that does not fault.\n\nThe SCRATCH0 change is not strictly part of the fix, it\u0027s only used in\nthe RI=0 section so it does not have the same problem as the previous\nSCRATCH0 bug."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/tm: Fix more userspace r13 democracy Commit cf13435b730a (\"powerpc/tm: Fix userspace r13 democracy\") corrige un problema en treclaim donde puede ocurrir un error de SLB en thread_struct-\u0026gt;ckpt_regs mientras SCRATCH0 est\u00e1 activo con el valor r13 del usuario guardado, golpe\u00e1ndolo con el r13 del kernel y, en \u00faltima instancia, resultando en que el r13 del kernel se almacene en ckpt_regs. Hay un problema equivalente en trechkpt donde el valor r13 del usuario se carga en r13 desde chkpt_regs para volver a establecer un punto de control, pero podr\u00eda ocurrir un error de SLB en los accesos a ckpt_regs despu\u00e9s de eso, lo que resultar\u00e1 en que r13 se golpee con un valor del kernel y que se vuelva a establecer un punto de control y luego se restaure a los registros del usuario. Se accede a la misma p\u00e1gina de memoria justo antes de esta ventana cr\u00edtica donde un error de SLB podr\u00eda causar corrupci\u00f3n, por lo que encontrar el error requiere que la entrada de SLB se elimine dentro de una peque\u00f1a ventana de instrucciones, lo que es posible si un MCE relacionado con SLB llega all\u00ed. PAPR tambi\u00e9n permite que el hipervisor descarte esta entrada de SLB (porque slb_shadow-\u0026gt;persistent solo est\u00e1 configurado en SLB_NUM_BOLTED) aunque no se sabe si alguna implementaci\u00f3n har\u00eda esto (KVM no lo hace). Por lo tanto, este es un error extremadamente improbable, que solo se encuentra por inspecci\u00f3n. Arregle esto almacenando tambi\u00e9n el usuario r13 en una ubicaci\u00f3n temporal en la pila del kernel y no cambie el registro r13 del kernel r13 hasta la secci\u00f3n cr\u00edtica RI=0 que no falla. El cambio SCRATCH0 no es estrictamente parte de la soluci\u00f3n, solo se usa en la secci\u00f3n RI=0, por lo que no tiene el mismo problema que el error SCRATCH0 anterior."
    }
  ],
  "id": "CVE-2022-49164",
  "lastModified": "2025-02-26T07:00:53.563",
  "metrics": {},
  "published": "2025-02-26T07:00:53.563",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5dce84f475d13b773a1a4c823581cab25044d86a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/73d8082c90f17dfba57cad4ca94db5cae323f1b1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9d71165d3934e607070c4e48458c0cf161b1baea"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.