Bug 1784572 (CVE-2019-19602)

Summary: CVE-2019-19602 kernel: cached use of fpu_fpregs_owner_ctx in arch/x86/include/asm/fpu/internal.h can lead to DoS
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the Linux kernel. When compiled with GCC 9, a vector register corruption occurs on return from a signal handler where the top page of the signal stack had not yet been paged in. This can allow a local attacker with special user privilege (or root) to leak kernel internal information. The highest threat from this vulnerability is to data confidentiality.
Last Closed: 2021-10-25 22:15:32 UTC
Bug Depends On: 1784575, 1810236, 1830209, 1830210, 1830212
Bug Blocks: 1784573

Description Guilherme de Almeida Suckevicz 2019-12-17 18:09:25 UTC
A vulnerability was found in the Linux kernel which, when compiled with GCC 9, could cause a vector register corruption on return from a signal handler where the top page of the signal stack had not yet been paged in. This flaw can allow a local attacker with special user privilege (or root) to leak kernel internal information.

The content of fpregs_state_valid (or the FPU register) may change during preemption and must not be cached. In the current situation, FPU data like state/owner is never changed during the lifetime of a task and remains constant (which is not right).

With deferred FPU loading, the compiler is no longer allowed to move the load of fpu_fpregs_owner_ctx somewhere else outside of the locked section; with this, a task preemption will change its value and stale content will be observed.

Reference:
https://bugzilla.kernel.org/show_bug.cgi?id=205663

Upstream commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=59c4bd853abcea95eccc167a7d7fd5f1a5f47b98
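As an added model in C of the pattern the description refers to (not kernel code and not from the upstream commit): a retry loop that tests whether the per-CPU owner pointer still points at the caller's context, once with the pointer cached before the loop and once re-read through a READ_ONCE()-style volatile access, with a simulated preemption between passes. `struct fpu`, `preempt_and_switch_to()` and `scenario()` are hypothetical stand-ins; only the name fpu_fpregs_owner_ctx comes from the report.

```c
#include <stdbool.h>

/* Hypothetical model, not kernel code: the per-CPU pointer recording whose FPU
 * context is currently loaded in the registers. One CPU is modelled here. */
struct fpu { int task_id; };
static struct fpu *fpu_fpregs_owner_ctx;

/* Stand-in for the kernel's READ_ONCE(): a volatile access the compiler may
 * neither hoist out of the loop nor merge with an earlier load. */
#define READ_ONCE(x) (*(volatile __typeof__(x) *)&(x))

/* Simulated preemption point (e.g. the fault that pages in the signal frame):
 * another task runs and its FPU context becomes the loaded one. */
static void preempt_and_switch_to(struct fpu *other)
{
    fpu_fpregs_owner_ctx = other;
}

/* Buggy pattern: the owner pointer is loaded once before the retry loop and the
 * cached value is reused on every pass. Returns the last "still mine?" verdict. */
static bool fpregs_valid_cached(struct fpu *me, struct fpu *other, int retries)
{
    struct fpu *owner = fpu_fpregs_owner_ctx;   /* cached across preemption */
    bool valid = false;
    for (int i = 0; i < retries; i++) {
        valid = (owner == me);                  /* stale after the switch */
        preempt_and_switch_to(other);
    }
    return valid;
}

/* Fixed pattern: the pointer is re-read on every pass through READ_ONCE(). */
static bool fpregs_valid_read_once(struct fpu *me, struct fpu *other, int retries)
{
    bool valid = false;
    for (int i = 0; i < retries; i++) {
        valid = (READ_ONCE(fpu_fpregs_owner_ctx) == me);
        preempt_and_switch_to(other);
    }
    return valid;
}

/* Runs one two-pass retry loop with our context loaded first; fixed selects the variant. */
static bool scenario(bool fixed)
{
    struct fpu me = { 1 }, other = { 2 };
    fpu_fpregs_owner_ctx = &me;
    return fixed ? fpregs_valid_read_once(&me, &other, 2) : fpregs_valid_cached(&me, &other, 2);
}
```

The cached variant still reports the registers as valid after the simulated switch, which is the stale verdict the report describes; the READ_ONCE() variant sees the new owner on the second pass.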

Comment 1 Guilherme de Almeida Suckevicz 2019-12-17 18:16:58 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1784575]

Comment 2 Justin M. Forbes 2019-12-19 15:14:57 UTC
This is fixed for Fedora with the 5.3.15 stable kernel update.

Comment 8 Rohit Keshri 2020-05-02 08:06:18 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.