Bug 1326540 (CVE-2015-8844, CVE-2015-8845) - CVE-2015-8845 CVE-2015-8844 kernel: incorrect restoration of machine specific registers from userspace
Summary: CVE-2015-8845 CVE-2015-8844 kernel: incorrect restoration of machine specific...
Status: NEW
Alias: CVE-2015-8844, CVE-2015-8845
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160413,repor...
Keywords: Security
Depends On: 1276293 1326607 1326608 1326610 1326611 1326613 1326614 1326649
Blocks: 1282344
TreeView+ depends on / blocked
 
Reported: 2016-04-13 01:57 UTC by Wade Mealing
Modified: 2019-02-08 15:03 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the Linux kernel which could cause a kernel panic when restoring machine specific registers on the PowerPC platform. Incorrect transactional memory state registers could inadvertently change the call path on return from userspace and cause the kernel to enter an unknown state and crash.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2574 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-11-03 12:06:10 UTC
Red Hat Product Errata RHSA-2016:2584 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-11-03 12:08:49 UTC

Description Wade Mealing 2016-04-13 01:57:15 UTC
A flaw was found in the linux kernel which could cause a kernel panic when restoring machine specific registers on the power pc platform.  Incorrect transactional memory state registers could inadvertently change the call path on return from userspace and cause the kernel to enter an unknown state and panic defensively.

The message is usually as follows:

kernel BUG at arch/powerpc/kernel/tm.S:177

Call Trace:
[c0000001cb41ba60] [c000000000015b40] .tm_reclaim_current+0xa0/0x120
[c0000001cb41bb00] [c000000000018188] .get_tm_stackpointer+0x48/0x80
[c0000001cb41bb80] [c000000000025634] .handle_rt_signal64+0x64/0x7c0
[c0000001cb41bc70] [c000000000017db8] .do_signal+0x168/0x320
[c0000001cb41bdb0] [c0000000000180cc] .do_notify_resume+0x8c/0x100


In this situation, the transactional memory state has not been initiated correctly for the handler to work, and the BUG() is triggered.

References (Fixes):
https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?h=fixes&id=d2b9d2a5ad5ef04ff978c9923d19730cb05efd55

https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?h=fixes&id=7f821fc9c77a9b01fe7b1d6e72717b33d8d64142

Oss-sec post:
http://seclists.org/oss-sec/2016/q2/64

Comment 1 Wade Mealing 2016-04-13 02:03:45 UTC
Acknowledgements:

Name: Miroslav Vadkerti (Red Hat Engineering)

Comment 4 Wade Mealing 2016-04-13 08:04:25 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6,

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7 and MRG-2 realtime kernels.

For additional information, refer
to the Red Hat Enterprise Linux Life Cycle:
https://access.redhat.com/support/policy/updates/errata/ .

Comment 9 Wade Mealing 2016-04-13 09:39:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1326649]

Comment 10 Josh Boyer 2016-04-13 11:34:36 UTC
(In reply to Wade Mealing from comment #0)
> In this situation, the transactional memory state has not been initiated
> correctly for the handler to work, and the BUG() is triggered.
> 
> References:
> https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/
> ?h=fixes&id=d2b9d2a5ad5ef04ff978c9923d19730cb05efd55
> 
> https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/
> ?h=fixes&id=7f821fc9c77a9b01fe7b1d6e72717b33d8d64142

Are these commits fixes for this issue, or are they the commits that introduced this issue?

Comment 11 Wade Mealing 2016-04-13 11:49:53 UTC
I believe those are the two that fixes the issue, sorry should have made that clearer.

Comment 15 errata-xmlrpc 2016-11-03 15:56:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 16 errata-xmlrpc 2016-11-03 19:46:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 17 errata-xmlrpc 2016-11-03 21:33:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 18 errata-xmlrpc 2016-11-03 21:49:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html


Note You need to log in before you can comment on or make changes to this bug.