Bug 1326540 (CVE-2015-8844, CVE-2015-8845) - CVE-2015-8845 CVE-2015-8844 kernel: incorrect restoration of machine specific registers from userspace
Summary: CVE-2015-8845 CVE-2015-8844 kernel: incorrect restoration of machine specific...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8844, CVE-2015-8845
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1276293 1326607 1326608 1326610 1326611 1326613 1326614 1326649
Blocks: 1282344
Reported: 2016-04-13 01:57 UTC by Wade Mealing
Modified: 2021-10-21 00:52 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the Linux kernel which could cause a kernel panic when restoring machine specific registers on the PowerPC platform. Incorrect transactional memory state registers could inadvertently change the call path on return from userspace and cause the kernel to enter an unknown state and crash.
Clone Of:
Environment:
Last Closed: 2021-10-21 00:52:17 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2574 0 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-11-03 12:06:10 UTC
Red Hat Product Errata RHSA-2016:2584 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-11-03 12:08:49 UTC

Description Wade Mealing 2016-04-13 01:57:15 UTC
A flaw was found in the Linux kernel which could cause a kernel panic when restoring machine specific registers on the PowerPC platform. Incorrect transactional memory state registers could inadvertently change the call path on return from userspace and cause the kernel to enter an unknown state and panic defensively.

The message is usually as follows:

kernel BUG at arch/powerpc/kernel/tm.S:177

Call Trace:
[c0000001cb41ba60] [c000000000015b40] .tm_reclaim_current+0xa0/0x120
[c0000001cb41bb00] [c000000000018188] .get_tm_stackpointer+0x48/0x80
[c0000001cb41bb80] [c000000000025634] .handle_rt_signal64+0x64/0x7c0
[c0000001cb41bc70] [c000000000017db8] .do_signal+0x168/0x320
[c0000001cb41bdb0] [c0000000000180cc] .do_notify_resume+0x8c/0x100


In this situation, the transactional memory state has not been initiated correctly for the handler to work, and the BUG() is triggered.

References (Fixes):
https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?h=fixes&id=d2b9d2a5ad5ef04ff978c9923d19730cb05efd55

https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/?h=fixes&id=7f821fc9c77a9b01fe7b1d6e72717b33d8d64142

Oss-sec post:
http://seclists.org/oss-sec/2016/q2/64
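
A user-space model of the restore path described above, added here as an example and not code from the kernel or this bug report: it treats the MSR transactional-state (TS) bits as untrusted input from the signal frame, shows how a reserved encoding passes the "is TM active" test and reaches the reclaim path, and shows the validation a sigreturn should apply before loading that state. The MSR bit positions, the model functions and the -EINVAL choice are assumptions from my reading of the upstream code, not facts stated on this page; the second referenced commit is not modeled.

```c
#include <stdint.h>
#include <stdbool.h>
/* Assumed Power ISA MSR transactional-state (TS) bits, Linux arch/powerpc naming. */
#define MSR_TS_S         (1ULL << 33)              /* TS = suspended */
#define MSR_TS_T         (1ULL << 34)              /* TS = transactional */
#define MSR_TS_MASK      (MSR_TS_T | MSR_TS_S)
#define MSR_TM_ACTIVE(m) (((m) & MSR_TS_MASK) != 0)
#define MSR_TM_RESV(m)   (((m) & MSR_TS_MASK) == MSR_TS_MASK) /* 0b11: reserved */

/* Constructed stand-in for the kernel's per-thread register state. */
struct thread_model {
    uint64_t msr;   /* MSR the kernel will load on return to userspace */
    int bug_hits;   /* times the reclaim path would have hit BUG() */
};

/* Model of tm_reclaim: reclaim is only defined from a real transactional or
 * suspended state; the reserved encoding is the "unknown state" that BUG()s. */
static void model_tm_reclaim(struct thread_model *t)
{
    if (MSR_TM_RESV(t->msr)) { t->bug_hits++; return; }
    t->msr &= ~MSR_TS_MASK;   /* a successful reclaim leaves TM inactive */
}

/* Model of signal delivery (get_tm_stackpointer): reclaim if TM looks active.
 * TS = 0b11 is non-zero, so the bad value passes this test and reaches reclaim. */
static void model_deliver_signal(struct thread_model *t)
{
    if (MSR_TM_ACTIVE(t->msr))
        model_tm_reclaim(t);
}

/* Model of sigreturn loading the TS bits that userspace put in the frame.
 * validate=false accepts any encoding (the flaw); validate=true refuses the
 * reserved one with -EINVAL (assumed), so it never becomes live kernel state. */
int model_sigreturn(struct thread_model *t, uint64_t user_msr, bool validate)
{
    if (validate && MSR_TM_RESV(user_msr))
        return -22;   /* -EINVAL */
    t->msr = (t->msr & ~MSR_TS_MASK) | (user_msr & MSR_TS_MASK);
    return 0;
}

/* One scenario: a sigreturn with user-supplied TS bits, then the next signal.
 * Returns the number of would-be BUG() hits (0 = the kernel survives). */
int scenario(uint64_t user_msr, bool validate)
{
    struct thread_model t = { .msr = 0, .bug_hits = 0 };
    model_sigreturn(&t, user_msr, validate);
    model_deliver_signal(&t);
    return t.bug_hits;
}
```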

Comment 1 Wade Mealing 2016-04-13 02:03:45 UTC
Acknowledgements:

Name: Miroslav Vadkerti (Red Hat Engineering)

Comment 4 Wade Mealing 2016-04-13 08:04:25 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 7 and MRG-2 realtime kernels.

For additional information, refer to the Red Hat Enterprise Linux Life Cycle:
https://access.redhat.com/support/policy/updates/errata/

Comment 9 Wade Mealing 2016-04-13 09:39:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1326649]

Comment 10 Josh Boyer 2016-04-13 11:34:36 UTC
(In reply to Wade Mealing from comment #0)
> In this situation, the transactional memory state has not been initiated
> correctly for the handler to work, and the BUG() is triggered.
> 
> References:
> https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/
> ?h=fixes&id=d2b9d2a5ad5ef04ff978c9923d19730cb05efd55
> 
> https://git.kernel.org/cgit/linux/kernel/git/powerpc/linux.git/commit/
> ?h=fixes&id=7f821fc9c77a9b01fe7b1d6e72717b33d8d64142

Are these commits fixes for this issue, or are they the commits that introduced this issue?

Comment 11 Wade Mealing 2016-04-13 11:49:53 UTC
I believe those are the two that fix the issue; sorry, I should have made that clearer.

Comment 15 errata-xmlrpc 2016-11-03 15:56:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 16 errata-xmlrpc 2016-11-03 19:46:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

Comment 17 errata-xmlrpc 2016-11-03 21:33:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2574 https://rhn.redhat.com/errata/RHSA-2016-2574.html

Comment 18 errata-xmlrpc 2016-11-03 21:49:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2584 https://rhn.redhat.com/errata/RHSA-2016-2584.html

