A flaw was found in the Linux kernels handling of signal frame processing where any user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written.
This flaw only affects PowerPC systems running on Power8 or later processors.
This issue was introduced by commit:
An upstream fix:
Created attachment 1333629 [details]
This issue does not affect the Linux kernel and kernel-rt packages as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Created attachment 1335172 [details]
Proposed patch 2
This is a supplement to the first patch, not a replacement.
Name: Michael Ellerman, Gustavo Romero, Breno Leitao, Paul Mackerras, Cyril Bur
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1500335]
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0654