A flaw was found in the way the Linux kernel's memory subsystem on certain 64-bit PowerPC with the hash page table MMU handled memory above 512TB. A local, unprivileged user could use this flaw to escalate their privileges on the system. Upstream commit that introduced this issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f384796c40dc Upstream fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca72d88378b2f2444d3ec145dd442d449d3fefbc
*** Bug 1720341 has been marked as a duplicate of this bug. ***
Note from the reporter: This bug only affects machines using 64-bit CPUs with the hash page table MMU, see below for more detail on affected CPUs. To trigger the bug a process must allocate memory above 512TB. That only happens if userspace explicitly requests it with mmap(). That process must then fork(), at this point the child incorrectly inherits the "context id" of the parent associated with the mapping above 512TB. It may then be possible for the parent/child to write to each other's mappings above 512TB, which should not be possible, and constitutes memory corruption. If instead the child process exits, all its context ids are freed, including the context id that is still in use by the parent for the mapping above 512TB. That id can then be reallocated to a third process, that process can then read/write to the parent's mapping above 512TB. Additionally if the freed id is used for the third process's primary context id, then the parent is able to read/write to the third process's mappings *below* 512TB. If the parent and child both exit before another process is allocated the freed context id, the kernel will notice the double free of the id and print a warning such as: ida_free called for id=103 which is not allocated. WARNING: CPU: 8 PID: 7293 at lib/idr.c:520 ida_free_rc+0x1b4/0x1d0 Only machines using the hash page table (HPT) MMU are affected, eg. PowerPC 970 (G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines (powernv) use the Radix MMU and are not affected, unless the machine has been explicitly booted in HPT mode (using disable_radix on the kernel command line). KVM guests on Power9 may be affected if the host or guest is configured to use the HPT MMU. LPARs under PowerVM on Power9 are affected as they always use the HPT MMU. Kernels built with PAGE_SIZE=4K are not affected.
Acknowledgments: Name: Michael Ellerman
Statement: Red Hat Product Security is aware of this issue. Updates will be released as they become available.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1723697]
External References: https://seclists.org/oss-sec/2019/q2/200
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703