A flaw was found in the way the Linux kernel's memory subsystem on certain 64-bit PowerPCs with the hash page table MMU handled memory above 512TB. A local, unprivileged user could use this flaw to escalate their privileges on the system.
A flaw was found in the way the Linux kernel's memory subsystem on certain
64-bit PowerPC with the hash page table MMU handled memory above 512TB. A local,
unprivileged user could use this flaw to escalate their privileges on the system.
Upstream commit that introduced this issue:
*** Bug 1720341 has been marked as a duplicate of this bug. ***
Note from the reporter:
This bug only affects machines using 64-bit CPUs with the hash page table MMU,
see below for more detail on affected CPUs.
To trigger the bug a process must allocate memory above 512TB. That only happens
if userspace explicitly requests it with mmap(). That process must then fork(),
at this point the child incorrectly inherits the "context id" of the parent
associated with the mapping above 512TB. It may then be possible for the
parent/child to write to each other's mappings above 512TB, which should not be
possible, and constitutes memory corruption.
If instead the child process exits, all its context ids are freed, including the
context id that is still in use by the parent for the mapping above 512TB. That
id can then be reallocated to a third process, that process can then read/write
to the parent's mapping above 512TB. Additionally if the freed id is used for
the third process's primary context id, then the parent is able to read/write to
the third process's mappings *below* 512TB.
If the parent and child both exit before another process is allocated the freed
context id, the kernel will notice the double free of the id and print a warning
ida_free called for id=103 which is not allocated.
WARNING: CPU: 8 PID: 7293 at lib/idr.c:520 ida_free_rc+0x1b4/0x1d0
Only machines using the hash page table (HPT) MMU are affected, eg. PowerPC 970
(G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines (powernv) use
the Radix MMU and are not affected, unless the machine has been explicitly
booted in HPT mode (using disable_radix on the kernel command line). KVM guests
on Power9 may be affected if the host or guest is configured to use the HPT MMU.
LPARs under PowerVM on Power9 are affected as they always use the HPT MMU.
Kernels built with PAGE_SIZE=4K are not affected.
Name: Michael Ellerman
Red Hat Product Security is aware of this issue. Updates will be released as they become available.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1723697]