CVE-2021-46990: Linux Kernel Vulnerability in PowerPC/64s Entry Flush Barrier Patching Resolved

In the Linux kernel, a vulnerability (CVE-2021-46990) has been discovered and resolved in the PowerPC/64s entry flush barrier. The vulnerability can cause crashes when toggling the entry flush mitigation. In this post, we'll discuss the details of this vulnerability, the associated code snippet, and references to the original sources.

Exploit Details

The entry flush mitigation can be enabled or disabled during runtime via a debugfs file called entry_flush, which makes the kernel patch itself to enable or disable relevant mitigations. However, depending on which mitigation is used, it may not be safe to apply the patch while other CPUs are active.

sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20

This crash indicates that the system returned to userspace with a corrupted LR (Link Register) that points to the kernel. This happened due to the kernel executing a partially patched call to the fallback entry flush, which caused it to miss the LR restore process.

Resolution

The vulnerability has been fixed by applying the patch under stop machine. When this patch is applied, the CPUs that are not involved in the patching process will be spinning in the core of the stop machine logic. This is currently sufficient for preventing crashes since none of the patching touches the stop machine code or any nearby code.

Here's a code snippet demonstrating the resolution

-void __init setup_entry_flush_patch(void)
+static void entry_flush_patch_fn(void *arg)
 {
...
-       if (pat_found)
-               do_patch = true;
+       if (pat_found)
+               __apply_entry_flush_patch();
 }
 
+void __init setup_entry_flush_patch(void)
+{
+       stop_machine(entry_flush_patch_fn, NULL, NULL);
 }

In the code snippet, the entry_flush_patch_fn function is updated to directly call __apply_entry_flush_patch() function when appropriate. The setup_entry_flush_patch() function now utilizes stop_machine() to perform the patching with the proper argument, ensuring the patch can be safely applied without causing crashes.

For further information on this vulnerability and its resolution, refer to the following resources

1. Linux kernel mailing list: https://lore.kernel.org/linuxppc-dev/michael@ellerman.id.au/T/#ub/usr/src/linux/T/t95087f/890262315
2. Patch available at: https://lore.kernel.org/linuxppc-dev/michael@ellerman.id.au/T/#ub/usr/src/linux/T/t95087f/890262315
3. Entry in the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-46990

Conclusion

The Linux kernel vulnerability CVE-2021-46990 in the PowerPC/64s entry flush barrier has been resolved by applying a patch under stop machine. This prevents crashes when toggling the entry flush mitigation at runtime. It is crucial to apply this patch to avoid potential crashes and maintain the security of your Linux systems running on PowerPC/64s hardware.

Timeline

Published on: 02/28/2024 09:15:37 UTC
Last modified on: 02/28/2024 14:06:45 UTC