From 0d179a3f40bfbb326b7427ed15dda5417a6f332b Mon Sep 17 00:00:00 2001
From: Miroslav Franc
Date: Mar 26 2024 09:01:41 +0000
Subject: s390/ptrace: handle setting of fpc register correctly (CVE-2023-52598 bsc#1221060 git-fixes).
---
diff --git a/patches.suse/s390-ptrace-handle-setting-of-fpc-register-correctly.patch b/patches.suse/s390-ptrace-handle-setting-of-fpc-register-correctly.patch
new file mode 100644
index 0000000..8487c11
--- /dev/null
+++ b/patches.suse/s390-ptrace-handle-setting-of-fpc-register-correctly.patch
@@ -0,0 +1,67 @@
+From: Heiko Carstens
+Date: Thu, 30 Nov 2023 18:55:59 +0100
+Subject: s390/ptrace: handle setting of fpc register correctly
+Git-commit: 8b13601d19c541158a6e18b278c00ba69ae37829
+Patch-mainline: v6.8-rc1
+References: CVE-2023-52598 bsc#1221060 git-fixes
+
+If the content of the floating point control (fpc) register of a traced
+process is modified with the ptrace interface the new value is tested for
+validity by temporarily loading it into the fpc register.
+
+This may lead to corruption of the fpc register of the tracing process:
+if an interrupt happens while the value is temporarily loaded into the
+fpc register, and within interrupt context floating point or vector
+registers are used, the current fp/vx registers are saved with
+save_fpu_regs() assuming they belong to user space and will be loaded into
+fp/vx registers when returning to user space.
+
+test_fp_ctl() restores the original user space fpc register value, however
+it will be discarded, when returning to user space.
+
+In result the tracer will incorrectly continue to run with the value that
+was supposed to be used for the traced process.
+
+Fix this by saving fpu register contents with save_fpu_regs() before using
+test_fp_ctl().
+
+Reviewed-by: Claudio Imbrenda
+Signed-off-by: Heiko Carstens
+Signed-off-by: Alexander Gordeev
+Acked-by: Miroslav Franc
+---
+ arch/s390/kernel/ptrace.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index 046403471c5d..c7ed302a6b59 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -392,6 +392,7 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
+ /*
+ * floating point control reg. is in the thread structure
+ */
++ save_fpu_regs();
+ if ((unsigned int) data != 0 ||
+ test_fp_ctl(data >> (BITS_PER_LONG - 32)))
+ return -EINVAL;
+@@ -748,6 +749,7 @@ static int __poke_user_compat(struct task_struct *child,
+ /*
+ * floating point control reg. is in the thread structure
+ */
++ save_fpu_regs();
+ if (test_fp_ctl(tmp))
+ return -EINVAL;
+ child->thread.fpu.fpc = data;
+@@ -911,9 +913,7 @@ static int s390_fpregs_set(struct task_struct *target,
+ int rc = 0;
+ freg_t fprs[__NUM_FPRS];
+
+- if (target == current)
+- save_fpu_regs();
+-
++ save_fpu_regs();
+ if (MACHINE_HAS_VX)
+ convert_vx_to_fp(fprs, target->thread.fpu.vxrs);
+ else
+
diff --git a/series.conf b/series.conf
index 5579939..39eae20 100644
--- a/series.conf
+++ b/series.conf
@@ -64969,6 +64969,7 @@
 patches.suse/pstore-ram_core-fix-possible-overflow-in-persistent_ram_init_ecc.patch
 patches.suse/NFSv4.1-pnfs-Ensure-we-handle-the-error-NFS4ERR_RETU.patch
 patches.suse/pNFS-Fix-the-pnfs-block-driver-s-calculation-of-layo.patch
+ patches.suse/s390-ptrace-handle-setting-of-fpc-register-correctly.patch
 patches.suse/KVM-s390-fix-setting-of-fpc-register.patch
 patches.suse/md-bypass-block-throttle-for-superblock-update-d6e0.patch
 patches.suse/Revert-md-raid5-Wait-for-MD_SB_CHANGE_PENDING-in-rai.patch
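Review bot: None of the three new `save_fpu_regs()` call sites in __poke_user, __poke_user_compat and s390_fpregs_set says why the save has to come before test_fp_ctl(), and the adjacent `floating point control reg. is in the thread structure` comments do not cover it, so the next reader is likely to take the unconditional save for a redundant one. A one-line comment at each site, such as `/* test_fp_ctl() loads the value into the live fpc; save current's fpu state first so an interrupt cannot capture and later restore it */`, would carry the reasoning from the description into the code. Dropping the `target == current` guard in s390_fpregs_set makes the save unconditional; that is consistent with the description, where the register being protected belongs to the caller rather than the target, but the old guard suggested otherwise and the comment should say so (the test_fp_ctl() call in that function is presumably further down, outside the hunk). All three enclosing functions begin and end outside these hunks.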