CVE-2021-47428

EUVD-2021-34433

21.05.2024, 15:15

In the Linux kernel, the following vulnerability has been resolved:

powerpc/64s: fix program check interrupt emergency stack path

Emergency stack path was jumping into a 3: label inside the
__GEN_COMMON_BODY macro for the normal path after it had finished,
rather than jumping over it. By a small miracle this is the correct
place to build up a new interrupt frame with the existing stack
pointer, so things basically worked okay with an added weird looking
700 trap frame on top (which had the wrong ->nip so it didn't decode
bug messages either).

Fix this by avoiding using numeric labels when jumping over non-trivial
macros.

Before:

 LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
 Modules linked in:
 CPU: 0 PID: 88 Comm: sh Not tainted 5.15.0-rc2-00034-ge057cdade6e5 #2637
 NIP:  7265677368657265 LR: c00000000006c0c8 CTR: c0000000000097f0
 REGS: c0000000fffb3a50 TRAP: 0700   Not tainted
 MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 00000700  XER: 20040000
 CFAR: c0000000000098b0 IRQMASK: 0
 GPR00: c00000000006c964 c0000000fffb3cf0 c000000001513800 0000000000000000
 GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299
 GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8
 GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001
 GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8
 GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158
 GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300
 GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80
 NIP [7265677368657265] 0x7265677368657265
 LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
 Call Trace:
 [c0000000fffb3cf0] [c00000000000bdac] soft_nmi_common+0x13c/0x1d0 (unreliable)
 --- interrupt: 700 at decrementer_common_virt+0xb8/0x230
 NIP:  c0000000000098b8 LR: c00000000006c0c8 CTR: c0000000000097f0
 REGS: c0000000fffb3d60 TRAP: 0700   Not tainted
 MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 22424282  XER: 20040000
 CFAR: c0000000000098b0 IRQMASK: 0
 GPR00: c00000000006c964 0000000000002400 c000000001513800 0000000000000000
 GPR04: 0000000048ab0778 0000000042000000 0000000000000000 0000000000001299
 GPR08: 000001e447c718ec 0000000022424282 0000000000002710 c00000000006bee8
 GPR12: 9000000000009033 c0000000016b0000 00000000000000b0 0000000000000001
 GPR16: 0000000000000000 0000000000000002 0000000000000000 0000000000000ff8
 GPR20: 0000000000001fff 0000000000000007 0000000000000080 00007fff89d90158
 GPR24: 0000000002000000 0000000002000000 0000000000000255 0000000000000300
 GPR28: c000000001270000 0000000042000000 0000000048ab0778 c000000080647e80
 NIP [c0000000000098b8] decrementer_common_virt+0xb8/0x230
 LR [c00000000006c0c8] ___do_page_fault+0x3f8/0xb10
 --- interrupt: 700
 Instruction dump:
 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
 XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
 ---[ end trace 6d28218e0cc3c949 ]---

After:

 ------------[ cut here ]------------
 kernel BUG at arch/powerpc/kernel/exceptions-64s.S:491!
 Oops: Exception in kernel mode, sig: 5 [#1]
 LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
 Modules linked in:
 CPU: 0 PID: 88 Comm: login Not tainted 5.15.0-rc2-00034-ge057cdade6e5-dirty #2638
 NIP:  c0000000000098b8 LR: c00000000006bf04 CTR: c0000000000097f0
 REGS: c0000000fffb3d60 TRAP: 0700   Not tainted
 MSR:  9000000000021031 <SF,HV,ME,IR,DR,LE>  CR: 24482227  XER: 00040000
 CFAR: c0000000000098b0 IRQMASK: 0
 GPR00: c00000000006bf04 0000000000002400 c000000001513800 c000000001271868
 GPR04: 00000000100f0d29 0000000042000000 0000000000000007 0000000000000009
 GPR08: 00000000100f0d29 0000000024482227 0000000000002710 c000000000181b3c
 GPR12: 9000000000009033 c0000000016b0000 00000000100f0d29 c000000005b22f00
 GPR16: 00000000ffff0000 0000000000000001 0000000000000009 00000000100eed90
 GPR20: 00000000100eed90 00000
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.3 ≤ 𝑥 < 5.10.73
linux	linux_kernel	5.11 ≤ 𝑥 < 5.14.12
linux	linux_kernel	5.15:rc1
linux	linux_kernel	5.15:rc2
linux	linux_kernel	5.15:rc3
linux	linux_kernel	5.15:rc4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
buster	not-affected
sid	6.11.6-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	not-affected
focal	needed
jammy	not-affected
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-allwinner-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws

bionic	not-affected
focal	needed
jammy	not-affected
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-aws-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-aws-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-hwe

focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	needed
jammy	not-affected
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-azure-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-fde

focal	ignored
jammy	not-affected
mantic	dne
noble	dne

linux-azure-fde-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-bluefield

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp

bionic	ignored
focal	needed
jammy	not-affected
mantic	not-affected
noble	not-affected
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-gcp-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-gcp-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gke

focal	ignored
jammy	not-affected
mantic	dne
noble	not-affected

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gke-5.15

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gkeop

focal	needed
jammy	not-affected
mantic	dne
noble	dne

linux-gkeop-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-hwe

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	not-affected

linux-hwe-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-hwe-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-hwe-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	ignored

linux-ibm

focal	needed
jammy	not-affected
mantic	ignored
noble	not-affected

linux-ibm-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-ibm-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-intel

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	not-affected
trusty	dne
xenial	dne

linux-intel-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-intel-iot-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-intel-iotg

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-intel-iotg-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-iot

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-kvm

bionic	not-affected
focal	needed
jammy	not-affected
mantic	dne
noble	dne
xenial	not-affected

linux-laptop

focal	dne
jammy	dne
mantic	not-affected
noble	dne

linux-lowlatency

focal	dne
jammy	not-affected
mantic	not-affected
noble	not-affected

linux-lowlatency-hwe-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-lowlatency-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-lts-xenial

focal	dne
jammy	dne
mantic	dne
noble	dne
trusty	not-affected

linux-nvidia

focal	dne
jammy	not-affected
mantic	dne
noble	not-affected

linux-nvidia-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-nvidia-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-nvidia-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-nvidia-lowlatency

bionic	dne
focal	dne
jammy	dne
noble	not-affected
trusty	dne
xenial	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oem-5.10

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.14

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.17

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-5.6

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-6.0

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-6.1

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-oem-6.8

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	not-affected
trusty	dne
xenial	dne

linux-oracle

bionic	not-affected
focal	needed
jammy	not-affected
mantic	not-affected
noble	not-affected
xenial	not-affected

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-raspi

focal	needed
jammy	not-affected
mantic	not-affected
noble	not-affected

linux-raspi-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-raspi-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-raspi2

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-realtime

bionic	dne
focal	dne
jammy	ignored
noble	dne
trusty	dne
xenial	dne

linux-riscv

focal	ignored
jammy	ignored
mantic	not-affected
noble	not-affected

linux-riscv-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-riscv-5.15

focal	not-affected
jammy	dne
mantic	dne
noble	dne

linux-riscv-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-riscv-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-riscv-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-riscv-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-starfive

focal	dne
jammy	dne
mantic	not-affected
noble	dne

linux-starfive-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-starfive-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-starfive-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-xilinx-zynqmp

focal	needed
jammy	not-affected
mantic	dne
noble	dne

References

https://git.kernel.org/stable/c/3e607dc4df180b72a38e75030cb0f94d12808712

https://git.kernel.org/stable/c/411b38fe68ba20a8bbe724b0939762c3f16e16ca

https://git.kernel.org/stable/c/c835b3d1d6362b4a4ebb192da7e7fd27a0a45d01

https://git.kernel.org/stable/c/3e607dc4df180b72a38e75030cb0f94d12808712

https://git.kernel.org/stable/c/411b38fe68ba20a8bbe724b0939762c3f16e16ca

https://git.kernel.org/stable/c/c835b3d1d6362b4a4ebb192da7e7fd27a0a45d01