CVE-2021-47632 Information

Description

In the Linux kernel the following vulnerability has been resolved:

powerpc/set_memory: Avoid spinlock recursion in change_page_attr()

Commit 1f9ad21c3b38 (\powerpc/mm: Implement set_memory() routines) included a spin_lock() to change_page_attr() in order to safely perform the three step operations. But then commit 9f7853d7609d (\powerpc/mm: Fix set_memory_() against concurrent accesses) modify it to use pte_update() and do the operation safely against concurrent access.

In the meantime Maxime reported some spinlock recursion.

[ 15.351649] BUG: spinlock recursion on CPU0 kworker/0:2/217 [ 15.357540] lock: init_mm+0x3c/0x420 .magic: dead4ead .owner: kworker/0:2/217 .owner_cpu: 0 [ 15.366563] CPU: 0 PID: 217 Comm: kworker/0:2 Not tainted 5.15.0+ 523 [ 15.373350] Workqueue: events do_free_init [ 15.377615] Call Trace: [ 15.380232] [e4105ac0] [800946a4] do_raw_spin_lock+0xf8/0x120 (unreliable) [ 15.387340] [e4105ae0] [8001f4ec] change_page_attr+0x40/0x1d4 [ 15.393413] [e4105b10] [801424e0] __apply_to_page_range+0x164/0x310 [ 15.400009] [e4105b60] [80169620] free_pcp_prepare+0x1e4/0x4a0 [ 15.406045] [e4105ba0] [8016c5a0] free_unref_page+0x40/0x2b8 [ 15.411979] [e4105be0] [8018724c] kasan_depopulate_vmalloc_pte+0x6c/0x94 [ 15.418989] [e4105c00] [801424e0] __apply_to_page_range+0x164/0x310 [ 15.425451] [e4105c50] [80187834] kasan_release_vmalloc+0xbc/0x134 [ 15.431898] [e4105c70] [8015f7a8] __purge_vmap_area_lazy+0x4e4/0xdd8 [ 15.438560] [e4105d30] [80160d10] _vm_unmap_aliases.part.0+0x17c/0x24c [ 15.445283] [e4105d60] [801642d0] __vunmap+0x2f0/0x5c8 [ 15.450684] [e4105db0] [800e32d0] do_free_init+0x68/0x94 [ 15.456181] [e4105dd0] [8005d094] process_one_work+0x4bc/0x7b8 [ 15.462283] [e4105e90] [8005d614] worker_thread+0x284/0x6e8 [ 15.468227] [e4105f00] [8006aaec] kthread+0x1f0/0x210 [ 15.473489] [e4105f40] [80017148] ret_from_kernel_thread+0x14/0x1c

Remove the read / modify / write sequence to make the operation atomic and remove the spin_lock() in change_page_attr().

To do the operation atomically we can’t use pte modification helpers anymore. Because all platforms have different combination of bits it is not easy to use those bits directly. But all have the _PAGE_KERNEL_RO/ROX/RW/RWX set of flags. All we need it to compare two sets to know which bits are set or cleared.

For instance by comparing _PAGE_KERNEL_ROX and _PAGE_KERNEL_RO you know which bit gets cleared and which bit get set when changing exec permission.

Reference

https://git.kernel.org/stable/c/6def4eaf0391f24be541633a954c0e4876858b1e https://git.kernel.org/stable/c/6ebe5ca2cbe438a688f2ae238ef5a0b0b5f3468a https://git.kernel.org/stable/c/96917107e67846f1d959ed03be281048efad14c5 https://git.kernel.org/stable/c/a4c182ecf33584b9b2d1aa9dad073014a504c01f