From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 23 Feb 2018 11:52:20 +0100
From: Greg Kroah-Hartman
To: Seunghun Han
Cc: Tony Luck, Borislav Petkov, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86: mce: fix kernel panic when check_interval is changed
Message-ID: <20180223105220.GA12058@kroah.com>
References: <20180223101350.8344-1-kkamagui@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180223101350.8344-1-kkamagui@gmail.com>
User-Agent: Mutt/1.9.3 (2018-01-21)
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID:

On Fri, Feb 23, 2018 at 07:13:50PM +0900, Seunghun Han wrote:
> I am Seunghun Han, a senior security researcher at the National Security
> Research Institute of South Korea.
> 
> I found a critical security issue which can make the kernel panic from userspace.
> After analyzing the issue carefully, I found that the MCE driver in the kernel
> has a problem which can occur in an SMP environment.
> 
> The check_interval file in the
> /sys/devices/system/machinecheck/machinecheck<cpu number> directory is a
> global timer value for MCE polling. If it is changed by one CPU, the MCE driver
> in the kernel calls the mce_restart() function and broadcasts the event to other
> CPUs to delete and restart the MCE polling timer.
> 
> The __mcheck_cpu_init_timer() function which is called by the mce_restart()
> function initializes the mce_timer variable, and the "lock" in mce_timer is
> also reinitialized. If more than one CPU writes a specific value to the
> check_interval file concurrently, one can initialize the "lock" in mce_timer
> while the others are handling the "lock" in mce_timer. This problem causes
> synchronization errors such as kernel panic and kernel hang.
> 
> It is a critical security problem because the attacker can make the kernel panic
> by writing a value to the check_interval file from userspace, and it can be
> used for a Denial-of-Service (DoS) attack.

As only root can write to that file, it's not that critical of an issue,
but yes, this is a problem.  Nice find and fix.

> 
> To fix this problem, I changed the __mcheck_cpu_init_timer() function to
> reuse mce_timer instead of initializing it. The purpose of the function is
> to restart the timer and it can be achieved by calling
> 
> Signed-off-by: Seunghun Han <kkamagui@gmail.com>

Cc: stable <stable@vger.kernel.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
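The report above turns on one point: a "restart" path that re-runs full initialisation of an object, lock included, while another CPU may still be inside a critical section protected by that lock. The following userspace C program is an added illustration of that bug class and is not code from the patch, from the kernel's MCE driver, or from either participant in the thread; the names (toy_lock, toy_timer, restart_reinit, restart_reuse, holders_after_restart) and the scripted two-CPU interleaving are this example's own simplification of the real timer_list and per-CPU mce_timer. It shows, deterministically, why re-initialising the lock lets two "CPUs" hold it at once, and why the fix of reusing the already-initialised object and only re-arming it does not.

```c
/*
 * Added example, not from the kernel or the patch: a userspace model of
 * "re-initialising a lock on restart" versus "reusing the existing object".
 * The toy_* names and the scripted interleaving are this example's own.
 */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy spinlock: a single atomic flag, like a minimal raw spinlock. */
struct toy_lock {
    atomic_bool held;
};

/* Toy stand-in for the per-CPU polling timer; the real struct is richer. */
struct toy_timer {
    struct toy_lock lock;     /* protects the timer's state */
    unsigned long interval;   /* polling interval, in the spirit of check_interval */
    bool armed;
};

static void toy_lock_init(struct toy_lock *l)
{
    atomic_store(&l->held, false);
}

/* Returns true if this caller acquired the lock, false if someone else holds it. */
static bool toy_lock_trylock(struct toy_lock *l)
{
    return !atomic_exchange(&l->held, true);
}

static void toy_lock_unlock(struct toy_lock *l)
{
    atomic_store(&l->held, false);
}

/* First-time setup: initialise the lock and arm the timer. */
static void toy_timer_setup(struct toy_timer *t, unsigned long interval)
{
    toy_lock_init(&t->lock);
    t->interval = interval;
    t->armed = true;
}

/* Bug pattern: "restart" by re-running full setup, which also resets the lock. */
static void restart_reinit(struct toy_timer *t, unsigned long interval)
{
    toy_timer_setup(t, interval);
}

/* Fix pattern: reuse the already-initialised object; change only what a restart needs. */
static void restart_reuse(struct toy_timer *t, unsigned long interval)
{
    t->interval = interval;
    t->armed = true;
}

/*
 * Scripted interleaving (no real threads, so the result is deterministic):
 * CPU A has taken the timer lock and is still inside its critical section when
 * CPU B runs a restart and then tries to take the same lock.
 * Returns how many CPUs end up holding the lock at once: 1 is correct, 2 is the race.
 */
static int holders_after_restart(void (*restart)(struct toy_timer *, unsigned long))
{
    struct toy_timer t;
    int holders = 0;

    toy_timer_setup(&t, 300);

    /* CPU A enters the critical section. */
    if (!toy_lock_trylock(&t.lock))
        return -1;                /* cannot happen on a freshly initialised lock */
    holders++;

    /* CPU B, concurrently: restart the timer, then try to enter the critical section. */
    restart(&t, 60);
    if (toy_lock_trylock(&t.lock))
        holders++;                /* must not succeed while A still holds the lock */

    toy_lock_unlock(&t.lock);
    return holders;
}

int main(void)
{
    printf("reinit lock on restart: %d holder(s)\n", holders_after_restart(restart_reinit));
    printf("reuse lock on restart:  %d holder(s)\n", holders_after_restart(restart_reuse));
    return 0;
}
```

With restart_reinit the second trylock succeeds because the restart cleared the flag out from under CPU A, so two holders share one critical section; with restart_reuse it fails as it should. On a real kernel the equivalent trigger is two concurrent writes to check_interval, which, as Greg notes above, only root can perform.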