Found by Olof Johansson:

On PPC970, having HID0[31] (en_attn) set makes it possible to wedge the machine by just doing an 'asm volatile("attn");' from userspace, clearly a local DoS exposure. Apple firmware seems to set it and we don't clear it at boot time.

Patch below, with intentionally sparse description. Let me know if you prefer the details there instead.

I'm not aware of any intentional exploits of this. I happened to come across it by running crash01 from LTP; it tries to execute random data as code and kept locking up my machine.

I'd like to see this in 2.6.18, but already shipping kernels have had this exposure for quite some time (ever since g5 support went in?). It probably makes sense to get it into a -stable release as well.

Thanks, Olof

Clear HID0[en_attn] at CPU init time on PPC970.

Signed-off-by: Olof Johansson <olof@lixom.net>

diff --git a/arch/powerpc/kernel/cpu_setup_power4.S b/arch/powerpc/kernel/cpu_setup_power4.S index f69af2c..76e97aa 100644 --- a/arch/powerpc/kernel/cpu_setup_power4.S +++ b/arch/powerpc/kernel/cpu_setup_power4.S @@ -76,6 +76,8 @@ _GLOBAL(__setup_cpu_ppc970) mfspr r0,SPRN_HID0 li r11,5 /* clear DOZE and SLEEP */ rldimi r0,r11,52,8 /* set NAP and DPM */ + li r11,0 + rldimi r0,r11,32,31 /* clear EN_ATTN */ mtspr SPRN_HID0,r0 mfspr r0,SPRN_HID0 mfspr r0,SPRN_HID0
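Review bot: The log message "Clear HID0[en_attn] at CPU init time on PPC970." states what is done but not why, and since the cover text asks for this to go into -stable, the one-line impact (with EN_ATTN set, an `attn` instruction from userspace hangs the machine, and Apple firmware leaves it set) should be in the commit message itself rather than only in the e-mail. Also, the operands of `rldimi r0,r11,32,31` encode "HID0 bit 31" only implicitly (mask from MB=31 to 63-SH=31); extending the comment to `/* clear EN_ATTN (HID0[31]) */` would let a reader check the mask against the bit number given in the report without decoding the rotate/mask fields.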
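The two `rldimi` steps in the hunk are easy to misread, because the bit being cleared is encoded only in the rotate amount and mask-begin operands. The following is an added review aid, not part of the patch or of the kernel sources: it emulates PowerPC 64-bit `rldimi` (rotate left doubleword immediate then mask insert, IBM bit numbering with bit 0 as the MSB) and applies the patched `__setup_cpu_ppc970` sequence to a constructed HID0 value, so a reviewer can confirm that the new instruction touches exactly HID0[31] and leaves every other bit as the existing code set it. The EN_ATTN bit number comes from the report; the DOZE/NAP/SLEEP/DPM positions (bits 8..11) are decoded here from the existing `rldimi r0,r11,52,8` operands and the comments beside them, and the sample HID0 value is constructed for the demonstration.

```python
MASK64 = (1 << 64) - 1

# Bit numbers in IBM notation (bit 0 = MSB of the 64-bit register).
HID0_EN_ATTN = 31   # from the report: HID0[31] is en_attn
# Decoded from the existing "rldimi r0,r11,52,8" with r11=5: mask covers bits
# 8..11, inserted pattern 0b0101 -> bit 9 (NAP) and bit 11 (DPM) set,
# bit 8 (DOZE) and bit 10 (SLEEP) cleared, matching the in-tree comments.
HID0_DOZE, HID0_NAP, HID0_SLEEP, HID0_DPM = 8, 9, 10, 11


def ibm_bit(n):
    """Value of bit n in IBM (MSB = 0) numbering of a 64-bit register."""
    return 1 << (63 - n)


def rotl64(x, n):
    """Rotate a 64-bit value left by n positions."""
    n %= 64
    if n == 0:
        return x & MASK64
    return ((x << n) | (x >> (64 - n))) & MASK64


def mask_ibm(mb, me):
    """MASK(mb, me): bits mb..me set (IBM numbering), wrapping when mb > me."""
    m, b = 0, mb
    while True:
        m |= ibm_bit(b)
        if b == me:
            return m
        b = (b + 1) % 64


def rldimi(ra, rs, sh, mb):
    """rldimi rA,rS,SH,MB: rA = (ROTL64(rS,SH) & MASK(MB,63-SH)) | (rA & ~MASK)."""
    r = rotl64(rs, sh)
    m = mask_ibm(mb, 63 - sh)
    return (r & m) | (ra & ~m & MASK64)


def setup_cpu_ppc970_hid0(hid0):
    """Apply the HID0 edits of the patched __setup_cpu_ppc970 to a HID0 value."""
    hid0 = rldimi(hid0, 5, 52, 8)    # li r11,5 ; rldimi r0,r11,52,8 (DOZE/SLEEP off, NAP/DPM on)
    hid0 = rldimi(hid0, 0, 32, 31)   # li r11,0 ; rldimi r0,r11,32,31 (clear EN_ATTN)
    return hid0


def en_attn_set(hid0):
    """True when the attn instruction is enabled in this HID0 value."""
    return bool(hid0 & ibm_bit(HID0_EN_ATTN))


def affected_bits(before, after):
    """IBM bit numbers that differ between two register values (review aid)."""
    diff = before ^ after
    return sorted(63 - i for i in range(64) if (diff >> i) & 1)


if __name__ == "__main__":
    # Constructed sample: firmware left EN_ATTN and DOZE on, plus an unrelated bit 0.
    sample = ibm_bit(0) | ibm_bit(HID0_DOZE) | ibm_bit(HID0_EN_ATTN)
    patched = setup_cpu_ppc970_hid0(sample)
    print("EN_ATTN before: %s, after: %s" % (en_attn_set(sample), en_attn_set(patched)))
    print("bits changed by the sequence:", affected_bits(sample, patched))
    print("bits changed by the new rldimi alone:",
          affected_bits(sample, rldimi(sample, 0, 32, 31)))
```

The last line of output is the check a reviewer cares about: the added `rldimi r0,r11,32,31` with r11 = 0 changes only bit 31, so it cannot disturb the NAP/DPM settings written one instruction earlier into the same register.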
CVE is public, so I guess I can disclose this now. rsbac, just you here too.
~arch for rsbac.
rsbac-sources-2.6.19 is in cvs (~arch)