Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's PowerPC architecture code has been addressed. It concerns how Data Segment Interrupts (SLB faults) are handled. In versions through 3.1, SLB faults do not provide a useful value in the Data Storage Interrupt Status Register (DSISR), leading to incorrect reporting of page fault types. This issue was particularly evident when using the xmon 'dump' command, where read accesses were misclassified as writes. The vulnerability arose because the fault handling logic relied on an undefined DSISR value, so stale information was used to determine the fault type.
The vulnerability could lead to incorrect handling of page faults, with read operations being falsely reported as write operations. This misrepresentation could disrupt normal kernel operations and debugging processes.
The vulnerability can be reproduced by triggering a Data Segment Interrupt (SLB fault) that involves a read operation. This can be done by executing a load instruction that accesses data through the SLB. When the fault occurs, the DSISR will not reflect the correct status, leading to an incorrect error message that indicates a write fault instead of a read fault. This discrepancy can be observed using the xmon 'dump' command, which will show the faulty address and the misreported fault type.
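The stale-register effect described in the two passages above can be modelled in a few lines. This is an added illustration, not the kernel's code or its patch: the struct, the function names and the simulated "hardware" are hypothetical, and the model assumes DSISR simply keeps its previous contents on an SLB fault. The vector numbers and the store bit follow the usual 64-bit PowerPC definitions.

```c
#include <stdint.h>
#include <stdio.h>

#define TRAP_DATA_STORAGE 0x300u      /* DSI: DSISR describes the access */
#define TRAP_DATA_SEGMENT 0x380u      /* SLB fault: DSISR carries nothing useful */
#define DSISR_ISSTORE     0x02000000u /* set when the faulting access was a store */

enum access { ACCESS_READ, ACCESS_WRITE, ACCESS_UNKNOWN };

/* Hypothetical model of the state a fault handler inspects. */
struct fault_regs { uint32_t trap; uint32_t dsisr; };

/* Simulated hardware (assumption): only a data storage interrupt updates DSISR. */
static void raise_fault(struct fault_regs *r, uint32_t trap, int is_store)
{
    r->trap = trap;
    if (trap == TRAP_DATA_STORAGE)
        r->dsisr = is_store ? DSISR_ISSTORE : 0;
    /* TRAP_DATA_SEGMENT: dsisr is left as it was, i.e. stale */
}

/* Flawed classification: trusts DSISR whatever the interrupt type. */
static enum access classify_flawed(const struct fault_regs *r)
{
    return (r->dsisr & DSISR_ISSTORE) ? ACCESS_WRITE : ACCESS_READ;
}

/* Checked classification: interprets DSISR only where it is defined. */
static enum access classify_checked(const struct fault_regs *r)
{
    if (r->trap != TRAP_DATA_STORAGE)
        return ACCESS_UNKNOWN;
    return (r->dsisr & DSISR_ISSTORE) ? ACCESS_WRITE : ACCESS_READ;
}

/* Constructed scenario: an earlier store fault, then an SLB fault on a load. */
static enum access slb_read_after_store(int checked)
{
    struct fault_regs r = { 0, 0 };
    raise_fault(&r, TRAP_DATA_STORAGE, 1);
    raise_fault(&r, TRAP_DATA_SEGMENT, 0);
    return checked ? classify_checked(&r) : classify_flawed(&r);
}

int main(void)
{
    static const char *name[] = { "read", "write", "unknown" };
    printf("flawed:  %s\n", name[slb_read_after_store(0)]);
    printf("checked: %s\n", name[slb_read_after_store(1)]);
    return 0;
}
```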
Users should upgrade to a version of the Linux kernel that includes the patch for this vulnerability. The patch is available in the official Linux kernel repositories.