Linux Kernel m68k Bus Error Handling Vulnerability in Exception Table Processing

A vulnerability exists in the Linux kernel m68k architecture related to how bus errors are handled, particularly for the 030 variant. The issue arises when the kernel task backtrace is logged via the /proc/sysrq_trigger, which can inadvertently cause a bus error by dereferencing a NULL pointer, especially when no workqueue is associated with the task. The current bus error handler for the 030 variant is not properly equipped to manage this situation. Instead of addressing the fault, it defaults to sending a segmentation fault signal or panicking, thereby bypassing the exception handling mechanism that could mitigate the issue. This vulnerability affects several versions of the Linux kernel m68k architecture.

Impact

The vulnerability can lead to improper handling of bus error exceptions, causing the system to send a segmentation fault signal or panic, rather than correctly processing the exception according to the established exception table. This could disrupt normal system operations and potentially lead to a denial of service.

Reproduction

The vulnerability can be reproduced on a system running the Linux kernel m68k architecture, specifically on the 030 variant. Triggering the issue involves forcing a task backtrace log through the /proc/sysrq_trigger, which will copy data in supervisor mode. If the logged task has no associated workqueue, this action will cause a bus error exception by dereferencing a NULL pointer. The 030 bus error handler will then fail to manage the fault appropriately, demonstrating the vulnerability.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.