|
 |
36d4f3 |
From d899fb6f8a4b6370576e3a009e959bc98ee03c16 Mon Sep 17 00:00:00 2001
|
|
|
36d4f3 |
From: Ryan Sullivan <rysulliv@redhat.com>
|
|
|
36d4f3 |
Date: Mon, 16 Oct 2023 14:08:36 -0400
|
|
|
36d4f3 |
Subject: [KPATCH CVE-2023-3611] kpatch fixes for CVE-2023-3611
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Kernels:
|
|
|
36d4f3 |
3.10.0-1160.90.1.el7
|
|
|
36d4f3 |
3.10.0-1160.92.1.el7
|
|
|
36d4f3 |
3.10.0-1160.95.1.el7
|
|
|
36d4f3 |
3.10.0-1160.99.1.el7
|
|
|
36d4f3 |
3.10.0-1160.102.1.el7
|
|
|
36d4f3 |
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/60
|
|
|
36d4f3 |
Approved-by: Joe Lawrence (@joe.lawrence)
|
|
|
36d4f3 |
Approved-by: Yannick Cote (@ycote1)
|
|
|
36d4f3 |
Changes since last build:
|
|
|
36d4f3 |
arches: x86_64 ppc64le
|
|
|
36d4f3 |
cls_fw.o: changed function: fw_change
|
|
|
36d4f3 |
cls_fw.o: changed function: fw_set_parms
|
|
|
36d4f3 |
cls_route.o: changed function: route4_change
|
|
|
36d4f3 |
cls_u32.o: changed function: u32_change
|
|
|
36d4f3 |
sch_qfq.o: changed function: qfq_enqueue
|
|
|
36d4f3 |
---------------------------
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Modifications: none
|
|
|
36d4f3 |
|
|
|
36d4f3 |
commit 726e9f3d88c729cdae09768c94e588deebdb9d52
|
|
|
36d4f3 |
Author: Marcelo Tosatti <mtosatti@redhat.com>
|
|
|
36d4f3 |
Date: Mon Jan 23 17:17:17 2023 -0300
|
|
|
36d4f3 |
|
|
|
36d4f3 |
KVM: x86: rename argument to kvm_set_tsc_khz
|
|
|
36d4f3 |
|
|
|
36d4f3 |
commit 4941b8cb3746f09bb102f7a5d64d878e96a0c6cd
|
|
|
36d4f3 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
|
|
|
36d4f3 |
JIRA: https://issues.redhat.com/browse/RHELPLAN-141963
|
|
|
36d4f3 |
Testing: Tested by QE
|
|
|
36d4f3 |
|
|
|
36d4f3 |
This refers to the desired (scaled) frequency, which is called
|
|
|
36d4f3 |
user_tsc_khz in the rest of the file.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
|
|
|
36d4f3 |
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
36d4f3 |
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
|
|
36d4f3 |
|
|
|
36d4f3 |
commit 866faa0e99083ee93d04d3c37065cf8dbfc51a34
|
|
|
36d4f3 |
Author: Marcelo Tosatti <mtosatti@redhat.com>
|
|
|
36d4f3 |
Date: Mon Jan 23 17:24:19 2023 -0300
|
|
|
36d4f3 |
|
|
|
36d4f3 |
KVM: x86: rewrite handling of scaled TSC for kvmclock
|
|
|
36d4f3 |
|
|
|
36d4f3 |
commit 78db6a5037965429c04d708281f35a6e5562d31b
|
|
|
36d4f3 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
|
|
|
36d4f3 |
Testing: Tested by QE
|
|
|
36d4f3 |
JIRA: https://issues.redhat.com/browse/RHELPLAN-141963
|
|
|
36d4f3 |
|
|
|
36d4f3 |
This is the same as before:
|
|
|
36d4f3 |
|
|
|
36d4f3 |
kvm_scale_tsc(tgt_tsc_khz)
|
|
|
36d4f3 |
= tgt_tsc_khz * ratio
|
|
|
36d4f3 |
= tgt_tsc_khz * user_tsc_khz / tsc_khz (see set_tsc_khz)
|
|
|
36d4f3 |
= user_tsc_khz (see kvm_guest_time_update)
|
|
|
36d4f3 |
= vcpu->arch.virtual_tsc_khz (see kvm_set_tsc_khz)
|
|
|
36d4f3 |
|
|
|
36d4f3 |
However, computing it through kvm_scale_tsc will make it possible
|
|
|
36d4f3 |
to include the NTP correction in tgt_tsc_khz.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
|
|
|
36d4f3 |
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
|
36d4f3 |
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
|
|
36d4f3 |
|
|
|
36d4f3 |
commit bde6eebb5708ecd38db0023e657d38058e0d962f
|
|
|
36d4f3 |
Author: Marcelo Tosatti <mtosatti@redhat.com>
|
|
|
36d4f3 |
Date: Wed Jan 25 16:07:18 2023 -0300
|
|
|
36d4f3 |
|
|
|
36d4f3 |
KVM: x86: add bit to indicate correct tsc_shift
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
|
|
|
36d4f3 |
Testing: Tested by QE
|
|
|
36d4f3 |
Upstream Status: RHEL7 only
|
|
|
36d4f3 |
JIRA: https://issues.redhat.com/browse/RHELPLAN-141963
|
|
|
36d4f3 |
|
|
|
36d4f3 |
This changeset is unique to RHEL-7 since it was decided
|
|
|
36d4f3 |
it is not necessary upstream:
|
|
|
36d4f3 |
|
|
|
36d4f3 |
"I don't think it's justifiable to further complicate the userspace API for a
|
|
|
36d4f3 |
bug that's been fixed six years ago. I'd be very surprised if any combination
|
|
|
36d4f3 |
of modern upstream {QEMU,kernel} is going to do a successful migration from
|
|
|
36d4f3 |
such an old {QEMU,kernel}. RHEL/CentOS are able to do so because *specific
|
|
|
36d4f3 |
pairs* have been tested, but as far as upstream is concerned this adds
|
|
|
36d4f3 |
complexity that absolutely no one will use."
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Before commit 78db6a5037965429c04d708281f35a6e5562d31b,
|
|
|
36d4f3 |
kvm_guest_time_update() would use vcpu->virtual_tsc_khz to calculate
|
|
|
36d4f3 |
tsc_shift value in the vcpus pvclock structure written to guest memory.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
For those kernels, if vcpu->virtual_tsc_khz != tsc_khz (which can be the
|
|
|
36d4f3 |
case when guest state is restored via migration, or if tsc-khz option is
|
|
|
36d4f3 |
passed to QEMU), and TSC scaling is not enabled (which happens if the
|
|
|
36d4f3 |
difference between the frequency requested via KVM_SET_TSC_KHZ and the
|
|
|
36d4f3 |
host TSC KHZ is smaller than 250ppm), then there can be a difference
|
|
|
36d4f3 |
between what KVM_GET_CLOCK would return and what the guest reads as
|
|
|
36d4f3 |
kvmclock value.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
When KVM_SET_CLOCK'ing what is read with KVM_GET_CLOCK, the
|
|
|
36d4f3 |
guest can observe a forward or backwards time jump.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Advertise to userspace that current kernel contains
|
|
|
36d4f3 |
this fix, so QEMU can workaround the problem by reading
|
|
|
36d4f3 |
pvclock via guest memory directly otherwise.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
|
|
|
36d4f3 |
|
|
|
36d4f3 |
commit 9dbd3713d82f45c9781f2dc6dd49dc3ee07ba980
|
|
|
36d4f3 |
Author: Davide Caratti <dcaratti@redhat.com>
|
|
|
36d4f3 |
Date: Tue Aug 8 12:55:43 2023 +0200
|
|
|
36d4f3 |
|
|
|
36d4f3 |
net/sched: sch_qfq: account for stab overhead in qfq_enqueue
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225555
|
|
|
36d4f3 |
CVE: CVE-2023-3611
|
|
|
36d4f3 |
Upstream Status: net.git commit 3e337087c3b5
|
|
|
36d4f3 |
Conflicts:
|
|
|
36d4f3 |
- we don't have QFQ_MAX_LMAX defined in rhel-7 because of
|
|
|
36d4f3 |
missing upstream commit 25369891fcef ("net/sched: sch_qfq:
|
|
|
36d4f3 |
refactor parsing of netlink parameters"): use its value in
|
|
|
36d4f3 |
the test inside qfq_change_agg()
|
|
|
36d4f3 |
|
|
|
36d4f3 |
commit 3e337087c3b5805fe0b8a46ba622a962880b5d64
|
|
|
36d4f3 |
Author: Pedro Tammela <pctammela@mojatatu.com>
|
|
|
36d4f3 |
Date: Tue Jul 11 18:01:02 2023 -0300
|
|
|
36d4f3 |
|
|
|
36d4f3 |
net/sched: sch_qfq: account for stab overhead in qfq_enqueue
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Lion says:
|
|
|
36d4f3 |
-------
|
|
|
36d4f3 |
In the QFQ scheduler a similar issue to CVE-2023-31436
|
|
|
36d4f3 |
persists.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Consider the following code in net/sched/sch_qfq.c:
|
|
|
36d4f3 |
|
|
|
36d4f3 |
static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
|
|
|
36d4f3 |
struct sk_buff **to_free)
|
|
|
36d4f3 |
{
|
|
|
36d4f3 |
unsigned int len = qdisc_pkt_len(skb), gso_segs;
|
|
|
36d4f3 |
|
|
|
36d4f3 |
// ...
|
|
|
36d4f3 |
|
|
|
36d4f3 |
if (unlikely(cl->agg->lmax < len)) {
|
|
|
36d4f3 |
pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
|
|
|
36d4f3 |
cl->agg->lmax, len, cl->common.classid);
|
|
|
36d4f3 |
err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
|
|
|
36d4f3 |
if (err) {
|
|
|
36d4f3 |
cl->qstats.drops++;
|
|
|
36d4f3 |
return qdisc_drop(skb, sch, to_free);
|
|
|
36d4f3 |
}
|
|
|
36d4f3 |
|
|
|
36d4f3 |
// ...
|
|
|
36d4f3 |
|
|
|
36d4f3 |
}
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Similarly to CVE-2023-31436, "lmax" is increased without any bounds
|
|
|
36d4f3 |
checks according to the packet length "len". Usually this would not
|
|
|
36d4f3 |
impose a problem because packet sizes are naturally limited.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
This is however not the actual packet length, rather the
|
|
|
36d4f3 |
"qdisc_pkt_len(skb)" which might apply size transformations according to
|
|
|
36d4f3 |
"struct qdisc_size_table" as created by "qdisc_get_stab()" in
|
|
|
36d4f3 |
net/sched/sch_api.c if the TCA_STAB option was set when modifying the qdisc.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
A user may choose virtually any size using such a table.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
As a result the same issue as in CVE-2023-31436 can occur, allowing heap
|
|
|
36d4f3 |
out-of-bounds read / writes in the kmalloc-8192 cache.
|
|
|
36d4f3 |
-------
|
|
|
36d4f3 |
|
|
|
36d4f3 |
We can create the issue with the following commands:
|
|
|
36d4f3 |
|
|
|
36d4f3 |
tc qdisc add dev $DEV root handle 1: stab mtu 2048 tsize 512 mpu 0 \
|
|
|
36d4f3 |
overhead 999999999 linklayer ethernet qfq
|
|
|
36d4f3 |
tc class add dev $DEV parent 1: classid 1:1 htb rate 6mbit burst 15k
|
|
|
36d4f3 |
tc filter add dev $DEV parent 1: matchall classid 1:1
|
|
|
36d4f3 |
ping -I $DEV 1.1.1.2
|
|
|
36d4f3 |
|
|
|
36d4f3 |
This is caused by incorrectly assuming that qdisc_pkt_len() returns a
|
|
|
36d4f3 |
length within the QFQ_MIN_LMAX < len < QFQ_MAX_LMAX.
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
|
|
|
36d4f3 |
Reported-by: Lion <nnamrec@gmail.com>
|
|
|
36d4f3 |
Reviewed-by: Eric Dumazet <edumazet@google.com>
|
|
|
36d4f3 |
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
|
|
36d4f3 |
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
|
|
|
36d4f3 |
Reviewed-by: Simon Horman <simon.horman@corigine.com>
|
|
|
36d4f3 |
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
|
|
|
36d4f3 |
|
|
|
36d4f3 |
Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
|
|
|
36d4f3 |
---
|
|
|
36d4f3 |
net/sched/sch_qfq.c | 7 ++++++-
|
|
|
36d4f3 |
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
36d4f3 |
|
|
|
36d4f3 |
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
|
|
|
36d4f3 |
index a36b3ec3271a..ca8c79456c80 100644
|
|
|
36d4f3 |
--- a/net/sched/sch_qfq.c
|
|
|
36d4f3 |
+++ b/net/sched/sch_qfq.c
|
|
|
36d4f3 |
@@ -387,8 +387,13 @@ static int qfq_change_agg(struct Qdisc *sch, struct qfq_class *cl, u32 weight,
|
|
|
36d4f3 |
u32 lmax)
|
|
|
36d4f3 |
{
|
|
|
36d4f3 |
struct qfq_sched *q = qdisc_priv(sch);
|
|
|
36d4f3 |
- struct qfq_aggregate *new_agg = qfq_find_agg(q, lmax, weight);
|
|
|
36d4f3 |
+ struct qfq_aggregate *new_agg;
|
|
|
36d4f3 |
|
|
|
36d4f3 |
+ /* 'lmax' can range from [QFQ_MIN_LMAX, pktlen + stab overhead] */
|
|
|
36d4f3 |
+ if (lmax > (1UL << QFQ_MTU_SHIFT))
|
|
|
36d4f3 |
+ return -EINVAL;
|
|
|
36d4f3 |
+
|
|
|
36d4f3 |
+ new_agg = qfq_find_agg(q, lmax, weight);
|
|
|
36d4f3 |
if (new_agg == NULL) { /* create new aggregate */
|
|
|
36d4f3 |
new_agg = kzalloc(sizeof(*new_agg), GFP_ATOMIC);
|
|
|
36d4f3 |
if (new_agg == NULL)
|
|
|
36d4f3 |
--
|
|
|
36d4f3 |
2.41.0
|
|
|
36d4f3 |
|
|
|
36d4f3 |
|