From 9ab861c9a630d07a8ac0240f81dd0067b6c57963 Mon Sep 17 00:00:00 2001
From: Joel Savitz <jsavitz@redhat.com>
Date: Mon, 20 Sep 2021 13:49:09 -0400
Subject: [KPATCH CVE-2021-37576] KVM: PPC: kpatch fixes for CVE-2021-37576
Kernels:
3.10.0-1160.el7
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7
Changes since last build:
arches: ppc64le
book3s_rtas.o: changed function: kvmppc_rtas_hcall
---------------------------
Kernels:
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7
Modifications: None
Kpatch-MR: https://gitlab.com/kpatch-dev/rhel-7/-/merge_requests/8
Approved-by: Artem Savkov (@artem.savkov)
Approved-by: Joe Lawrence (@joe.lawrence)
Approved-by: Yannick Cote (@ycote1)
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/274
No reproducer available, tested via manual install and:
KT0 test PASS (ppc64le only): https://beaker.engineering.redhat.com/jobs/5809981
for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39840849
commit e1b729d6d332cc22fe641edc723324222096bf29
Author: Jon Maloy <jmaloy@redhat.com>
Date: Thu Aug 12 19:22:51 2021 -0400
KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
Bugzilla: https://bugzilla.redhat.com/1988218
Upstream Status: Merged
Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39246436
CVE: CVE-2021-37576
commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a
Author: Nicholas Piggin <npiggin@gmail.com>
Date: Tue Jul 20 20:43:09 2021 +1000
KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on
the rtas_args.nargs that was provided by the guest. That guest nargs
value is not range checked, so the guest can cause the host rets pointer
to be pointed outside the args array. The individual rtas function
handlers check the nargs and nrets values to ensure they are correct,
but if they are not, the handlers store a -3 (0xfffffffd) failure
indication in rets[0] which corrupts host memory.
Fix this by testing up front whether the guest supplied nargs and nret
would exceed the array size, and fail the hcall directly without storing
a failure indication to rets[0].
Also expand on a comment about why we kill the guest and try not to
return errors directly if we have a valid rets[0] pointer.
Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")
Cc: stable@vger.kernel.org # v3.10+
Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Joel Savitz <jsavitz@redhat.com>
---
arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
|
|
|
95fff8 |
index ef27fbd5d9c5..d896c6854abc 100644
|
|
|
95fff8 |
--- a/arch/powerpc/kvm/book3s_rtas.c
|
|
|
95fff8 |
+++ b/arch/powerpc/kvm/book3s_rtas.c
|
|
|
95fff8 |
@@ -230,6 +230,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
|
|
|
95fff8 |
* value so we can restore it on the way out.
|
|
|
95fff8 |
*/
|
|
|
95fff8 |
orig_rets = args.rets;
|
|
|
95fff8 |
+ if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
|
|
|
95fff8 |
+ /*
|
|
|
95fff8 |
+ * Don't overflow our args array: ensure there is room for
|
|
|
95fff8 |
+ * at least rets[0] (even if the call specifies 0 nret).
|
|
|
95fff8 |
+ *
|
|
|
95fff8 |
+ * Each handler must then check for the correct nargs and nret
|
|
|
95fff8 |
+ * values, but they may always return failure in rets[0].
|
|
|
95fff8 |
+ */
|
|
|
95fff8 |
+ rc = -EINVAL;
|
|
|
95fff8 |
+ goto fail;
|
|
|
95fff8 |
+ }
|
|
|
95fff8 |
args.rets = &args.args[be32_to_cpu(args.nargs)];
|
|
|
95fff8 |
|
|
|
95fff8 |
mutex_lock(&vcpu->kvm->lock);
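Review bot: The new guard `if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args))` only proves that `rets[0]` lies inside `args.args`; `args.nret` is not range-checked here, so every write to `rets[1..]` in the individual RTAS handlers still depends on a handler-side nret check, as the added comment acknowledges. That contract is worth stating at the point where the pointer is formed, e.g. a comment on the `args.rets = &args.args[...]` line: `/* Only rets[0] is guaranteed in bounds; handlers must validate nret before writing rets[1..]. */`. If defence in depth is preferred, a second test such as `nret > ARRAY_SIZE(args.args) - nargs` could join the same `if`, at the cost of killing a guest that passes an out-of-range nret instead of returning -3 in rets[0], which the upstream design deliberately avoids. Minor style: `be32_to_cpu(args.nargs)` is evaluated twice (in the guard and when forming `args.rets`) and could be hoisted into a local `u32 nargs`. kvmppc_rtas_hcall starts and ends outside this hunk.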
|
|
|
95fff8 |
@@ -257,9 +268,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
|
|
|
95fff8 |
fail:
|
|
|
95fff8 |
/*
|
|
|
95fff8 |
* We only get here if the guest has called RTAS with a bogus
|
|
|
95fff8 |
- * args pointer. That means we can't get to the args, and so we
|
|
|
95fff8 |
- * can't fail the RTAS call. So fail right out to userspace,
|
|
|
95fff8 |
- * which should kill the guest.
|
|
|
95fff8 |
+ * args pointer or nargs/nret values that would overflow the
|
|
|
95fff8 |
+ * array. That means we can't get to the args, and so we can't
|
|
|
95fff8 |
+ * fail the RTAS call. So fail right out to userspace, which
|
|
|
95fff8 |
+ * should kill the guest.
|
|
|
95fff8 |
+ *
|
|
|
95fff8 |
+ * SLOF should actually pass the hcall return value from the
|
|
|
95fff8 |
+ * rtas handler call in r3, so enter_rtas could be modified to
|
|
|
95fff8 |
+ * return a failure indication in r3 and we could return such
|
|
|
95fff8 |
+ * errors to the guest rather than failing to host userspace.
|
|
|
95fff8 |
+ * However old guests that don't test for failure could then
|
|
|
95fff8 |
+ * continue silently after errors, so for now we won't do this.
|
|
|
95fff8 |
*/
|
|
|
95fff8 |
return rc;
|
|
|
95fff8 |
}
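Review bot: The rewritten comment says this path is reached for `nargs/nret values that would overflow the array`, but the guard added in the first hunk tests `args.nargs` alone, so mentioning nret overstates what is actually checked and could mislead someone adding a new RTAS handler. Suggest `* args pointer or an nargs value that leaves no room for rets[0] in the args array.` and keep the remainder of the comment as is. The enclosing function starts outside this hunk.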
--
2.26.3