SOURCES/CVE-2021-37576.patch

From 9ab861c9a630d07a8ac0240f81dd0067b6c57963 Mon Sep 17 00:00:00 2001
From: Joel Savitz <jsavitz@redhat.com>
Date: Mon, 20 Sep 2021 13:49:09 -0400
Subject: [KPATCH CVE-2021-37576] KVM: PPC: kpatch fixes for CVE-2021-37576

Kernels:
3.10.0-1160.el7
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7

Changes since last build:
arches: ppc64le
book3s_rtas.o: changed function: kvmppc_rtas_hcall
---------------------------

Kernels:
3.10.0-1160.2.1.el7
3.10.0-1160.2.2.el7
3.10.0-1160.6.1.el7
3.10.0-1160.11.1.el7
3.10.0-1160.15.2.el7
3.10.0-1160.21.1.el7
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7

Modifications: None
Kpatch-MR: https://gitlab.com/kpatch-dev/rhel-7/-/merge_requests/8
Approved-by: Artem Savkov (@artem.savkov)
Approved-by: Joe Lawrence (@joe.lawrence)
Approved-by: Yannick Cote (@ycote1)

Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/274

No reproducer available, tested via manual install and:
KT0 test PASS (ppc64le only): https://beaker.engineering.redhat.com/jobs/5809981

for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39840849

commit e1b729d6d332cc22fe641edc723324222096bf29
Author: Jon Maloy <jmaloy@redhat.com>
Date:   Thu Aug 12 19:22:51 2021 -0400

    KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow

    Bugzilla: https://bugzilla.redhat.com/1988218
    Upstream Status: Merged
    Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39246436
    CVE: CVE-2021-37576

    commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a
    Author: Nicholas Piggin <npiggin@gmail.com>
    Date:   Tue Jul 20 20:43:09 2021 +1000

        KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow

        The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on
        the rtas_args.nargs that was provided by the guest. That guest nargs
        value is not range checked, so the guest can cause the host rets pointer
        to be pointed outside the args array. The individual rtas function
        handlers check the nargs and nrets values to ensure they are correct,
        but if they are not, the handlers store a -3 (0xfffffffd) failure
        indication in rets[0] which corrupts host memory.

        Fix this by testing up front whether the guest supplied nargs and nret
        would exceed the array size, and fail the hcall directly without storing
        a failure indication to rets[0].

        Also expand on a comment about why we kill the guest and try not to
        return errors directly if we have a valid rets[0] pointer.

        Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")
        Cc: stable@vger.kernel.org # v3.10+
        Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
        Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
        Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>

    Signed-off-by: Jon Maloy <jmaloy@redhat.com>

Signed-off-by: Joel Savitz <jsavitz@redhat.com>
---
 arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
index ef27fbd5d9c5..d896c6854abc 100644
--- a/arch/powerpc/kvm/book3s_rtas.c
+++ b/arch/powerpc/kvm/book3s_rtas.c
@@ -230,6 +230,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
 	 * value so we can restore it on the way out.
 	 */
 	orig_rets = args.rets;
+	if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
+		/*
+		 * Don't overflow our args array: ensure there is room for
+		 * at least rets[0] (even if the call specifies 0 nret).
+		 *
+		 * Each handler must then check for the correct nargs and nret
+		 * values, but they may always return failure in rets[0].
+		 */
+		rc = -EINVAL;
+		goto fail;
+	}
 	args.rets = &args.args[be32_to_cpu(args.nargs)];
 
 	mutex_lock(&vcpu->kvm->lock);
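Review bot: the guard `+	if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args))` bounds only nargs, so it guarantees that rets[0] lies inside args[] but says nothing about nret; a handler that writes rets[i] for i > 0 must still validate nret itself, which is exactly what the new comment ("Each handler must then check for the correct nargs and nret values") requires. Consider stating that contract in the function-level comment as well, since it is a precondition for every handler and not just a note on this branch. The early `goto fail` runs before `mutex_lock(&vcpu->kvm->lock)`, so no unlock is needed on this path; worth a one-word mention in the comment so a later reordering does not introduce a locked early exit.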
@@ -257,9 +268,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
 fail:
 	/*
 	 * We only get here if the guest has called RTAS with a bogus
-	 * args pointer. That means we can't get to the args, and so we
-	 * can't fail the RTAS call. So fail right out to userspace,
-	 * which should kill the guest.
+	 * args pointer or nargs/nret values that would overflow the
+	 * array. That means we can't get to the args, and so we can't
+	 * fail the RTAS call. So fail right out to userspace, which
+	 * should kill the guest.
+	 *
+	 * SLOF should actually pass the hcall return value from the
+	 * rtas handler call in r3, so enter_rtas could be modified to
+	 * return a failure indication in r3 and we could return such
+	 * errors to the guest rather than failing to host userspace.
+	 * However old guests that don't test for failure could then
+	 * continue silently after errors, so for now we won't do this.
 	 */
 	return rc;
 }
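Review bot: the reworded comment says the fail path is reached for "nargs/nret values that would overflow the array", but the check added in the previous hunk tests only nargs; either narrow the wording to nargs or add the nret check the comment describes, so the comment and the code agree on what is verified before `rets` is set. The second paragraph (SLOF passing the rtas return value in r3, enter_rtas returning a failure indication) describes a possible future change, not current behaviour; marking it explicitly as a design note or TODO would stop a reader from assuming the guest currently receives an error in r3 rather than being killed by userspace.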
-- 
2.26.3
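The nargs bounds check described in the commit message, as an added userspace model (not code from this patch or from the kernel): the struct and helper names are assumptions made for the illustration, and the 16-entry args array is assumed to match the kernel's rtas_args, whereas the patch itself relies on ARRAY_SIZE(args.args).

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed model of the kernel's struct rtas_args (16 args assumed):
 * guest-supplied fields are big-endian and rets points into args[]. */
struct model_rtas_args {
    uint32_t token;
    uint32_t nargs;
    uint32_t nret;
    uint32_t args[16];
    uint32_t *rets;
};

/* Portable stand-in for be32_to_cpu(): read the four bytes MSB first. */
static uint32_t be32_to_cpu_model(uint32_t be)
{
    const uint8_t *p = (const uint8_t *)&be;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Store a host value the way a guest does: big-endian in memory. */
static uint32_t cpu_to_be32_model(uint32_t v)
{
    uint8_t b[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v };
    uint32_t out;
    memcpy(&out, b, sizeof(out));
    return out;
}

/* Mirrors the patched setup in kvmppc_rtas_hcall(): refuse any nargs that leaves
 * no room for rets[0], else aim rets at args[nargs]. Never writes through rets. */
int setup_rets(struct model_rtas_args *a)
{
    if (be32_to_cpu_model(a->nargs) >= ARRAY_SIZE(a->args))
        return -EINVAL;
    a->rets = &a->args[be32_to_cpu_model(a->nargs)];
    return 0;
}

/* Index of rets[0] within args[] for a guest-supplied nargs, or -1 if rejected.
 * Unpatched, nargs = 16 put rets[0] one past the array; rets[0] = -3 then hit host memory. */
long rets_index_for(uint32_t guest_nargs)
{
    struct model_rtas_args a = { .nargs = cpu_to_be32_model(guest_nargs) };
    if (setup_rets(&a) != 0)
        return -1;
    return (long)(a.rets - a.args);
}
```

The model accepts nargs 0 through 15 (rets[0] stays inside the array) and rejects 16 and above with -EINVAL, the same boundary the patch enforces before `args.rets` is assigned.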