diff --git a/SOURCES/CVE-2021-22543.patch b/SOURCES/CVE-2021-22543.patch
new file mode 100644
index 0000000..1ba381a
--- /dev/null
+++ b/SOURCES/CVE-2021-22543.patch
@@ -0,0 +1,145 @@ +From 710481f30b26856f462d3e5923bf69b32c12e097 Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Fri, 3 Sep 2021 16:00:17 +0200 +Subject: [KPATCH CVE-2021-22543] KVM: do not allow mapping valid but + non-reference-counted pages + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 +3.10.0-1160.41.1.el7 + +Changes since last build: +[x86_64]: +kvm_main.o: changed function: __gfn_to_pfn_memslot + +[ppc64le]: +kvm_main.o: changed function: gfn_to_page +kvm_main.o: changed function: gfn_to_pfn +kvm_main.o: changed function: gfn_to_pfn_memslot +kvm_main.o: changed function: gfn_to_pfn_prot +kvm_main.o: changed function: hva_to_pfn +kvm_main.o: changed function: kvm_vcpu_gfn_to_page +kvm_main.o: changed function: kvm_vcpu_gfn_to_pfn + +--------------------------- + +Kernels: +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 +3.10.0-1160.41.1.el7 +3.10.0-1160.42.2.el7 + +Modifications: none +Kpatch-MR: https://gitlab.com/kpatch-dev/rhel-7/-/merge_requests/7 +Approved-by: Yannick Cote (@ycote1) +Approved-by: Joe Lawrence (@joe.lawrence) +Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/259 + +commit 64b6dd5036622d9fab20cea237ae19402a1a2ee3 +Author: Jon Maloy +Date: Tue Jul 13 15:28:38 2021 -0400 + + KVM: do not allow mapping valid but non-reference-counted pages + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975511 + Upstream: commit f8be156be163a052a067306417cd0ff679068c97 + CVE-2021-22543 + Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39156005 + Conflicts: The upstream version hva_to_pfn_remapped() has been upgraded + with lock support and a 
'writeable' parameter. Those changes + entail a code conflict, but not functional conflict, with + this commit. + + commit f8be156be163a052a067306417cd0ff679068c97 + Author: Nicholas Piggin + Date: Thu Jun 24 08:29:04 2021 -0400 + + KVM: do not allow mapping valid but non-reference-counted pages + + It's possible to create a region which maps valid but non-refcounted + pages (e.g., tail pages of non-compound higher order allocations). These + host pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family + of APIs, which take a reference to the page, which takes it from 0 to 1. + When the reference is dropped, this will free the page incorrectly. + + Fix this by only taking a reference on valid pages if it was non-zero, + which indicates it is participating in normal refcounting (and can be + released with put_page). + + This addresses CVE-2021-22543. + + Signed-off-by: Nicholas Piggin + Tested-by: Paolo Bonzini + Cc: stable@vger.kernel.org + Signed-off-by: Paolo Bonzini + + 
Signed-off-by: Jon Maloy
+
+Signed-off-by: Artem Savkov
+---
+ virt/kvm/kvm_main.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 4b01a017b262..2f40d5fe257d 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1479,6 +1479,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault)
+ return true;
+ }
+
++static int kvm_try_get_pfn(kvm_pfn_t pfn)
++{
++ if (kvm_is_reserved_pfn(pfn))
++ return 1;
++ return get_page_unless_zero(pfn_to_page(pfn));
++}
++
+ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
+ unsigned long addr, bool *async,
+ bool write_fault, kvm_pfn_t *p_pfn)
+@@ -1514,11 +1521,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
+ * Whoever called remap_pfn_range is also going to call e.g.
+ * unmap_mapping_range before the underlying pages are freed,
+ * causing a call to our MMU notifier.
+- */
+- kvm_get_pfn(pfn);
++ *
++ * Certain IO or PFNMAP mappings can be backed with valid
++ * struct pages, but be allocated without refcounting e.g.,
++ * tail pages of non-compound higher order allocations, which
++ * would then underflow the refcount when the caller does the
++ * required put_page. Don't allow those pages here.
++ */
+
++ if (!kvm_try_get_pfn(pfn))
++ r = -EFAULT;
+ *p_pfn = pfn;
+- return 0;
++
++ return r;
+ }
+
+ /*
+--
+2.26.3
+
+
diff --git a/SOURCES/CVE-2021-37576.patch b/SOURCES/CVE-2021-37576.patch
new file mode 100644
index 0000000..cf26c1d
--- /dev/null
+++ b/SOURCES/CVE-2021-37576.patch
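Review bot: In the second hunk the new failure path sets `r = -EFAULT` but still stores `*p_pfn = pfn;`, and the success path returns whatever `r` already held from earlier in hva_to_pfn_remapped, which is outside the hunk and presumably 0 on this path, though nothing in the hunk shows it. Making both outcomes explicit removes that dependency and never hands a caller a pfn it was not allowed to reference: `if (!kvm_try_get_pfn(pfn)) return -EFAULT;` followed by `*p_pfn = pfn;` and `return 0;`. kvm_try_get_pfn() reports success for reserved pfns without taking a reference, so the matching release path must skip reserved pfns the same way; that code is not part of this backport and is worth confirming in the 3.10 tree. The enclosing function begins before the hunk.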
@@ -0,0 +1,144 @@ +From 9ab861c9a630d07a8ac0240f81dd0067b6c57963 Mon Sep 17 00:00:00 2001 +From: Joel Savitz +Date: Mon, 20 Sep 2021 13:49:09 -0400 +Subject: [KPATCH CVE-2021-37576] KVM: PPC: kpatch fixes for CVE-2021-37576 + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 +3.10.0-1160.41.1.el7 +3.10.0-1160.42.2.el7 + +Changes since last build: +arches: ppc64le +book3s_rtas.o: changed function: kvmppc_rtas_hcall +--------------------------- + +Kernels: +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 +3.10.0-1160.41.1.el7 +3.10.0-1160.42.2.el7 + +Modifications: None +Kpatch-MR: https://gitlab.com/kpatch-dev/rhel-7/-/merge_requests/8 +Approved-by: Artem Savkov (@artem.savkov) +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) + +Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/274 + +No reproducer available, tested via manual install and: +KT0 test PASS (ppc64le only): https://beaker.engineering.redhat.com/jobs/5809981 + +for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39840849 + +commit e1b729d6d332cc22fe641edc723324222096bf29 +Author: Jon Maloy +Date: Thu Aug 12 19:22:51 2021 -0400 + + KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow + + Bugzilla: https://bugzilla.redhat.com/1988218 + Upstream Status: Merged + Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39246436 + CVE: CVE-2021-37576 + + commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a + Author: Nicholas Piggin + Date: Tue Jul 20 20:43:09 2021 +1000 + + KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow + + The kvmppc_rtas_hcall() sets the host 
rtas_args.rets pointer based on + the rtas_args.nargs that was provided by the guest. That guest nargs + value is not range checked, so the guest can cause the host rets pointer + to be pointed outside the args array. The individual rtas function + handlers check the nargs and nrets values to ensure they are correct, + but if they are not, the handlers store a -3 (0xfffffffd) failure + indication in rets[0] which corrupts host memory. + + Fix this by testing up front whether the guest supplied nargs and nret + would exceed the array size, and fail the hcall directly without storing + a failure indication to rets[0]. + + Also expand on a comment about why we kill the guest and try not to + return errors directly if we have a valid rets[0] pointer. + + Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls") + Cc: stable@vger.kernel.org # v3.10+ + Reported-by: Alexey Kardashevskiy + Signed-off-by: Nicholas Piggin + Signed-off-by: Michael Ellerman + + 
Signed-off-by: Jon Maloy
+
+Signed-off-by: Joel Savitz
+---
+ arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
+index ef27fbd5d9c5..d896c6854abc 100644
+--- a/arch/powerpc/kvm/book3s_rtas.c
++++ b/arch/powerpc/kvm/book3s_rtas.c
+@@ -230,6 +230,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
+ * value so we can restore it on the way out.
+ */
+ orig_rets = args.rets;
++ if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
++ /*
++ * Don't overflow our args array: ensure there is room for
++ * at least rets[0] (even if the call specifies 0 nret).
++ *
++ * Each handler must then check for the correct nargs and nret
++ * values, but they may always return failure in rets[0].
++ */
++ rc = -EINVAL;
++ goto fail;
++ }
+ args.rets = &args.args[be32_to_cpu(args.nargs)];
+
+ mutex_lock(&vcpu->kvm->lock);
+@@ -257,9 +268,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
+ fail:
+ /*
+ * We only get here if the guest has called RTAS with a bogus
+- * args pointer. That means we can't get to the args, and so we
+- * can't fail the RTAS call. So fail right out to userspace,
+- * which should kill the guest.
++ * args pointer or nargs/nret values that would overflow the
++ * array. That means we can't get to the args, and so we can't
++ * fail the RTAS call. So fail right out to userspace, which
++ * should kill the guest.
++ *
++ * SLOF should actually pass the hcall return value from the
++ * rtas handler call in r3, so enter_rtas could be modified to
++ * return a failure indication in r3 and we could return such
++ * errors to the guest rather than failing to host userspace.
++ * However old guests that don't test for failure could then
++ * continue silently after errors, so for now we won't do this.
+ */
+ return rc;
+ }
+--
+2.26.3
+
+
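Review bot: The added guard in the first hunk bounds only `nargs`; the guest-supplied nret is not validated at this point, so all the check guarantees is that `rets[0]` lies inside `args.args`, as the new comment says, and every handler is still trusted to bound its own writes to `rets[1..nret-1]`. If the commit message's up-front check on "nargs and nret" is meant to be enforced here, hoist the values and widen the test: `u32 nargs = be32_to_cpu(args.nargs), nret = be32_to_cpu(args.nret);` and `if (nargs >= ARRAY_SIZE(args.args) || nret > ARRAY_SIZE(args.args) - nargs)`, which also drops the repeated `be32_to_cpu(args.nargs)` in the `args.rets` assignment. The nret field name is taken from the commit message and the handlers' own checks are outside this hunk, so confirm both against the 3.10 source. kvmppc_rtas_hcall begins before the first hunk, and the declaration of `rc` used by the new `goto fail` path is outside it as well.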
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 40ce19f..b0c544b 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,13 +6,19 @@ %define kernel_ver 3.10.0-1160.41.1.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 1 +%define rpm_rel 2 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. # # https://bugzilla.redhat.com/1997195 Source100: CVE-2021-3715.patch +# +# https://bugzilla.redhat.com/1975766 +Source101: CVE-2021-22543.patch +# +# https://bugzilla.redhat.com/1988221 +Source102: CVE-2021-37576.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -145,6 +151,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Wed Sep 29 2021 Joe Lawrence [1-2.el7] +- kernel: powerpc: KVM guest OS users can cause host OS memory corruption [1988221] {CVE-2021-37576} +- kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks [1975766] {CVE-2021-22543} + * Wed Sep 01 2021 Joe Lawrence [1-1.el7] - kernel: use-after-free in route4_change() in net/sched/cls_route.c [1997195] {CVE-2021-3715}