Blame SOURCES/CVE-2021-37576.patch

263871
From 9ab861c9a630d07a8ac0240f81dd0067b6c57963 Mon Sep 17 00:00:00 2001
263871
From: Joel Savitz <jsavitz@redhat.com>
263871
Date: Mon, 20 Sep 2021 13:49:09 -0400
263871
Subject: [KPATCH CVE-2021-37576] KVM: PPC: kpatch fixes for CVE-2021-37576
263871
263871
Kernels:
263871
3.10.0-1160.el7
263871
3.10.0-1160.2.1.el7
263871
3.10.0-1160.2.2.el7
263871
3.10.0-1160.6.1.el7
263871
3.10.0-1160.11.1.el7
263871
3.10.0-1160.15.2.el7
263871
3.10.0-1160.21.1.el7
263871
3.10.0-1160.24.1.el7
263871
3.10.0-1160.25.1.el7
263871
3.10.0-1160.31.1.el7
263871
3.10.0-1160.36.2.el7
263871
3.10.0-1160.41.1.el7
263871
3.10.0-1160.42.2.el7
263871
263871
Changes since last build:
263871
arches: ppc64le
263871
book3s_rtas.o: changed function: kvmppc_rtas_hcall
263871
---------------------------
263871
263871
Kernels:
263871
3.10.0-1160.2.1.el7
263871
3.10.0-1160.2.2.el7
263871
3.10.0-1160.6.1.el7
263871
3.10.0-1160.11.1.el7
263871
3.10.0-1160.15.2.el7
263871
3.10.0-1160.21.1.el7
263871
3.10.0-1160.24.1.el7
263871
3.10.0-1160.25.1.el7
263871
3.10.0-1160.31.1.el7
263871
3.10.0-1160.36.2.el7
263871
3.10.0-1160.41.1.el7
263871
3.10.0-1160.42.2.el7
263871
263871
Modifications: None
263871
Kpatch-MR: https://gitlab.com/kpatch-dev/rhel-7/-/merge_requests/8
263871
Approved-by: Artem Savkov (@artem.savkov)
263871
Approved-by: Joe Lawrence (@joe.lawrence)
263871
Approved-by: Yannick Cote (@ycote1)
263871
263871
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/274
263871
263871
No reproducer available, tested via manual install and:
263871
KT0 test PASS (ppc64le only): https://beaker.engineering.redhat.com/jobs/5809981
263871
263871
for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39840849
263871
263871
commit e1b729d6d332cc22fe641edc723324222096bf29
263871
Author: Jon Maloy <jmaloy@redhat.com>
263871
Date:   Thu Aug 12 19:22:51 2021 -0400
263871
263871
    KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
263871
263871
    Bugzilla: https://bugzilla.redhat.com/1988218
263871
    Upstream Status: Merged
263871
    Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39246436
263871
    CVE: CVE-2021-37576
263871
263871
    commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a
263871
    Author: Nicholas Piggin <npiggin@gmail.com>
263871
    Date:   Tue Jul 20 20:43:09 2021 +1000
263871
263871
        KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
263871
263871
        The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on
263871
        the rtas_args.nargs that was provided by the guest. That guest nargs
263871
        value is not range checked, so the guest can cause the host rets pointer
263871
        to be pointed outside the args array. The individual rtas function
263871
        handlers check the nargs and nrets values to ensure they are correct,
263871
        but if they are not, the handlers store a -3 (0xfffffffd) failure
263871
        indication in rets[0] which corrupts host memory.
263871
263871
        Fix this by testing up front whether the guest supplied nargs and nret
263871
        would exceed the array size, and fail the hcall directly without storing
263871
        a failure indication to rets[0].
263871
263871
        Also expand on a comment about why we kill the guest and try not to
263871
        return errors directly if we have a valid rets[0] pointer.
263871
263871
        Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")
263871
        Cc: stable@vger.kernel.org # v3.10+
263871
        Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
263871
        Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
263871
        Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
263871
263871
    Signed-off-by: Jon Maloy <jmaloy@redhat.com>
263871
263871
Signed-off-by: Joel Savitz <jsavitz@redhat.com>
263871
---
263871
 arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
263871
 1 file changed, 22 insertions(+), 3 deletions(-)
263871
263871
diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
263871
index ef27fbd5d9c5..d896c6854abc 100644
263871
--- a/arch/powerpc/kvm/book3s_rtas.c
263871
+++ b/arch/powerpc/kvm/book3s_rtas.c
263871
@@ -230,6 +230,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
263871
 	 * value so we can restore it on the way out.
263871
 	 */
263871
 	orig_rets = args.rets;
263871
+	if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
263871
+		/*
263871
+		 * Don't overflow our args array: ensure there is room for
263871
+		 * at least rets[0] (even if the call specifies 0 nret).
263871
+		 *
263871
+		 * Each handler must then check for the correct nargs and nret
263871
+		 * values, but they may always return failure in rets[0].
263871
+		 */
263871
+		rc = -EINVAL;
263871
+		goto fail;
263871
+	}
263871
 	args.rets = &args.args[be32_to_cpu(args.nargs)];
263871
 
263871
 	mutex_lock(&vcpu->kvm->lock);
263871
@@ -257,9 +268,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
263871
 fail:
263871
 	/*
263871
 	 * We only get here if the guest has called RTAS with a bogus
263871
-	 * args pointer. That means we can't get to the args, and so we
263871
-	 * can't fail the RTAS call. So fail right out to userspace,
263871
-	 * which should kill the guest.
263871
+	 * args pointer or nargs/nret values that would overflow the
263871
+	 * array. That means we can't get to the args, and so we can't
263871
+	 * fail the RTAS call. So fail right out to userspace, which
263871
+	 * should kill the guest.
263871
+	 *
263871
+	 * SLOF should actually pass the hcall return value from the
263871
+	 * rtas handler call in r3, so enter_rtas could be modified to
263871
+	 * return a failure indication in r3 and we could return such
263871
+	 * errors to the guest rather than failing to host userspace.
263871
+	 * However old guests that don't test for failure could then
263871
+	 * continue silently after errors, so for now we won't do this.
263871
 	 */
263871
 	return rc;
263871
 }
263871
-- 
263871
2.26.3
263871
263871