From d755c1f10a580e972fafb7bebf24378b5b830b98 Mon Sep 17 00:00:00 2001
From: Ryan Sullivan <rysulliv@redhat.com>
Date: Tue, 7 Nov 2023 15:04:48 -0500
Subject: [KPATCH CVE-2023-4128] kpatch fixes for CVE-2023-4128
Kernels:
3.10.0-1160.90.1.el7
3.10.0-1160.92.1.el7
3.10.0-1160.95.1.el7
3.10.0-1160.99.1.el7
3.10.0-1160.102.1.el7
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/62
Approved-by: Joe Lawrence (@joe.lawrence)
Approved-by: Yannick Cote (@ycote1)
Changes since last build:
arches: x86_64 ppc64le
cls_fw.o: changed function: fw_change
cls_fw.o: changed function: fw_set_parms
cls_route.o: changed function: route4_change
cls_u32.o: changed function: u32_change
sch_qfq.o: changed function: qfq_enqueue
---------------------------
Modifications: none
commit 726e9f3d88c729cdae09768c94e588deebdb9d52
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date: Mon Jan 23 17:17:17 2023 -0300
KVM: x86: rename argument to kvm_set_tsc_khz
commit 4941b8cb3746f09bb102f7a5d64d878e96a0c6cd
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
JIRA: https://issues.redhat.com/browse/RHELPLAN-141963
Testing: Tested by QE
This refers to the desired (scaled) frequency, which is called
user_tsc_khz in the rest of the file.
Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
commit 866faa0e99083ee93d04d3c37065cf8dbfc51a34
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date: Mon Jan 23 17:24:19 2023 -0300
KVM: x86: rewrite handling of scaled TSC for kvmclock
commit 78db6a5037965429c04d708281f35a6e5562d31b
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
Testing: Tested by QE
JIRA: https://issues.redhat.com/browse/RHELPLAN-141963
This is the same as before:
kvm_scale_tsc(tgt_tsc_khz)
= tgt_tsc_khz * ratio
= tgt_tsc_khz * user_tsc_khz / tsc_khz (see set_tsc_khz)
= user_tsc_khz (see kvm_guest_time_update)
= vcpu->arch.virtual_tsc_khz (see kvm_set_tsc_khz)
However, computing it through kvm_scale_tsc will make it possible
to include the NTP correction in tgt_tsc_khz.
Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
commit bde6eebb5708ecd38db0023e657d38058e0d962f
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date: Wed Jan 25 16:07:18 2023 -0300
KVM: x86: add bit to indicate correct tsc_shift
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
Testing: Tested by QE
Upstream Status: RHEL7 only
JIRA: https://issues.redhat.com/browse/RHELPLAN-141963
This changeset is unique to RHEL-7 since it was decided
it is not necessary upstream:
"I don't think it's justifiable to further complicate the userspace API for a
bug that's been fixed six years ago. I'd be very surprised if any combination
of modern upstream {QEMU,kernel} is going to do a successful migration from
such an old {QEMU,kernel}. RHEL/CentOS are able to do so because *specific
pairs* have been tested, but as far as upstream is concerned this adds
complexity that absolutely no one will use."
Before commit 78db6a5037965429c04d708281f35a6e5562d31b,
kvm_guest_time_update() would use vcpu->virtual_tsc_khz to calculate
tsc_shift value in the vcpus pvclock structure written to guest memory.
For those kernels, if vcpu->virtual_tsc_khz != tsc_khz (which can be the
case when guest state is restored via migration, or if tsc-khz option is
passed to QEMU), and TSC scaling is not enabled (which happens if the
difference between the frequency requested via KVM_SET_TSC_KHZ and the
host TSC KHZ is smaller than 250ppm), then there can be a difference
between what KVM_GET_CLOCK would return and what the guest reads as
kvmclock value.
When KVM_SET_CLOCK'ing what is read with KVM_GET_CLOCK, the
guest can observe a forward or backwards time jump.
Advertise to userspace that current kernel contains
this fix, so QEMU can work around the problem by reading
pvclock via guest memory directly otherwise.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
commit 55a81001d2c4927795b36be55f54675f325c9ef2
Author: Davide Caratti <dcaratti@redhat.com>
Date: Wed Aug 9 15:22:14 2023 +0200
net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2228703
CVE: CVE-2023-4128
Upstream Status: net.git commit b80b829e9e2c
commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8
Author: valis <sec@valis.email>
Date: Sat Jul 29 08:32:02 2023 -0400
net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
When route4_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.
This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.
Fix this by no longer copying the tcf_result struct from the old filter.
Fixes: 1109c00547fc ("net: sched: RCU cls_route")
Reported-by: valis <sec@valis.email>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-4-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
commit 820985c32b9616c7e793206ef8f8aff7c5ccfc8b
Author: Davide Caratti <dcaratti@redhat.com>
Date: Wed Aug 9 15:22:15 2023 +0200
net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2228703
CVE: CVE-2023-4128
Upstream Status: net.git commit 76e42ae83199
Conflicts:
- net/sched/cls_fw.c: context mismatch because of missing upstream commit
a51486266c3b ("net: sched: remove NET_CLS_IND config option")
commit 76e42ae831991c828cffa8c37736ebfb831ad5ec
Author: valis <sec@valis.email>
Date: Sat Jul 29 08:32:01 2023 -0400
net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
When fw_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.
This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.
Fix this by no longer copying the tcf_result struct from the old filter.
Fixes: e35a8ee5993b ("net: sched: fw use RCU")
Reported-by: valis <sec@valis.email>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
commit 86b6be644c207dd3f4b3ecf4975a771608f0cece
Author: Davide Caratti <dcaratti@redhat.com>
Date: Wed Aug 9 15:23:37 2023 +0200
net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2228703
CVE: CVE-2023-4128
Upstream Status: net.git commit 3044b16e7c6f
commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81
Author: valis <sec@valis.email>
Date: Sat Jul 29 08:32:00 2023 -0400
net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
When u32_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.
This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.
Fix this by no longer copying the tcf_result struct from the old filter.
Fixes: de5df63228fc ("net: sched: cls_u32 changes to knode must appear atomic to readers")
Reported-by: valis <sec@valis.email>
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-2-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
---
net/sched/cls_fw.c | 1 -
net/sched/cls_route.c | 1 -
net/sched/cls_u32.c | 1 -
3 files changed, 3 deletions(-)
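--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -274,7 +274,6 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
 return -ENOBUFS;
 
 fnew->id = f->id;
- fnew->res = f->res;
 #ifdef CONFIG_NET_CLS_IND
 fnew->ifindex = f->ifindex;
 #endif /* CONFIG_NET_CLS_IND */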
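--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -501,7 +501,6 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 if (fold) {
 f->id = fold->id;
 f->iif = fold->iif;
- f->res = fold->res;
 f->handle = fold->handle;
 
 f->tp = fold->tp;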
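--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -864,7 +864,6 @@ static struct tc_u_knode *u32_init_knode(struct tcf_proto *tp,
 new->ifindex = n->ifindex;
 #endif
 new->fshift = n->fshift;
- new->res = n->res;
 new->flags = n->flags;
 RCU_INIT_POINTER(new->ht_down, n->ht_down);
 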
--
2.41.0