From 8a3e286f2ff1f83ffd645cbad1cb49f80ab2ab00 Mon Sep 17 00:00:00 2001

From: Ryan Sullivan <rysulliv@redhat.com>

Date: Tue, 17 Oct 2023 13:28:46 -0400

Subject: [KPATCH CVE-2023-3776] kpatch fixes for CVE-2023-3776

Kernels:

3.10.0-1160.90.1.el7

3.10.0-1160.92.1.el7

3.10.0-1160.95.1.el7

3.10.0-1160.99.1.el7

3.10.0-1160.102.1.el7

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/61

Approved-by: Joe Lawrence (@joe.lawrence)

Approved-by: Yannick Cote (@ycote1)

Changes since last build:

arches: x86_64 ppc64le

cls_fw.o: changed function: fw_change

cls_fw.o: changed function: fw_set_parms

cls_route.o: changed function: route4_change

cls_u32.o: changed function: u32_change

sch_qfq.o: changed function: qfq_enqueue

---------------------------

Modifications: none

commit 726e9f3d88c729cdae09768c94e588deebdb9d52

Author: Marcelo Tosatti <mtosatti@redhat.com>

Date:   Mon Jan 23 17:17:17 2023 -0300

    KVM: x86: rename argument to kvm_set_tsc_khz

    commit 4941b8cb3746f09bb102f7a5d64d878e96a0c6cd

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838

    JIRA: https://issues.redhat.com/browse/RHELPLAN-141963

    Testing: Tested by QE

    This refers to the desired (scaled) frequency, which is called

    user_tsc_khz in the rest of the file.

    Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>

    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

commit 866faa0e99083ee93d04d3c37065cf8dbfc51a34

Author: Marcelo Tosatti <mtosatti@redhat.com>

Date:   Mon Jan 23 17:24:19 2023 -0300

    KVM: x86: rewrite handling of scaled TSC for kvmclock

    commit 78db6a5037965429c04d708281f35a6e5562d31b

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838

    Testing: Tested by QE

    JIRA: https://issues.redhat.com/browse/RHELPLAN-141963

    This is the same as before:

        kvm_scale_tsc(tgt_tsc_khz)

            = tgt_tsc_khz * ratio

            = tgt_tsc_khz * user_tsc_khz / tsc_khz   (see set_tsc_khz)

            = user_tsc_khz                           (see kvm_guest_time_update)

            = vcpu->arch.virtual_tsc_khz             (see kvm_set_tsc_khz)

    However, computing it through kvm_scale_tsc will make it possible

    to include the NTP correction in tgt_tsc_khz.

    Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>

    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

commit bde6eebb5708ecd38db0023e657d38058e0d962f

Author: Marcelo Tosatti <mtosatti@redhat.com>

Date:   Wed Jan 25 16:07:18 2023 -0300

    KVM: x86: add bit to indicate correct tsc_shift

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838

    Testing: Tested by QE

    Upstream Status: RHEL7 only

    JIRA: https://issues.redhat.com/browse/RHELPLAN-141963

    This changeset is unique to RHEL-7 since it was decided

    it is not necessary upstream:

    "I don't think it's justifiable to further complicate the userspace API for a

    bug that's been fixed six years ago.  I'd be very surprised if any combination

    of modern upstream {QEMU,kernel} is going to do a successful migration from

    such an old {QEMU,kernel}.  RHEL/CentOS are able to do so because *specific

    pairs* have been tested, but as far as upstream is concerned this adds

    complexity that absolutely no one will use."

    Before commit 78db6a5037965429c04d708281f35a6e5562d31b,

    kvm_guest_time_update() would use vcpu->virtual_tsc_khz to calculate

    tsc_shift value in the vcpus pvclock structure written to guest memory.

    For those kernels, if vcpu->virtual_tsc_khz != tsc_khz (which can be the

    case when guest state is restored via migration, or if tsc-khz option is

    passed to QEMU), and TSC scaling is not enabled (which happens if the

    difference between the frequency requested via KVM_SET_TSC_KHZ and the

    host TSC KHZ is smaller than 250ppm), then there can be a difference

    between what KVM_GET_CLOCK would return and what the guest reads as

    kvmclock value.

    When KVM_SET_CLOCK'ing what is read with KVM_GET_CLOCK, the

    guest can observe a forward or backwards time jump.

    Advertise to userspace that current kernel contains

    this fix, so QEMU can workaround the problem by reading

    pvclock via guest memory directly otherwise.

    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

commit 373ed8339c956ce1d9049737bab779f143fc1267

Author: Davide Caratti <dcaratti@redhat.com>

Date:   Tue Aug 8 11:57:51 2023 +0200

    net/sched: cls_fw: Fix improper refcount update leads to use-after-free

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225639

    CVE: CVE-2023-3776

    Upstream Status: net.git commit 0323bce598ee

    Conflicts:

     - net/sched/cls_fw.c: context mismatch because of missing backport

       of upstream commit a51486266c3b ("net: sched: remove NET_CLS_IND

       config option")

    commit 0323bce598eea038714f941ce2b22541c46d488f

    Author: M A Ramdhan <ramdhan@starlabs.sg>

    Date:   Wed Jul 5 12:15:30 2023 -0400

        net/sched: cls_fw: Fix improper refcount update leads to use-after-free

        In the event of a failure in tcf_change_indev(), fw_set_parms() will

        immediately return an error after incrementing or decrementing

        reference counter in tcf_bind_filter().  If attacker can control

        reference counter to zero and make reference freed, leading to

        use after free.

        In order to prevent this, move the point of possible failure above the

        point where the TC_FW_CLASSID is handled.

        Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")

        Reported-by: M A Ramdhan <ramdhan@starlabs.sg>

        Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>

        Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>

        Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>

        Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>

        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Davide Caratti <dcaratti@redhat.com>

Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>

---

 net/sched/cls_fw.c | 10 +++++-----

 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c

index e05043266620..3427222f8e60 100644

--- a/net/sched/cls_fw.c

+++ b/net/sched/cls_fw.c

@@ -218,11 +218,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,

 	if (err < 0)

 		return err;

-	if (tb[TCA_FW_CLASSID]) {

-		f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);

-		tcf_bind_filter(tp, &f->res, base);

-	}

-

 #ifdef CONFIG_NET_CLS_IND

 	if (tb[TCA_FW_INDEV]) {

 		int ret;

@@ -241,6 +236,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,

 	} else if (head->mask != 0xFFFFFFFF)

 		return err;

+	if (tb[TCA_FW_CLASSID]) {

+		f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);

+		tcf_bind_filter(tp, &f->res, base);

+	}

+

 	return 0;

 }

-- 

2.41.0