From 742fee241938f6089d67c4e779ba0d608a9d88e3 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Mon, 30 Aug 2021 16:54:36 -0400
Subject: [KPATCH CVE-2021-37576] powerpc: kpatch fixes for CVE-2021-37576
Kernels:
4.18.0-305.el8
4.18.0-305.3.1.el8_4
4.18.0-305.7.1.el8_4
4.18.0-305.10.2.el8_4
4.18.0-305.12.1.el8_4
arches: ppc64le
Changes since last build:
[ppc64le]:
book3s_rtas.o: changed function: kvmppc_rtas_hcall
---------------------------
Kernels:
4.18.0-305.el8
4.18.0-305.3.1.el8_4
4.18.0-305.7.1.el8_4
4.18.0-305.10.2.el8_4
4.18.0-305.12.1.el8_4
Modifications: none
Approved-by: Yannick Cote (@ycote1)
Approved-by: Artem Savkov (@artem.savkov)
KPATCH-MR: https://gitlab.com/kpatch-dev/rhel-8/-/merge_requests/2
KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5756102
for kpatch-patch-4_18_0-305-1-5.el8 scratch build:
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39394966
commit 82faab596fc8f92648f20e2fbc4211557b115c13
Author: Jon Maloy <jmaloy@redhat.com>
Date: Thu Aug 12 19:22:51 2021 -0400
KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
Bugzilla: https://bugzilla.redhat.com/1988225
Upstream Status: Merged
Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38936146
CVE: CVE-2021-37576
commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a
Author: Nicholas Piggin <npiggin@gmail.com>
Date: Tue Jul 20 20:43:09 2021 +1000
KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on
the rtas_args.nargs that was provided by the guest. That guest nargs
value is not range checked, so the guest can cause the host rets pointer
to be pointed outside the args array. The individual rtas function
handlers check the nargs and nrets values to ensure they are correct,
but if they are not, the handlers store a -3 (0xfffffffd) failure
indication in rets[0] which corrupts host memory.
Fix this by testing up front whether the guest supplied nargs and nret
would exceed the array size, and fail the hcall directly without storing
a failure indication to rets[0].
Also expand on a comment about why we kill the guest and try not to
return errors directly if we have a valid rets[0] pointer.
Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")
Cc: stable@vger.kernel.org # v3.10+
Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
|
|
|
a96b61 |
index ceccacbf028e..52095f765e32 100644
|
|
|
a96b61 |
--- a/arch/powerpc/kvm/book3s_rtas.c
|
|
|
a96b61 |
+++ b/arch/powerpc/kvm/book3s_rtas.c
|
|
|
a96b61 |
@@ -245,6 +245,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
|
|
|
a96b61 |
* value so we can restore it on the way out.
|
|
|
a96b61 |
*/
|
|
|
a96b61 |
orig_rets = args.rets;
|
|
|
a96b61 |
+ if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
|
|
|
a96b61 |
+ /*
|
|
|
a96b61 |
+ * Don't overflow our args array: ensure there is room for
|
|
|
a96b61 |
+ * at least rets[0] (even if the call specifies 0 nret).
|
|
|
a96b61 |
+ *
|
|
|
a96b61 |
+ * Each handler must then check for the correct nargs and nret
|
|
|
a96b61 |
+ * values, but they may always return failure in rets[0].
|
|
|
a96b61 |
+ */
|
|
|
a96b61 |
+ rc = -EINVAL;
|
|
|
a96b61 |
+ goto fail;
|
|
|
a96b61 |
+ }
|
|
|
a96b61 |
args.rets = &args.args[be32_to_cpu(args.nargs)];
|
|
|
a96b61 |
|
|
|
a96b61 |
mutex_lock(&vcpu->kvm->arch.rtas_token_lock);
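Review bot: `be32_to_cpu(args.nargs)` is evaluated twice in this hunk, once in the new guard and again two lines later when `args.rets` is pointed into the array; a single local such as `u32 nargs = be32_to_cpu(args.nargs);`, declared with the function's other locals (which are outside this hunk), would make it self-evident that the index used is exactly the value that was bounds-checked. The guard constrains only nargs, so it guarantees room for rets[0] but nothing beyond it; as the added comment says, space for rets[1..] still depends on every registered handler validating nret before writing past rets[0], and that dependency is worth stating in the hunk's comment in one line, e.g. `* Only rets[0] is guaranteed to be in bounds here.`. The body of kvmppc_rtas_hcall begins before this hunk.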
|
|
|
a96b61 |
@@ -272,9 +283,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
|
|
|
a96b61 |
fail:
|
|
|
a96b61 |
/*
|
|
|
a96b61 |
* We only get here if the guest has called RTAS with a bogus
|
|
|
a96b61 |
- * args pointer. That means we can't get to the args, and so we
|
|
|
a96b61 |
- * can't fail the RTAS call. So fail right out to userspace,
|
|
|
a96b61 |
- * which should kill the guest.
|
|
|
a96b61 |
+ * args pointer or nargs/nret values that would overflow the
|
|
|
a96b61 |
+ * array. That means we can't get to the args, and so we can't
|
|
|
a96b61 |
+ * fail the RTAS call. So fail right out to userspace, which
|
|
|
a96b61 |
+ * should kill the guest.
|
|
|
a96b61 |
+ *
|
|
|
a96b61 |
+ * SLOF should actually pass the hcall return value from the
|
|
|
a96b61 |
+ * rtas handler call in r3, so enter_rtas could be modified to
|
|
|
a96b61 |
+ * return a failure indication in r3 and we could return such
|
|
|
a96b61 |
+ * errors to the guest rather than failing to host userspace.
|
|
|
a96b61 |
+ * However old guests that don't test for failure could then
|
|
|
a96b61 |
+ * continue silently after errors, so for now we won't do this.
|
|
|
a96b61 |
*/
|
|
|
a96b61 |
return rc;
|
|
|
a96b61 |
}
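Review bot: The rewritten fail-path comment keeps "we can't get to the args" for both cases, but for the new nargs/nret overflow case the args block was already read into the local copy (the previous hunk reads `args.rets` into `orig_rets` before the check); what is missing is a safe location for rets[0], not the args themselves. Suggest `* array. In either case there is no safe rets[0] to write, so we` followed by `* can't fail the RTAS call the normal way. So fail right out to` so the comment matches the -EINVAL path added above. The rest of kvmppc_rtas_hcall, including the jumps to this label, lies outside this hunk.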
--
2.31.1