diff --git a/SOURCES/CVE-2021-22543.patch b/SOURCES/CVE-2021-22543.patch new file mode 100644 index 0000000..665f710 --- /dev/null +++ b/SOURCES/CVE-2021-22543.patch @@ -0,0 +1,117 @@ +From 9cb8a03ebca7263af03701ef256248ca8e5c434d Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Wed, 7 Jul 2021 17:44:40 +0200 +Subject: [PATCH] KVM: do not allow mapping valid but non-reference-counted + pages + +Kernels: +4.18.0-305.el8 +4.18.0-305.3.1.el8_4 +4.18.0-305.7.1.el8_4 + +Changes since last build: +[x86_64]: +kvm_main.o: changed function: __gfn_to_pfn_memslot + +[ppc64le]: +kvm_main.o: changed function: gfn_to_pfn_memslot +kvm_main.o: changed function: hva_to_pfn + +--------------------------- + +Kernels: +4.18.0-305.el8 +4.18.0-305.3.1.el8_4 +4.18.0-305.7.1.el8_4 +4.18.0-305.10.2.el8_4 + +Modifications: none +Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/898 +Testing: kernel_write.c reproducer + +commit 9871aa051ac11ab8551be01d7394915a5530dbbd +Author: Jon Maloy +Date: Wed Jun 30 21:09:40 2021 -0400 + + KVM: do not allow mapping valid but non-reference-counted pages + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975514 + Upstream: commit f8be156be163a052a067306417cd0ff679068c97 + CVE: CVE-2021-22543 + Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37829337 + + commit f8be156be163a052a067306417cd0ff679068c97 + Author: Nicholas Piggin + Date: Thu Jun 24 08:29:04 2021 -0400 + + KVM: do not allow mapping valid but non-reference-counted pages + + It's possible to create a region which maps valid but non-refcounted + pages (e.g., tail pages of non-compound higher order allocations). These + host pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family + of APIs, which take a reference to the page, which takes it from 0 to 1. + When the reference is dropped, this will free the page incorrectly. + + Fix this by only taking a reference on valid pages if it was non-zero, + which indicates it is participating in normal refcounting (and can be + released with put_page). + + This addresses CVE-2021-22543. + + Signed-off-by: Nicholas Piggin + Tested-by: Paolo Bonzini + Cc: stable@vger.kernel.org + Signed-off-by: Paolo Bonzini + + Signed-off-by: Jon Maloy + +Signed-off-by: Artem Savkov +Acked-by: Yannick Cote +Acked-by: Joe Lawrence +--- + virt/kvm/kvm_main.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index d4ec73c304a31..9f1cf429954c7 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1894,6 +1894,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault) + return true; + } + ++static int kvm_try_get_pfn(kvm_pfn_t pfn) ++{ ++ if (kvm_is_reserved_pfn(pfn)) ++ return 1; ++ return get_page_unless_zero(pfn_to_page(pfn)); ++} ++ + static int hva_to_pfn_remapped(struct vm_area_struct *vma, + unsigned long addr, bool *async, + bool write_fault, bool *writable, +@@ -1936,11 +1943,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma, + * Whoever called remap_pfn_range is also going to call e.g. + * unmap_mapping_range before the underlying pages are freed, + * causing a call to our MMU notifier. ++ * ++ * Certain IO or PFNMAP mappings can be backed with valid ++ * struct pages, but be allocated without refcounting e.g., ++ * tail pages of non-compound higher order allocations, which ++ * would then underflow the refcount when the caller does the ++ * required put_page. Don't allow those pages here. + */ +- kvm_get_pfn(pfn); ++ if (!kvm_try_get_pfn(pfn)) ++ r = -EFAULT; + + *p_pfn = pfn; +- return 0; ++ ++ return r; + } + + /* +-- +2.26.3 + diff --git a/SOURCES/CVE-2021-22555.patch b/SOURCES/CVE-2021-22555.patch new file mode 100644 index 0000000..ff61b37 --- /dev/null +++ b/SOURCES/CVE-2021-22555.patch @@ -0,0 +1,160 @@ +From b8c2b76bf8026457489948693638df321c680e7b Mon Sep 17 00:00:00 2001 +From: Joel Savitz +Date: Fri, 23 Jul 2021 11:26:01 -0400 +Subject: [PATCH] netfilter: x_tables: kpatch fixes for CVE-2021-22555 + +Kernels: +4.18.0-305.el8 +4.18.0-305.3.1.el8_4 +4.18.0-305.7.1.el8_4 +4.18.0-305.10.2.el8_4 + +Changes since last build: +arches: x86_64 ppc64le +arp_tables.o: changed function: translate_compat_table +ip6_tables.o: changed function: translate_compat_table +ip_tables.o: changed function: translate_compat_table +x_tables.o: changed function: xt_compat_match_from_user +x_tables.o: changed function: xt_compat_target_from_user +--------------------------- + +Kernels: +4.18.0-305.el8 +4.18.0-305.3.1.el8_4 +4.18.0-305.7.1.el8_4 +4.18.0-305.10.2.el8_4 + +Modifications: none + +Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/951 + +KT0: https://beaker.engineering.redhat.com/jobs/5611476 (PASS for x86_64 and queued for ppc64le) +for scratch Build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38312105 + +commit a6f41b0d134d0ca62a46da0204f02018d69f19dd +Author: Florian Westphal +Date: Thu Apr 15 17:12:32 2021 +0200 + + netfilter: x_tables: fix compat match/target pad out-of-bound write + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1980500 + Y-Commit: 67b5dd48280ef85610333da24be367188d0542cb + O-Bugzilla: 1980501 + CVE: CVE-2021-22555 + + Upstream Status: commit b29c457a65114 + + commit b29c457a6511435960115c0f548c4360d5f4801d + Author: Florian Westphal + Date: Wed Apr 7 21:38:57 2021 +0200 + + netfilter: x_tables: fix compat match/target pad out-of-bound write + + xt_compat_match/target_from_user doesn't check that zeroing the area + to start of next rule won't write past end of allocated ruleset blob. + + Remove this code and zero the entire blob beforehand. + + Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com + Reported-by: Andy Nguyen + Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") + Signed-off-by: Florian Westphal + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + Signed-off-by: Jan Stancek + +Signed-off-by: Joel Savitz +Acked-by: Artem Savkov +Acked-by: Joe Lawrence +--- + net/ipv4/netfilter/arp_tables.c | 2 ++ + net/ipv4/netfilter/ip_tables.c | 2 ++ + net/ipv6/netfilter/ip6_tables.c | 2 ++ + net/netfilter/x_tables.c | 10 ++-------- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index ca20efe775ee4..d2ebbeaa9870b 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1195,6 +1195,8 @@ static int translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 4cdfb76b9aa8c..8d1545c3bf7b1 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1433,6 +1433,8 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index f7f25eb536d5b..b9d05ea5b9f0f 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1448,6 +1448,8 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index eb66934f36ec2..e258429213cab 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -736,7 +736,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + { + const struct xt_match *match = m->u.kernel.match; + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; +- int pad, off = xt_compat_match_offset(match); ++ int off = xt_compat_match_offset(match); + u_int16_t msize = cm->u.user.match_size; + char name[sizeof(m->u.user.name)]; + +@@ -746,9 +746,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + match->compat_from_user(m->data, cm->data); + else + memcpy(m->data, cm->data, msize - sizeof(*cm)); +- pad = XT_ALIGN(match->matchsize) - match->matchsize; +- if (pad > 0) +- memset(m->data + match->matchsize, 0, pad); + + msize += off; + m->u.user.match_size = msize; +@@ -1119,7 +1116,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + { + const struct xt_target *target = t->u.kernel.target; + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; +- int pad, off = xt_compat_target_offset(target); ++ int off = xt_compat_target_offset(target); + u_int16_t tsize = ct->u.user.target_size; + char name[sizeof(t->u.user.name)]; + +@@ -1129,9 +1126,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + target->compat_from_user(t->data, ct->data); + else + memcpy(t->data, ct->data, tsize - sizeof(*ct)); +- pad = XT_ALIGN(target->targetsize) - target->targetsize; +- if (pad > 0) +- memset(t->data + target->targetsize, 0, pad); + + tsize += off; + t->u.user.target_size = tsize; +-- +2.26.3 + diff --git a/SOURCES/CVE-2021-3609.patch b/SOURCES/CVE-2021-3609.patch new file mode 100644 index 0000000..22e05c0 --- /dev/null +++ b/SOURCES/CVE-2021-3609.patch @@ -0,0 +1,108 @@ +From 61fe578156c4c9bad13e83efdf4a1546c1bab3cd Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Mon, 26 Jul 2021 12:27:34 +0200 +Subject: [PATCH] can: bcm: delay release of struct bcm_op after + synchronize_rcu() + +Kernels: +4.18.0-305.el8 +4.18.0-305.3.1.el8_4 +4.18.0-305.7.1.el8_4 +4.18.0-305.10.2.el8_4 + +Changes since last build: +arches: x86_64 ppc64le +bcm.o: changed function: bcm_release +bcm.o: changed function: bcm_sendmsg +--------------------------- + +Kernels: +4.18.0-305.el8 +4.18.0-305.3.1.el8_4 +4.18.0-305.7.1.el8_4 +4.18.0-305.10.2.el8_4 + +Modifications: none + +commit 14c1d51567d0ef31ef900f6d1641615924fdb239 +Author: Hangbin Liu +Date: Mon Jun 28 14:50:49 2021 +0800 + + can: bcm: delay release of struct bcm_op after synchronize_rcu() + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975058 + Y-Commit: fc088504ba6bee277b7bdc93ab0988b648bb8b81 + + Upstream Status: net.git commit d5f9023fa61e + CVE: CVE-2021-3609 + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975059 + + commit d5f9023fa61ee8b94f37a93f08e94b136cf1e463 + Author: Thadeu Lima de Souza Cascardo + Date: Sat Jun 19 13:18:13 2021 -0300 + + can: bcm: delay release of struct bcm_op after synchronize_rcu() + + can_rx_register() callbacks may be called concurrently to the call to + can_rx_unregister(). The callbacks and callback data, though, are + protected by RCU and the struct sock reference count. + + So the callback data is really attached to the life of sk, meaning + that it should be released on sk_destruct. However, bcm_remove_op() + calls tasklet_kill(), and RCU callbacks may be called under RCU + softirq, so that cannot be used on kernels before the introduction of + HRTIMER_MODE_SOFT. + + However, bcm_rx_handler() is called under RCU protection, so after + calling can_rx_unregister(), we may call synchronize_rcu() in order to + wait for any RCU read-side critical sections to finish. That is, + bcm_rx_handler() won't be called anymore for those ops. So, we only + free them, after we do that synchronize_rcu(). + + Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol") + Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com + Cc: linux-stable + Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com + Reported-by: Norbert Slusarek + Signed-off-by: Thadeu Lima de Souza Cascardo + Acked-by: Oliver Hartkopp + Signed-off-by: Marc Kleine-Budde + + Signed-off-by: Hangbin Liu + +Signed-off-by: Artem Savkov +Acked-by: Joe Lawrence +--- + net/can/bcm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index 0af8f0db892a3..4ee2fd682afaa 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -802,6 +802,7 @@ static int bcm_delete_rx_op(struct list_head *ops, struct bcm_msg_head *mh, + bcm_rx_handler, op); + + list_del(&op->list); ++ synchronize_rcu(); + bcm_remove_op(op); + return 1; /* done */ + } +@@ -1527,9 +1528,13 @@ static int bcm_release(struct socket *sock) + REGMASK(op->can_id), + bcm_rx_handler, op); + +- bcm_remove_op(op); + } + ++ synchronize_rcu(); ++ ++ list_for_each_entry_safe(op, next, &bo->rx_ops, list) ++ bcm_remove_op(op); ++ + #if IS_ENABLED(CONFIG_PROC_FS) + /* remove procfs entry */ + if (net->can.bcmproc_dir && bo->bcm_proc_read) +-- +2.26.3 + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index b7f67ac..dd357ac 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 4.18.0-305.el8 %define kpatch_ver 0.9.3 %define rpm_ver 1 -%define rpm_rel 3 +%define rpm_rel 4 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -22,6 +22,15 @@ Source102: CVE-2021-32399.patch # # https://bugzilla.redhat.com/1975190 Source103: CVE-2021-33909.patch +# +# https://bugzilla.redhat.com/1975762 +Source104: CVE-2021-22543.patch +# +# https://bugzilla.redhat.com/1980520 +Source105: CVE-2021-22555.patch +# +# https://bugzilla.redhat.com/1975066 +Source106: CVE-2021-3609.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -160,6 +169,11 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Jul 27 2021 Artem Savkov [1-4.el8] +- race condition in net/can/bcm.c leads to local privilege escalation [1975066] {CVE-2021-3609} +- out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c [1980520] {CVE-2021-22555} +- Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks [1975762] {CVE-2021-22543} + * Mon Jul 12 2021 Artem Savkov [1-3.el8] - kernel: size_t-to-int conversion vulnerability in the filesystem layer [1975190] {CVE-2021-33909} - kernel: race condition for removal of the HCI controller [1971478] {CVE-2021-32399}