rpms / kpatch-patch-4_18_0-305_10_2

Clone
Source Code
GIT

Blame SOURCES/CVE-2021-37576.patch

c8
  1.   c8
  2.   SOURCES
  3.   CVE-2021-37576.patch
Blob History Raw
1f0161 
From 742fee241938f6089d67c4e779ba0d608a9d88e3 Mon Sep 17 00:00:00 2001
1f0161 
From: Joe Lawrence <joe.lawrence@redhat.com>
1f0161 
Date: Mon, 30 Aug 2021 16:54:36 -0400
1f0161 
Subject: [KPATCH CVE-2021-37576] powerpc: kpatch fixes for CVE-2021-37576
1f0161
1f0161 
Kernels:
1f0161 
4.18.0-305.el8
1f0161 
4.18.0-305.3.1.el8_4
1f0161 
4.18.0-305.7.1.el8_4
1f0161 
4.18.0-305.10.2.el8_4
1f0161 
4.18.0-305.12.1.el8_4
1f0161
1f0161 
arches: ppc64le
1f0161 
Changes since last build:
1f0161 
[ppc64le]:
1f0161 
book3s_rtas.o: changed function: kvmppc_rtas_hcall
1f0161
1f0161 
---------------------------
1f0161
1f0161 
Kernels:
1f0161 
4.18.0-305.el8
1f0161 
4.18.0-305.3.1.el8_4
1f0161 
4.18.0-305.7.1.el8_4
1f0161 
4.18.0-305.10.2.el8_4
1f0161 
4.18.0-305.12.1.el8_4
1f0161
1f0161 
Modifications: none
1f0161 
Approved-by: Yannick Cote (@ycote1)
1f0161 
Approved-by: Artem Savkov (@artem.savkov)
1f0161 
KPATCH-MR: https://gitlab.com/kpatch-dev/rhel-8/-/merge_requests/2
1f0161
1f0161 
KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5756102
1f0161 
for kpatch-patch-4_18_0-305-1-5.el8 scratch build:
1f0161 
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39394966
1f0161
1f0161 
commit 82faab596fc8f92648f20e2fbc4211557b115c13
1f0161 
Author: Jon Maloy <jmaloy@redhat.com>
1f0161 
Date:   Thu Aug 12 19:22:51 2021 -0400
1f0161
1f0161 
    KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
1f0161
1f0161 
    Bugzilla: https://bugzilla.redhat.com/1988225
1f0161 
    Upstream Status: Merged
1f0161 
    Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38936146
1f0161 
    CVE: CVE-2021-37576
1f0161
1f0161 
    commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a
1f0161 
    Author: Nicholas Piggin <npiggin@gmail.com>
1f0161 
    Date:   Tue Jul 20 20:43:09 2021 +1000
1f0161
1f0161 
        KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
1f0161
1f0161 
        The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on
1f0161 
        the rtas_args.nargs that was provided by the guest. That guest nargs
1f0161 
        value is not range checked, so the guest can cause the host rets pointer
1f0161 
        to be pointed outside the args array. The individual rtas function
1f0161 
        handlers check the nargs and nrets values to ensure they are correct,
1f0161 
        but if they are not, the handlers store a -3 (0xfffffffd) failure
1f0161 
        indication in rets[0] which corrupts host memory.
1f0161
1f0161 
        Fix this by testing up front whether the guest supplied nargs and nret
1f0161 
        would exceed the array size, and fail the hcall directly without storing
1f0161 
        a failure indication to rets[0].
1f0161
1f0161 
        Also expand on a comment about why we kill the guest and try not to
1f0161 
        return errors directly if we have a valid rets[0] pointer.
1f0161
1f0161 
        Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")
1f0161 
        Cc: stable@vger.kernel.org # v3.10+
1f0161 
        Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
1f0161 
        Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
1f0161 
        Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
1f0161
1f0161 
    Signed-off-by: Jon Maloy <jmaloy@redhat.com>
1f0161
1f0161 
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
1f0161 
---
1f0161 
 arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
1f0161 
 1 file changed, 22 insertions(+), 3 deletions(-)
1f0161
1f0161 
diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
1f0161 
index ceccacbf028e..52095f765e32 100644
1f0161 
--- a/arch/powerpc/kvm/book3s_rtas.c
1f0161 
+++ b/arch/powerpc/kvm/book3s_rtas.c
1f0161 
@@ -245,6 +245,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
1f0161 
 	 * value so we can restore it on the way out.
1f0161 
 	 */
1f0161 
 	orig_rets = args.rets;
1f0161 
+	if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
1f0161 
+		/*
1f0161 
+		 * Don't overflow our args array: ensure there is room for
1f0161 
+		 * at least rets[0] (even if the call specifies 0 nret).
1f0161 
+		 *
1f0161 
+		 * Each handler must then check for the correct nargs and nret
1f0161 
+		 * values, but they may always return failure in rets[0].
1f0161 
+		 */
1f0161 
+		rc = -EINVAL;
1f0161 
+		goto fail;
1f0161 
+	}
1f0161 
 	args.rets = &args.args[be32_to_cpu(args.nargs)];
1f0161
1f0161 
 	mutex_lock(&vcpu->kvm->arch.rtas_token_lock);
1f0161 
@@ -272,9 +283,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
1f0161 
 fail:
1f0161 
 	/*
1f0161 
 	 * We only get here if the guest has called RTAS with a bogus
1f0161 
-	 * args pointer. That means we can't get to the args, and so we
1f0161 
-	 * can't fail the RTAS call. So fail right out to userspace,
1f0161 
-	 * which should kill the guest.
1f0161 
+	 * args pointer or nargs/nret values that would overflow the
1f0161 
+	 * array. That means we can't get to the args, and so we can't
1f0161 
+	 * fail the RTAS call. So fail right out to userspace, which
1f0161 
+	 * should kill the guest.
1f0161 
+	 *
1f0161 
+	 * SLOF should actually pass the hcall return value from the
1f0161 
+	 * rtas handler call in r3, so enter_rtas could be modified to
1f0161 
+	 * return a failure indication in r3 and we could return such
1f0161 
+	 * errors to the guest rather than failing to host userspace.
1f0161 
+	 * However old guests that don't test for failure could then
1f0161 
+	 * continue silently after errors, so for now we won't do this.
1f0161 
 	 */
1f0161 
 	return rc;
1f0161 
 }
1f0161 
--
1f0161 
2.31.1
1f0161
1f0161

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation