From 8215de5eb9e876d59d9c71e4171a9540da083648 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 07 2021 09:13:06 +0000 Subject: import kpatch-patch-4_18_0-305_12_1-1-1.el8_4 --- diff --git a/.gitignore b/.gitignore index e69de29..38e007d 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-4.18.0-305.12.1.el8_4.src.rpm +SOURCES/v0.9.3.tar.gz diff --git a/.kpatch-patch-4_18_0-305_12_1.metadata b/.kpatch-patch-4_18_0-305_12_1.metadata index e69de29..cfe3b79 100644 --- a/.kpatch-patch-4_18_0-305_12_1.metadata +++ b/.kpatch-patch-4_18_0-305_12_1.metadata @@ -0,0 +1,2 @@ +11486d821c4014c4994aa07e46f1eda517b3fcf5 SOURCES/kernel-4.18.0-305.12.1.el8_4.src.rpm +2b781cf5acd4869510950696e610b747ed508913 SOURCES/v0.9.3.tar.gz diff --git a/SOURCES/CVE-2021-37576.patch b/SOURCES/CVE-2021-37576.patch new file mode 100644 index 0000000..a4ec52f --- /dev/null +++ b/SOURCES/CVE-2021-37576.patch @@ -0,0 +1,127 @@ +From 742fee241938f6089d67c4e779ba0d608a9d88e3 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Mon, 30 Aug 2021 16:54:36 -0400 +Subject: [KPATCH CVE-2021-37576] powerpc: kpatch fixes for CVE-2021-37576 + +Kernels: +4.18.0-305.el8 +4.18.0-305.3.1.el8_4 +4.18.0-305.7.1.el8_4 +4.18.0-305.10.2.el8_4 +4.18.0-305.12.1.el8_4 + +arches: ppc64le +Changes since last build: +[ppc64le]: +book3s_rtas.o: changed function: kvmppc_rtas_hcall + +--------------------------- + +Kernels: +4.18.0-305.el8 +4.18.0-305.3.1.el8_4 +4.18.0-305.7.1.el8_4 +4.18.0-305.10.2.el8_4 +4.18.0-305.12.1.el8_4 + +Modifications: none +Approved-by: Yannick Cote (@ycote1) +Approved-by: Artem Savkov (@artem.savkov) +KPATCH-MR: https://gitlab.com/kpatch-dev/rhel-8/-/merge_requests/2 + +KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5756102 +for kpatch-patch-4_18_0-305-1-5.el8 scratch build: +https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39394966 + +commit 82faab596fc8f92648f20e2fbc4211557b115c13 +Author: Jon Maloy +Date: Thu Aug 12 19:22:51 2021 -0400 + + KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow + + Bugzilla: https://bugzilla.redhat.com/1988225 + Upstream Status: Merged + Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38936146 + CVE: CVE-2021-37576 + + commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a + Author: Nicholas Piggin + Date: Tue Jul 20 20:43:09 2021 +1000 + + KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow + + The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on + the rtas_args.nargs that was provided by the guest. That guest nargs + value is not range checked, so the guest can cause the host rets pointer + to be pointed outside the args array. The individual rtas function + handlers check the nargs and nrets values to ensure they are correct, + but if they are not, the handlers store a -3 (0xfffffffd) failure + indication in rets[0] which corrupts host memory. + + Fix this by testing up front whether the guest supplied nargs and nret + would exceed the array size, and fail the hcall directly without storing + a failure indication to rets[0]. + + Also expand on a comment about why we kill the guest and try not to + return errors directly if we have a valid rets[0] pointer. + + Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls") + Cc: stable@vger.kernel.org # v3.10+ + Reported-by: Alexey Kardashevskiy + Signed-off-by: Nicholas Piggin + Signed-off-by: Michael Ellerman + + Signed-off-by: Jon Maloy + +Signed-off-by: Joe Lawrence +--- + arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c +index ceccacbf028e..52095f765e32 100644 +--- a/arch/powerpc/kvm/book3s_rtas.c ++++ b/arch/powerpc/kvm/book3s_rtas.c +@@ -245,6 +245,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu) + * value so we can restore it on the way out. + */ + orig_rets = args.rets; ++ if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) { ++ /* ++ * Don't overflow our args array: ensure there is room for ++ * at least rets[0] (even if the call specifies 0 nret). ++ * ++ * Each handler must then check for the correct nargs and nret ++ * values, but they may always return failure in rets[0]. ++ */ ++ rc = -EINVAL; ++ goto fail; ++ } + args.rets = &args.args[be32_to_cpu(args.nargs)]; + + mutex_lock(&vcpu->kvm->arch.rtas_token_lock); +@@ -272,9 +283,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu) + fail: + /* + * We only get here if the guest has called RTAS with a bogus +- * args pointer. That means we can't get to the args, and so we +- * can't fail the RTAS call. So fail right out to userspace, +- * which should kill the guest. ++ * args pointer or nargs/nret values that would overflow the ++ * array. That means we can't get to the args, and so we can't ++ * fail the RTAS call. So fail right out to userspace, which ++ * should kill the guest. ++ * ++ * SLOF should actually pass the hcall return value from the ++ * rtas handler call in r3, so enter_rtas could be modified to ++ * return a failure indication in r3 and we could return such ++ * errors to the guest rather than failing to host userspace. ++ * However old guests that don't test for failure could then ++ * continue silently after errors, so for now we won't do this. + */ + return rc; + } +-- +2.31.1 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 5f26e12..2209251 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,18 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 4.18.0-305.12.1.el8_4 %define kpatch_ver 0.9.3 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/1988230 +Source100: CVE-2021-37576.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -31,7 +32,7 @@ Summary: Live kernel patching module for kernel-%{kernel_ver_arch} Group: System Environment/Kernel License: GPLv2 -ExclusiveArch: x86_64 ppc64le +ExclusiveArch: ppc64le Conflicts: %{name} < %{version}-%{release} @@ -150,5 +151,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Wed Sep 01 2021 Artem Savkov [1-1.el8_4] +- powerpc: KVM guest OS users can cause host OS memory corruption [1988230] {CVE-2021-37576} + * Thu Jul 29 2021 Artem Savkov [0-0.el8_4] - An empty patch to subscribe to kpatch stream for kernel-4.18.0-305.12.1.el8_4 [1987277]