From 742fee241938f6089d67c4e779ba0d608a9d88e3 Mon Sep 17 00:00:00 2001 From: Joe Lawrence Date: Mon, 30 Aug 2021 16:54:36 -0400 Subject: [KPATCH CVE-2021-37576] powerpc: kpatch fixes for CVE-2021-37576 Kernels: 4.18.0-305.el8 4.18.0-305.3.1.el8_4 4.18.0-305.7.1.el8_4 4.18.0-305.10.2.el8_4 4.18.0-305.12.1.el8_4 arches: ppc64le Changes since last build: [ppc64le]: book3s_rtas.o: changed function: kvmppc_rtas_hcall --------------------------- Kernels: 4.18.0-305.el8 4.18.0-305.3.1.el8_4 4.18.0-305.7.1.el8_4 4.18.0-305.10.2.el8_4 4.18.0-305.12.1.el8_4 Modifications: none Approved-by: Yannick Cote (@ycote1) Approved-by: Artem Savkov (@artem.savkov) KPATCH-MR: https://gitlab.com/kpatch-dev/rhel-8/-/merge_requests/2 KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5756102 for kpatch-patch-4_18_0-305-1-5.el8 scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39394966 commit 82faab596fc8f92648f20e2fbc4211557b115c13 Author: Jon Maloy Date: Thu Aug 12 19:22:51 2021 -0400 KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow Bugzilla: https://bugzilla.redhat.com/1988225 Upstream Status: Merged Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38936146 CVE: CVE-2021-37576 commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a Author: Nicholas Piggin Date: Tue Jul 20 20:43:09 2021 +1000 KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on the rtas_args.nargs that was provided by the guest. That guest nargs value is not range checked, so the guest can cause the host rets pointer to be pointed outside the args array. The individual rtas function handlers check the nargs and nrets values to ensure they are correct, but if they are not, the handlers store a -3 (0xfffffffd) failure indication in rets[0] which corrupts host memory. Fix this by testing up front whether the guest supplied nargs and nret would exceed the array size, and fail the hcall directly without storing a failure indication to rets[0]. Also expand on a comment about why we kill the guest and try not to return errors directly if we have a valid rets[0] pointer. Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls") Cc: stable@vger.kernel.org # v3.10+ Reported-by: Alexey Kardashevskiy Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Signed-off-by: Jon Maloy Signed-off-by: Joe Lawrence --- arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c index ceccacbf028e..52095f765e32 100644 --- a/arch/powerpc/kvm/book3s_rtas.c +++ b/arch/powerpc/kvm/book3s_rtas.c @@ -245,6 +245,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu) * value so we can restore it on the way out. */ orig_rets = args.rets; + if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) { + /* + * Don't overflow our args array: ensure there is room for + * at least rets[0] (even if the call specifies 0 nret). + * + * Each handler must then check for the correct nargs and nret + * values, but they may always return failure in rets[0]. + */ + rc = -EINVAL; + goto fail; + } args.rets = &args.args[be32_to_cpu(args.nargs)]; mutex_lock(&vcpu->kvm->arch.rtas_token_lock); @@ -272,9 +283,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu) fail: /* * We only get here if the guest has called RTAS with a bogus - * args pointer. That means we can't get to the args, and so we - * can't fail the RTAS call. So fail right out to userspace, - * which should kill the guest. + * args pointer or nargs/nret values that would overflow the + * array. That means we can't get to the args, and so we can't + * fail the RTAS call. So fail right out to userspace, which + * should kill the guest. + * + * SLOF should actually pass the hcall return value from the + * rtas handler call in r3, so enter_rtas could be modified to + * return a failure indication in r3 and we could return such + * errors to the guest rather than failing to host userspace. + * However old guests that don't test for failure could then + * continue silently after errors, so for now we won't do this. */ return rc; } -- 2.31.1