From 8a3e286f2ff1f83ffd645cbad1cb49f80ab2ab00 Mon Sep 17 00:00:00 2001
From: Ryan Sullivan <rysulliv@redhat.com>
Date: Tue, 17 Oct 2023 13:28:46 -0400
Subject: [KPATCH CVE-2023-3776] kpatch fixes for CVE-2023-3776

Kernels:
3.10.0-1160.90.1.el7
3.10.0-1160.92.1.el7
3.10.0-1160.95.1.el7
3.10.0-1160.99.1.el7
3.10.0-1160.102.1.el7


Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/61
Approved-by: Joe Lawrence (@joe.lawrence)
Approved-by: Yannick Cote (@ycote1)
Changes since last build:
arches: x86_64 ppc64le
cls_fw.o: changed function: fw_change
cls_fw.o: changed function: fw_set_parms
cls_route.o: changed function: route4_change
cls_u32.o: changed function: u32_change
sch_qfq.o: changed function: qfq_enqueue
---------------------------

Modifications: none

commit 726e9f3d88c729cdae09768c94e588deebdb9d52
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date:   Mon Jan 23 17:17:17 2023 -0300

    KVM: x86: rename argument to kvm_set_tsc_khz

    commit 4941b8cb3746f09bb102f7a5d64d878e96a0c6cd
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
    JIRA: https://issues.redhat.com/browse/RHELPLAN-141963
    Testing: Tested by QE

    This refers to the desired (scaled) frequency, which is called
    user_tsc_khz in the rest of the file.

    Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

commit 866faa0e99083ee93d04d3c37065cf8dbfc51a34
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date:   Mon Jan 23 17:24:19 2023 -0300

    KVM: x86: rewrite handling of scaled TSC for kvmclock

    commit 78db6a5037965429c04d708281f35a6e5562d31b
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
    Testing: Tested by QE
    JIRA: https://issues.redhat.com/browse/RHELPLAN-141963

    This is the same as before:

        kvm_scale_tsc(tgt_tsc_khz)
            = tgt_tsc_khz * ratio
            = tgt_tsc_khz * user_tsc_khz / tsc_khz   (see set_tsc_khz)
            = user_tsc_khz                           (see kvm_guest_time_update)
            = vcpu->arch.virtual_tsc_khz             (see kvm_set_tsc_khz)

    However, computing it through kvm_scale_tsc will make it possible
    to include the NTP correction in tgt_tsc_khz.

    Reviewed-by: Marcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

commit bde6eebb5708ecd38db0023e657d38058e0d962f
Author: Marcelo Tosatti <mtosatti@redhat.com>
Date:   Wed Jan 25 16:07:18 2023 -0300

    KVM: x86: add bit to indicate correct tsc_shift

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152838
    Testing: Tested by QE
    Upstream Status: RHEL7 only
    JIRA: https://issues.redhat.com/browse/RHELPLAN-141963

    This changeset is unique to RHEL-7 since it was decided
    it is not necessary upstream:

    "I don't think it's justifiable to further complicate the userspace API for a
    bug that's been fixed six years ago.  I'd be very surprised if any combination
    of modern upstream {QEMU,kernel} is going to do a successful migration from
    such an old {QEMU,kernel}.  RHEL/CentOS are able to do so because *specific
    pairs* have been tested, but as far as upstream is concerned this adds
    complexity that absolutely no one will use."

    Before commit 78db6a5037965429c04d708281f35a6e5562d31b,
    kvm_guest_time_update() would use vcpu->virtual_tsc_khz to calculate the
    tsc_shift value in the vcpu's pvclock structure written to guest memory.

    For those kernels, if vcpu->virtual_tsc_khz != tsc_khz (which can be the
    case when guest state is restored via migration, or if tsc-khz option is
    passed to QEMU), and TSC scaling is not enabled (which happens if the
    difference between the frequency requested via KVM_SET_TSC_KHZ and the
    host TSC KHZ is smaller than 250ppm), then there can be a difference
    between what KVM_GET_CLOCK would return and what the guest reads as
    kvmclock value.

    When KVM_SET_CLOCK'ing what is read with KVM_GET_CLOCK, the
    guest can observe a forward or backwards time jump.

    Advertise to userspace that the current kernel contains
    this fix, so QEMU can work around the problem by reading
    pvclock via guest memory directly otherwise.

    Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

commit 373ed8339c956ce1d9049737bab779f143fc1267
Author: Davide Caratti <dcaratti@redhat.com>
Date:   Tue Aug 8 11:57:51 2023 +0200

    net/sched: cls_fw: Fix improper refcount update leads to use-after-free

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225639
    CVE: CVE-2023-3776
    Upstream Status: net.git commit 0323bce598ee
    Conflicts:
     - net/sched/cls_fw.c: context mismatch because of missing backport
       of upstream commit a51486266c3b ("net: sched: remove NET_CLS_IND
       config option")

    commit 0323bce598eea038714f941ce2b22541c46d488f
    Author: M A Ramdhan <ramdhan@starlabs.sg>
    Date:   Wed Jul 5 12:15:30 2023 -0400

        net/sched: cls_fw: Fix improper refcount update leads to use-after-free

        In the event of a failure in tcf_change_indev(), fw_set_parms() will
        immediately return an error after incrementing or decrementing the
        reference counter in tcf_bind_filter().  If an attacker can control the
        reference counter to zero and make the reference freed, this leads to a
        use after free.

        In order to prevent this, move the point of possible failure above the
        point where the TC_FW_CLASSID is handled.

        Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
        Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
        Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
        Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
        Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
        Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Davide Caratti <dcaratti@redhat.com>

Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
---
 net/sched/cls_fw.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
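The ordering defect the commit message describes (bind the filter's classid, then hit a failure path that discards the new filter without undoing the bind) can be reproduced in a small user-space model. The following C program is an added illustration written for this page; it is not kernel code and not part of the patch. All names (`tc_class`, `bind_filter`, `validate_indev`, `failed_update`) and the class ids 0x10001/0x10002 are constructed stand-ins: `bind_filter` mirrors what the real `tcf_bind_filter()` does (count the new class, then unbind the class the result previously pointed at), `validate_indev` stands in for the `tcf_change_indev()` call that can fail, and `failed_update` mirrors `fw_change()` replacing an existing filter by copying its result into the new filter and dropping the new filter on error.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model: filter_cnt mirrors the per-class count that a
 * qdisc's bind_tcf/unbind_tcf callbacks maintain for a real class. */
struct tc_class { unsigned int classid; int filter_cnt; };
struct tc_result { struct tc_class *cls; unsigned int classid; };

static struct tc_class pool[2] = { { 0x10001u, 0 }, { 0x10002u, 0 } };

static struct tc_class *lookup_class(unsigned int classid)
{
    for (int i = 0; i < 2; i++)
        if (pool[i].classid == classid)
            return &pool[i];
    return NULL;
}

/* Models tcf_bind_filter(): count the new class, then unbind (decrement)
 * the class the result currently references.  Nothing here can fail. */
static void bind_filter(struct tc_result *r, unsigned int classid)
{
    struct tc_class *nc = lookup_class(classid);
    struct tc_class *old = r->cls;

    if (nc)
        nc->filter_cnt++;
    r->cls = nc;
    r->classid = classid;
    if (old)
        old->filter_cnt--;
}

/* Stand-in for tcf_change_indev(): fails on an empty device name. */
static int validate_indev(const char *indev)
{
    return (indev && indev[0]) ? 0 : -ENODEV;
}

/* Ordering before the fix: the bind happens before a step that can fail. */
static int set_parms_before_fix(struct tc_result *r, unsigned int classid,
                                const char *indev)
{
    bind_filter(r, classid);
    int err = validate_indev(indev);
    if (err < 0)
        return err;        /* returns with the refcounts already changed */
    return 0;
}

/* Ordering after the fix: every failing step precedes the bind. */
static int set_parms_after_fix(struct tc_result *r, unsigned int classid,
                               const char *indev)
{
    int err = validate_indev(indev);
    if (err < 0)
        return err;        /* nothing was bound, nothing to undo */
    bind_filter(r, classid);
    return 0;
}

struct outcome { int err; int old_class_cnt; int new_class_cnt; };

/* Models fw_change() replacing an existing filter with a request that fails
 * validation: fnew starts as a copy of the old filter's result, set_parms
 * runs, and on error fnew is discarded without any unbind.  Returns the
 * counts left on the class the OLD filter still references and on the
 * requested new class. */
static struct outcome failed_update(int fixed)
{
    struct tc_result old = { NULL, 0 };
    struct tc_result fnew;
    struct outcome o;

    pool[0].filter_cnt = 0;
    pool[1].filter_cnt = 0;
    bind_filter(&old, 0x10001u);      /* existing filter bound to class 1 */
    fnew = old;                       /* fnew->res = f->res, as in fw_change */

    o.err = fixed ? set_parms_after_fix(&fnew, 0x10002u, "")
                  : set_parms_before_fix(&fnew, 0x10002u, "");
    /* fnew is dropped here; the old filter keeps pointing at class 1 */
    o.old_class_cnt = pool[0].filter_cnt;
    o.new_class_cnt = pool[1].filter_cnt;
    return o;
}

int main(void)
{
    struct outcome b = failed_update(0), a = failed_update(1);
    printf("before fix: err=%d old class cnt=%d new class cnt=%d\n",
           b.err, b.old_class_cnt, b.new_class_cnt);
    printf("after fix:  err=%d old class cnt=%d new class cnt=%d\n",
           a.err, a.old_class_cnt, a.new_class_cnt);
    return 0;
}
```

In the pre-fix ordering the failed update leaves the old filter pointing at a class whose count has dropped to zero (the dangling reference the CVE describes) while the never-installed new filter has left a stray count on the other class; with the failing step moved ahead of the bind, both counts are untouched.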

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index e05043266620..3427222f8e60 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -218,11 +218,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
 	if (err < 0)
 		return err;
 
-	if (tb[TCA_FW_CLASSID]) {
-		f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
-		tcf_bind_filter(tp, &f->res, base);
-	}
-
 #ifdef CONFIG_NET_CLS_IND
 	if (tb[TCA_FW_INDEV]) {
 		int ret;
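Review bot: this removal is only correct together with the re-insertion in the next hunk, since it deletes the sole place fw_set_parms() binds the classid; the two must land as one change. Because the RHEL7 tree still carries the CONFIG_NET_CLS_IND ifdef (see the Conflicts note), a !CONFIG_NET_CLS_IND build has no tcf_change_indev() path at all, so the failure return that matters there is the TCA_FW_MASK check further down; the re-added block must sit below that check as well, not merely below the indev block.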
@@ -241,6 +236,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
 	} else if (head->mask != 0xFFFFFFFF)
 		return err;
 
+	if (tb[TCA_FW_CLASSID]) {
+		f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+		tcf_bind_filter(tp, &f->res, base);
+	}
+
 	return 0;
 }
 
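Review bot: the bind is now placed after `} else if (head->mask != 0xFFFFFFFF) return err;`, so it runs only once every failure path has been passed, which is the intended fix. The value of `err` at that `return err` is not visible in the hunk, though: it must have been set to a negative value after the earlier `if (err < 0) return err;` (which leaves err == 0 on success), otherwise the mask-mismatch path now returns success with the classid never bound. Confirm that assignment exists in the RHEL7 source, or return an explicit -EINVAL there.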
-- 
2.41.0