From 95fff875c2039c3b15e58c548bf650d24f7396f2 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Oct 12 2021 09:07:30 +0000
Subject: import kpatch-patch-3_10_0-1160_15_2-1-9.el7


---

diff --git a/SOURCES/CVE-2021-22543.patch b/SOURCES/CVE-2021-22543.patch
new file mode 100644
index 0000000..1ba381a
--- /dev/null
+++ b/SOURCES/CVE-2021-22543.patch
@@ -0,0 +1,145 @@
+From 710481f30b26856f462d3e5923bf69b32c12e097 Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Fri, 3 Sep 2021 16:00:17 +0200
+Subject: [KPATCH CVE-2021-22543] KVM: do not allow mapping valid but
+ non-reference-counted pages
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+
+Changes since last build:
+[x86_64]:
+kvm_main.o: changed function: __gfn_to_pfn_memslot
+
+[ppc64le]:
+kvm_main.o: changed function: gfn_to_page
+kvm_main.o: changed function: gfn_to_pfn
+kvm_main.o: changed function: gfn_to_pfn_memslot
+kvm_main.o: changed function: gfn_to_pfn_prot
+kvm_main.o: changed function: hva_to_pfn
+kvm_main.o: changed function: kvm_vcpu_gfn_to_page
+kvm_main.o: changed function: kvm_vcpu_gfn_to_pfn
+
+---------------------------
+
+Kernels:
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+3.10.0-1160.42.2.el7
+
+Modifications: none
+Kpatch-MR: https://gitlab.com/kpatch-dev/rhel-7/-/merge_requests/7
+Approved-by: Yannick Cote (@ycote1)
+Approved-by: Joe Lawrence (@joe.lawrence)
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/259
+
+commit 64b6dd5036622d9fab20cea237ae19402a1a2ee3
+Author: Jon Maloy <jmaloy@redhat.com>
+Date:   Tue Jul 13 15:28:38 2021 -0400
+
+    KVM: do not allow mapping valid but non-reference-counted pages
+
+    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975511
+    Upstream: commit f8be156be163a052a067306417cd0ff679068c97
+    CVE-2021-22543
+    Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39156005
+    Conflicts: The upstream version hva_to_pfn_remapped() has been upgraded
+               with lock support and a 'writeable' parameter. Those changes
+               entail a code conflict, but not functional conflict, with
+               this commit.
+
+    commit f8be156be163a052a067306417cd0ff679068c97
+    Author: Nicholas Piggin <npiggin@gmail.com>
+    Date:   Thu Jun 24 08:29:04 2021 -0400
+
+        KVM: do not allow mapping valid but non-reference-counted pages
+
+        It's possible to create a region which maps valid but non-refcounted
+        pages (e.g., tail pages of non-compound higher order allocations). These
+        host pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family
+        of APIs, which take a reference to the page, which takes it from 0 to 1.
+        When the reference is dropped, this will free the page incorrectly.
+
+        Fix this by only taking a reference on valid pages if it was non-zero,
+        which indicates it is participating in normal refcounting (and can be
+        released with put_page).
+
+        This addresses CVE-2021-22543.
+
+        Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+        Tested-by: Paolo Bonzini <pbonzini@redhat.com>
+        Cc: stable@vger.kernel.org
+        Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+    Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+---
+ virt/kvm/kvm_main.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 4b01a017b262..2f40d5fe257d 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1479,6 +1479,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault)
+ 	return true;
+ }
+ 
++static int kvm_try_get_pfn(kvm_pfn_t pfn)
++{
++	if (kvm_is_reserved_pfn(pfn))
++		return 1;
++	return get_page_unless_zero(pfn_to_page(pfn));
++}
++
+ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
+ 			       unsigned long addr, bool *async,
+ 			       bool write_fault, kvm_pfn_t *p_pfn)
+@@ -1514,11 +1521,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
+ 	 * Whoever called remap_pfn_range is also going to call e.g.
+ 	 * unmap_mapping_range before the underlying pages are freed,
+ 	 * causing a call to our MMU notifier.
+-	 */ 
+-	kvm_get_pfn(pfn);
++	 *
++	 * Certain IO or PFNMAP mappings can be backed with valid
++	 * struct pages, but be allocated without refcounting e.g.,
++	 * tail pages of non-compound higher order allocations, which
++	 * would then underflow the refcount when the caller does the
++	 * required put_page. Don't allow those pages here.
++	 */
+ 
++	if (!kvm_try_get_pfn(pfn))
++		r = -EFAULT;
+ 	*p_pfn = pfn;
+-	return 0;
++
++	return r;
+ }
+ 
+ /*
+-- 
+2.26.3
+
+
diff --git a/SOURCES/CVE-2021-37576.patch b/SOURCES/CVE-2021-37576.patch
new file mode 100644
index 0000000..cf26c1d
--- /dev/null
+++ b/SOURCES/CVE-2021-37576.patch
@@ -0,0 +1,144 @@
+From 9ab861c9a630d07a8ac0240f81dd0067b6c57963 Mon Sep 17 00:00:00 2001
+From: Joel Savitz <jsavitz@redhat.com>
+Date: Mon, 20 Sep 2021 13:49:09 -0400
+Subject: [KPATCH CVE-2021-37576] KVM: PPC: kpatch fixes for CVE-2021-37576
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+3.10.0-1160.42.2.el7
+
+Changes since last build:
+arches: ppc64le
+book3s_rtas.o: changed function: kvmppc_rtas_hcall
+---------------------------
+
+Kernels:
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+3.10.0-1160.42.2.el7
+
+Modifications: None
+Kpatch-MR: https://gitlab.com/kpatch-dev/rhel-7/-/merge_requests/8
+Approved-by: Artem Savkov (@artem.savkov)
+Approved-by: Joe Lawrence (@joe.lawrence)
+Approved-by: Yannick Cote (@ycote1)
+
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/274
+
+No reproducer available, tested via manual install and:
+KT0 test PASS (ppc64le only): https://beaker.engineering.redhat.com/jobs/5809981
+
+for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39840849
+
+commit e1b729d6d332cc22fe641edc723324222096bf29
+Author: Jon Maloy <jmaloy@redhat.com>
+Date:   Thu Aug 12 19:22:51 2021 -0400
+
+    KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
+
+    Bugzilla: https://bugzilla.redhat.com/1988218
+    Upstream Status: Merged
+    Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39246436
+    CVE: CVE-2021-37576
+
+    commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a
+    Author: Nicholas Piggin <npiggin@gmail.com>
+    Date:   Tue Jul 20 20:43:09 2021 +1000
+
+        KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
+
+        The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on
+        the rtas_args.nargs that was provided by the guest. That guest nargs
+        value is not range checked, so the guest can cause the host rets pointer
+        to be pointed outside the args array. The individual rtas function
+        handlers check the nargs and nrets values to ensure they are correct,
+        but if they are not, the handlers store a -3 (0xfffffffd) failure
+        indication in rets[0] which corrupts host memory.
+
+        Fix this by testing up front whether the guest supplied nargs and nret
+        would exceed the array size, and fail the hcall directly without storing
+        a failure indication to rets[0].
+
+        Also expand on a comment about why we kill the guest and try not to
+        return errors directly if we have a valid rets[0] pointer.
+
+        Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")
+        Cc: stable@vger.kernel.org # v3.10+
+        Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+        Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
+        Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+
+    Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+
+Signed-off-by: Joel Savitz <jsavitz@redhat.com>
+---
+ arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
+index ef27fbd5d9c5..d896c6854abc 100644
+--- a/arch/powerpc/kvm/book3s_rtas.c
++++ b/arch/powerpc/kvm/book3s_rtas.c
+@@ -230,6 +230,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
+ 	 * value so we can restore it on the way out.
+ 	 */
+ 	orig_rets = args.rets;
++	if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
++		/*
++		 * Don't overflow our args array: ensure there is room for
++		 * at least rets[0] (even if the call specifies 0 nret).
++		 *
++		 * Each handler must then check for the correct nargs and nret
++		 * values, but they may always return failure in rets[0].
++		 */
++		rc = -EINVAL;
++		goto fail;
++	}
+ 	args.rets = &args.args[be32_to_cpu(args.nargs)];
+ 
+ 	mutex_lock(&vcpu->kvm->lock);
+@@ -257,9 +268,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
+ fail:
+ 	/*
+ 	 * We only get here if the guest has called RTAS with a bogus
+-	 * args pointer. That means we can't get to the args, and so we
+-	 * can't fail the RTAS call. So fail right out to userspace,
+-	 * which should kill the guest.
++	 * args pointer or nargs/nret values that would overflow the
++	 * array. That means we can't get to the args, and so we can't
++	 * fail the RTAS call. So fail right out to userspace, which
++	 * should kill the guest.
++	 *
++	 * SLOF should actually pass the hcall return value from the
++	 * rtas handler call in r3, so enter_rtas could be modified to
++	 * return a failure indication in r3 and we could return such
++	 * errors to the guest rather than failing to host userspace.
++	 * However old guests that don't test for failure could then
++	 * continue silently after errors, so for now we won't do this.
+ 	 */
+ 	return rc;
+ }
+-- 
+2.26.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index b7e6f27..bf935ec 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver	3.10.0-1160.15.2.el7
 %define kpatch_ver	0.9.2
 %define rpm_ver		1
-%define rpm_rel		8
+%define rpm_rel		9
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
@@ -38,6 +38,12 @@ Source107: CVE-2021-22555.patch
 #
 # https://bugzilla.redhat.com/1997195
 Source108: CVE-2021-3715.patch
+#
+# https://bugzilla.redhat.com/1975766
+Source109: CVE-2021-22543.patch
+#
+# https://bugzilla.redhat.com/1988221
+Source110: CVE-2021-37576.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -170,6 +176,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Wed Sep 29 2021 Joe Lawrence <joe.lawrence@redhat.com> [1-9.el7]
+- kernel: powerpc: KVM guest OS users can cause host OS memory corruption [1988221] {CVE-2021-37576}
+- kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks [1975766] {CVE-2021-22543}
+
 * Tue Aug 31 2021 Joe Lawrence <joe.lawrence@redhat.com> [1-8.el7]
 - kernel: use-after-free in route4_change() in net/sched/cls_route.c [1997195] {CVE-2021-3715}