diff --git a/SOURCES/CVE-2020-36385.patch b/SOURCES/CVE-2020-36385.patch new file mode 100644 index 0000000..8681874 --- /dev/null +++ b/SOURCES/CVE-2020-36385.patch @@ -0,0 +1,145 @@ +From e77f229ecaf387f9f54430dbd277baf8c60b2716 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Wed, 27 Oct 2021 13:17:13 -0400 +Subject: [KPATCH CVE-2020-36385] RDMA/ucma: kpatch fixes for CVE-2020-36385 + +Kernels: +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 +3.10.0-1160.41.1.el7 +3.10.0-1160.42.2.el7 +3.10.0-1160.45.1.el7 + +Changes since last build: +arches: x86_64 ppc64le +ucma.o: changed function: ucma_migrate_id +--------------------------- + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/12 +Approved-by: Artem Savkov (@artem.savkov) +Modifications: +- Avoid the complications of reworking all the locks (and preceding +commits) and apply a minimal patch to avoid the CVE condition. +- Always inline ucma_unlock_files() to avoid new function on x64_64 + +Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/231 + +KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5948342 +for kpatch-patch-3_10_0-1160_6_1-1-11.el7 scratch build: +https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=40661892 + +commit c71835cc23a3793651a693ea6cb1100e0eb9a0b1 +Author: Kamal Heib +Date: Sun Aug 1 10:49:07 2021 +0300 + + RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1978075 + CVE: CVE-2020-36385 + Conflicts: + Adjust the patch to use "mut" mutext instead xa_lock due to the missing + of: afcafe07af0e ("ucma: Convert ctx_idr to XArray"). + + commit f5449e74802c1112dea984aec8af7a33c4516af1 + Author: Jason Gunthorpe + Date: Mon Sep 14 08:59:56 2020 -0300 + + RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy + + ucma_destroy_id() assumes that all things accessing the ctx will do so via + the xarray. This assumption violated only in the case the FD is being + closed, then the ctx is reached via the ctx_list. Normally this is OK + since ucma_destroy_id() cannot run concurrenty with release(), however + with ucma_migrate_id() is involved this can violated as the close of the + 2nd FD can run concurrently with destroy on the first: + + CPU0 CPU1 + ucma_destroy_id(fda) + ucma_migrate_id(fda -> fdb) + ucma_get_ctx() + xa_lock() + _ucma_find_context() + xa_erase() + xa_unlock() + xa_lock() + ctx->file = new_file + list_move() + xa_unlock() + ucma_put_ctx() + + ucma_close(fdb) + _destroy_id() + kfree(ctx) + + _destroy_id() + wait_for_completion() + // boom, ctx was freed + + The ctx->file must be modified under the handler and xa_lock, and prior to + modification the ID must be rechecked that it is still reachable from + cur_file, ie there is no parallel destroy or migrate. + + To make this work remove the double locking and streamline the control + flow. The double locking was obsoleted by the handler lock now directly + preventing new uevents from being created, and the ctx_list cannot be read + while holding fgets on both files. Removing the double locking also + removes the need to check for the same file. + + Fixes: 88314e4dda1e ("RDMA/cma: add support for rdma_migrate_id()") + Link: https://lore.kernel.org/r/0-v1-05c5a4090305+3a872-ucma_syz_migrate_jgg@nvidia.com + Reported-and-tested-by: syzbot+cc6fc752b3819e082d0c@syzkaller.appspotmail.com + Signed-off-by: Jason Gunthorpe + + Signed-off-by: Kamal Heib + +Signed-off-by: Joe Lawrence +--- + drivers/infiniband/core/ucma.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c +index 608a780d9ebb..72e7eb893d03 100644 +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1547,7 +1547,7 @@ static void ucma_lock_files(struct ucma_file *file1, struct ucma_file *file2) + } + } + +-static void ucma_unlock_files(struct ucma_file *file1, struct ucma_file *file2) ++static __always_inline void ucma_unlock_files(struct ucma_file *file1, struct ucma_file *file2) + { + if (file1 < file2) { + mutex_unlock(&file2->mut); +@@ -1610,6 +1610,14 @@ static ssize_t ucma_migrate_id(struct ucma_file *new_file, + ucma_lock_files(cur_file, new_file); + mutex_lock(&mut); + ++ /* CVE-2020-36385 kpatch: double check the context one last time */ ++ if (_ucma_find_context(cmd.id, cur_file) != ctx) { ++ mutex_unlock(&mut); ++ ucma_unlock_files(cur_file, new_file); ++ ret = -ENOENT; ++ goto err_unlock; ++ } ++ + list_move_tail(&ctx->list, &new_file->ctx_list); + ucma_move_events(ctx, new_file); + ctx->file = new_file; +@@ -1623,6 +1631,7 @@ response: + &resp, sizeof(resp))) + ret = -EFAULT; + ++err_unlock: + ucma_put_ctx(ctx); + file_put: + fdput(f); +-- +2.26.3 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 0d9776e..e659395 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.21.1.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 7 +%define rpm_rel 8 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -38,6 +38,9 @@ Source107: CVE-2021-22543.patch # # https://bugzilla.redhat.com/1988221 Source108: CVE-2021-37576.patch +# +# https://bugzilla.redhat.com/1981703 +Source109: CVE-2020-36385.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -170,6 +173,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Fri Nov 12 2021 Joe Lawrence [1-8.el7] +- kernel: use-after-free in drivers/infiniband/core/ucma.c ctx use-after-free [1981703] {CVE-2020-36385} + * Wed Sep 29 2021 Joe Lawrence [1-7.el7] - kernel: powerpc: KVM guest OS users can cause host OS memory corruption [1988221] {CVE-2021-37576} - kernel: Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks [1975766] {CVE-2021-22543}