From: Joe Lawrence Date: Tue, 6 Jul 2021 13:18:44 -0400 Subject: [kernel team] [EMBARGOED KPATCH 7.9] seq_file: kpatch fix for CVE-2021-33909 Kernels: 3.10.0-1160.el7 3.10.0-1160.2.1.el7 3.10.0-1160.2.2.el7 3.10.0-1160.6.1.el7 3.10.0-1160.11.1.el7 3.10.0-1160.15.2.el7 3.10.0-1160.21.1.el7 3.10.0-1160.24.1.el7 3.10.0-1160.25.1.el7 3.10.0-1160.31.1.el7 Changes since last build: arches: x86_64 ppc64le seq_file.o: changed function: seq_read seq_file.o: changed function: single_open_size seq_file.o: changed function: traverse --------------------------- Kernels: 3.10.0-1160.el7 3.10.0-1160.2.1.el7 3.10.0-1160.2.2.el7 3.10.0-1160.6.1.el7 3.10.0-1160.11.1.el7 3.10.0-1160.15.2.el7 3.10.0-1160.21.1.el7 3.10.0-1160.24.1.el7 3.10.0-1160.25.1.el7 3.10.0-1160.31.1.el7 Modifications: - inline PAGE_CACHE_SHIFT rather than including linux/pagemap.h and fighting kABI fallout (and potentially more inadvertent changes) commit 1236d5dd5b9f13ccbb44979a5652a4b137b968a4 Author: Ian Kent Date: Thu Jul 1 09:13:59 2021 +0800 seq_file: Disallow extremely large seq buffer allocations Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975251 Brew build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37832573 Testing: The patch has been tested by Qualys and it has been confirmed the patch fixes the problem. Upstream status: RHEL only (CVE-2021-33909) Conflicts: include/fs.h uses PAGE_CACHE_SHIFT in the definition of MAX_RW_COUNT which isn't defined in fs/seq_file.c and including linux/pagemap.h breaks kabi (since it makes kabi aware of additional structs) even though there are no changes to any structures. So the include needs to be added and excluded from the kabi calculation. Author: Eric Sandeen seq_file: Disallow extremely large seq buffer allocations There is no reasonable need for a buffer larger than this, and it avoids int overflow pitfalls. Suggested-by: Al Viro Signed-off-by: Eric Sandeen Signed-off-by: Ian Kent Signed-off-by: Joe Lawrence Acked-by: Artem Savkov Acked-by: Yannick Cote --- Z-MR: https://gitlab.com/redhat/prdsc/rhel/src/kernel-private/rhel-7/-/merge_requests/7 KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5525685 for kpatch-patch-3_10_0-1160-1-7.el7 scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37846414 fs/seq_file.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/fs/seq_file.c b/fs/seq_file.c index bc7a9ec855aa..daef8f4bdbd0 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c @@ -5,6 +5,26 @@ * initial implementation -- AV, Oct 2001. */ +/* inline linux/pagemap.h :: PAGE_CACHE_MASK and dependency values */ + +/* arch/x86/include/asm/page_types.h */ +#ifdef __x86_64__ +# define PAGE_CACHE_MASK (~((1UL << 12)-1)) +#endif + +/* arch/powerpc/include/asm/page.h */ +#ifdef __powerpc64__ +# if defined(CONFIG_PPC_256K_PAGES) +# define PAGE_CACHE_MASK (~((1 << 18) - 1)) +# elif defined(CONFIG_PPC_64K_PAGES) +# define PAGE_CACHE_MASK (~((1 << 16) - 1)) +# elif defined(CONFIG_PPC_16K_PAGES) +# define PAGE_CACHE_MASK (~((1 << 14) - 1)) +# else +# define PAGE_CACHE_MASK (~((1 << 12) - 1)) +# endif +#endif + #include #include #include @@ -26,6 +46,9 @@ static void seq_set_overflow(struct seq_file *m) static void *seq_buf_alloc(unsigned long size) { + if (unlikely(size > MAX_RW_COUNT)) + return NULL; + return kvmalloc(size, GFP_KERNEL); } -- 2.26.3