From: Joe Lawrence <joe.lawrence@redhat.com>

Date: Tue,  6 Jul 2021 13:18:44 -0400

Subject: [kernel team] [EMBARGOED KPATCH 7.9] seq_file: kpatch fix for

	CVE-2021-33909

Kernels:

3.10.0-1160.el7

3.10.0-1160.2.1.el7

3.10.0-1160.2.2.el7

3.10.0-1160.6.1.el7

3.10.0-1160.11.1.el7

3.10.0-1160.15.2.el7

3.10.0-1160.21.1.el7

3.10.0-1160.24.1.el7

3.10.0-1160.25.1.el7

3.10.0-1160.31.1.el7

Changes since last build:

arches: x86_64 ppc64le

seq_file.o: changed function: seq_read

seq_file.o: changed function: single_open_size

seq_file.o: changed function: traverse

---------------------------

Kernels:

3.10.0-1160.el7

3.10.0-1160.2.1.el7

3.10.0-1160.2.2.el7

3.10.0-1160.6.1.el7

3.10.0-1160.11.1.el7

3.10.0-1160.15.2.el7

3.10.0-1160.21.1.el7

3.10.0-1160.24.1.el7

3.10.0-1160.25.1.el7

3.10.0-1160.31.1.el7

Modifications:

- inline PAGE_CACHE_SHIFT rather than including linux/pagemap.h and

  fighting kABI fallout (and potentially more inadvertent changes)

commit 1236d5dd5b9f13ccbb44979a5652a4b137b968a4

Author: Ian Kent <ikent@redhat.com>

Date:   Thu Jul 1 09:13:59 2021 +0800

    seq_file: Disallow extremely large seq buffer allocations

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975251

    Brew build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37832573

    Testing: The patch has been tested by Qualys and it has been

             confirmed the patch fixes the problem.

    Upstream status: RHEL only (CVE-2021-33909)

    Conflicts: include/fs.h uses PAGE_CACHE_SHIFT in the definition of

      MAX_RW_COUNT which isn't defined in fs/seq_file.c and including

      linux/pagemap.h breaks kabi (since it makes kabi aware of additional

      structs) even though there are no changes to any structures. So the

      include needs to be added and excluded from the kabi calculation.

    Author: Eric Sandeen <sandeen@redhat.com>

    seq_file: Disallow extremely large seq buffer allocations

    There is no reasonable need for a buffer larger than this,

    and it avoids int overflow pitfalls.

    Suggested-by: Al Viro <viro@zeniv.linux.org.uk>

    Signed-off-by: Eric Sandeen <sandeen@redhat.com>

    Signed-off-by: Ian Kent <ikent@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>

Acked-by: Artem Savkov <asavkov@redhat.com>

Acked-by: Yannick Cote <ycote@redhat.com>

---

Z-MR: https://gitlab.com/redhat/prdsc/rhel/src/kernel-private/rhel-7/-/merge_requests/7

KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5525685

for kpatch-patch-3_10_0-1160-1-7.el7 scratch build:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37846414

 fs/seq_file.c | 23 +++++++++++++++++++++++

 1 file changed, 23 insertions(+)

diff --git a/fs/seq_file.c b/fs/seq_file.c

index bc7a9ec855aa..daef8f4bdbd0 100644

--- a/fs/seq_file.c

+++ b/fs/seq_file.c

@@ -5,6 +5,26 @@

  * initial implementation -- AV, Oct 2001.

  */

+/* inline linux/pagemap.h :: PAGE_CACHE_MASK and dependency values */

+

+/* arch/x86/include/asm/page_types.h */

+#ifdef __x86_64__

+# define PAGE_CACHE_MASK	(~((1UL << 12)-1))

+#endif

+

+/* arch/powerpc/include/asm/page.h */

+#ifdef __powerpc64__

+# if defined(CONFIG_PPC_256K_PAGES)

+#  define PAGE_CACHE_MASK	(~((1 << 18) - 1))

+# elif defined(CONFIG_PPC_64K_PAGES)

+#  define PAGE_CACHE_MASK	(~((1 << 16) - 1))

+# elif defined(CONFIG_PPC_16K_PAGES)

+#  define PAGE_CACHE_MASK	(~((1 << 14) - 1))

+# else

+#  define PAGE_CACHE_MASK	(~((1 << 12) - 1))

+# endif

+#endif

+

 #include <linux/fs.h>

 #include <linux/export.h>

 #include <linux/seq_file.h>

@@ -26,6 +46,9 @@ static void seq_set_overflow(struct seq_file *m)

 static void *seq_buf_alloc(unsigned long size)

 {

+	if (unlikely(size > MAX_RW_COUNT))

+		return NULL;

+

 	return kvmalloc(size, GFP_KERNEL);

 }

-- 

2.26.3