diff --git a/.gitignore b/.gitignore index e69de29..38377d0 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-3.10.0-1160.31.1.el7.src.rpm +SOURCES/v0.9.2.tar.gz diff --git a/.kpatch-patch-3_10_0-1160_31_1.metadata b/.kpatch-patch-3_10_0-1160_31_1.metadata index e69de29..3a5b0ba 100644 --- a/.kpatch-patch-3_10_0-1160_31_1.metadata +++ b/.kpatch-patch-3_10_0-1160_31_1.metadata @@ -0,0 +1,2 @@ +a0cd280284f0e39b71c4a5237a9b2c4386bba38e SOURCES/kernel-3.10.0-1160.31.1.el7.src.rpm +c0878679129add77d6fff57093640892ad941155 SOURCES/v0.9.2.tar.gz diff --git a/SOURCES/CVE-2021-33034.patch b/SOURCES/CVE-2021-33034.patch new file mode 100644 index 0000000..8090211 --- /dev/null +++ b/SOURCES/CVE-2021-33034.patch @@ -0,0 +1,244 @@ +From: Joe Lawrence +Subject: [RHEL7.9 KPATCH v2] bluetooth: kpatch fixes for CVE-2021-33034 +Date: Thu, 10 Jun 2021 16:45:14 -0400 + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 + +Changes since last build: +[x86_64]: +hci_event.o: changed function: hci_event_packet +hci_event.o: changed function: hci_loglink_complete_evt.isra.120 +hci_event.o: new function: hci_remote_name_evt.isra.69 +hci_event.o: new function: hci_user_passkey_request_evt.isra.111 + +[ppc64le]: +hci_event.o: changed function: hci_cmd_status_evt +hci_event.o: changed function: hci_event_packet +hci_event.o: changed function: hci_inquiry_complete_evt.isra.37 +hci_event.o: changed function: hci_inquiry_result_evt.isra.46 +hci_event.o: changed function: hci_keypress_notify_evt.isra.109 +hci_event.o: changed function: hci_le_meta_evt +hci_event.o: changed function: hci_link_key_request_evt.isra.49 +hci_event.o: changed function: hci_num_comp_blocks_evt.isra.117 +hci_event.o: changed function: hci_remote_ext_features_evt.isra.64 +hci_event.o: changed function: hci_sync_conn_complete_evt.isra.103 +hci_event.o: changed function: hci_user_passkey_notify_evt.isra.108 +hci_event.o: new function: conn_set_key +hci_event.o: new function: hci_auth_complete_evt.isra.61 +hci_event.o: new function: hci_conn_request_evt.isra.56 +hci_event.o: new function: hci_inquiry_result_with_rssi_evt.isra.47 +hci_event.o: new function: hci_io_capa_request_evt.isra.104 +hci_event.o: new function: hci_outgoing_auth_needed.isra.2.part.3 +hci_event.o: new function: hci_pscan_rep_mode_evt.isra.54 +hci_event.o: new function: hci_remote_host_features_evt.isra.55 +hci_event.o: new function: hci_simple_pair_complete_evt.isra.62 + +--------------------------- + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 + +Modifications: none + +commit e103bba0f15a04cb71a2a472973a1ad79aabfd7a +Author: Gopal Tiwari +Date: Thu May 20 12:01:15 2021 +0530 + + Bluetooth: verify AMP hci_chan before amp_destroy + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1962532 + + CVE: CVE-2021-33034 + + Testing: Sanity_only. + + Upstream: Merged. + + commit 5c4c8c9544099bb9043a10a5318130a943e32fc3 + Author: Archie Pusaka + Date: Mon Mar 22 14:03:11 2021 +0800 + + Bluetooth: verify AMP hci_chan before amp_destroy + + hci_chan can be created in 2 places: hci_loglink_complete_evt() if + it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory, + Only AMP hci_chan should be removed by a call to + hci_disconn_loglink_complete_evt(). However, the controller might mess + up, call that function, and destroy an hci_chan which is not initiated + by hci_loglink_complete_evt(). + + This patch adds a verification that the destroyed hci_chan must have + been init'd by hci_loglink_complete_evt(). + + Example crash call trace: + Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe3/0x144 lib/dump_stack.c:118 + print_address_description+0x67/0x22a mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report mm/kasan/report.c:412 [inline] + kasan_report+0x251/0x28f mm/kasan/report.c:396 + hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072 + l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877 + l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661 + l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline] + l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline] + l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline] + l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline] + l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023 + l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596 + hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline] + hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 + + Allocated by task 38: + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553 + kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787 + kmalloc include/linux/slab.h:515 [inline] + kzalloc include/linux/slab.h:709 [inline] + hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674 + l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062 + l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline] + l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381 + hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404 + hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline] + hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981 + hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 + + Freed by task 1732: + set_track mm/kasan/kasan.c:460 [inline] + __kasan_slab_free mm/kasan/kasan.c:521 [inline] + __kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493 + slab_free_hook mm/slub.c:1409 [inline] + slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436 + slab_free mm/slub.c:3009 [inline] + kfree+0x182/0x21e mm/slub.c:3972 + hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline] + hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050 + hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 + + The buggy address belongs to the object at ffff8881d7af9180 + which belongs to the cache kmalloc-128 of size 128 + The buggy address is located 24 bytes inside of + 128-byte region [ffff8881d7af9180, ffff8881d7af9200) + The buggy address belongs to the page: + page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0 + flags: 0x8000000000000200(slab) + raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200 + raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc + >ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + + Signed-off-by: Archie Pusaka + Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com + Reviewed-by: Alain Michaud + Reviewed-by: Abhishek Pandit-Subedi + Signed-off-by: Marcel Holtmann + + Signed-off-by: Gopal Tiwari + +Signed-off-by: Joel Savitz for v1 +Signed-off-by: Joe Lawrence +Acked-by: Artem Savkov +Acked-by: Yannick Cote +--- + +v1: +- not posted, but Joel sent to my e-mail + +v2: +- minor code cleanup from v1, removed intermediate variables +- a bunchmore ppc64le inlines changed, but this time I didn't attempt + to steer the compiler. I assume it's a similar fool's errand as with + 8.4, only with even more functions to worry about. +- tested repro on ppc64le + +Z-Status: merged + +KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5461337 +for kpatch-patch-3_10_0-1160-1-7.el7 scratch build: +https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37392562 + + net/bluetooth/hci_event.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index e17aacbc5630..613b2493288f 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -29,6 +29,9 @@ + #include + #include + #include ++#include ++ ++#define KLP_CVE_2021_33034_HCHAN_AMP 0x2021330340000000 + + #include "hci_request.h" + #include "hci_debugfs.h" +@@ -4394,6 +4397,11 @@ static void hci_loglink_complete_evt(struct hci_dev *hdev, struct sk_buff *skb) + return; + + hchan->handle = le16_to_cpu(ev->handle); ++ if (!klp_shadow_get_or_alloc(hchan, KLP_CVE_2021_33034_HCHAN_AMP, ++ 0, GFP_KERNEL, NULL, NULL)) { ++ hci_chan_del(hchan); ++ return; ++ } + + BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); + +@@ -4426,9 +4434,10 @@ static void hci_disconn_loglink_complete_evt(struct hci_dev *hdev, + hci_dev_lock(hdev); + + hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); +- if (!hchan) ++ if (!hchan || !klp_shadow_get(hchan, KLP_CVE_2021_33034_HCHAN_AMP)) + goto unlock; + ++ klp_shadow_free(hchan, KLP_CVE_2021_33034_HCHAN_AMP, NULL); + amp_destroy_logical_link(hchan, ev->reason); + + unlock: +-- +2.26.3 + + diff --git a/SOURCES/CVE-2021-33909.patch b/SOURCES/CVE-2021-33909.patch new file mode 100644 index 0000000..0a61ef6 --- /dev/null +++ b/SOURCES/CVE-2021-33909.patch @@ -0,0 +1,132 @@ +From: Joe Lawrence +Date: Tue, 6 Jul 2021 13:18:44 -0400 +Subject: [kernel team] [EMBARGOED KPATCH 7.9] seq_file: kpatch fix for + CVE-2021-33909 + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 + +Changes since last build: +arches: x86_64 ppc64le +seq_file.o: changed function: seq_read +seq_file.o: changed function: single_open_size +seq_file.o: changed function: traverse +--------------------------- + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 + +Modifications: +- inline PAGE_CACHE_SHIFT rather than including linux/pagemap.h and + fighting kABI fallout (and potentially more inadvertent changes) + +commit 1236d5dd5b9f13ccbb44979a5652a4b137b968a4 +Author: Ian Kent +Date: Thu Jul 1 09:13:59 2021 +0800 + + seq_file: Disallow extremely large seq buffer allocations + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975251 + + Brew build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37832573 + + Testing: The patch has been tested by Qualys and it has been + confirmed the patch fixes the problem. + + Upstream status: RHEL only (CVE-2021-33909) + + Conflicts: include/fs.h uses PAGE_CACHE_SHIFT in the definition of + MAX_RW_COUNT which isn't defined in fs/seq_file.c and including + linux/pagemap.h breaks kabi (since it makes kabi aware of additional + structs) even though there are no changes to any structures. So the + include needs to be added and excluded from the kabi calculation. + + Author: Eric Sandeen + + seq_file: Disallow extremely large seq buffer allocations + + There is no reasonable need for a buffer larger than this, + and it avoids int overflow pitfalls. + + Suggested-by: Al Viro + Signed-off-by: Eric Sandeen + + Signed-off-by: Ian Kent + +Signed-off-by: Joe Lawrence +Acked-by: Artem Savkov +Acked-by: Yannick Cote +--- + +Z-MR: https://gitlab.com/redhat/prdsc/rhel/src/kernel-private/rhel-7/-/merge_requests/7 + +KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5525685 +for kpatch-patch-3_10_0-1160-1-7.el7 scratch build: +https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37846414 + + fs/seq_file.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/fs/seq_file.c b/fs/seq_file.c +index bc7a9ec855aa..daef8f4bdbd0 100644 +--- a/fs/seq_file.c ++++ b/fs/seq_file.c +@@ -5,6 +5,26 @@ + * initial implementation -- AV, Oct 2001. + */ + ++/* inline linux/pagemap.h :: PAGE_CACHE_MASK and dependency values */ ++ ++/* arch/x86/include/asm/page_types.h */ ++#ifdef __x86_64__ ++# define PAGE_CACHE_MASK (~((1UL << 12)-1)) ++#endif ++ ++/* arch/powerpc/include/asm/page.h */ ++#ifdef __powerpc64__ ++# if defined(CONFIG_PPC_256K_PAGES) ++# define PAGE_CACHE_MASK (~((1 << 18) - 1)) ++# elif defined(CONFIG_PPC_64K_PAGES) ++# define PAGE_CACHE_MASK (~((1 << 16) - 1)) ++# elif defined(CONFIG_PPC_16K_PAGES) ++# define PAGE_CACHE_MASK (~((1 << 14) - 1)) ++# else ++# define PAGE_CACHE_MASK (~((1 << 12) - 1)) ++# endif ++#endif ++ + #include + #include + #include +@@ -26,6 +46,9 @@ static void seq_set_overflow(struct seq_file *m) + + static void *seq_buf_alloc(unsigned long size) + { ++ if (unlikely(size > MAX_RW_COUNT)) ++ return NULL; ++ + return kvmalloc(size, GFP_KERNEL); + } + +-- +2.26.3 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 35bade2..840edcd 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,21 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 3.10.0-1160.31.1.el7 %define kpatch_ver 0.9.2 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/1962518 +Source100: CVE-2021-33034.patch +# +# https://bugzilla.redhat.com/1975256 +Source101: CVE-2021-33909.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -144,5 +148,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Fri Jul 09 2021 Joe Lawrence [1-1.el7] +- kernel: size_t-to-int conversion vulnerability in the filesystem layer [1975256] {CVE-2021-33909} +- kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan [1962518] {CVE-2021-33034} + * Wed Jun 02 2021 Artem Savkov [0-0.el7] - An empty patch to subscribe to kpatch stream for kernel-3.10.0-1160.31.1.el7 [1967127]