rpms / kpatch-patch-3_10_0-1160_41_1

Clone
Source Code
GIT

Blame SOURCES/CVE-2021-22543.patch

c7
  1.   a0fe1f0478398b533072237d424b0fe1bfd76e66
  2.   SOURCES
  3.   CVE-2021-22543.patch
Blob History Raw
a0fe1f 
From 710481f30b26856f462d3e5923bf69b32c12e097 Mon Sep 17 00:00:00 2001
a0fe1f 
From: Artem Savkov <asavkov@redhat.com>
a0fe1f 
Date: Fri, 3 Sep 2021 16:00:17 +0200
a0fe1f 
Subject: [KPATCH CVE-2021-22543] KVM: do not allow mapping valid but
a0fe1f 
 non-reference-counted pages
a0fe1f
a0fe1f 
Kernels:
a0fe1f 
3.10.0-1160.el7
a0fe1f 
3.10.0-1160.2.1.el7
a0fe1f 
3.10.0-1160.2.2.el7
a0fe1f 
3.10.0-1160.6.1.el7
a0fe1f 
3.10.0-1160.11.1.el7
a0fe1f 
3.10.0-1160.15.2.el7
a0fe1f 
3.10.0-1160.21.1.el7
a0fe1f 
3.10.0-1160.24.1.el7
a0fe1f 
3.10.0-1160.25.1.el7
a0fe1f 
3.10.0-1160.31.1.el7
a0fe1f 
3.10.0-1160.36.2.el7
a0fe1f 
3.10.0-1160.41.1.el7
a0fe1f
a0fe1f 
Changes since last build:
a0fe1f 
[x86_64]:
a0fe1f 
kvm_main.o: changed function: __gfn_to_pfn_memslot
a0fe1f
a0fe1f 
[ppc64le]:
a0fe1f 
kvm_main.o: changed function: gfn_to_page
a0fe1f 
kvm_main.o: changed function: gfn_to_pfn
a0fe1f 
kvm_main.o: changed function: gfn_to_pfn_memslot
a0fe1f 
kvm_main.o: changed function: gfn_to_pfn_prot
a0fe1f 
kvm_main.o: changed function: hva_to_pfn
a0fe1f 
kvm_main.o: changed function: kvm_vcpu_gfn_to_page
a0fe1f 
kvm_main.o: changed function: kvm_vcpu_gfn_to_pfn
a0fe1f
a0fe1f 
---------------------------
a0fe1f
a0fe1f 
Kernels:
a0fe1f 
3.10.0-1160.2.1.el7
a0fe1f 
3.10.0-1160.2.2.el7
a0fe1f 
3.10.0-1160.6.1.el7
a0fe1f 
3.10.0-1160.11.1.el7
a0fe1f 
3.10.0-1160.15.2.el7
a0fe1f 
3.10.0-1160.21.1.el7
a0fe1f 
3.10.0-1160.24.1.el7
a0fe1f 
3.10.0-1160.25.1.el7
a0fe1f 
3.10.0-1160.31.1.el7
a0fe1f 
3.10.0-1160.36.2.el7
a0fe1f 
3.10.0-1160.41.1.el7
a0fe1f 
3.10.0-1160.42.2.el7
a0fe1f
a0fe1f 
Modifications: none
a0fe1f 
Kpatch-MR: https://gitlab.com/kpatch-dev/rhel-7/-/merge_requests/7
a0fe1f 
Approved-by: Yannick Cote (@ycote1)
a0fe1f 
Approved-by: Joe Lawrence (@joe.lawrence)
a0fe1f 
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/259
a0fe1f
a0fe1f 
commit 64b6dd5036622d9fab20cea237ae19402a1a2ee3
a0fe1f 
Author: Jon Maloy <jmaloy@redhat.com>
a0fe1f 
Date:   Tue Jul 13 15:28:38 2021 -0400
a0fe1f
a0fe1f 
    KVM: do not allow mapping valid but non-reference-counted pages
a0fe1f
a0fe1f 
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975511
a0fe1f 
    Upstream: commit f8be156be163a052a067306417cd0ff679068c97
a0fe1f 
    CVE-2021-22543
a0fe1f 
    Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39156005
a0fe1f 
    Conflicts: The upstream version hva_to_pfn_remapped() has been upgraded
a0fe1f 
               with lock support and a 'writeable' parameter. Those changes
a0fe1f 
               entail a code conflict, but not functional conflict, with
a0fe1f 
               this commit.
a0fe1f
a0fe1f 
    commit f8be156be163a052a067306417cd0ff679068c97
a0fe1f 
    Author: Nicholas Piggin <npiggin@gmail.com>
a0fe1f 
    Date:   Thu Jun 24 08:29:04 2021 -0400
a0fe1f
a0fe1f 
        KVM: do not allow mapping valid but non-reference-counted pages
a0fe1f
a0fe1f 
        It's possible to create a region which maps valid but non-refcounted
a0fe1f 
        pages (e.g., tail pages of non-compound higher order allocations). These
a0fe1f 
        host pages can then be returned by gfn_to_page, gfn_to_pfn, etc., family
a0fe1f 
        of APIs, which take a reference to the page, which takes it from 0 to 1.
a0fe1f 
        When the reference is dropped, this will free the page incorrectly.
a0fe1f
a0fe1f 
        Fix this by only taking a reference on valid pages if it was non-zero,
a0fe1f 
        which indicates it is participating in normal refcounting (and can be
a0fe1f 
        released with put_page).
a0fe1f
a0fe1f 
        This addresses CVE-2021-22543.
a0fe1f
a0fe1f 
        Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
a0fe1f 
        Tested-by: Paolo Bonzini <pbonzini@redhat.com>
a0fe1f 
        Cc: stable@vger.kernel.org
a0fe1f 
        Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
a0fe1f
a0fe1f 
    Signed-off-by: Jon Maloy <jmaloy@redhat.com>
a0fe1f
a0fe1f 
Signed-off-by: Artem Savkov <asavkov@redhat.com>
a0fe1f 
---
a0fe1f 
 virt/kvm/kvm_main.c | 21 ++++++++++++++++++---
a0fe1f 
 1 file changed, 18 insertions(+), 3 deletions(-)
a0fe1f
a0fe1f 
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
a0fe1f 
index 4b01a017b262..2f40d5fe257d 100644
a0fe1f 
--- a/virt/kvm/kvm_main.c
a0fe1f 
+++ b/virt/kvm/kvm_main.c
a0fe1f 
@@ -1479,6 +1479,13 @@ static bool vma_is_valid(struct vm_area_struct *vma, bool write_fault)
a0fe1f 
 	return true;
a0fe1f 
 }
a0fe1f
a0fe1f 
+static int kvm_try_get_pfn(kvm_pfn_t pfn)
a0fe1f 
+{
a0fe1f 
+	if (kvm_is_reserved_pfn(pfn))
a0fe1f 
+		return 1;
a0fe1f 
+	return get_page_unless_zero(pfn_to_page(pfn));
a0fe1f 
+}
a0fe1f 
+
a0fe1f 
 static int hva_to_pfn_remapped(struct vm_area_struct *vma,
a0fe1f 
 			       unsigned long addr, bool *async,
a0fe1f 
 			       bool write_fault, kvm_pfn_t *p_pfn)
a0fe1f 
@@ -1514,11 +1521,19 @@ static int hva_to_pfn_remapped(struct vm_area_struct *vma,
a0fe1f 
 	 * Whoever called remap_pfn_range is also going to call e.g.
a0fe1f 
 	 * unmap_mapping_range before the underlying pages are freed,
a0fe1f 
 	 * causing a call to our MMU notifier.
a0fe1f 
-	 */
a0fe1f 
-	kvm_get_pfn(pfn);
a0fe1f 
+	 *
a0fe1f 
+	 * Certain IO or PFNMAP mappings can be backed with valid
a0fe1f 
+	 * struct pages, but be allocated without refcounting e.g.,
a0fe1f 
+	 * tail pages of non-compound higher order allocations, which
a0fe1f 
+	 * would then underflow the refcount when the caller does the
a0fe1f 
+	 * required put_page. Don't allow those pages here.
a0fe1f 
+	 */
a0fe1f
a0fe1f 
+	if (!kvm_try_get_pfn(pfn))
a0fe1f 
+		r = -EFAULT;
a0fe1f 
 	*p_pfn = pfn;
a0fe1f 
-	return 0;
a0fe1f 
+
a0fe1f 
+	return r;
a0fe1f 
 }
a0fe1f
a0fe1f 
 /*
a0fe1f 
--
a0fe1f 
2.26.3
a0fe1f
a0fe1f

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation