diff --git a/SOURCES/CVE-2021-37576.patch b/SOURCES/CVE-2021-37576.patch
new file mode 100644
index 0000000..a4ec52f
--- /dev/null
+++ b/SOURCES/CVE-2021-37576.patch
@@ -0,0 +1,127 @@
+From 742fee241938f6089d67c4e779ba0d608a9d88e3 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence
+Date: Mon, 30 Aug 2021 16:54:36 -0400
+Subject: [KPATCH CVE-2021-37576] powerpc: kpatch fixes for CVE-2021-37576
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+4.18.0-305.10.2.el8_4
+4.18.0-305.12.1.el8_4
+
+arches: ppc64le
+Changes since last build:
+[ppc64le]:
+book3s_rtas.o: changed function: kvmppc_rtas_hcall
+
+---------------------------
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+4.18.0-305.10.2.el8_4
+4.18.0-305.12.1.el8_4
+
+Modifications: none
+Approved-by: Yannick Cote (@ycote1)
+Approved-by: Artem Savkov (@artem.savkov)
+KPATCH-MR: https://gitlab.com/kpatch-dev/rhel-8/-/merge_requests/2
+
+KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5756102
+for kpatch-patch-4_18_0-305-1-5.el8 scratch build:
+https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39394966
+
+commit 82faab596fc8f92648f20e2fbc4211557b115c13
+Author: Jon Maloy
+Date: Thu Aug 12 19:22:51 2021 -0400
+
+ KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
+
+ Bugzilla: https://bugzilla.redhat.com/1988225
+ Upstream Status: Merged
+ Build Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38936146
+ CVE: CVE-2021-37576
+
+ commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a
+ Author: Nicholas Piggin
+ Date: Tue Jul 20 20:43:09 2021 +1000
+
+ KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
+
+ The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on
+ the rtas_args.nargs that was provided by the guest. That guest nargs
+ value is not range checked, so the guest can cause the host rets pointer
+ to be pointed outside the args array. The individual rtas function
+ handlers check the nargs and nrets values to ensure they are correct,
+ but if they are not, the handlers store a -3 (0xfffffffd) failure
+ indication in rets[0] which corrupts host memory.
+
+ Fix this by testing up front whether the guest supplied nargs and nret
+ would exceed the array size, and fail the hcall directly without storing
+ a failure indication to rets[0].
+
+ Also expand on a comment about why we kill the guest and try not to
+ return errors directly if we have a valid rets[0] pointer.
+
+ Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")
+ Cc: stable@vger.kernel.org # v3.10+
+ Reported-by: Alexey Kardashevskiy
+ Signed-off-by: Nicholas Piggin
+ Signed-off-by: Michael Ellerman
+
+ Signed-off-by: Jon Maloy
+
+Signed-off-by: Joe Lawrence
+---
+ arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c
+index ceccacbf028e..52095f765e32 100644
+--- a/arch/powerpc/kvm/book3s_rtas.c
++++ b/arch/powerpc/kvm/book3s_rtas.c
+@@ -245,6 +245,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
+ * value so we can restore it on the way out.
+ */
+ orig_rets = args.rets;
++ if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) {
++ /*
++ * Don't overflow our args array: ensure there is room for
++ * at least rets[0] (even if the call specifies 0 nret).
++ *
++ * Each handler must then check for the correct nargs and nret
++ * values, but they may always return failure in rets[0].
++ */
++ rc = -EINVAL;
++ goto fail;
++ }
+ args.rets = &args.args[be32_to_cpu(args.nargs)];
+
+ mutex_lock(&vcpu->kvm->arch.rtas_token_lock);
+@@ -272,9 +283,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu)
+ fail:
+ /*
+ * We only get here if the guest has called RTAS with a bogus
+- * args pointer. That means we can't get to the args, and so we
+- * can't fail the RTAS call. So fail right out to userspace,
+- * which should kill the guest.
++ * args pointer or nargs/nret values that would overflow the
++ * array. That means we can't get to the args, and so we can't
++ * fail the RTAS call. So fail right out to userspace, which
++ * should kill the guest.
++ *
++ * SLOF should actually pass the hcall return value from the
++ * rtas handler call in r3, so enter_rtas could be modified to
++ * return a failure indication in r3 and we could return such
++ * errors to the guest rather than failing to host userspace.
++ * However old guests that don't test for failure could then
++ * continue silently after errors, so for now we won't do this.
+ */
+ return rc;
+ }
+--
+2.31.1
+
+
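Review bot: The new guard `if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args))` bounds only nargs, although the commit message says the hcall now fails up front when "the guest supplied nargs and nret would exceed the array size"; nret is still taken from the guest unchecked, so after `args.rets = &args.args[be32_to_cpu(args.nargs)]` there may be fewer than nret slots left in `args.args`. The guard is sufficient only because, as the added comment itself states, every handler must validate nargs/nret and write nothing past rets[0] until it has done so — an invariant enforced by review rather than by this check, and one a future handler could break. If rejecting an inconsistent nargs/nret pair outright is acceptable (it would kill such a guest instead of returning -3 in rets[0]), widening the condition to `if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args) || be32_to_cpu(args.nret) > ARRAY_SIZE(args.args) - be32_to_cpu(args.nargs))` makes the bound hold regardless of handler discipline while still leaving room for rets[0] when nret is 0; otherwise the commit message should be reworded to say that only nargs is range-checked here. kvmppc_rtas_hcall begins before the first inner hunk.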
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 846d2af..856d06b 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@ %define kernel_ver 4.18.0-305.3.1.el8_4
%define kpatch_ver 0.9.3
%define rpm_ver 1
-%define rpm_rel 3
+%define rpm_rel 4
%if !%{empty_package}
# Patch sources below. DO NOT REMOVE THIS LINE.
@@ -28,6 +28,9 @@ Source104: CVE-2021-22555.patch
#
# https://bugzilla.redhat.com/1975066
Source105: CVE-2021-3609.patch
+#
+# https://bugzilla.redhat.com/1988230
+Source106: CVE-2021-37576.patch
# End of patch sources. DO NOT REMOVE THIS LINE.
%endif
@@ -47,7 +50,7 @@ Summary: Live kernel patching module for kernel-%{kernel_ver_arch}
Group: System Environment/Kernel
License: GPLv2
-ExclusiveArch: x86_64 ppc64le
+ExclusiveArch: ppc64le
Conflicts: %{name} < %{version}-%{release}
@@ -166,6 +169,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
%endif
%changelog
+* Wed Sep 01 2021 Artem Savkov [1-4.el8_4]
+- powerpc: KVM guest OS users can cause host OS memory corruption [1988230] {CVE-2021-37576}
+
* Tue Jul 27 2021 Artem Savkov [1-3.el8_4]
- race condition in net/can/bcm.c leads to local privilege escalation [1975066] {CVE-2021-3609}
- out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c [1980520] {CVE-2021-22555}
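Review bot: The hunk changing `-ExclusiveArch: x86_64 ppc64le` to `+ExclusiveArch: ppc64le` drops x86_64 from this package's build targets, but the new changelog entry for 1-4.el8_4 records only the CVE fix and says nothing about the architecture change. This looks intentional — the patch touches only arch/powerpc/kvm/book3s_rtas.c and its header lists ppc64le as the sole changed arch — so the x86_64 stream is presumably meant to stay on 1-3.el8_4, which already carries CVE-2021-3609 and CVE-2021-22555; I have not verified how the build system treats a release that exists for one arch only. A one-line changelog note such as `- restrict build to ppc64le; x86_64 unchanged since 1-3.el8_4` would stop a consumer of the kpatch stream from reading the missing x86_64 1-4 build as a lost update.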