From dfa836934686eb5b0dd0cfb7957bd9d5327fba4a Mon Sep 17 00:00:00 2001 From: "C. Erastus Toe" Date: Mon, 7 Mar 2022 22:39:18 -0500 Subject: [KPATCH CVE-2021-4028] kpatch fixes for CVE-2021-4028 Kernels: 4.18.0-348.el8 4.18.0-348.2.1.el8_5 4.18.0-348.7.1.el8_5 4.18.0-348.12.2.el8_5 4.18.0-348.19.1.el8_5 Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/40 Approved-by: Joe Lawrence (@joe.lawrence) Changes since last build: [x86_64]: cma.o: changed function: rdma_listen nf_tables_api.o: changed function: __nf_tables_abort nf_tables_api.o: changed function: __nft_release_basechain nf_tables_api.o: changed function: nf_tables_commit nf_tables_api.o: changed function: nf_tables_exit_net nf_tables_api.o: changed function: nf_tables_newrule nf_tables_api.o: changed function: nf_tables_rule_destroy nf_tables_api.o: changed function: nft_delrule nf_tables_api.o: new function: nft_rule_expr_deactivate nf_tables_offload.o: changed function: nft_flow_rule_create [ppc64le]: cma.o: changed function: rdma_listen nf_tables_api.o: changed function: __nf_tables_abort nf_tables_api.o: changed function: __nft_release_basechain nf_tables_api.o: changed function: nf_tables_commit nf_tables_api.o: changed function: nf_tables_exit_net nf_tables_api.o: changed function: nf_tables_newrule nf_tables_api.o: changed function: nf_tables_trans_destroy_work nf_tables_api.o: changed function: nft_delrule nf_tables_offload.o: changed function: nft_flow_rule_create --------------------------- Modifications: none commit bbccf3dd6a13b14389ee537fb0f1b549752dae08 Author: Kamal Heib Date: Thu Jan 6 10:43:05 2022 +0200 RDMA/cma: Do not change route.addr.src_addr.ss_family Bugzilla: https://bugzilla.redhat.com/2032073 CVE: CVE-2021-4028 Y-Commit: 46f48bc7901a8066a310cd528881f67d9f67a16d O-Bugzilla: http://bugzilla.redhat.com/2032074 O-CVE: CVE-2021-4028 commit bc0bdc5afaa740d782fbf936aaeebd65e5c2921d Author: Jason Gunthorpe Date: Wed Sep 15 17:21:43 2021 -0300 RDMA/cma: Do not change route.addr.src_addr.ss_family If the state is not idle then rdma_bind_addr() will immediately fail and no change to global state should happen. For instance if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation(): if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev) To view a mangled src_addr, eg with a IPv6 loopback address but an IPv4 family, failing the test. This would manifest as this trace from syzkaller: BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26 Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204 CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 __list_add_valid+0x93/0xa0 lib/list_debug.c:26 __list_add include/linux/list.h:67 [inline] list_add_tail include/linux/list.h:100 [inline] cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline] rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751 ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102 ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xa30 fs/read_write.c:603 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Which is indicating that an rdma_id_private was destroyed without doing cma_cancel_listens(). Instead of trying to re-use the src_addr memory to indirectly create an any address build one explicitly on the stack and bind to that as any other normal flow would do. Link: https://lore.kernel.org/r/0-v1-9fbb33f5e201+2a-cma_listen_jgg@nvidia.com Cc: stable@vger.kernel.org Fixes: 732d41c545bb ("RDMA/cma: Make the locking for automatic state transition more clear") Reported-by: syzbot+6bb0528b13611047209c@syzkaller.appspotmail.com Tested-by: Hao Sun Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Kamal Heib Signed-off-by: Bruno Meneguele Signed-off-by: C. Erastus Toe --- drivers/infiniband/core/cma.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c index 5b9022a8c9ec..f716de3fd7e5 100644 --- a/drivers/infiniband/core/cma.c +++ b/drivers/infiniband/core/cma.c @@ -3716,9 +3716,13 @@ int rdma_listen(struct rdma_cm_id *id, int backlog) int ret; if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_LISTEN)) { + struct sockaddr_in any_in = { + .sin_family = AF_INET, + .sin_addr.s_addr = htonl(INADDR_ANY), + }; + /* For a well behaved ULP state will be RDMA_CM_IDLE */ - id->route.addr.src_addr.ss_family = AF_INET; - ret = rdma_bind_addr(id, cma_src_addr(id_priv)); + ret = rdma_bind_addr(id, (struct sockaddr *)&any_in); if (ret) return ret; if (WARN_ON(!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, -- 2.34.1