Update with 5.14.0-284.25.1.el9_2 security fixes
This commit is contained in:
parent
75f7cb2046
commit
e7e939cd1c
@ -0,0 +1,87 @@
|
|||||||
|
From 6f404ab35a9a684cb6ee146a39413698bba17fe4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Date: Wed, 2 Aug 2023 12:50:36 +0000
|
||||||
|
Subject: [PATCH 1/5] KVM: x86/mmu: Fix race condition in direct_page_fault
|
||||||
|
|
||||||
|
make_mmu_pages_available() must be called with mmu_lock held for write.
|
||||||
|
However, if the TDP MMU is used, it will be called with mmu_lock held for
|
||||||
|
read.
|
||||||
|
This function does nothing unless shadow pages are used, so there is no
|
||||||
|
race unless nested TDP is used.
|
||||||
|
Since nested TDP uses shadow pages, old shadow pages may be zapped by this
|
||||||
|
function even when the TDP MMU is enabled.
|
||||||
|
Since shadow pages are never allocated by kvm_tdp_mmu_map(), a race
|
||||||
|
condition can be avoided by not calling make_mmu_pages_available() if the
|
||||||
|
TDP MMU is currently in use.
|
||||||
|
|
||||||
|
I encountered this when repeatedly starting and stopping nested VM.
|
||||||
|
It can be artificially caused by allocating a large number of nested TDP
|
||||||
|
SPTEs.
|
||||||
|
|
||||||
|
For example, the following BUG and general protection fault are caused in
|
||||||
|
the host kernel.
|
||||||
|
|
||||||
|
pte_list_remove: 00000000cd54fc10 many->many
|
||||||
|
------------[ cut here ]------------
|
||||||
|
kernel BUG at arch/x86/kvm/mmu/mmu.c:963!
|
||||||
|
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
|
||||||
|
RIP: 0010:pte_list_remove.cold+0x16/0x48 [kvm]
|
||||||
|
Call Trace:
|
||||||
|
<TASK>
|
||||||
|
drop_spte+0xe0/0x180 [kvm]
|
||||||
|
mmu_page_zap_pte+0x4f/0x140 [kvm]
|
||||||
|
__kvm_mmu_prepare_zap_page+0x62/0x3e0 [kvm]
|
||||||
|
kvm_mmu_zap_oldest_mmu_pages+0x7d/0xf0 [kvm]
|
||||||
|
direct_page_fault+0x3cb/0x9b0 [kvm]
|
||||||
|
kvm_tdp_page_fault+0x2c/0xa0 [kvm]
|
||||||
|
kvm_mmu_page_fault+0x207/0x930 [kvm]
|
||||||
|
npf_interception+0x47/0xb0 [kvm_amd]
|
||||||
|
svm_invoke_exit_handler+0x13c/0x1a0 [kvm_amd]
|
||||||
|
svm_handle_exit+0xfc/0x2c0 [kvm_amd]
|
||||||
|
kvm_arch_vcpu_ioctl_run+0xa79/0x1780 [kvm]
|
||||||
|
kvm_vcpu_ioctl+0x29b/0x6f0 [kvm]
|
||||||
|
__x64_sys_ioctl+0x95/0xd0
|
||||||
|
do_syscall_64+0x5c/0x90
|
||||||
|
|
||||||
|
general protection fault, probably for non-canonical address
|
||||||
|
0xdead000000000122: 0000 [#1] PREEMPT SMP NOPTI
|
||||||
|
RIP: 0010:kvm_mmu_commit_zap_page.part.0+0x4b/0xe0 [kvm]
|
||||||
|
Call Trace:
|
||||||
|
<TASK>
|
||||||
|
kvm_mmu_zap_oldest_mmu_pages+0xae/0xf0 [kvm]
|
||||||
|
direct_page_fault+0x3cb/0x9b0 [kvm]
|
||||||
|
kvm_tdp_page_fault+0x2c/0xa0 [kvm]
|
||||||
|
kvm_mmu_page_fault+0x207/0x930 [kvm]
|
||||||
|
npf_interception+0x47/0xb0 [kvm_amd]
|
||||||
|
|
||||||
|
CVE: CVE-2022-45869
|
||||||
|
Fixes: a2855afc7ee8 ("KVM: x86/mmu: Allow parallel page faults for the TDP MMU")
|
||||||
|
Signed-off-by: Kazuki Takiguchi <takiguchi.kazuki171@gmail.com>
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
|
||||||
|
Conflicts: dropped hunk in direct_page_fault because the following backported commits do the same thing
|
||||||
|
a158127f55b98c ("KVM: x86/mmu: Split out TDP MMU page fault handling")
|
||||||
|
1290f90e77186b ("KVM: x86/mmu: Stop needlessly making MMU pages available for TDP MMU faults")
|
||||||
|
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
arch/x86/kvm/mmu/mmu.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
|
||||||
|
index 05c137831..2968f8137 100644
|
||||||
|
--- a/arch/x86/kvm/mmu/mmu.c
|
||||||
|
+++ b/arch/x86/kvm/mmu/mmu.c
|
||||||
|
@@ -2432,6 +2432,7 @@ static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm,
|
||||||
|
{
|
||||||
|
bool list_unstable, zapped_root = false;
|
||||||
|
|
||||||
|
+ lockdep_assert_held_write(&kvm->mmu_lock);
|
||||||
|
trace_kvm_mmu_prepare_zap_page(sp);
|
||||||
|
++kvm->stat.mmu_shadow_zapped;
|
||||||
|
*nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list);
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,45 @@
|
|||||||
|
From c9e34f92dafffe1fd37ba7ef7fb198002576bea1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Date: Wed, 2 Aug 2023 12:54:02 +0000
|
||||||
|
Subject: [PATCH 2/5] prlimit: do_prlimit needs to have a speculation check
|
||||||
|
|
||||||
|
CVE: CVE-2023-0458
|
||||||
|
|
||||||
|
commit 739790605705ddcf18f21782b9c99ad7d53a8c11
|
||||||
|
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
Date: Fri Jan 20 11:03:20 2023 +0100
|
||||||
|
|
||||||
|
prlimit: do_prlimit needs to have a speculation check
|
||||||
|
|
||||||
|
do_prlimit() adds the user-controlled resource value to a pointer that
|
||||||
|
will subsequently be dereferenced. In order to help prevent this
|
||||||
|
codepath from being used as a spectre "gadget" a barrier needs to be
|
||||||
|
added after checking the range.
|
||||||
|
|
||||||
|
Reported-by: Jordy Zomer <jordyzomer@google.com>
|
||||||
|
Tested-by: Jordy Zomer <jordyzomer@google.com>
|
||||||
|
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
|
||||||
|
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||||
|
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
kernel/sys.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/kernel/sys.c b/kernel/sys.c
|
||||||
|
index 75852f64d..45480f6f6 100644
|
||||||
|
--- a/kernel/sys.c
|
||||||
|
+++ b/kernel/sys.c
|
||||||
|
@@ -1439,6 +1439,8 @@ static int do_prlimit(struct task_struct *tsk, unsigned int resource,
|
||||||
|
|
||||||
|
if (resource >= RLIM_NLIMITS)
|
||||||
|
return -EINVAL;
|
||||||
|
+ resource = array_index_nospec(resource, RLIM_NLIMITS);
|
||||||
|
+
|
||||||
|
if (new_rlim) {
|
||||||
|
if (new_rlim->rlim_cur > new_rlim->rlim_max)
|
||||||
|
return -EINVAL;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,95 @@
|
|||||||
|
From 4758c1f8ad5385e53ea85739ad9f6fa6dfc0abda Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Date: Wed, 2 Aug 2023 12:55:46 +0000
|
||||||
|
Subject: [PATCH 3/5] x86/speculation: Allow enabling STIBP with legacy IBRS
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
When plain IBRS is enabled (not enhanced IBRS), the logic in
|
||||||
|
spectre_v2_user_select_mitigation() determines that STIBP is not needed.
|
||||||
|
|
||||||
|
The IBRS bit implicitly protects against cross-thread branch target
|
||||||
|
injection. However, with legacy IBRS, the IBRS bit is cleared on
|
||||||
|
returning to userspace for performance reasons which leaves userspace
|
||||||
|
threads vulnerable to cross-thread branch target injection against which
|
||||||
|
STIBP protects.
|
||||||
|
|
||||||
|
Exclude IBRS from the spectre_v2_in_ibrs_mode() check to allow for
|
||||||
|
enabling STIBP (through seccomp/prctl() by default or always-on, if
|
||||||
|
selected by spectre_v2_user kernel cmdline parameter).
|
||||||
|
|
||||||
|
[ bp: Massage. ]
|
||||||
|
|
||||||
|
Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS")
|
||||||
|
Reported-by: José Oliveira <joseloliveira11@gmail.com>
|
||||||
|
Reported-by: Rodrigo Branco <rodrigo@kernelhacking.com>
|
||||||
|
Signed-off-by: KP Singh <kpsingh@kernel.org>
|
||||||
|
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
arch/x86/kernel/cpu/bugs.c | 25 ++++++++++++++++++-------
|
||||||
|
1 file changed, 18 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
|
||||||
|
index da7c361f4..e13c4ecdc 100644
|
||||||
|
--- a/arch/x86/kernel/cpu/bugs.c
|
||||||
|
+++ b/arch/x86/kernel/cpu/bugs.c
|
||||||
|
@@ -1095,14 +1095,18 @@ spectre_v2_parse_user_cmdline(void)
|
||||||
|
return SPECTRE_V2_USER_CMD_AUTO;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
|
||||||
|
+static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode)
|
||||||
|
{
|
||||||
|
- return mode == SPECTRE_V2_IBRS ||
|
||||||
|
- mode == SPECTRE_V2_EIBRS ||
|
||||||
|
+ return mode == SPECTRE_V2_EIBRS ||
|
||||||
|
mode == SPECTRE_V2_EIBRS_RETPOLINE ||
|
||||||
|
mode == SPECTRE_V2_EIBRS_LFENCE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode)
|
||||||
|
+{
|
||||||
|
+ return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void __init
|
||||||
|
spectre_v2_user_select_mitigation(void)
|
||||||
|
{
|
||||||
|
@@ -1165,12 +1169,19 @@ spectre_v2_user_select_mitigation(void)
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
|
||||||
|
- * STIBP is not required.
|
||||||
|
+ * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP
|
||||||
|
+ * is not required.
|
||||||
|
+ *
|
||||||
|
+ * Enhanced IBRS also protects against cross-thread branch target
|
||||||
|
+ * injection in user-mode as the IBRS bit remains always set which
|
||||||
|
+ * implicitly enables cross-thread protections. However, in legacy IBRS
|
||||||
|
+ * mode, the IBRS bit is set only on kernel entry and cleared on return
|
||||||
|
+ * to userspace. This disables the implicit cross-thread protection,
|
||||||
|
+ * so allow for STIBP to be selected in that case.
|
||||||
|
*/
|
||||||
|
if (!boot_cpu_has(X86_FEATURE_STIBP) ||
|
||||||
|
!smt_possible ||
|
||||||
|
- spectre_v2_in_ibrs_mode(spectre_v2_enabled))
|
||||||
|
+ spectre_v2_in_eibrs_mode(spectre_v2_enabled))
|
||||||
|
return;
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -2295,7 +2306,7 @@ static ssize_t mmio_stale_data_show_state(char *buf)
|
||||||
|
|
||||||
|
static char *stibp_state(void)
|
||||||
|
{
|
||||||
|
- if (spectre_v2_in_ibrs_mode(spectre_v2_enabled))
|
||||||
|
+ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled))
|
||||||
|
return "";
|
||||||
|
|
||||||
|
switch (spectre_v2_user_stibp) {
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,180 @@
|
|||||||
|
From 4308d0e03dfe439f30b356630beb8b941bf84bf7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Date: Wed, 2 Aug 2023 13:05:59 +0000
|
||||||
|
Subject: [PATCH 4/5] ipvlan:Fix out-of-bounds caused by unclear skb->cb
|
||||||
|
|
||||||
|
CVE: CVE-2023-3090
|
||||||
|
|
||||||
|
commit 90cbed5247439a966b645b34eb0a2e037836ea8e
|
||||||
|
Author: t.feng <fengtao40@huawei.com>
|
||||||
|
Date: Wed May 10 11:50:44 2023 +0800
|
||||||
|
|
||||||
|
ipvlan:Fix out-of-bounds caused by unclear skb->cb
|
||||||
|
|
||||||
|
If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
|
||||||
|
is actually skb->cb, and IPCB(skb_in)->opt will be used in
|
||||||
|
__ip_options_echo. It is possible that memcpy is out of bounds and lead
|
||||||
|
to stack overflow.
|
||||||
|
We should clear skb->cb before ip_local_out or ip6_local_out.
|
||||||
|
|
||||||
|
v2:
|
||||||
|
1. clean the stack info
|
||||||
|
2. use IPCB/IP6CB instead of skb->cb
|
||||||
|
|
||||||
|
crash on stable-5.10(reproduce in kasan kernel).
|
||||||
|
Stack info:
|
||||||
|
[ 2203.651571] BUG: KASAN: stack-out-of-bounds in
|
||||||
|
__ip_options_echo+0x589/0x800
|
||||||
|
[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
|
||||||
|
swapper/3/0
|
||||||
|
[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
|
||||||
|
5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
|
||||||
|
[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
|
||||||
|
BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
|
||||||
|
[ 2203.655475] Call Trace:
|
||||||
|
[ 2203.655481] <IRQ>
|
||||||
|
[ 2203.655501] dump_stack+0x9c/0xd3
|
||||||
|
[ 2203.655514] print_address_description.constprop.0+0x19/0x170
|
||||||
|
[ 2203.655530] __kasan_report.cold+0x6c/0x84
|
||||||
|
[ 2203.655586] kasan_report+0x3a/0x50
|
||||||
|
[ 2203.655586] kasan_report+0x3a/0x50
|
||||||
|
[ 2203.655594] check_memory_region+0xfd/0x1f0
|
||||||
|
[ 2203.655594] check_memory_region+0xfd/0x1f0
|
||||||
|
[ 2203.655601] memcpy+0x39/0x60
|
||||||
|
[ 2203.655608] __ip_options_echo+0x589/0x800
|
||||||
|
[ 2203.655654] __icmp_send+0x59a/0x960
|
||||||
|
[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
|
||||||
|
[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT]
|
||||||
|
[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables]
|
||||||
|
[ 2203.655821] nf_hook_slow+0x69/0x100
|
||||||
|
[ 2203.655828] __ip_local_out+0x21e/0x2b0
|
||||||
|
[ 2203.655857] ip_local_out+0x28/0x90
|
||||||
|
[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
|
||||||
|
[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
|
||||||
|
[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
|
||||||
|
[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
|
||||||
|
[ 2203.655984] xmit_one.constprop.0+0xe1/0x280
|
||||||
|
[ 2203.655992] dev_hard_start_xmit+0x62/0x100
|
||||||
|
[ 2203.656000] sch_direct_xmit+0x215/0x640
|
||||||
|
[ 2203.656028] __qdisc_run+0x153/0x1f0
|
||||||
|
[ 2203.656069] __dev_queue_xmit+0x77f/0x1030
|
||||||
|
[ 2203.656173] ip_finish_output2+0x59b/0xc20
|
||||||
|
[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0
|
||||||
|
[ 2203.656312] ip_finish_output+0x168/0x190
|
||||||
|
[ 2203.656320] ip_output+0x12d/0x220
|
||||||
|
[ 2203.656357] __ip_queue_xmit+0x392/0x880
|
||||||
|
[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0
|
||||||
|
[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30
|
||||||
|
[ 2203.656505] tcp_retransmit_skb+0x2d/0x190
|
||||||
|
[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0
|
||||||
|
[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510
|
||||||
|
[ 2203.656529] tcp_write_timer+0x55/0x180
|
||||||
|
[ 2203.656542] call_timer_fn+0x3f/0x1d0
|
||||||
|
[ 2203.656555] expire_timers+0x160/0x200
|
||||||
|
[ 2203.656562] run_timer_softirq+0x1f4/0x480
|
||||||
|
[ 2203.656606] __do_softirq+0xfd/0x402
|
||||||
|
[ 2203.656613] asm_call_irq_on_stack+0x12/0x20
|
||||||
|
[ 2203.656617] </IRQ>
|
||||||
|
[ 2203.656623] do_softirq_own_stack+0x37/0x50
|
||||||
|
[ 2203.656631] irq_exit_rcu+0x134/0x1a0
|
||||||
|
[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80
|
||||||
|
[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20
|
||||||
|
[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
|
||||||
|
[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
|
||||||
|
cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
|
||||||
|
f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
|
||||||
|
[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
|
||||||
|
[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
|
||||||
|
ffffffffaf290191
|
||||||
|
[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
|
||||||
|
ffff88811a3c4f60
|
||||||
|
[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
|
||||||
|
ffff88811a3c4f63
|
||||||
|
[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
|
||||||
|
0000000000000003
|
||||||
|
[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
|
||||||
|
0000000000000000
|
||||||
|
[ 2203.656729] default_idle_call+0x5a/0x150
|
||||||
|
[ 2203.656735] cpuidle_idle_call+0x1c6/0x220
|
||||||
|
[ 2203.656780] do_idle+0xab/0x100
|
||||||
|
[ 2203.656786] cpu_startup_entry+0x19/0x20
|
||||||
|
[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb
|
||||||
|
|
||||||
|
[ 2203.657409] The buggy address belongs to the page:
|
||||||
|
[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
|
||||||
|
mapping:0000000000000000 index:0x0 pfn:0x11a388
|
||||||
|
[ 2203.658665] flags:
|
||||||
|
0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
|
||||||
|
[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
|
||||||
|
0000000000000000
|
||||||
|
[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
|
||||||
|
0000000000000000
|
||||||
|
[ 2203.658686] page dumped because: kasan: bad access detected
|
||||||
|
|
||||||
|
To reproduce(ipvlan with IPVLAN_MODE_L3):
|
||||||
|
Env setting:
|
||||||
|
=======================================================
|
||||||
|
modprobe ipvlan ipvlan_default_mode=1
|
||||||
|
sysctl net.ipv4.conf.eth0.forwarding=1
|
||||||
|
iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
|
||||||
|
MASQUERADE
|
||||||
|
ip link add gw link eth0 type ipvlan
|
||||||
|
ip -4 addr add 20.0.0.254/24 dev gw
|
||||||
|
ip netns add net1
|
||||||
|
ip link add ipv1 link eth0 type ipvlan
|
||||||
|
ip link set ipv1 netns net1
|
||||||
|
ip netns exec net1 ip link set ipv1 up
|
||||||
|
ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
|
||||||
|
ip netns exec net1 route add default gw 20.0.0.254
|
||||||
|
ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
|
||||||
|
ifconfig gw up
|
||||||
|
iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
|
||||||
|
icmp-port-unreachable
|
||||||
|
=======================================================
|
||||||
|
And then excute the shell(curl any address of eth0 can reach):
|
||||||
|
|
||||||
|
for((i=1;i<=100000;i++))
|
||||||
|
do
|
||||||
|
ip netns exec net1 curl x.x.x.x:8888
|
||||||
|
done
|
||||||
|
=======================================================
|
||||||
|
|
||||||
|
Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
|
||||||
|
Signed-off-by: "t.feng" <fengtao40@huawei.com>
|
||||||
|
Suggested-by: Florian Westphal <fw@strlen.de>
|
||||||
|
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
|
||||||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||||
|
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
drivers/net/ipvlan/ipvlan_core.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
|
||||||
|
index fe584e8ac..ab14c06d1 100644
|
||||||
|
--- a/drivers/net/ipvlan/ipvlan_core.c
|
||||||
|
+++ b/drivers/net/ipvlan/ipvlan_core.c
|
||||||
|
@@ -437,6 +437,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
skb_dst_set(skb, &rt->dst);
|
||||||
|
+
|
||||||
|
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
|
||||||
|
+
|
||||||
|
err = ip_local_out(net, skb->sk, skb);
|
||||||
|
if (unlikely(net_xmit_eval(err)))
|
||||||
|
dev->stats.tx_errors++;
|
||||||
|
@@ -475,6 +478,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
skb_dst_set(skb, dst);
|
||||||
|
+
|
||||||
|
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
|
||||||
|
+
|
||||||
|
err = ip6_local_out(net, skb->sk, skb);
|
||||||
|
if (unlikely(net_xmit_eval(err)))
|
||||||
|
dev->stats.tx_errors++;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,49 @@
|
|||||||
|
From 68e161867609dafcee1a20343990547a8da9be83 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Date: Wed, 2 Aug 2023 13:10:03 +0000
|
||||||
|
Subject: [PATCH 5/5] net/sched: flower: fix possible OOB write
|
||||||
|
in-fl_set_geneve_opt()
|
||||||
|
|
||||||
|
CVE: CVE-2023-35788
|
||||||
|
|
||||||
|
commit 4d56304e5827c8cc8cc18c75343d283af7c4825c
|
||||||
|
Author: Hangyu Hua <hbh25y@gmail.com>
|
||||||
|
Date: Wed May 31 18:28:04 2023 +0800
|
||||||
|
|
||||||
|
net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
|
||||||
|
|
||||||
|
If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
|
||||||
|
size is 252 bytes(key->enc_opts.len = 252) then
|
||||||
|
key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
|
||||||
|
TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
|
||||||
|
bypasses the next bounds check and results in an out-of-bounds.
|
||||||
|
|
||||||
|
Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
|
||||||
|
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
|
||||||
|
Reviewed-by: Simon Horman <simon.horman@corigine.com>
|
||||||
|
Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
|
||||||
|
Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
|
||||||
|
|
||||||
|
Signed-off-by: Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com>
|
||||||
|
Reviewed-by: Laurence Rochfort <laurence.rochfort@oracle.com>
|
||||||
|
---
|
||||||
|
net/sched/cls_flower.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
|
||||||
|
index 041d63ff8..65b68bf36 100644
|
||||||
|
--- a/net/sched/cls_flower.c
|
||||||
|
+++ b/net/sched/cls_flower.c
|
||||||
|
@@ -1145,6 +1145,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
|
||||||
|
if (option_len > sizeof(struct geneve_opt))
|
||||||
|
data_len = option_len - sizeof(struct geneve_opt);
|
||||||
|
|
||||||
|
+ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
|
||||||
|
+ return -ERANGE;
|
||||||
|
+
|
||||||
|
opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
|
||||||
|
memset(opt, 0xff, option_len);
|
||||||
|
opt->length = data_len / 4;
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -161,13 +161,13 @@ Summary: The Linux kernel
|
|||||||
# define buildid .local
|
# define buildid .local
|
||||||
%define specversion 5.14.0
|
%define specversion 5.14.0
|
||||||
%define patchversion 5.14
|
%define patchversion 5.14
|
||||||
%define pkgrelease 284.18.1
|
%define pkgrelease 284.25.1
|
||||||
%define kversion 5
|
%define kversion 5
|
||||||
%define tarfile_release 5.14.0-284.18.1.el9_2
|
%define tarfile_release 5.14.0-284.18.1.el9_2
|
||||||
# This is needed to do merge window version magic
|
# This is needed to do merge window version magic
|
||||||
%define patchlevel 14
|
%define patchlevel 14
|
||||||
# This allows pkg_release to have configurable %%{?dist} tag
|
# This allows pkg_release to have configurable %%{?dist} tag
|
||||||
%define specrelease 284.18.1%{?buildid}%{?dist}
|
%define specrelease 284.25.1%{?buildid}%{?dist}
|
||||||
# This defines the kabi tarball version
|
# This defines the kabi tarball version
|
||||||
%define kabiversion 5.14.0-284.18.1.el9_2
|
%define kabiversion 5.14.0-284.18.1.el9_2
|
||||||
|
|
||||||
@ -900,6 +900,13 @@ Source4002: gating.yaml
|
|||||||
Patch1: patch-%{patchversion}-redhat.patch
|
Patch1: patch-%{patchversion}-redhat.patch
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# Patches from Oracle Linux kernel package
|
||||||
|
Patch1200: 1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch
|
||||||
|
Patch1201: 1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch
|
||||||
|
Patch1202: 1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
|
||||||
|
Patch1203: 1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
|
||||||
|
Patch1204: 1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
|
||||||
|
|
||||||
# empty final patch to facilitate testing of kernel patches
|
# empty final patch to facilitate testing of kernel patches
|
||||||
Patch999999: linux-kernel-test.patch
|
Patch999999: linux-kernel-test.patch
|
||||||
|
|
||||||
@ -1553,6 +1560,11 @@ cp -a %{SOURCE1} .
|
|||||||
ApplyOptionalPatch patch-%{patchversion}-redhat.patch
|
ApplyOptionalPatch patch-%{patchversion}-redhat.patch
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
ApplyPatch 1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch
|
||||||
|
ApplyPatch 1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch
|
||||||
|
ApplyPatch 1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch
|
||||||
|
ApplyPatch 1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
|
||||||
|
ApplyPatch 1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
|
||||||
ApplyOptionalPatch linux-kernel-test.patch
|
ApplyOptionalPatch linux-kernel-test.patch
|
||||||
|
|
||||||
# END OF PATCH APPLICATIONS
|
# END OF PATCH APPLICATIONS
|
||||||
@ -3422,6 +3434,13 @@ fi
|
|||||||
#
|
#
|
||||||
#
|
#
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Aug 01 2023 Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com> - [5.14.0-284.25.1.el9_2]
|
||||||
|
- KVM x86 mmuFix race condition in direct_page_fault
|
||||||
|
- prlimit do_prlimit needs to have a speculation check
|
||||||
|
- x86 speculation Allow enabling STIBP with legacy IBR
|
||||||
|
- ipvlan Fix out of bounds caused by unclear skb cb
|
||||||
|
- net sched flower fix possible OOB write in fl_set_geneve_opt
|
||||||
|
|
||||||
* Wed May 31 2023 Herton R. Krzesinski <herton@redhat.com> [5.14.0-284.18.1.el9_2]
|
* Wed May 31 2023 Herton R. Krzesinski <herton@redhat.com> [5.14.0-284.18.1.el9_2]
|
||||||
- x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (Baoquan He) [2210614 2116317]
|
- x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (Baoquan He) [2210614 2116317]
|
||||||
- bluetooth: Perform careful capability checks in hci_sock_ioctl() (Ricardo Robaina) [2196340 2196341] {CVE-2023-2002}
|
- bluetooth: Perform careful capability checks in hci_sock_ioctl() (Ricardo Robaina) [2196340 2196341] {CVE-2023-2002}
|
||||||
|
Loading…
Reference in New Issue
Block a user