Livepatched CVE-2023-1281 in kernel 5.15.94.1-1.cm2. (#5276)

2023-04-11 13:35:03 -07:00 · 2023-04-11 13:35:03 -07:00 · c9a8dc735e
--- a/SPECS-SIGNED/livepatch-5.15.94.1-1.cm2-signed/livepatch-5.15.94.1-1.cm2-signed.spec
+++ b/SPECS-SIGNED/livepatch-5.15.94.1-1.cm2-signed/livepatch-5.15.94.1-1.cm2-signed.spec
@ -0,0 +1,123 @@
+# The default %%__os_install_post macro ends up stripping the signatures off of the kernel module.
+%define __os_install_post %{__os_install_post_leave_signatures} %{nil}
+
+%global debug_package %{nil}
+
+%define kernel_version_release 5.15.94.1-1.cm2
+%define kernel_version %(echo %{kernel_version_release} | grep -oP "^[^-]+")
+%define kernel_release %(echo %{kernel_version_release} | grep -oP "(?<=-).+")
+
+%define livepatch_unsigned_name livepatch-%{kernel_version_release}
+
+# Kpatch module names allow only alphanumeric characters and '_'.
+%define livepatch_name %(value="%{livepatch_unsigned_name}-%{version}-%{release}"; echo "${value//[^a-zA-Z0-9_]/_}")
+%define livepatch_install_dir %{_libdir}/livepatching/%{kernel_version_release}
+%define livepatch_module_name %{livepatch_name}.ko
+%define livepatch_module_path %{livepatch_install_dir}/%{livepatch_module_name}
+
+%define patch_applicable_for_kernel [[ -f "%{livepatch_module_path}" && "$(uname -r)" == "%{kernel_version_release}" ]]
+%define patch_installed kpatch list | grep -qP "%{livepatch_name}.*%{kernel_version_release}"
+%define patch_loaded    kpatch list | grep -qP "%{livepatch_name}.*enabled"
+
+# Install patch if the RUNNING kernel matches.
+# No-op for initial (empty) livepatch.
+%define install_if_should \
+if %{patch_applicable_for_kernel} && ! %{patch_installed} \
+then \
+    kpatch install %{livepatch_module_path} \
+fi
+
+# Load patch, if the RUNNING kernel matches.
+# No-op for initial (empty) livepatch.
+%define load_if_should \
+if %{patch_applicable_for_kernel} && ! %{patch_loaded} \
+then \
+    kpatch load %{livepatch_module_path} \
+fi
+
+%define uninstall_if_should \
+if %{patch_installed} \
+then \
+    kpatch uninstall %{livepatch_name} \
+fi
+
+%define unload_if_should \
+if %{patch_loaded} \
+then \
+    kpatch unload %{livepatch_name} \
+fi
+
+Summary:        Set of livepatches for kernel %{kernel_version_release}
+Name:           %{livepatch_unsigned_name}-signed
+Version:        1.0.0
+Release:        2%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System Environment/Base
+URL:            https://github.com/microsoft/CBL-Mariner
+Source0:        https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{kernel_version}.tar.gz#/%{livepatch_module_name}
+
+ExclusiveArch:  x86_64
+
+%description
+A set of kernel livepatches addressing CVEs present in Mariner's
+5.15.94.1-1.cm2 kernel.
+
+Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):
+*CVE-2023-1281
+
+%package -n     %{livepatch_unsigned_name}
+Summary:        %{summary}
+
+Requires:       coreutils
+Requires:       livepatching-filesystem
+
+Requires(post): coreutils
+Requires(post): kpatch
+
+Requires(preun): kpatch
+
+Provides:       livepatch = %{kernel_version_release}
+
+%description -n %{livepatch_unsigned_name}
+A set of kernel livepatches addressing CVEs present in Mariner's
+5.15.94.1-1.cm2 kernel.
+
+Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):
+*CVE-2023-1281
+
+%install
+install -dm 755 %{buildroot}%{livepatch_install_dir}
+install -m 744 %{SOURCE0} %{buildroot}%{livepatch_module_path}
+
+%post -n %{livepatch_unsigned_name}
+%load_if_should
+%install_if_should
+
+%preun -n %{livepatch_unsigned_name}
+%uninstall_if_should
+%unload_if_should
+
+# Re-enable patch on rollbacks to supported kernel.
+%triggerin -n %{livepatch_unsigned_name} -- kernel = %{kernel_version_release}
+%load_if_should
+%install_if_should
+
+# Prevent the patch from being loaded after a reboot to a different kernel.
+# Previous kernel is still running, do NOT unload the livepatch.
+%triggerin -n %{livepatch_unsigned_name} -- kernel > %{kernel_version_release}, kernel < %{kernel_version_release}
+%uninstall_if_should
+
+%files -n %{livepatch_unsigned_name}
+%defattr(-,root,root)
+%dir %{livepatch_install_dir}
+%{livepatch_module_path}
+
+%changelog
+* Mon Apr 10 2023 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-2
+- Patching CVE-2023-1281.
+
+* Wed Feb 22 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.0.0-1
+- Original version for CBL-Mariner.
+- License verified.
--- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
+++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
--- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json
+++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json
@ -2194,6 +2194,7 @@
                "livepatch-5.15.92.1-1.cm2",
                "livepatch-5.15.92.1-2.cm2",
                "livepatch-5.15.94.1-1.cm2",
+                "livepatch-5.15.94.1-1.cm2-signed",
                "livepatch-5.15.95.1-1.cm2",
                "livepatch-5.15.98.1-1.cm2",
                "livepatching",
--- a/SPECS/livepatch-5.15.94.1-1.cm2/CVE-2023-1281.patch
+++ b/SPECS/livepatch-5.15.94.1-1.cm2/CVE-2023-1281.patch
@ -0,0 +1,105 @@
+From becf55394f6acb60dd60634a1c797e73c747f9da Mon Sep 17 00:00:00 2001
+From: Pedro Tammela <pctammela@mojatatu.com>
+Date: Thu, 9 Feb 2023 11:37:39 -0300
+Subject: [PATCH] net/sched: tcindex: update imperfect hash filters respecting
+ rcu
+
+commit ee059170b1f7e94e55fa6cadee544e176a6e59c2 upstream.
+
+The imperfect hash area can be updated while packets are traversing,
+which will cause a use-after-free when 'tcf_exts_exec()' is called
+with the destroyed tcf_ext.
+
+CPU 0:               CPU 1:
+tcindex_set_parms    tcindex_classify
+tcindex_lookup
+                     tcindex_lookup
+tcf_exts_change
+                     tcf_exts_exec [UAF]
+
+Stop operating on the shared area directly, by using a local copy,
+and update the filter with 'rcu_replace_pointer()'. Delete the old
+filter version only after a rcu grace period elapsed.
+
+Fixes: 9b0d4446b569 ("net: sched: avoid atomic swap in tcf_exts_change")
+Reported-by: valis <sec@valis.email>
+Suggested-by: valis <sec@valis.email>
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
+Link: https://lore.kernel.org/r/20230209143739.279867-1-pctammela@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/cls_tcindex.c | 34 ++++++++++++++++++++++++++++++----
+ 1 file changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
+index 8d1ef858db87..ac3deffc24bf 100644
+--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
+@@ -12,6 +12,7 @@
+ #include <linux/errno.h>
+ #include <linux/slab.h>
+ #include <linux/refcount.h>
+#include <linux/rcupdate.h>
+ #include <net/act_api.h>
+ #include <net/netlink.h>
+ #include <net/pkt_cls.h>
+@@ -338,6 +339,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
+ 	struct tcf_result cr = {};
+ 	int err, balloc = 0;
+ 	struct tcf_exts e;
+	bool update_h = false;
+ 
+ 	err = tcf_exts_init(&e, net, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
+ 	if (err < 0)
+@@ -455,10 +457,13 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
+ 		}
+ 	}
+ 
+-	if (cp->perfect)
+	if (cp->perfect) {
+ 		r = cp->perfect + handle;
+-	else
+-		r = tcindex_lookup(cp, handle) ? : &new_filter_result;
+	} else {
+		/* imperfect area is updated in-place using rcu */
+		update_h = !!tcindex_lookup(cp, handle);
+		r = &new_filter_result;
+	}
+ 
+ 	if (r == &new_filter_result) {
+ 		f = kzalloc(sizeof(*f), GFP_KERNEL);
+@@ -484,7 +489,28 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
+ 
+ 	rcu_assign_pointer(tp->root, cp);
+ 
+-	if (r == &new_filter_result) {
+	if (update_h) {
+		struct tcindex_filter __rcu **fp;
+		struct tcindex_filter *cf;
+
+		f->result.res = r->res;
+		tcf_exts_change(&f->result.exts, &r->exts);
+
+		/* imperfect area bucket */
+		fp = cp->h + (handle % cp->hash);
+
+		/* lookup the filter, guaranteed to exist */
+		for (cf = rcu_dereference_bh_rtnl(*fp); cf;
+		     fp = &cf->next, cf = rcu_dereference_bh_rtnl(*fp))
+			if (cf->key == handle)
+				break;
+
+		f->next = cf->next;
+
+		cf = rcu_replace_pointer(*fp, f, 1);
+		tcf_exts_get_net(&cf->result.exts);
+		tcf_queue_work(&cf->rwork, tcindex_destroy_fexts_work);
+	} else if (r == &new_filter_result) {
+ 		struct tcindex_filter *nfp;
+ 		struct tcindex_filter __rcu **fp;
+ 
+-- 
+2.34.1
+
--- a/SPECS/livepatch-5.15.94.1-1.cm2/livepatch-5.15.94.1-1.cm2.spec
+++ b/SPECS/livepatch-5.15.94.1-1.cm2/livepatch-5.15.94.1-1.cm2.spec
@ -64,7 +64,7 @@ fi
 Summary:        Set of livepatches for kernel %{kernel_version_release}
 Name:           livepatch-%{kernel_version_release}
 Version:        1.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -73,6 +73,7 @@ URL:            https://github.com/microsoft/CBL-Mariner
 Source0:        https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{kernel_version}.tar.gz#/kernel-%{kernel_version}.tar.gz
 Source1:        config-%{kernel_version_release}
 Source2:        mariner-%{kernel_version_release}.pem
+Patch0:         CVE-2023-1281.patch

 ExclusiveArch:  x86_64

@ -184,6 +185,9 @@ addressing CVEs present in Mariner's %{kernel_version_release} kernel.
 %endif

 %changelog
+* Mon Apr 10 2023 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-2
+- Patching CVE-2023-1281.
+
 * Wed Feb 22 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.0.0-1
 - Original version for CBL-Mariner.
 - License verified.