From: Greg Kroah-Hartman Date: Thu, 21 Feb 2019 12:10:35 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.136~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f1192da71437a5bda01ebbecb5fe7d2b76ceda0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch x86-livepatch-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch --- diff --git a/queue-4.4/kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch b/queue-4.4/kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch new file mode 100644 index 00000000000..bd5e365bd00 --- /dev/null +++ b/queue-4.4/kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch 
@@ -0,0 +1,55 @@ +From cfa39381173d5f969daf43582c95ad679189cbc9 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sat, 26 Jan 2019 01:54:33 +0100 +Subject: kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) + +From: Jann Horn + +commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream. + +kvm_ioctl_create_device() does the following: + +1. creates a device that holds a reference to the VM object (with a borrowed + reference, the VM's refcount has not been bumped yet) +2. initializes the device +3. transfers the reference to the device to the caller's file descriptor table +4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real + reference + +The ownership transfer in step 3 must not happen before the reference to the VM +becomes a proper, non-borrowed reference, which only happens in step 4. +After step 3, an attacker can close the file descriptor and drop the borrowed +reference, which can cause the refcount of the kvm object to drop to zero. + +This means that we need to grab a reference for the device before +anon_inode_getfd(), otherwise the VM can disappear from under us. + +Fixes: 852b6d57dc7f ("kvm: add device control API") +Cc: stable@kernel.org +Signed-off-by: Jann Horn +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/kvm_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2711,14 +2711,15 @@ static int kvm_ioctl_create_device(struc + return ret; + } + ++ kvm_get_kvm(kvm); + ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); + if (ret < 0) { ++ kvm_put_kvm(kvm); + ops->destroy(dev); + return ret; + } + + list_add(&dev->vm_node, &kvm->devices); +- kvm_get_kvm(kvm); + cd->fd = ret; + return 0; + } diff --git a/queue-4.4/series b/queue-4.4/series index 6e25f1ec2f2..be6ff282291 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -10,3 +10,5 @@ tcp-clear-icsk_backoff-in-tcp_write_queue_purge.patch vxlan-test-dev-flags-iff_up-before-calling-netif_rx.patch net-stmmac-fix-a-race-in-eee-enable-callback.patch net-ipv4-use-a-dedicated-counter-for-icmp_v4-redirect-packets.patch +x86-livepatch-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch +kvm-fix-kvm_ioctl_create_device-reference-counting-cve-2019-6974.patch diff --git a/queue-4.4/x86-livepatch-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch b/queue-4.4/x86-livepatch-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch new file mode 100644 index 00000000000..519c72914ec --- /dev/null +++ b/queue-4.4/x86-livepatch-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch 
@@ -0,0 +1,42 @@ +From chenzefeng2@huawei.com Thu Feb 21 12:46:27 2019 +From: "chenzefeng (A)" +Date: Wed, 20 Feb 2019 12:37:54 +0000 +Subject: [PATCH] x86: livepatch: Treat R_X86_64_PLT32 as R_X86_64_PC32 +To: "gregkh@linuxfoundation.org" +Cc: "stable@vger.kernel.org" , Petr Mladek , Jiri Kosina , "hjl.tools@gmail.com" , "chengjian (D)" +Message-ID: <79A62BFA453EFB42B7A4E40AD8F3A2264F2AB257@DGGEMA503-MBX.china.huawei.com> + +Signed-off-by: chenzefeng + +On x86-64, for 32-bit PC-relacive branches, we can generate PLT32 +relocation, instead of PC32 relocation. and R_X86_64_PLT32 can be +treated the same as R_X86_64_PC32 since linux kernel doesn't use PLT. + +commit b21ebf2fb4cd ("x86: Treat R_X86_64_PLT32 as R_X86_64_PC32") been +fixed for the module loading, but not fixed for livepatch relocation, +which will fail to load livepatch with the error message as follow: +relocation failed for symbol at + +This issue only effacted the kernel version from 4.0 to 4.6, becauce the +function klp_write_module_reloc is introduced by: commit b700e7f03df5 +("livepatch: kernel: add support for live patching") and deleted by: +commit 425595a7fc20 ("livepatch: reuse module loader code to write +relocations") + +Signed-off-by: chenzefeng +Reviewed-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/livepatch.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/livepatch.c ++++ b/arch/x86/kernel/livepatch.c +@@ -58,6 +58,7 @@ int klp_write_module_reloc(struct module + val = (s32)value; + break; + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + val = (u32)(value - loc); + break; + default:
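Review bot: for the kvm_main.c hunk, the ordering change is the whole fix and it looks right: kvm_get_kvm(kvm) now runs before anon_inode_getfd(), so the reference the device holds is a real one before the fd becomes visible to userspace, and the added kvm_put_kvm(kvm) on the `ret < 0` path keeps the count balanced when fd allocation fails, with the old post-install kvm_get_kvm(kvm) dropped. One detail worth confirming for the 4.4 backport is that list_add(&dev->vm_node, &kvm->devices) is still placed after anon_inode_getfd() returns, so the patch changes when the VM reference is taken but not when the device becomes visible on kvm->devices; that is outside the scope of the CVE fix, but a sentence in the backport message saying so would save the next reader the same question.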
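Review bot: for the livepatch.c hunk, the commit message needs a tidy before this goes out: "Signed-off-by: chenzefeng" appears twice (once above the body and again in the trailer block), several spellings need correcting (relacive, effacted, becauce), and the quoted error "relocation failed for symbol at" appears truncated, so it would help to paste the exact message as printed by arch/x86/kernel/livepatch.c. The code change itself is a one-line fall-through, adding `case R_X86_64_PLT32:` above the existing `case R_X86_64_PC32:` arm so both are computed as `val = (u32)(value - loc);`; that is only sound because, as the message states, the kernel does not use a PLT, which is the same reasoning b21ebf2fb4cd applied to the module loader, and the stated 4.0 to 4.6 applicability (klp_write_module_reloc introduced by b700e7f03df5 and removed by 425595a7fc20) is consistent with queuing it for 4.4.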