kernels: Fix CVE-2020-14331

Fix CVE-2020-14331, which is a buffer over-write vulnerability in
the scrolling functionality of the VGA console driver (vgacon).

Change-Id: I53d42c8d60784ee76005af49b64432a9173b49fe
Signed-off-by: Srivatsa S. Bhat (VMware) <[email protected]>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/10507
Reviewed-by: Srinidhi Rao <[email protected]>
Tested-by: Srivatsa S. Bhat <[email protected]>

SPECS/linux/4.19-0001-vgacon-Fix-buffer-over-write-vulnerability-in-vgacon.patch

@@ -0,0 +1,51 @@
+From a677521392c1330707d35840b6bd0e4d0dccd2e9 Mon Sep 17 00:00:00 2001
+From: Yunhai Zhang <[email protected]>
+Date: Sun, 26 Jul 2020 23:23:51 -0700
+Subject: [PATCH] vgacon: Fix buffer over write vulnerability in vgacon
+ scrollback handling
+
+[ This patch is not yet merged upstream. ]
+
+There is a buffer over write in vgacon_scrollback_update:
+                scr_memcpyw(vgacon_scrollback_cur->data +
+                            vgacon_scrollback_cur->tail,
+                            p, c->vc_size_row);
+
+Here vgacon_scrollback_cur->data is a buffer of size
+vgacon_scrollback_cur->size which is a multiple of c->vc_size_row,
+vgacon_scrollback_cur->tail increase c->vc_size_row each time and reset
+to zero
+when reach vgacon_scrollback_cur->size. Thus, the copy does not seem to
+overflow. However, c->vc_size_row can be reset by calling
+ioctl(VT_RESIZE), and
+a crafted new c->vc_size_row can cause the copy to overflow.
+
+Fix it by adding an explicit check to prevent the overflow.
+
+This fixes CVE-2020-14331.
+
+Not-Yet-Signed-off-by: Yunhai Zhang <[email protected]>
+[ Srivatsa: Added commit message based on bug report from Yunhai. ]
+Signed-off-by: Srivatsa S. Bhat (VMware) <[email protected]>
+---
+ drivers/video/console/vgacon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
+index bfaa9ec4bc1f..4479f91cf362 100644
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -251,6 +251,10 @@ static void vgacon_scrollback_update(struct vc_data *c, int t, int count)
+ 	p = (void *) (c->vc_origin + t * c->vc_size_row);
+
+ 	while (count--) {
++		if (vgacon_scrollback_cur->tail + c->vc_size_row >=
++		    vgacon_scrollback_cur->size)
++			vgacon_scrollback_cur->tail = 0;
++
+ 		scr_memcpyw(vgacon_scrollback_cur->data +
+ 			    vgacon_scrollback_cur->tail,
+ 			    p, c->vc_size_row);
+-- 
+2.17.1
+

SPECS/linux/linux-aws.spec

@@ -3,7 +3,7 @@
 Summary:        Kernel
 Name:           linux-aws
 Version:        4.19.127
-Release:        1%{?kat_build:.kat}%{?dist}
+Release:        2%{?kat_build:.kat}%{?dist}
 License:    	GPLv2
 URL:        	http://www.kernel.org/
 Group:        	System Environment/Kernel
@@ -45,6 +45,8 @@ Patch19:        0001-ath9k-release-allocated-buffer-if-timed-out.patch
 # TODO: Is CONFIG_HYPERV_VSOCKETS the same?
 #Patch23:        0014-hv_sock-introduce-Hyper-V-Sockets.patch
 Patch26:        4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+# Fix for CVE-2020-14331
+Patch27:        4.19-0001-vgacon-Fix-buffer-over-write-vulnerability-in-vgacon.patch
 # Fix CVE-2017-1000252
 Patch28:        kvm-dont-accept-wrong-gsi-values.patch
 # Out-of-tree patches from AppArmor:
@@ -190,6 +192,7 @@ Kernel driver for oprofile, a statistical profiler for Linux systems
 %patch18 -p1
 %patch19 -p1
 %patch26 -p1
+%patch27 -p1
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
@@ -422,6 +425,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg
 %endif
 
 %changelog
+*   Mon Jul 27 2020 Srivatsa S. Bhat (VMware) <[email protected]> 4.19.127-2
+-   Fix CVE-2020-14331
 *   Tue Jun 23 2020 Keerthana K <[email protected]> 4.19.127-1
 -   Update to version 4.19.127
 *   Tue Jun 02 2020 Vikash Bansal <[email protected]> 4.19.112-6

SPECS/linux/linux-esx.spec

@@ -3,7 +3,7 @@
 Summary:        Kernel
 Name:           linux-esx
 Version:        4.19.127
-Release:        2%{?kat_build:.kat}%{?dist}
+Release:        3%{?kat_build:.kat}%{?dist}
 License:        GPLv2
 URL:            http://www.kernel.org/
 Group:          System Environment/Kernel
@@ -50,6 +50,8 @@ Patch20:        07-vmware-only.patch
 Patch21:        initramfs-support-for-page-aligned-format-newca.patch
 
 Patch22:        4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+# Fix for CVE-2020-14331
+Patch23:        4.19-0001-vgacon-Fix-buffer-over-write-vulnerability-in-vgacon.patch
 # Fix CVE-2017-1000252
 Patch24:        kvm-dont-accept-wrong-gsi-values.patch
 # RDRAND-based RNG driver to enhance the kernel's entropy pool:
@@ -160,6 +162,7 @@ This Linux package contains hmac sha generator kernel module.
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
@@ -308,6 +311,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
 /lib/modules/%{uname_r}/extra/.hmac_generator.ko.xz.hmac
 
 %changelog
+*   Mon Jul 27 2020 Srivatsa S. Bhat (VMware) <[email protected]> 4.19.127-3
+-   Fix CVE-2020-14331
 *   Tue Jun 23 2020 Tapas Kundu <[email protected]> 4.19.127-2
 -   Mass Removal Python2
 *   Tue Jun 23 2020 Keerthana K <[email protected]> 4.19.127-1

SPECS/linux/linux-secure.spec

@@ -3,7 +3,7 @@
 Summary:        Kernel
 Name:           linux-secure
 Version:        4.19.127
-Release:        2%{?kat_build:.kat}%{?dist}
+Release:        3%{?kat_build:.kat}%{?dist}
 License:        GPLv2
 URL:            http://www.kernel.org/
 Group:          System Environment/Kernel
@@ -47,6 +47,8 @@ Patch20:        0001-ath9k_htc-release-allocated-buffer-if-timed-out.patch
 # Fix CVE-2019-19074
 Patch21:        0001-ath9k-release-allocated-buffer-if-timed-out.patch
 Patch26:        4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+# Fix for CVE-2020-14331
+Patch30:        4.19-0001-vgacon-Fix-buffer-over-write-vulnerability-in-vgacon.patch
 # Fix CVE-2017-1000252
 Patch31:        kvm-dont-accept-wrong-gsi-values.patch
 # Out-of-tree patches from AppArmor:
@@ -153,6 +155,7 @@ This Linux package contains hmac sha generator kernel module.
 %patch20 -p1
 %patch21 -p1
 %patch26 -p1
+%patch30 -p1
 %patch31 -p1
 %patch32 -p1
 %patch33 -p1
@@ -324,6 +327,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg
 /usr/src/linux-headers-%{uname_r}
 
 %changelog
+*   Mon Jul 27 2020 Srivatsa S. Bhat (VMware) <[email protected]> 4.19.127-3
+-   Fix CVE-2020-14331
 *   Tue Jun 23 2020 Tapas Kundu <[email protected]> 4.19.127-2
 -   Require python3
 *   Tue Jun 23 2020 Keerthana K <[email protected]> 4.19.127-1

SPECS/linux/linux.spec

@@ -14,7 +14,7 @@
 Summary:        Kernel
 Name:           linux
 Version:        4.19.127
-Release:        2%{?kat_build:.kat}%{?dist}
+Release:        3%{?kat_build:.kat}%{?dist}
 License:    	GPLv2
 URL:        	http://www.kernel.org/
 Group:        	System Environment/Kernel
@@ -71,6 +71,9 @@ Patch20:        perf-Make-perf-able-to-build-with-latest-libbfd.patch
 # TODO: Is CONFIG_HYPERV_VSOCKETS the same?
 #Patch23:        0014-hv_sock-introduce-Hyper-V-Sockets.patch
 Patch26:        4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
+
+# Fix for CVE-2020-14331
+Patch27:        4.19-0001-vgacon-Fix-buffer-over-write-vulnerability-in-vgacon.patch
 # Fix CVE-2017-1000252
 Patch28:        kvm-dont-accept-wrong-gsi-values.patch
 # Out-of-tree patches from AppArmor:
@@ -298,6 +301,7 @@ This Linux package contains hmac sha generator kernel module.
 %patch19 -p1
 %patch20 -p1
 %patch26 -p1
+%patch27 -p1
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
@@ -689,6 +693,8 @@ getent group sgx_prv >/dev/null || groupadd -r sgx_prv
 %endif
 
 %changelog
+*   Mon Jul 27 2020 Srivatsa S. Bhat (VMware) <[email protected]> 4.19.127-3
+-   Fix CVE-2020-14331
 *   Fri Jul 17 2020 Srivatsa S. Bhat (VMware) <[email protected]> 4.19.127-2
 -   Fix aarch64 build failure due to missing i40e man pages.
 *   Tue Jun 23 2020 Keerthana K <[email protected]> 4.19.127-1