rpms / kpatch-patch-3_10_0-1160_105_1

Clone
Source Code
GIT

Files

  1.   277db707ba1e3777b6bae437153456e47e2d3802
  2.   SOURCES
  3.   CVE-2022-42896.patch
Blob Blame History Raw 
From 5fe8bfedd40a614374fdcb430694de00aedae2c5 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Thu, 18 Jan 2024 09:42:47 -0500
Subject: [KPATCH CVE-2022-42896] kpatch fixes for CVE-2022-42896
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Kernels:
3.10.0-1160.95.1.el7
3.10.0-1160.99.1.el7
3.10.0-1160.102.1.el7
3.10.0-1160.105.1.el7


Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/66
Changes since last build:
[x86_64]:
igb_main.o: changed function: igb_configure
l2cap_core.o: changed function: l2cap_chan_hold
l2cap_core.o: changed function: l2cap_conn_get
l2cap_core.o: changed function: l2cap_global_chan_by_psm
l2cap_core.o: changed function: l2cap_recv_frame
l2cap_core.o: new function: klp_l2cap_le_sig_cmd
sch_atm.o: changed function: atm_tc_peek
sch_atm.o: changed function: sch_atm_dequeue
sch_drr.o: changed function: drr_dequeue
sch_dsmark.o: changed function: dsmark_peek
sch_hfsc.o: changed function: hfsc_enqueue
sch_hfsc.o: changed function: qdisc_peek_len
sch_multiq.o: changed function: multiq_peek
sch_prio.o: changed function: prio_peek
sch_qfq.o: changed function: qfq_dequeue
sch_qfq.o: changed function: qfq_enqueue
sch_red.o: changed function: red_peek
sch_sfb.o: changed function: sfb_peek
sch_tbf.o: changed function: tbf_dequeue

[ppc64le]:
l2cap_core.o: changed function: __l2cap_chan_add
l2cap_core.o: changed function: __l2cap_physical_cfm
l2cap_core.o: changed function: __set_monitor_timer
l2cap_core.o: changed function: __set_retrans_timer.part.24
l2cap_core.o: changed function: l2cap_ack_timeout
l2cap_core.o: changed function: l2cap_build_conf_req
l2cap_core.o: changed function: l2cap_chan_busy
l2cap_core.o: changed function: l2cap_chan_close
l2cap_core.o: changed function: l2cap_chan_connect
l2cap_core.o: changed function: l2cap_chan_del
l2cap_core.o: changed function: l2cap_chan_hold
l2cap_core.o: changed function: l2cap_chan_put
l2cap_core.o: changed function: l2cap_chan_send
l2cap_core.o: changed function: l2cap_chan_timeout
l2cap_core.o: changed function: l2cap_conn_add.part.28
l2cap_core.o: changed function: l2cap_conn_del
l2cap_core.o: changed function: l2cap_conn_start
l2cap_core.o: changed function: l2cap_connect
l2cap_core.o: changed function: l2cap_connect_cfm
l2cap_core.o: changed function: l2cap_connect_create_rsp
l2cap_core.o: changed function: l2cap_data_channel
l2cap_core.o: changed function: l2cap_disconn_cfm
l2cap_core.o: changed function: l2cap_do_create
l2cap_core.o: changed function: l2cap_do_start
l2cap_core.o: changed function: l2cap_ertm_resend
l2cap_core.o: changed function: l2cap_ertm_send
l2cap_core.o: changed function: l2cap_global_fixed_chan
l2cap_core.o: changed function: l2cap_handle_rej
l2cap_core.o: changed function: l2cap_handle_srej
l2cap_core.o: changed function: l2cap_logical_cfm
l2cap_core.o: changed function: l2cap_monitor_timeout
l2cap_core.o: changed function: l2cap_move_done
l2cap_core.o: changed function: l2cap_move_setup
l2cap_core.o: changed function: l2cap_parse_conf_rsp.constprop.36
l2cap_core.o: changed function: l2cap_pass_to_tx
l2cap_core.o: changed function: l2cap_process_reqseq
l2cap_core.o: changed function: l2cap_recv_frame
l2cap_core.o: changed function: l2cap_retrans_timeout
l2cap_core.o: changed function: l2cap_retransmit_all
l2cap_core.o: changed function: l2cap_rx
l2cap_core.o: changed function: l2cap_rx_state_recv
l2cap_core.o: changed function: l2cap_security_cfm
l2cap_core.o: changed function: l2cap_send_ack
l2cap_core.o: changed function: l2cap_send_efs_conf_rsp
l2cap_core.o: changed function: l2cap_send_i_or_rr_or_rnr
l2cap_core.o: changed function: l2cap_send_move_chan_cfm
l2cap_core.o: changed function: l2cap_send_move_chan_cfm_icid
l2cap_core.o: changed function: l2cap_send_move_chan_req
l2cap_core.o: changed function: l2cap_send_rr_or_rnr
l2cap_core.o: changed function: l2cap_send_sframe
l2cap_core.o: changed function: l2cap_send_srej
l2cap_core.o: changed function: l2cap_send_srej_tail
l2cap_core.o: changed function: l2cap_start_connection
l2cap_core.o: new function: l2cap_connect_req
sch_atm.o: changed function: atm_tc_bind_filter
sch_atm.o: changed function: atm_tc_change
sch_atm.o: changed function: atm_tc_delete
sch_atm.o: changed function: atm_tc_destroy
sch_atm.o: changed function: atm_tc_enqueue
sch_atm.o: changed function: atm_tc_find
sch_atm.o: changed function: atm_tc_graft
sch_atm.o: changed function: atm_tc_leaf
sch_atm.o: changed function: atm_tc_peek
sch_atm.o: changed function: atm_tc_put
sch_atm.o: changed function: atm_tc_reset
sch_atm.o: changed function: atm_tc_tcf_block
sch_atm.o: changed function: sch_atm_dequeue
sch_drr.o: changed function: drr_dequeue
sch_dsmark.o: changed function: dsmark_bind_filter
sch_dsmark.o: changed function: dsmark_change
sch_dsmark.o: changed function: dsmark_destroy
sch_dsmark.o: changed function: dsmark_dump_class
sch_dsmark.o: changed function: dsmark_init
sch_dsmark.o: changed function: dsmark_peek
sch_dsmark.o: changed function: dsmark_reset
sch_hfsc.o: changed function: hfsc_change_class
sch_hfsc.o: changed function: hfsc_dequeue
sch_hfsc.o: changed function: hfsc_enqueue
sch_multiq.o: changed function: multiq_peek
sch_prio.o: changed function: prio_peek
sch_qfq.o: changed function: qfq_dequeue
sch_qfq.o: changed function: qfq_enqueue
sch_red.o: changed function: red_peek
sch_sfb.o: changed function: sfb_peek
sch_tbf.o: changed function: tbf_dequeue

---------------------------

Modifications:
- function l2cap_le_sig_cmd has no fentry/mcount call, so add a "klp_"
  prefix to the patched version and its callers
- for ppc64le, add __attribute__((optimize("-fno-optimize-sibling-calls")))
    l2cap_chan_hold()
    l2cap_disconn_cfm()
    l2cap_handle_rej()
    l2cap_handle_srej()
    l2cap_monitor_timeout()
    l2cap_pass_to_tx()
    l2cap_retransmit_all()
    l2cap_send_efs_conf_rsp()
    l2cap_send_sframe()

commit d8f15b60a96ba8ce5d3d55518eb939d9bebd87a9
Author: David Marlin <dmarlin@redhat.com>
Date:   Tue Jan 9 23:44:57 2024 -0600

    Bluetooth: L2CAP: Fix L2CAP_CR_SCID_IN_USE value

    JIRA: https://issues.redhat.com/browse/RHEL-2742
    CVE: CVE-2022-42896

    commit d8edd9ed156a1a840f1b1c2dbbf458684d6eea6e
    Author: Marcin Kraglak <marcin.kraglak@tieto.com>
    Date:   Wed Mar 8 14:09:41 2017 +0100

        Bluetooth: L2CAP: Fix L2CAP_CR_SCID_IN_USE value

        Fix issue found during L2CAP qualification test TP/LE/CFC/BV-20-C.

        Signed-off-by: Marcin Kraglak <marcin.kraglak@tieto.com>
        Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

    Signed-off-by: David Marlin <dmarlin@redhat.com>

commit ae6cdce73d24b5cdccb89f88552bd6a9074f0aed
Author: David Marlin <dmarlin@redhat.com>
Date:   Tue Jan 9 23:45:05 2024 -0600

    Bluetooth: Use separate L2CAP LE credit based connection result values

    JIRA: https://issues.redhat.com/browse/RHEL-2742
    CVE: CVE-2022-42896

    commit 571f739083e2544b343b5998608de679519de4e9
    Author: Mallikarjun Phulari <mallikarjun.phulari@intel.com>
    Date:   Fri Oct 5 14:48:12 2018 +0530

        Bluetooth: Use separate L2CAP LE credit based connection result values

        Add the result values specific to L2CAP LE credit based connections
        and change the old result values wherever they were used.

        Signed-off-by: Mallikarjun Phulari <mallikarjun.phulari@intel.com>
        Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

    Signed-off-by: David Marlin <dmarlin@redhat.com>

commit b45513e7819c6d7fe8bcd8bcf94670e0da9cc949
Author: David Marlin <dmarlin@redhat.com>
Date:   Tue Jan 9 23:46:25 2024 -0600

    Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

    JIRA: https://issues.redhat.com/browse/RHEL-2742

    CVE: CVE-2022-42896

    Conflicts:
    Our 3.10 tree does not include support for Bluetooth Enhanced Credit Based Mode,
    so omit hunk #2 of:
      711f8c3fb3db  Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

    commit 711f8c3fb3db61897080468586b970c87c61d9e4
    Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Date:   Mon Oct 31 16:10:32 2022 -0700

        Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

        The Bluetooth spec states that the valid range for SPSM is from
        0x0001-0x00ff so it is invalid to accept values outside of this range:

          BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
          page 1059:
          Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges

        CVE: CVE-2022-42896
        CC: stable@vger.kernel.org
        Reported-by: Tamás Koczka <poprdi@google.com>
        Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
        Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>

    Signed-off-by: David Marlin <dmarlin@redhat.com>

commit a766b7a5d576eb559319776f8fa400f00128937e
Author: David Marlin <dmarlin@redhat.com>
Date:   Tue Jan 9 23:47:13 2024 -0600

    Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

    JIRA: https://issues.redhat.com/browse/RHEL-2742
    CVE: CVE-2022-42896

    commit f937b758a188d6fd328a81367087eddbb2fce50f
    Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Date:   Mon Oct 31 16:10:33 2022 -0700

        Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

        l2cap_global_chan_by_psm shall not return fixed channels as they are not
        meant to be connected by (S)PSM.

        Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
        Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>

    Signed-off-by: David Marlin <dmarlin@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 include/net/bluetooth/l2cap.h | 17 +++++++----
 net/bluetooth/l2cap_core.c    | 55 +++++++++++++++++++++++++----------
 2 files changed, 50 insertions(+), 22 deletions(-)

diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
index 45f3a951974c..1b0dfbb0eb82 100644
--- a/include/net/bluetooth/l2cap.h
+++ b/include/net/bluetooth/l2cap.h
@@ -277,12 +277,17 @@ struct l2cap_conn_rsp {
 #define L2CAP_CR_SEC_BLOCK	0x0003
 #define L2CAP_CR_NO_MEM		0x0004
 #define L2CAP_CR_BAD_AMP	0x0005
-#define L2CAP_CR_AUTHENTICATION	0x0005
-#define L2CAP_CR_AUTHORIZATION	0x0006
-#define L2CAP_CR_BAD_KEY_SIZE	0x0007
-#define L2CAP_CR_ENCRYPTION	0x0008
-#define L2CAP_CR_INVALID_SCID	0x0009
-#define L2CAP_CR_SCID_IN_USE	0x0010
+
+/* credit based connect results */
+#define L2CAP_CR_LE_SUCCESS		0x0000
+#define L2CAP_CR_LE_BAD_PSM		0x0002
+#define L2CAP_CR_LE_NO_MEM		0x0004
+#define L2CAP_CR_LE_AUTHENTICATION	0x0005
+#define L2CAP_CR_LE_AUTHORIZATION	0x0006
+#define L2CAP_CR_LE_BAD_KEY_SIZE	0x0007
+#define L2CAP_CR_LE_ENCRYPTION		0x0008
+#define L2CAP_CR_LE_INVALID_SCID	0x0009
+#define L2CAP_CR_LE_SCID_IN_USE		0X000A
 
 /* connect/create channel status */
 #define L2CAP_CS_NO_INFO	0x0000
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 4338810b0d58..a3bed86517e7 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -480,6 +480,7 @@ static void l2cap_chan_destroy(struct kref *kref)
 	kfree(chan);
 }
 
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 void l2cap_chan_hold(struct l2cap_chan *c)
 {
 	BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref));
@@ -682,9 +683,9 @@ static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan)
 	u16 result;
 
 	if (test_bit(FLAG_DEFER_SETUP, &chan->flags))
-		result = L2CAP_CR_AUTHORIZATION;
+		result = L2CAP_CR_LE_AUTHORIZATION;
 	else
-		result = L2CAP_CR_BAD_PSM;
+		result = L2CAP_CR_LE_BAD_PSM;
 
 	l2cap_state_change(chan, BT_DISCONN);
 
@@ -1067,6 +1068,7 @@ static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan,
 	return skb;
 }
 
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 static void l2cap_send_sframe(struct l2cap_chan *chan,
 			      struct l2cap_ctrl *control)
 {
@@ -1792,7 +1794,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
 		if (link_type == LE_LINK && c->src_type == BDADDR_BREDR)
 			continue;
 
-		if (c->psm == psm) {
+		if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) {
 			int src_match, dst_match;
 			int src_any, dst_any;
 
@@ -1822,6 +1824,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm,
 	return c1;
 }
 
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 static void l2cap_monitor_timeout(struct work_struct *work)
 {
 	struct l2cap_chan *chan = container_of(work, struct l2cap_chan,
@@ -2062,6 +2065,7 @@ static void l2cap_retransmit(struct l2cap_chan *chan,
 	l2cap_ertm_resend(chan);
 }
 
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 static void l2cap_retransmit_all(struct l2cap_chan *chan,
 				 struct l2cap_ctrl *control)
 {
@@ -2862,6 +2866,7 @@ static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
 	}
 }
 
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 static void l2cap_pass_to_tx(struct l2cap_chan *chan,
 			     struct l2cap_ctrl *control)
 {
@@ -3702,7 +3707,7 @@ void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan)
 	rsp.mtu     = cpu_to_le16(chan->imtu);
 	rsp.mps     = cpu_to_le16(chan->mps);
 	rsp.credits = cpu_to_le16(chan->rx_credits);
-	rsp.result  = cpu_to_le16(L2CAP_CR_SUCCESS);
+	rsp.result  = cpu_to_le16(L2CAP_CR_LE_SUCCESS);
 
 	l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp),
 		       &rsp);
@@ -4055,6 +4060,8 @@ static inline void set_default_fcs(struct l2cap_chan *chan)
 		chan->fcs = L2CAP_FCS_CRC16;
 }
 
+
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data,
 				    u8 ident, u16 flags)
 {
@@ -5318,7 +5325,7 @@ static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
 	credits = __le16_to_cpu(rsp->credits);
 	result  = __le16_to_cpu(rsp->result);
 
-	if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 ||
+	if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 ||
 					   dcid < L2CAP_CID_DYN_START ||
 					   dcid > L2CAP_CID_LE_DYN_END))
 		return -EPROTO;
@@ -5339,7 +5346,7 @@ static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
 	l2cap_chan_lock(chan);
 
 	switch (result) {
-	case L2CAP_CR_SUCCESS:
+	case L2CAP_CR_LE_SUCCESS:
 		if (__l2cap_get_chan_by_dcid(conn, dcid)) {
 			err = -EBADSLT;
 			break;
@@ -5353,8 +5360,8 @@ static int l2cap_le_connect_rsp(struct l2cap_conn *conn,
 		l2cap_chan_ready(chan);
 		break;
 
-	case L2CAP_CR_AUTHENTICATION:
-	case L2CAP_CR_ENCRYPTION:
+	case L2CAP_CR_LE_AUTHENTICATION:
+	case L2CAP_CR_LE_ENCRYPTION:
 		/* If we already have MITM protection we can't do
 		 * anything.
 		 */
@@ -5493,11 +5500,24 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
 	BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm),
 	       scid, mtu, mps);
 
+	/* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A
+	 * page 1059:
+	 *
+	 * Valid range: 0x0001-0x00ff
+	 *
+	 * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges
+	 */
+	if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) {
+		result = L2CAP_CR_LE_BAD_PSM;
+		chan = NULL;
+		goto response;
+	}
+
 	/* Check if we have socket listening on psm */
 	pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src,
 					 &conn->hcon->dst, LE_LINK);
 	if (!pchan) {
-		result = L2CAP_CR_BAD_PSM;
+		result = L2CAP_CR_LE_BAD_PSM;
 		chan = NULL;
 		goto response;
 	}
@@ -5507,28 +5527,28 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
 
 	if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
 				     SMP_ALLOW_STK)) {
-		result = L2CAP_CR_AUTHENTICATION;
+		result = L2CAP_CR_LE_AUTHENTICATION;
 		chan = NULL;
 		goto response_unlock;
 	}
 
 	/* Check for valid dynamic CID range */
 	if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) {
-		result = L2CAP_CR_INVALID_SCID;
+		result = L2CAP_CR_LE_INVALID_SCID;
 		chan = NULL;
 		goto response_unlock;
 	}
 
 	/* Check if we already have channel with that dcid */
 	if (__l2cap_get_chan_by_dcid(conn, scid)) {
-		result = L2CAP_CR_SCID_IN_USE;
+		result = L2CAP_CR_LE_SCID_IN_USE;
 		chan = NULL;
 		goto response_unlock;
 	}
 
 	chan = pchan->ops->new_connection(pchan);
 	if (!chan) {
-		result = L2CAP_CR_NO_MEM;
+		result = L2CAP_CR_LE_NO_MEM;
 		goto response_unlock;
 	}
 
@@ -5563,7 +5583,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
 		chan->ops->defer(chan);
 	} else {
 		l2cap_chan_ready(chan);
-		result = L2CAP_CR_SUCCESS;
+		result = L2CAP_CR_LE_SUCCESS;
 	}
 
 response_unlock:
@@ -5665,7 +5685,7 @@ done:
 	return 0;
 }
 
-static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
+static inline int klp_l2cap_le_sig_cmd(struct l2cap_conn *conn,
 				   struct l2cap_cmd_hdr *cmd, u16 cmd_len,
 				   u8 *data)
 {
@@ -5738,7 +5758,7 @@ static inline void l2cap_le_sig_channel(struct l2cap_conn *conn,
 		goto drop;
 	}
 
-	err = l2cap_le_sig_cmd(conn, cmd, len, skb->data);
+	err = klp_l2cap_le_sig_cmd(conn, cmd, len, skb->data);
 	if (err) {
 		struct l2cap_cmd_rej_unk rej;
 
@@ -6012,6 +6032,7 @@ static int l2cap_rx_queued_iframes(struct l2cap_chan *chan)
 	return err;
 }
 
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 static void l2cap_handle_srej(struct l2cap_chan *chan,
 			      struct l2cap_ctrl *control)
 {
@@ -6070,6 +6091,7 @@ static void l2cap_handle_srej(struct l2cap_chan *chan,
 	}
 }
 
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 static void l2cap_handle_rej(struct l2cap_chan *chan,
 			     struct l2cap_ctrl *control)
 {
@@ -7442,6 +7464,7 @@ int l2cap_disconn_ind(struct hci_conn *hcon)
 	return conn->disc_reason;
 }
 
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
 {
 	if (hcon->type != ACL_LINK && hcon->type != LE_LINK)
-- 
2.44.0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation