diff --git a/SOURCES/CVE-2023-4622.patch b/SOURCES/CVE-2023-4622.patch new file mode 100644 index 0000000..5bbd73d --- /dev/null +++ b/SOURCES/CVE-2023-4622.patch @@ -0,0 +1,179 @@ +From 3709b9a67cdd88761a540b32a1f89007f0e1b5b3 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Tue, 20 Feb 2024 13:30:50 -0500 +Subject: [KPATCH CVE-2023-4622] kpatch fixes for CVE-2023-4622 + +Kernels: +3.10.0-1160.99.1.el7 +3.10.0-1160.102.1.el7 +3.10.0-1160.105.1.el7 +3.10.0-1160.108.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/68 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +[x86_64]: +af_unix.o: changed function: unix_stream_sendpage +sch_hfsc.o: changed function: hfsc_change_class + +[ppc64le]: +af_unix.o: changed function: unix_stream_sendpage + +--------------------------- + +Modifications: none + +commit 5697266978cafba4a0784a2bc81588abeb3d94a8 +Author: Guillaume Nault +Date: Wed Jan 31 13:11:14 2024 +0100 + + af_unix: Fix null-ptr-deref in unix_stream_sendpage(). + + JIRA: https://issues.redhat.com/browse/RHEL-16144 + Upstream Status: git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git + CVE: CVE-2023-4622 + + commit 790c2f9d15b594350ae9bca7b236f2b1859de02c + Author: Kuniyuki Iwashima + Date: Mon Aug 21 10:55:05 2023 -0700 + + af_unix: Fix null-ptr-deref in unix_stream_sendpage(). + + Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage() + with detailed analysis and a nice repro. + + unix_stream_sendpage() tries to add data to the last skb in the peer's + recv queue without locking the queue. + + If the peer's FD is passed to another socket and the socket's FD is + passed to the peer, there is a loop between them. If we close both + sockets without receiving FD, the sockets will be cleaned up by garbage + collection. + + The garbage collection iterates such sockets and unlinks skb with + FD from the socket's receive queue under the queue's lock. + + So, there is a race where unix_stream_sendpage() could access an skb + locklessly that is being released by garbage collection, resulting in + use-after-free. + + To avoid the issue, unix_stream_sendpage() must lock the peer's recv + queue. + + Note the issue does not exist in 6.5+ thanks to the recent sendpage() + refactoring. + + This patch is originally written by Linus Torvalds. + + BUG: unable to handle page fault for address: ffff988004dd6870 + PF: supervisor read access in kernel mode + PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + PREEMPT SMP PTI + CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 + RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0 + Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44 + RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246 + RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284 + RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0 + RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003 + R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00 + R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8 + FS: 00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0 + PKRU: 55555554 + Call Trace: + + ? __die_body.cold+0x1a/0x1f + ? page_fault_oops+0xa9/0x1e0 + ? fixup_exception+0x1d/0x310 + ? exc_page_fault+0xa8/0x150 + ? asm_exc_page_fault+0x22/0x30 + ? kmem_cache_alloc_node+0xa2/0x1e0 + ? __alloc_skb+0x16c/0x1e0 + __alloc_skb+0x16c/0x1e0 + alloc_skb_with_frags+0x48/0x1e0 + sock_alloc_send_pskb+0x234/0x270 + unix_stream_sendmsg+0x1f5/0x690 + sock_sendmsg+0x5d/0x60 + ____sys_sendmsg+0x210/0x260 + ___sys_sendmsg+0x83/0xd0 + ? kmem_cache_alloc+0xc6/0x1c0 + ? avc_disable+0x20/0x20 + ? percpu_counter_add_batch+0x53/0xc0 + ? alloc_empty_file+0x5d/0xb0 + ? alloc_file+0x91/0x170 + ? alloc_file_pseudo+0x94/0x100 + ? __fget_light+0x9f/0x120 + __sys_sendmsg+0x54/0xa0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x69/0xd3 + RIP: 0033:0x7f174d639a7d + Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48 + RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d + RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007 + RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff + R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28 + R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000 + + + Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support") + Reported-by: Bing-Jhong Billy Jheng + Reviewed-by: Bing-Jhong Billy Jheng + Co-developed-by: Linus Torvalds + Signed-off-by: Linus Torvalds + Signed-off-by: Kuniyuki Iwashima + Signed-off-by: Greg Kroah-Hartman + + Signed-off-by: Guillaume Nault + +Signed-off-by: Ryan Sullivan +--- + net/unix/af_unix.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index a264b4598872..033986a95c3d 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1960,6 +1960,7 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, + + if (false) { + alloc_skb: ++ spin_unlock(&other->sk_receive_queue.lock); + unix_state_unlock(other); + mutex_unlock(&unix_sk(other)->iolock); + newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT, +@@ -1999,6 +2000,7 @@ alloc_skb: + init_scm = false; + } + ++ spin_lock(&other->sk_receive_queue.lock); + skb = skb_peek_tail(&other->sk_receive_queue); + if (tail && tail == skb) { + skb = newskb; +@@ -2029,14 +2031,11 @@ alloc_skb: + atomic_add(size, &sk->sk_wmem_alloc); + + if (newskb) { +- err = unix_scm_to_skb(&scm, skb, false); +- if (err) +- goto err_state_unlock; +- spin_lock(&other->sk_receive_queue.lock); ++ unix_scm_to_skb(&scm, skb, false); + __skb_queue_tail(&other->sk_receive_queue, newskb); +- spin_unlock(&other->sk_receive_queue.lock); + } + ++ spin_unlock(&other->sk_receive_queue.lock); + unix_state_unlock(other); + mutex_unlock(&unix_sk(other)->iolock); + +-- +2.44.0 + + diff --git a/SOURCES/CVE-2023-4623.patch b/SOURCES/CVE-2023-4623.patch new file mode 100644 index 0000000..df3b095 --- /dev/null +++ b/SOURCES/CVE-2023-4623.patch @@ -0,0 +1,152 @@ +From e42a36dc8c4dfa5eb51abe028d5dbf7ccc1f5a6f Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Mon, 27 Nov 2023 13:25:03 -0500 +Subject: [KPATCH CVE-2023-4623] kpatch fixes for CVE-2023-4623 + +Kernels: +3.10.0-1160.92.1.el7 +3.10.0-1160.95.1.el7 +3.10.0-1160.99.1.el7 +3.10.0-1160.102.1.el7 +3.10.0-1160.105.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/63 +Changes since last build: +[x86_64]: +af_unix.o: changed function: unix_stream_sendpage +sch_hfsc.o: changed function: hfsc_change_class + +[ppc64le]: +af_unix.o: changed function: unix_stream_sendpage + +--------------------------- + +Modifications: none + +commit 85dbd5b056f6c63f122abbf6b07974adb66c8c10 +Author: Davide Caratti +Date: Tue Nov 21 18:08:36 2023 +0100 + + net/sched: sch_hfsc: Ensure inner classes have fsc curve + + JIRA: https://issues.redhat.com/browse/RHEL-16458 + CVE: CVE-2023-4623 + Upstream Status: net.git commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f + + commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f + Author: Budimir Markovic + Date: Thu Aug 24 01:49:05 2023 -0700 + + net/sched: sch_hfsc: Ensure inner classes have fsc curve + + HFSC assumes that inner classes have an fsc curve, but it is currently + possible for classes without an fsc curve to become parents. This leads + to bugs including a use-after-free. + + Don't allow non-root classes without HFSC_FSC to become parents. + + Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") + Reported-by: Budimir Markovic + Signed-off-by: Budimir Markovic + Acked-by: Jamal Hadi Salim + Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com + Signed-off-by: Jakub Kicinski + + Signed-off-by: Davide Caratti + +commit d5ca9824c050deefa376decdba70e7f992397a58 +Author: Davide Caratti +Date: Tue Nov 21 18:08:37 2023 +0100 + + net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve + + JIRA: https://issues.redhat.com/browse/RHEL-16458 + CVE: CVE-2023-4623 + Upstream Status: net.git commit a13b67c9a015c4e21601ef9aa4ec9c5d972df1b4 + + commit a13b67c9a015c4e21601ef9aa4ec9c5d972df1b4 + Author: Pedro Tammela + Date: Tue Oct 17 11:36:02 2023 -0300 + + net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve + + Christian Theune says: + I upgraded from 6.1.38 to 6.1.55 this morning and it broke my traffic shaping script, + leaving me with a non-functional uplink on a remote router. + + A 'rt' curve cannot be used as a inner curve (parent class), but we were + allowing such configurations since the qdisc was introduced. Such + configurations would trigger a UAF as Budimir explains: + The parent will have vttree_insert() called on it in init_vf(), + but will not have vttree_remove() called on it in update_vf() + because it does not have the HFSC_FSC flag set. + + The qdisc always assumes that inner classes have the HFSC_FSC flag set. + This is by design as it doesn't make sense 'qdisc wise' for an 'rt' + curve to be an inner curve. + + Budimir's original patch disallows users to add classes with a 'rt' + parent, but this is too strict as it breaks users that have been using + 'rt' as a inner class. Another approach, taken by this patch, is to + upgrade the inner 'rt' into a 'sc', warning the user in the process. + It avoids the UAF reported by Budimir while also being more permissive + to bad scripts/users/code using 'rt' as a inner class. + + Users checking the `tc class ls [...]` or `tc class get [...]` dumps would + observe the curve change and are potentially breaking with this change. + + v1->v2: https://lore.kernel.org/all/20231013151057.2611860-1-pctammela@mojatatu.com/ + - Correct 'Fixes' tag and merge with revert (Jakub) + + Cc: Christian Theune + Cc: Budimir Markovic + Fixes: b3d26c5702c7 ("net/sched: sch_hfsc: Ensure inner classes have fsc curve") + Signed-off-by: Pedro Tammela + Acked-by: Jamal Hadi Salim + Link: https://lore.kernel.org/r/20231017143602.3191556-1-pctammela@mojatatu.com + Signed-off-by: Jakub Kicinski + + Signed-off-by: Davide Caratti + +Signed-off-by: Joe Lawrence +--- + net/sched/sch_hfsc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c +index fb14b551f65d..63e768f5ce21 100644 +--- a/net/sched/sch_hfsc.c ++++ b/net/sched/sch_hfsc.c +@@ -913,6 +913,14 @@ hfsc_change_usc(struct hfsc_class *cl, struct tc_service_curve *usc, + cl->cl_flags |= HFSC_USC; + } + ++static void ++hfsc_upgrade_rt(struct hfsc_class *cl) ++{ ++ cl->cl_fsc = cl->cl_rsc; ++ rtsc_init(&cl->cl_virtual, &cl->cl_fsc, cl->cl_vt, cl->cl_total); ++ cl->cl_flags |= HFSC_FSC; ++} ++ + static const struct nla_policy hfsc_policy[TCA_HFSC_MAX + 1] = { + [TCA_HFSC_RSC] = { .len = sizeof(struct tc_service_curve) }, + [TCA_HFSC_FSC] = { .len = sizeof(struct tc_service_curve) }, +@@ -1072,6 +1080,12 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + cl->cf_tree = RB_ROOT; + + sch_tree_lock(sch); ++ /* Check if the inner class is a misconfigured 'rt' */ ++ if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) { ++ NL_SET_ERR_MSG(extack, ++ "Forced curve change on parent 'rt' to 'sc'"); ++ hfsc_upgrade_rt(parent); ++ } + qdisc_class_hash_insert(&q->clhash, &cl->cl_common); + list_add_tail(&cl->siblings, &parent->children); + if (parent->level == 0) +-- +2.44.0 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index c8db0b6..0e2feb7 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.105.1.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 2 +%define rpm_rel 3 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -22,6 +22,12 @@ Source102: CVE-2023-45871.patch # # https://issues.redhat.com/browse/RHEL-14416 Source103: CVE-2023-4921.patch +# +# https://issues.redhat.com/browse/RHEL-17942 +Source104: CVE-2023-4622.patch +# +# https://issues.redhat.com/browse/RHEL-16619 +Source105: CVE-2023-4623.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -156,6 +162,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Apr 16 2024 Yannick Cote [1-3.el7] +- kernel: net/sched: sch_hfsc UAF [RHEL-16619] {CVE-2023-4623} +- kernel: use after free in unix_stream_sendpage [RHEL-17942] {CVE-2023-4622} + * Wed Mar 06 2024 Yannick Cote [1-2.el7] - kernel: use-after-free in sch_qfq network scheduler [RHEL-14416] {CVE-2023-4921} - kernel: IGB driver inadequate buffer size for frames larger than MTU [RHEL-15213] {CVE-2023-45871}