From fb740daa8619c775119a2c1e734419cb26e828a1 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 31 2021 08:43:54 +0000
Subject: import kpatch-patch-3_10_0-1160_2_1-1-8.el7


---

diff --git a/SOURCES/CVE-2021-22555.patch b/SOURCES/CVE-2021-22555.patch
new file mode 100644
index 0000000..0a85d0e
--- /dev/null
+++ b/SOURCES/CVE-2021-22555.patch
@@ -0,0 +1,170 @@
+From: Joel Savitz <jsavitz@redhat.com>
+Subject: [KPATCH 7.9] netfilter: x_tables: kpatch fixes for CVE-2021-22555
+Date: Wed, 28 Jul 2021 12:03:15 -0400
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+arp_tables.o: changed function: translate_compat_table
+ip6_tables.o: changed function: translate_compat_table
+ip_tables.o: changed function: translate_compat_table
+x_tables.o: changed function: xt_compat_match_from_user
+x_tables.o: changed function: xt_compat_target_from_user
+---------------------------
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+
+Modifications: none
+
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/201
+KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5642298
+for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38448253
+
+commit 06215319786b979bed0f5eb3138de0506db9d39f
+Author: Florian Westphal <fwestpha@redhat.com>
+Date:   Fri Jul 9 11:42:55 2021 +0200
+
+    netfilter: x_tables: fix compat match/target pad out-of-bound write
+
+    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1980489
+    Upstream Status: commit b29c457a65114
+    CVE: CVE-2021-22555
+
+    commit b29c457a6511435960115c0f548c4360d5f4801d
+    Author: Florian Westphal <fw@strlen.de>
+    Date:   Wed Apr 7 21:38:57 2021 +0200
+
+        netfilter: x_tables: fix compat match/target pad out-of-bound write
+
+        xt_compat_match/target_from_user doesn't check that zeroing the area
+        to start of next rule won't write past end of allocated ruleset blob.
+
+        Remove this code and zero the entire blob beforehand.
+
+        Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com
+        Reported-by: Andy Nguyen <theflow@google.com>
+        Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API")
+        Signed-off-by: Florian Westphal <fw@strlen.de>
+        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+    Signed-off-by: Florian Westphal <fwestpha@redhat.com>
+
+Signed-off-by: Joel Savitz <jsavitz@redhat.com>
+Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
+Acked-by: Artem Savkov <asavkov@redhat.com>
+Acked-by: Yannick Cote <ycote@redhat.com>
+---
+ net/ipv4/netfilter/arp_tables.c |  2 ++
+ net/ipv4/netfilter/ip_tables.c  |  2 ++
+ net/ipv6/netfilter/ip6_tables.c |  2 ++
+ net/netfilter/x_tables.c        | 10 ++--------
+ 4 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
+index 602d92697038..66ad3b4e194c 100644
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1364,6 +1364,8 @@ static int translate_compat_table(struct xt_table_info **pinfo,
+ 	if (!newinfo)
+ 		goto out_unlock;
+ 
++	memset(newinfo->entries, 0, size);
++
+ 	newinfo->number = compatr->num_entries;
+ 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
+ 		newinfo->hook_entry[i] = info->hook_entry[i];
+diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
+index 3559f7ffa430..d9de653be67e 100644
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1622,6 +1622,8 @@ translate_compat_table(struct net *net,
+ 	if (!newinfo)
+ 		goto out_unlock;
+ 
++	memset(newinfo->entries, 0, size);
++
+ 	newinfo->number = compatr->num_entries;
+ 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
+ 		newinfo->hook_entry[i] = compatr->hook_entry[i];
+diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
+index 1772a1797e79..d112bfc86aac 100644
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1626,6 +1626,8 @@ translate_compat_table(struct net *net,
+ 	if (!newinfo)
+ 		goto out_unlock;
+ 
++	memset(newinfo->entries, 0, size);
++
+ 	newinfo->number = compatr->num_entries;
+ 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
+ 		newinfo->hook_entry[i] = compatr->hook_entry[i];
+diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
+index 76e40ff48b10..affd08ce7df8 100644
+--- a/net/netfilter/x_tables.c
++++ b/net/netfilter/x_tables.c
+@@ -564,7 +564,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
+ {
+ 	const struct xt_match *match = m->u.kernel.match;
+ 	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
+-	int pad, off = xt_compat_match_offset(match);
++	int off = xt_compat_match_offset(match);
+ 	u_int16_t msize = cm->u.user.match_size;
+ 	char name[sizeof(m->u.user.name)];
+ 
+@@ -574,9 +574,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
+ 		match->compat_from_user(m->data, cm->data);
+ 	else
+ 		memcpy(m->data, cm->data, msize - sizeof(*cm));
+-	pad = XT_ALIGN(match->matchsize) - match->matchsize;
+-	if (pad > 0)
+-		memset(m->data + match->matchsize, 0, pad);
+ 
+ 	msize += off;
+ 	m->u.user.match_size = msize;
+@@ -913,7 +910,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
+ {
+ 	const struct xt_target *target = t->u.kernel.target;
+ 	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
+-	int pad, off = xt_compat_target_offset(target);
++	int off = xt_compat_target_offset(target);
+ 	u_int16_t tsize = ct->u.user.target_size;
+ 	char name[sizeof(t->u.user.name)];
+ 
+@@ -923,9 +920,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
+ 		target->compat_from_user(t->data, ct->data);
+ 	else
+ 		memcpy(t->data, ct->data, tsize - sizeof(*ct));
+-	pad = XT_ALIGN(target->targetsize) - target->targetsize;
+-	if (pad > 0)
+-		memset(t->data + target->targetsize, 0, pad);
+ 
+ 	tsize += off;
+ 	t->u.user.target_size = tsize;
+-- 
+2.27.0
+
+
diff --git a/SOURCES/CVE-2021-32399.patch b/SOURCES/CVE-2021-32399.patch
new file mode 100644
index 0000000..37c9586
--- /dev/null
+++ b/SOURCES/CVE-2021-32399.patch
@@ -0,0 +1,123 @@
+From: Artem Savkov <asavkov@redhat.com>
+Subject: [RHEL-7.9 CVE-2021-32399 KPATCH] bluetooth: eliminate the potential race condition when removing the HCI controller
+Date: Wed,  7 Jul 2021 17:13:32 +0200
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+
+Changes since last build:
+[x86_64]:
+hci_request.o: changed function: hci_req_sync
+
+[ppc64le]:
+hci_request.o: changed function: bg_scan_update
+hci_request.o: changed function: connectable_update_work
+hci_request.o: changed function: discov_off
+hci_request.o: changed function: discov_update
+hci_request.o: changed function: discoverable_update_work
+hci_request.o: changed function: hci_req_sync
+hci_request.o: changed function: le_scan_disable_work
+hci_request.o: changed function: le_scan_restart_work
+hci_request.o: changed function: scan_update_work
+
+---------------------------
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+
+Modifications: none
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/171
+
+commit 168b363c94eac82c2e3531bd2ae9dfa2f369d4be
+Author: Gopal Tiwari <gtiwari@redhat.com>
+Date:   Mon Jun 14 13:04:00 2021 +0530
+
+    bluetooth: eliminate the potential race condition when removing the HCI controller
+
+    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1971457
+
+    Upstream: merged.
+
+    Testing: Sanity_only.
+
+    commit e2cb6b891ad2b8caa9131e3be70f45243df82a80
+    Author: Lin Ma <linma@zju.edu.cn>
+    Date:   Mon Apr 12 19:17:57 2021 +0800
+
+        bluetooth: eliminate the potential race condition when removing the HCI controller
+
+        There is a possible race condition vulnerability between issuing a HCI
+        command and removing the cont.  Specifically, functions hci_req_sync()
+        and hci_dev_do_close() can race each other like below:
+
+        thread-A in hci_req_sync()      |   thread-B in hci_dev_do_close()
+                                        |   hci_req_sync_lock(hdev);
+        test_bit(HCI_UP, &hdev->flags); |
+        ...                             |   test_and_clear_bit(HCI_UP, &hdev->flags)
+        hci_req_sync_lock(hdev);        |
+                                        |
+        In this commit we alter the sequence in function hci_req_sync(). Hence,
+        the thread-A cannot issue th.
+
+        Signed-off-by: Lin Ma <linma@zju.edu.cn>
+        Cc: Marcel Holtmann <marcel@holtmann.org>
+        Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
+        Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+    Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
+Acked-by: Yannick Cote <ycote@redhat.com>
+---
+ net/bluetooth/hci_request.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
+index 1015d9c8d97dd..9e25e77042503 100644
+--- a/net/bluetooth/hci_request.c
++++ b/net/bluetooth/hci_request.c
+@@ -275,12 +275,16 @@ int hci_req_sync(struct hci_dev *hdev, int (*req)(struct hci_request *req,
+ {
+ 	int ret;
+ 
+-	if (!test_bit(HCI_UP, &hdev->flags))
+-		return -ENETDOWN;
+-
+ 	/* Serialize all requests */
+ 	hci_req_sync_lock(hdev);
+-	ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++	/* check the state after obtaing the lock to protect the HCI_UP
++	 * against any races from hci_dev_do_close when the controller
++	 * gets removed.
++	 */
++	if (test_bit(HCI_UP, &hdev->flags))
++		ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++	else
++		ret = -ENETDOWN;
+ 	hci_req_sync_unlock(hdev);
+ 
+ 	return ret;
+-- 
+2.26.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index ff93c12..6d42570 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver	3.10.0-1160.2.1.el7
 %define kpatch_ver	0.9.2
 %define rpm_ver		1
-%define rpm_rel		7
+%define rpm_rel		8
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
@@ -32,6 +32,12 @@ Source105: CVE-2021-33034.patch
 #
 # https://bugzilla.redhat.com/1975256
 Source106: CVE-2021-33909.patch
+#
+# https://bugzilla.redhat.com/1971474
+Source107: CVE-2021-32399.patch
+#
+# https://bugzilla.redhat.com/1980516
+Source108: CVE-2021-22555.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -164,6 +170,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Mon Aug 16 2021 Joe Lawrence <joe.lawrence@redhat.com> [1-8.el7]
+- kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c [1980516] {CVE-2021-22555}
+- kpatch: kernel: race condition for removal of the HCI controller [1971474] {CVE-2021-32399}
+
 * Fri Jul 09 2021 Joe Lawrence <joe.lawrence@redhat.com> [1-7.el7]
 - kernel: size_t-to-int conversion vulnerability in the filesystem layer [1975256] {CVE-2021-33909}
 - kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan [1962518] {CVE-2021-33034}