Blame SOURCES/CVE-2021-22555.patch

b3ed2d
From: Joel Savitz <jsavitz@redhat.com>
b3ed2d
Subject: [KPATCH 7.9] netfilter: x_tables: kpatch fixes for CVE-2021-22555
b3ed2d
Date: Wed, 28 Jul 2021 12:03:15 -0400
b3ed2d
b3ed2d
Kernels:
b3ed2d
3.10.0-1160.el7
b3ed2d
3.10.0-1160.2.1.el7
b3ed2d
3.10.0-1160.2.2.el7
b3ed2d
3.10.0-1160.6.1.el7
b3ed2d
3.10.0-1160.11.1.el7
b3ed2d
3.10.0-1160.15.2.el7
b3ed2d
3.10.0-1160.21.1.el7
b3ed2d
3.10.0-1160.24.1.el7
b3ed2d
3.10.0-1160.25.1.el7
b3ed2d
3.10.0-1160.31.1.el7
b3ed2d
3.10.0-1160.36.2.el7
b3ed2d
b3ed2d
Changes since last build:
b3ed2d
arches: x86_64 ppc64le
b3ed2d
arp_tables.o: changed function: translate_compat_table
b3ed2d
ip6_tables.o: changed function: translate_compat_table
b3ed2d
ip_tables.o: changed function: translate_compat_table
b3ed2d
x_tables.o: changed function: xt_compat_match_from_user
b3ed2d
x_tables.o: changed function: xt_compat_target_from_user
b3ed2d
---------------------------
b3ed2d
b3ed2d
Kernels:
b3ed2d
3.10.0-1160.el7
b3ed2d
3.10.0-1160.2.1.el7
b3ed2d
3.10.0-1160.2.2.el7
b3ed2d
3.10.0-1160.6.1.el7
b3ed2d
3.10.0-1160.11.1.el7
b3ed2d
3.10.0-1160.15.2.el7
b3ed2d
3.10.0-1160.21.1.el7
b3ed2d
3.10.0-1160.24.1.el7
b3ed2d
3.10.0-1160.25.1.el7
b3ed2d
3.10.0-1160.31.1.el7
b3ed2d
3.10.0-1160.36.2.el7
b3ed2d
b3ed2d
Modifications: none
b3ed2d
b3ed2d
Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/201
b3ed2d
KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5642298
b3ed2d
for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38448253
b3ed2d
b3ed2d
commit 06215319786b979bed0f5eb3138de0506db9d39f
b3ed2d
Author: Florian Westphal <fwestpha@redhat.com>
b3ed2d
Date:   Fri Jul 9 11:42:55 2021 +0200
b3ed2d
b3ed2d
    netfilter: x_tables: fix compat match/target pad out-of-bound write
b3ed2d
b3ed2d
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1980489
b3ed2d
    Upstream Status: commit b29c457a65114
b3ed2d
    CVE: CVE-2021-22555
b3ed2d
b3ed2d
    commit b29c457a6511435960115c0f548c4360d5f4801d
b3ed2d
    Author: Florian Westphal <fw@strlen.de>
b3ed2d
    Date:   Wed Apr 7 21:38:57 2021 +0200
b3ed2d
b3ed2d
        netfilter: x_tables: fix compat match/target pad out-of-bound write
b3ed2d
b3ed2d
        xt_compat_match/target_from_user doesn't check that zeroing the area
b3ed2d
        to start of next rule won't write past end of allocated ruleset blob.
b3ed2d
b3ed2d
        Remove this code and zero the entire blob beforehand.
b3ed2d
b3ed2d
        Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com
b3ed2d
        Reported-by: Andy Nguyen <theflow@google.com>
b3ed2d
        Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API")
b3ed2d
        Signed-off-by: Florian Westphal <fw@strlen.de>
b3ed2d
        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
b3ed2d
b3ed2d
    Signed-off-by: Florian Westphal <fwestpha@redhat.com>
b3ed2d
b3ed2d
Signed-off-by: Joel Savitz <jsavitz@redhat.com>
b3ed2d
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
b3ed2d
Acked-by: Artem Savkov <asavkov@redhat.com>
b3ed2d
Acked-by: Yannick Cote <ycote@redhat.com>
b3ed2d
---
b3ed2d
 net/ipv4/netfilter/arp_tables.c |  2 ++
b3ed2d
 net/ipv4/netfilter/ip_tables.c  |  2 ++
b3ed2d
 net/ipv6/netfilter/ip6_tables.c |  2 ++
b3ed2d
 net/netfilter/x_tables.c        | 10 ++--------
b3ed2d
 4 files changed, 8 insertions(+), 8 deletions(-)
b3ed2d
b3ed2d
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
b3ed2d
index 602d92697038..66ad3b4e194c 100644
b3ed2d
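--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1364,6 +1364,8 @@ static int translate_compat_table(struct xt_table_info **pinfo,
 	if (!newinfo)
 		goto out_unlock;
 
+	memset(newinfo->entries, 0, size);
+
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = info->hook_entry[i];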
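Review bot: The added `memset(newinfo->entries, 0, size);` has no comment, yet after this patch it is the only thing that clears alignment padding in the translated ruleset, because the per-match and per-target pad zeroing is removed from xt_compat_match_from_user() and xt_compat_target_from_user() in x_tables.c. A later cleanup could read the call as redundant initialisation and drop it, which would presumably leave uninitialised kernel memory in the padding of the native-layout blob. I would add `/* Zero the whole blob: xt_compat_{match,target}_from_user() no longer clear alignment padding. */` above the call here and above the identical additions in ip_tables.c and ip6_tables.c. The allocation of newinfo and the computation of `size` sit outside the hunk, so it is worth confirming in all three files that `size` is exactly the length the entries area was allocated with.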
b3ed2d
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
b3ed2d
index 3559f7ffa430..d9de653be67e 100644
b3ed2d
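--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1622,6 +1622,8 @@ translate_compat_table(struct net *net,
 	if (!newinfo)
 		goto out_unlock;
 
+	memset(newinfo->entries, 0, size);
+
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = compatr->hook_entry[i];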
b3ed2d
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
b3ed2d
index 1772a1797e79..d112bfc86aac 100644
b3ed2d
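--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1626,6 +1626,8 @@ translate_compat_table(struct net *net,
 	if (!newinfo)
 		goto out_unlock;
 
+	memset(newinfo->entries, 0, size);
+
 	newinfo->number = compatr->num_entries;
 	for (i = 0; i < NF_INET_NUMHOOKS; i++) {
 		newinfo->hook_entry[i] = compatr->hook_entry[i];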
b3ed2d
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
b3ed2d
index 76e40ff48b10..affd08ce7df8 100644
b3ed2d
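--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -564,7 +564,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
 {
 	const struct xt_match *match = m->u.kernel.match;
 	struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
-	int pad, off = xt_compat_match_offset(match);
+	int off = xt_compat_match_offset(match);
 	u_int16_t msize = cm->u.user.match_size;
 	char name[sizeof(m->u.user.name)];
 
@@ -574,9 +574,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
 		match->compat_from_user(m->data, cm->data);
 	else
 		memcpy(m->data, cm->data, msize - sizeof(*cm));
-	pad = XT_ALIGN(match->matchsize) - match->matchsize;
-	if (pad > 0)
-		memset(m->data + match->matchsize, 0, pad);
 
 	msize += off;
 	m->u.user.match_size = msize;
@@ -913,7 +910,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
 {
 	const struct xt_target *target = t->u.kernel.target;
 	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
-	int pad, off = xt_compat_target_offset(target);
+	int off = xt_compat_target_offset(target);
 	u_int16_t tsize = ct->u.user.target_size;
 	char name[sizeof(t->u.user.name)];
 
@@ -923,9 +920,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
 		target->compat_from_user(t->data, ct->data);
 	else
 		memcpy(t->data, ct->data, tsize - sizeof(*ct));
-	pad = XT_ALIGN(target->targetsize) - target->targetsize;
-	if (pad > 0)
-		memset(t->data + target->targetsize, 0, pad);
 
 	tsize += off;
 	t->u.user.target_size = tsize;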
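Review bot: Dropping the pad `memset` from xt_compat_match_from_user() and xt_compat_target_from_user() makes "the destination is already zeroed" an unstated precondition of both helpers. The three translate_compat_table() callers are updated in this patch, but any other caller in this tree that hands in a freshly allocated buffer would now leave the bytes between `matchsize`/`targetsize` and their XT_ALIGN()ed size unwritten, so the remaining callers should be audited before the livepatch ships. I would document the contract above each function, for example `/* Caller must have zeroed the destination blob; alignment padding after ->data is not cleared here. */`. Both function bodies continue outside the hunks shown, so the note is based only on the visible lines.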
b3ed2d
-- 
b3ed2d
2.27.0
b3ed2d
b3ed2d