diff --git a/SOURCES/CVE-2021-3715.patch b/SOURCES/CVE-2021-3715.patch new file mode 100644 index 0000000..da30361 --- /dev/null +++ b/SOURCES/CVE-2021-3715.patch @@ -0,0 +1,99 @@ +From: Artem Savkov +Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable +Date: Mon, 30 Aug 2021 17:33:51 +0200 + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 +3.10.0-1160.41.1.el7 + +Changes since last build: +arches: x86_64 ppc64le +cls_route.o: changed function: route4_change +--------------------------- + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 + +Modifications: none +Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251 + +commit f4e1814eb56167451ddd819fccb951178f97660b +Author: Ivan Vecera +Date: Tue Aug 17 12:21:33 2021 +0200 + + net_sched: cls_route: remove the right filter from hashtable + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926 + + commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359 + Author: Cong Wang + Date: Fri Mar 13 22:29:54 2020 -0700 + + net_sched: cls_route: remove the right filter from hashtable + + route4_change() allocates a new filter and copies values from + the old one. After the new filter is inserted into the hash + table, the old filter should be removed and freed, as the final + step of the update. + + However, the current code mistakenly removes the new one. This + looks apparently wrong to me, and it causes double "free" and + use-after-free too, as reported by syzbot. + + Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com + Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com + Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com + Fixes: 1109c00547fc ("net: sched: RCU cls_route") + Cc: Jamal Hadi Salim + Cc: Jiri Pirko + Cc: John Fastabend + Signed-off-by: Cong Wang + Signed-off-by: David S. Miller + + Signed-off-by: Ivan Vecera + +Signed-off-by: Artem Savkov +Acked-by: Joe Lawrence +--- + net/sched/cls_route.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c +index 7bd464e8d084..2fed29fa504e 100644 +--- a/net/sched/cls_route.c ++++ b/net/sched/cls_route.c +@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, + fp = &b->ht[h]; + for (pfp = rtnl_dereference(*fp); pfp; + fp = &pfp->next, pfp = rtnl_dereference(*fp)) { +- if (pfp == f) { +- *fp = f->next; ++ if (pfp == fold) { ++ rcu_assign_pointer(*fp, fold->next); + break; + } + } +-- +2.31.1 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 20deac5..2b5c67b 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.2.2.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 8 +%define rpm_rel 9 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -38,6 +38,9 @@ Source107: CVE-2021-32399.patch # # https://bugzilla.redhat.com/1980516 Source108: CVE-2021-22555.patch +# +# https://bugzilla.redhat.com/1997195 +Source109: CVE-2021-3715.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -170,6 +173,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Aug 31 2021 Joe Lawrence [1-9.el7] +- kernel: use-after-free in route4_change() in net/sched/cls_route.c [1997195] {CVE-2021-3715} + * Mon Aug 16 2021 Joe Lawrence [1-8.el7] - kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c [1980516] {CVE-2021-22555} - kpatch: kernel: race condition for removal of the HCI controller [1971474] {CVE-2021-32399}