From d6dc1581c25221b17e1447f5eea0ee156a69e986 Mon Sep 17 00:00:00 2001

From: Joe Lawrence <joe.lawrence@redhat.com>

Date: Fri, 25 Mar 2022 14:49:39 -0400

Subject: [KPATCH CVE-2022-0492] cgroup-v1: kpatch fixes for CVE-2022-0492

Content-type: text/plain

Kernels:

3.10.0-1160.24.1.el7

3.10.0-1160.25.1.el7

3.10.0-1160.31.1.el7

3.10.0-1160.36.2.el7

3.10.0-1160.41.1.el7

3.10.0-1160.42.2.el7

3.10.0-1160.45.1.el7

3.10.0-1160.49.1.el7

3.10.0-1160.53.1.el7

3.10.0-1160.59.1.el7

Changes since last build:

arches: x86_64 ppc64le

cgroup.o: changed function: cgroup_release_agent_write

cgroup.o: changed function: parse_cgroupfs_options

---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/36

Approved-by: Yannick Cote (@ycote1)

Modifications: none

commit a1d7f90e939b5ca2fddb1e295c6cf8bfb97a69f0

Author: Waiman Long <longman@redhat.com>

Date:   Wed Feb 9 09:23:49 2022 -0500

    cgroup-v1: Require capabilities to set release_agent

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2052162

    CVE: CVE-2022-0492

    Conflicts:

     1) For RHEL7, the right file to be modified is kernel/cgroup.c.

     2) The cgroup filesystem files in RHEL7 are created via direct

        manipulation of dentries and inode and credential at the time of

        creation are not stored. So the init_user_ns comparison check in

        the upstream commit isn't applicable. It is also less important

        and so the checks are dropped.

     3) The cgroup mount parameter parsing is done in

        parse_cgroupfs_options() instead.

    commit 24f6008564183aa120d07c03d9289519c2fe02af

    Author: Eric W. Biederman <ebiederm@xmission.com>

    Date:   Thu, 20 Jan 2022 11:04:01 -0600

        cgroup-v1: Require capabilities to set release_agent

        The cgroup release_agent is called with call_usermodehelper.  The function

        call_usermodehelper starts the release_agent with a full set fo capabilities.

        Therefore require capabilities when setting the release_agaent.

        Reported-by: Tabitha Sable <tabitha.c.sable@gmail.com>

        Tested-by: Tabitha Sable <tabitha.c.sable@gmail.com>

        Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")

        Cc: stable@vger.kernel.org # v2.6.24+

        Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

        Signed-off-by: Tejun Heo <tj@kernel.org>

    Signed-off-by: Waiman Long <longman@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>

---

 kernel/cgroup.c | 15 +++++++++++++++

 1 file changed, 15 insertions(+)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c

index 4777d5bc3142..e4138e5a7879 100644

--- a/kernel/cgroup.c

+++ b/kernel/cgroup.c

@@ -1149,6 +1149,13 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)

 			/* Specifying two release agents is forbidden */

 			if (opts->release_agent)

 				return -EINVAL;

+			/*

+			 * Release agent gets called with all capabilities,

+			 * require capabilities to set release agent.

+			 */

+			if (!capable(CAP_SYS_ADMIN))

+				return -EPERM;

+

 			opts->release_agent =

 				kstrndup(token + 14, PATH_MAX - 1, GFP_KERNEL);

 			if (!opts->release_agent)

@@ -2196,6 +2203,14 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,

 	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);

 	if (strlen(buffer) >= PATH_MAX)

 		return -EINVAL;

+

+	/*

+	 * Release agent gets called with all capabilities,

+	 * require capabilities to set release agent.

+	 */

+	if (!capable(CAP_SYS_ADMIN))

+		return -EPERM;

+

 	if (!cgroup_lock_live_group(cgrp))

 		return -ENODEV;

 	mutex_lock(&cgroup_root_mutex);

-- 

2.26.3