From ecc5fe7e1c6f53306e28bed6659aa45d3ada2ef7 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 18 2022 12:33:48 +0000
Subject: import kpatch-patch-3_10_0-1160_31_1-1-8.el7


---

diff --git a/SOURCES/CVE-2022-0492.patch b/SOURCES/CVE-2022-0492.patch
new file mode 100644
index 0000000..3f32890
--- /dev/null
+++ b/SOURCES/CVE-2022-0492.patch
@@ -0,0 +1,107 @@
+From d6dc1581c25221b17e1447f5eea0ee156a69e986 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence <joe.lawrence@redhat.com>
+Date: Fri, 25 Mar 2022 14:49:39 -0400
+Subject: [KPATCH CVE-2022-0492] cgroup-v1: kpatch fixes for CVE-2022-0492
+Content-type: text/plain
+
+Kernels:
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+3.10.0-1160.42.2.el7
+3.10.0-1160.45.1.el7
+3.10.0-1160.49.1.el7
+3.10.0-1160.53.1.el7
+3.10.0-1160.59.1.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+cgroup.o: changed function: cgroup_release_agent_write
+cgroup.o: changed function: parse_cgroupfs_options
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/36
+Approved-by: Yannick Cote (@ycote1)
+Modifications: none
+
+commit a1d7f90e939b5ca2fddb1e295c6cf8bfb97a69f0
+Author: Waiman Long <longman@redhat.com>
+Date:   Wed Feb 9 09:23:49 2022 -0500
+
+    cgroup-v1: Require capabilities to set release_agent
+
+    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2052162
+    CVE: CVE-2022-0492
+    Conflicts:
+     1) For RHEL7, the right file to be modified is kernel/cgroup.c.
+     2) The cgroup filesystem files in RHEL7 are created via direct
+        manipulation of dentries and inode and credential at the time of
+        creation are not stored. So the init_user_ns comparison check in
+        the upstream commit isn't applicable. It is also less important
+        and so the checks are dropped.
+     3) The cgroup mount parameter parsing is done in
+        parse_cgroupfs_options() instead.
+
+    commit 24f6008564183aa120d07c03d9289519c2fe02af
+    Author: Eric W. Biederman <ebiederm@xmission.com>
+    Date:   Thu, 20 Jan 2022 11:04:01 -0600
+
+        cgroup-v1: Require capabilities to set release_agent
+
+        The cgroup release_agent is called with call_usermodehelper.  The function
+        call_usermodehelper starts the release_agent with a full set fo capabilities.
+        Therefore require capabilities when setting the release_agaent.
+
+        Reported-by: Tabitha Sable <tabitha.c.sable@gmail.com>
+        Tested-by: Tabitha Sable <tabitha.c.sable@gmail.com>
+        Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
+        Cc: stable@vger.kernel.org # v2.6.24+
+        Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+        Signed-off-by: Tejun Heo <tj@kernel.org>
+
+    Signed-off-by: Waiman Long <longman@redhat.com>
+
+Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
+---
+ kernel/cgroup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/kernel/cgroup.c b/kernel/cgroup.c
+index 4777d5bc3142..e4138e5a7879 100644
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -1149,6 +1149,13 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
+ 			/* Specifying two release agents is forbidden */
+ 			if (opts->release_agent)
+ 				return -EINVAL;
++			/*
++			 * Release agent gets called with all capabilities,
++			 * require capabilities to set release agent.
++			 */
++			if (!capable(CAP_SYS_ADMIN))
++				return -EPERM;
++
+ 			opts->release_agent =
+ 				kstrndup(token + 14, PATH_MAX - 1, GFP_KERNEL);
+ 			if (!opts->release_agent)
+@@ -2196,6 +2203,14 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
+ 	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ 	if (strlen(buffer) >= PATH_MAX)
+ 		return -EINVAL;
++
++	/*
++	 * Release agent gets called with all capabilities,
++	 * require capabilities to set release agent.
++	 */
++	if (!capable(CAP_SYS_ADMIN))
++		return -EPERM;
++
+ 	if (!cgroup_lock_live_group(cgrp))
+ 		return -ENODEV;
+ 	mutex_lock(&cgroup_root_mutex);
+-- 
+2.26.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index fc4a362..00d7145 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver	3.10.0-1160.31.1.el7
 %define kpatch_ver	0.9.2
 %define rpm_ver		1
-%define rpm_rel		7
+%define rpm_rel		8
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
@@ -55,6 +55,9 @@ Source113: CVE-2021-4028.patch
 #
 # https://bugzilla.redhat.com/2032491
 Source114: CVE-2021-4083.patch
+#
+# https://bugzilla.redhat.com/2052183
+Source115: CVE-2022-0492.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -187,6 +190,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Thu May 12 2022 Joe Lawrence <joe.lawrence@redhat.com> [1-8.el7]
+- kernel: cgroups v1 release_agent feature may allow privilege escalation [2052183] {CVE-2022-0492}
+
 * Thu Mar 24 2022 Joe Lawrence <joe.lawrence@redhat.com> [1-7.el7]
 - kernel: fget: check that the fd still exists after getting a ref to it [2032491] {CVE-2021-4083}
 - kernel: use-after-free in RDMA listen() [2033360] {CVE-2021-4028}