Blame SOURCES/CVE-2022-0492.patch

From d6dc1581c25221b17e1447f5eea0ee156a69e986 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Fri, 25 Mar 2022 14:49:39 -0400
Subject: [KPATCH CVE-2022-0492] cgroup-v1: kpatch fixes for CVE-2022-0492
Content-type: text/plain

Kernels:
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7
3.10.0-1160.45.1.el7
3.10.0-1160.49.1.el7
3.10.0-1160.53.1.el7
3.10.0-1160.59.1.el7

Changes since last build:
arches: x86_64 ppc64le
cgroup.o: changed function: cgroup_release_agent_write
cgroup.o: changed function: parse_cgroupfs_options
---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/36
Approved-by: Yannick Cote (@ycote1)
Modifications: none

commit a1d7f90e939b5ca2fddb1e295c6cf8bfb97a69f0
Author: Waiman Long <longman@redhat.com>
Date:   Wed Feb 9 09:23:49 2022 -0500

    cgroup-v1: Require capabilities to set release_agent

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2052162
    CVE: CVE-2022-0492
    Conflicts:
     1) For RHEL7, the right file to be modified is kernel/cgroup.c.
     2) The cgroup filesystem files in RHEL7 are created via direct
        manipulation of dentries and inode and credential at the time of
        creation are not stored. So the init_user_ns comparison check in
        the upstream commit isn't applicable. It is also less important
        and so the checks are dropped.
     3) The cgroup mount parameter parsing is done in
        parse_cgroupfs_options() instead.

    commit 24f6008564183aa120d07c03d9289519c2fe02af
    Author: Eric W. Biederman <ebiederm@xmission.com>
    Date:   Thu, 20 Jan 2022 11:04:01 -0600

        cgroup-v1: Require capabilities to set release_agent

        The cgroup release_agent is called with call_usermodehelper.  The function
        call_usermodehelper starts the release_agent with a full set of capabilities.
        Therefore require capabilities when setting the release_agent.

        Reported-by: Tabitha Sable <tabitha.c.sable@gmail.com>
        Tested-by: Tabitha Sable <tabitha.c.sable@gmail.com>
        Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
        Cc: stable@vger.kernel.org # v2.6.24+
        Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
        Signed-off-by: Tejun Heo <tj@kernel.org>

    Signed-off-by: Waiman Long <longman@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
 kernel/cgroup.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 4777d5bc3142..e4138e5a7879 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1149,6 +1149,13 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
 			/* Specifying two release agents is forbidden */
 			if (opts->release_agent)
 				return -EINVAL;
+			/*
+			 * Release agent gets called with all capabilities,
+			 * require capabilities to set release agent.
+			 */
+			if (!capable(CAP_SYS_ADMIN))
+				return -EPERM;
+
 			opts->release_agent =
 				kstrndup(token + 14, PATH_MAX - 1, GFP_KERNEL);
 			if (!opts->release_agent)
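Review bot: the new comment in parse_cgroupfs_options() says capabilities are required but not against which user namespace, and the commit message notes that the upstream init_user_ns comparison was dropped for RHEL7. capable() tests the initial user namespace, so CAP_SYS_ADMIN held only inside a user namespace does not pass; stating that in the comment would make clear that this single check is what the backport relies on for the release agent mount option.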
@@ -2196,6 +2203,14 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
 	BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
 	if (strlen(buffer) >= PATH_MAX)
 		return -EINVAL;
+
+	/*
+	 * Release agent gets called with all capabilities,
+	 * require capabilities to set release agent.
+	 */
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	if (!cgroup_lock_live_group(cgrp))
 		return -ENODEV;
 	mutex_lock(&cgroup_root_mutex);
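Review bot: in cgroup_release_agent_write() the capable(CAP_SYS_ADMIN) test sits after the strlen(buffer) >= PATH_MAX check, so a caller without the capability who writes an over-long path gets -EINVAL instead of -EPERM. Consider moving the permission check ahead of the length check so the unprivileged case always fails the same way. The comment block is also a verbatim copy of the one added in parse_cgroupfs_options(); a small shared helper would keep the two sites from drifting apart.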
-- 
2.26.3