From d6dc1581c25221b17e1447f5eea0ee156a69e986 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Fri, 25 Mar 2022 14:49:39 -0400
Subject: [KPATCH CVE-2022-0492] cgroup-v1: kpatch fixes for CVE-2022-0492
Content-type: text/plain
Kernels:
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7
3.10.0-1160.45.1.el7
3.10.0-1160.49.1.el7
3.10.0-1160.53.1.el7
3.10.0-1160.59.1.el7
Changes since last build:
arches: x86_64 ppc64le
cgroup.o: changed function: cgroup_release_agent_write
cgroup.o: changed function: parse_cgroupfs_options
---------------------------
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/36
Approved-by: Yannick Cote (@ycote1)
Modifications: none
commit a1d7f90e939b5ca2fddb1e295c6cf8bfb97a69f0
Author: Waiman Long <longman@redhat.com>
Date: Wed Feb 9 09:23:49 2022 -0500
cgroup-v1: Require capabilities to set release_agent
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2052162
CVE: CVE-2022-0492
Conflicts:
1) For RHEL7, the right file to be modified is kernel/cgroup.c.
2) The cgroup filesystem files in RHEL7 are created via direct
manipulation of dentries and inodes, and credentials at the time of
creation are not stored. So the init_user_ns comparison check in
the upstream commit isn't applicable. It is also less important
and so the checks are dropped.
3) The cgroup mount parameter parsing is done in
parse_cgroupfs_options() instead.
commit 24f6008564183aa120d07c03d9289519c2fe02af
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Thu, 20 Jan 2022 11:04:01 -0600
cgroup-v1: Require capabilities to set release_agent
The cgroup release_agent is called with call_usermodehelper. The function
call_usermodehelper starts the release_agent with a full set of capabilities.
Therefore require capabilities when setting the release_agent.
Reported-by: Tabitha Sable <tabitha.c.sable@gmail.com>
Tested-by: Tabitha Sable <tabitha.c.sable@gmail.com>
Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
Cc: stable@vger.kernel.org # v2.6.24+
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
kernel/cgroup.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 4777d5bc3142..e4138e5a7879 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1149,6 +1149,13 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
/* Specifying two release agents is forbidden */
if (opts->release_agent)
return -EINVAL;
+ /*
+ * Release agent gets called with all capabilities,
+ * require capabilities to set release agent.
+ */
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
opts->release_agent =
kstrndup(token + 14, PATH_MAX - 1, GFP_KERNEL);
if (!opts->release_agent)
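Review bot: the new capable(CAP_SYS_ADMIN) test is placed after the duplicate-agent check and before the kstrndup() call, so the -EPERM return allocates nothing and leaks nothing, which is the right spot; the two-line comment, however, is the same text as in the write-path hunk and does not say why "all capabilities" are involved. Suggest naming the mechanism in the comment, e.g. `* The release agent is spawned by call_usermodehelper with a full set of capabilities,` so a reader of kernel/cgroup.c gets the reason without the commit message.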
@@ -2196,6 +2203,14 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
if (strlen(buffer) >= PATH_MAX)
return -EINVAL;
+
+ /*
+ * Release agent gets called with all capabilities,
+ * require capabilities to set release agent.
+ */
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
if (!cgroup_lock_live_group(cgrp))
return -ENODEV;
mutex_lock(&cgroup_root_mutex);
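Review bot: putting the check ahead of cgroup_lock_live_group() and mutex_lock(&cgroup_root_mutex) keeps the -EPERM path free of any unlock, which is the correct ordering; note that capable() here evaluates the credentials of the task performing the write, at write time, not those of whoever opened the file, which is exactly the init_user_ns/f_cred check that Conflicts item 2 says was dropped for RHEL7. Worth recording that deviation in the comment itself (one line such as `* RHEL7: checked against the writer's credentials, not the opener's.`) so the difference from the upstream commit is visible in the code and not only in the kpatch changelog.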
--
2.26.3