diff --git a/SOURCES/CVE-2022-1966.patch b/SOURCES/CVE-2022-1966.patch
new file mode 100644
index 0000000..6e0a25a
--- /dev/null
+++ b/SOURCES/CVE-2022-1966.patch
@@ -0,0 +1,176 @@
+From bdeb7f1c4651240043b0b8a2a5432fc9760cfadf Mon Sep 17 00:00:00 2001
+From: Joe Lawrence
+Date: Wed, 15 Jun 2022 16:10:31 -0400
+Subject: [KPATCH CVE-2022-1966] kpatch fixes for CVE-2022-1966
+
+Kernels:
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+3.10.0-1160.42.2.el7
+3.10.0-1160.45.1.el7
+3.10.0-1160.49.1.el7
+3.10.0-1160.53.1.el7
+3.10.0-1160.59.1.el7
+3.10.0-1160.62.1.el7
+3.10.0-1160.66.1.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+nf_tables_api.o: changed function: nft_expr_init
+nft_dynset.o: changed function: nft_dynset_init
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/42
+Approved-by: Yannick Cote (@ycote1)
+Modifications: none
+
+commit c511e60bebd0546f8ec47a3c1691ab01d262b8e4
+Author: Phil Sutter
+Date: Fri Jun 3 16:54:42 2022 +0200
+
+ netfilter: nf_tables: fix memory leak if expr init fails
+
+ Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2093000
+ Upstream Status: commit 6cafaf4764a32
+
+ commit 6cafaf4764a32597c2195aa5411b87728e1fde8a
+ Author: Liping Zhang
+ Date: Mon Jun 20 21:11:45 2016 +0800
+
+ netfilter: nf_tables: fix memory leak if expr init fails
+
+ If expr init fails then we need to free it.
+
+ So when the user add a nft rule as follows:
+
+ # nft add rule filter input tcp dport 22 flow table ssh \
+ { ip saddr limit rate 0/second }
+
+ memory leak will happen.
+
+ Signed-off-by: Liping Zhang
+ Signed-off-by: Pablo Neira Ayuso
+
+ Signed-off-by: Phil Sutter
+
+commit 4a4cc18bcf8f43c93dbf39cb52308dfaea4ec346
+Author: Phil Sutter
+Date: Fri Jun 3 16:54:43 2022 +0200
+
+ netfilter: nf_tables: disallow non-stateful expression in sets earlier
+
+ Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2093000
+ Upstream Status: net.git commit 520778042ccca
+ CVE: CVE-2022-1966
+ Conflicts:
+ * RHEL7 does not have nft_set_elem_expr_alloc(), remove
+ NFT_EXPR_STATEFUL check from nft_dynset_init() instead
+ * Context change in nft_expr_init() as RHEL7 does not have .release_ops
+ * Adjusted new NFT_EXPR_STATEFUL check as upstream renamed 'info' into
+ 'expr_info'
+
+ commit 520778042ccca019f3ffa136dd0ca565c486cedd
+ Author: Pablo Neira Ayuso
+ Date: Wed May 25 10:36:38 2022 +0200
+
+ netfilter: nf_tables: disallow non-stateful expression in sets earlier
+
+ Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
+ instantiation"), it is possible to attach stateful expressions to set
+ elements.
+
+ cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
+ and destroy phase") introduces conditional destruction on the object to
+ accomodate transaction semantics.
+
+ nft_expr_init() calls expr->ops->init() first, then check for
+ NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful
+ lookup expressions which points to a set, which might lead to UAF since
+ the set is not properly detached from the set->binding for this case.
+ Anyway, this combination is non-sense from nf_tables perspective.
+
+ This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
+ expr->ops->init() is called.
+
+ The reporter provides a KASAN splat and a poc reproducer (similar to
+ those autogenerated by syzbot to report use-after-free errors). It is
+ unknown to me if they are using syzbot or if they use similar automated
+ tool to locate the bug that they are reporting.
+
+ For the record, this is the KASAN splat.
+
+ [ 85.431824] ==================================================================
+ [ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
+ [ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
+ [ 85.434756]
+ [ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
+ [ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+
+ Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
+ Reported-and-tested-by: Aaron Adams
+ Signed-off-by: Pablo Neira Ayuso
+
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Joe Lawrence
+---
+ net/netfilter/nf_tables_api.c | 16 +++++++++++-----
+ net/netfilter/nft_dynset.c | 4 ----
+ 2 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0f46d90715a3..44738b987690 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1739,21 +1739,27 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
+
+ err = nf_tables_expr_parse(ctx, nla, &info);
+ if (err < 0)
+- goto err1;
++ goto err_expr_parse;
++
++ err = -EOPNOTSUPP;
++ if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
++ goto err_expr_stateful;
+
+ err = -ENOMEM;
+ expr = kzalloc(info.ops->size, GFP_KERNEL);
+ if (expr == NULL)
+- goto err2;
++ goto err_expr_stateful;
+
+ err = nf_tables_newexpr(ctx, &info, expr);
+ if (err < 0)
+- goto err2;
++ goto err_expr_new;
+
+ return expr;
+-err2:
++err_expr_new:
++ kfree(expr);
++err_expr_stateful:
+ module_put(info.ops->type->owner);
+-err1:
++err_expr_parse:
+ return ERR_PTR(err);
+ }
+
+diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
+index 3f9f8e82716e..0cf187230050 100644
+--- a/net/netfilter/nft_dynset.c
++++ b/net/netfilter/nft_dynset.c
+@@ -174,10 +174,6 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
+ priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);
+ if (IS_ERR(priv->expr))
+ return PTR_ERR(priv->expr);
+-
+- err = -EOPNOTSUPP;
+- if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL))
+- goto err1;
+ } else if (set->flags & NFT_SET_EVAL)
+ return -EINVAL;
+
+--
+2.34.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index a9a029e..9d5c4e4 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver 3.10.0-1160.42.2.el7
 %define kpatch_ver 0.9.2
 %define rpm_ver 1
-%define rpm_rel 5
+%define rpm_rel 6
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
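Review bot: Moving the NFT_EXPR_STATEFUL test into nft_expr_init() (the added `err = -EOPNOTSUPP; if (!(info.ops->type->flags & NFT_EXPR_STATEFUL)) goto err_expr_stateful;` lines in the first inner hunk) makes the restriction apply to every caller of that helper, but the patch only adjusts nft_dynset_init(); upstream could do this because nft_expr_init() is reserved for set-element expressions, so it is worth confirming that no other path in the 3.10.0-1160 tree (rule creation, for instance) reaches nft_expr_init() with a non-stateful expression that would now be refused with -EOPNOTSUPP. The ordering is the whole point of the CVE fix and deserves a why-comment so a later rebase does not move the check back below kzalloc()/nf_tables_newexpr(), e.g. `/* Set-element expressions must be stateful; reject before ops->init() so a lookup expression never binds a set that then has to be undone. */` directly above the new `if`. The first hunk shows only the tail of nft_expr_init(), so its signature and the declaration of `info` are outside the hunk; nft_dynset_init() both starts and ends outside the second hunk, so whether its remaining `err1` label and `err` variable still have users after the removed lines cannot be seen here.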
@@ -43,6 +43,9 @@ Source109: CVE-2021-4083.patch # # https://bugzilla.redhat.com/2052183 Source110: CVE-2022-0492.patch +# +# https://bugzilla.redhat.com/2093010 +Source111: CVE-2022-1966.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -175,6 +178,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Fri Jun 17 2022 Yannick Cote [1-6.el7] +- kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root [2093010] {CVE-2022-1966} + * Thu May 12 2022 Joe Lawrence [1-5.el7] - kernel: cgroups v1 release_agent feature may allow privilege escalation [2052183] {CVE-2022-0492}