From d6dc1581c25221b17e1447f5eea0ee156a69e986 Mon Sep 17 00:00:00 2001 
From: Joe Lawrence
Date: Fri, 25 Mar 2022 14:49:39 -0400
Subject: [KPATCH CVE-2022-0492] cgroup-v1: kpatch fixes for CVE-2022-0492
Content-type: text/plain

Kernels:
3.10.0-1160.24.1.el7
3.10.0-1160.25.1.el7
3.10.0-1160.31.1.el7
3.10.0-1160.36.2.el7
3.10.0-1160.41.1.el7
3.10.0-1160.42.2.el7
3.10.0-1160.45.1.el7
3.10.0-1160.49.1.el7
3.10.0-1160.53.1.el7
3.10.0-1160.59.1.el7

Changes since last build:
arches: x86_64 ppc64le
cgroup.o: changed function: cgroup_release_agent_write
cgroup.o: changed function: parse_cgroupfs_options
---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/36
Approved-by: Yannick Cote (@ycote1)

Modifications: none

commit a1d7f90e939b5ca2fddb1e295c6cf8bfb97a69f0
Author: Waiman Long
Date: Wed Feb 9 09:23:49 2022 -0500

    cgroup-v1: Require capabilities to set release_agent

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2052162
    CVE: CVE-2022-0492
    Conflicts:
      1) For RHEL7, the right file to be modified is kernel/cgroup.c.
      2) The cgroup filesystem files in RHEL7 are created via direct
         manipulation of dentries and inode and credential at the time of
         creation are not stored. So the init_user_ns comparison check in
         the upstream commit isn't applicable. It is also less important
         and so the checks are dropped.
      3) The cgroup mount parameter parsing is done in
         parse_cgroupfs_options() instead.

    commit 24f6008564183aa120d07c03d9289519c2fe02af
    Author: Eric W. Biederman
    Date: Thu, 20 Jan 2022 11:04:01 -0600

        cgroup-v1: Require capabilities to set release_agent

        The cgroup release_agent is called with call_usermodehelper. The
        function call_usermodehelper starts the release_agent with a full
        set of capabilities. Therefore require capabilities when setting
        the release_agent.

        Reported-by: Tabitha Sable
        Tested-by: Tabitha Sable
        Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
        Cc: stable@vger.kernel.org # v2.6.24+
        Signed-off-by: "Eric W. Biederman"
Signed-off-by: Tejun Heo Signed-off-by: Waiman Long Signed-off-by: Joe Lawrence --- kernel/cgroup.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/kernel/cgroup.c b/kernel/cgroup.c index 4777d5bc3142..e4138e5a7879 100644 --- a/kernel/cgroup.c +++ b/kernel/cgroup.c @@ -1149,6 +1149,13 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts) /* Specifying two release agents is forbidden */ if (opts->release_agent) return -EINVAL; + /* + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + opts->release_agent = kstrndup(token + 14, PATH_MAX - 1, GFP_KERNEL); if (!opts->release_agent) @@ -2196,6 +2203,14 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft, BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX); if (strlen(buffer) >= PATH_MAX) return -EINVAL; + + /* + * Release agent gets called with all capabilities, + * require capabilities to set release agent. + */ + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + if (!cgroup_lock_live_group(cgrp)) return -ENODEV; mutex_lock(&cgroup_root_mutex); -- 2.26.3
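Review bot: In the parse_cgroupfs_options() hunk, the in-code comment should state that the bare capable(CAP_SYS_ADMIN) test is evaluated against the mounting task's credentials in the initial user namespace and therefore stands in for the init_user_ns comparison that the upstream commit carries and this backport drops (Conflicts note 2); a reader diffing this against upstream will otherwise go looking for a missing namespace check. The placement itself is right: the -EPERM return sits after the existing duplicate-agent -EINVAL, so that error is preserved, and before kstrndup(), so a refused caller never allocates the release_agent string.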
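Review bot: In the cgroup_release_agent_write() hunk the check is made on the writer's current credentials at write time rather than on the credentials of whoever opened the file, which follows directly from the commit message's point that RHEL7 cgroupfs does not store creation-time credentials; record that choice in the comment (it is currently identical to the one in the mount-option hunk) so the check is not later "corrected" to an opener-credential form that this kernel cannot support. The ordering is sound: -EPERM is returned after the PATH_MAX length validation and before cgroup_lock_live_group(), so no cgroup mutex is taken on behalf of a caller that will be refused.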