diff --git a/.gitignore b/.gitignore index e69de29..1b41387 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-3.10.0-1160.76.1.el7.src.rpm +SOURCES/v0.9.2.tar.gz diff --git a/.kpatch-patch-3_10_0-1160_76_1.metadata b/.kpatch-patch-3_10_0-1160_76_1.metadata index e69de29..e2b81bb 100644 --- a/.kpatch-patch-3_10_0-1160_76_1.metadata +++ b/.kpatch-patch-3_10_0-1160_76_1.metadata @@ -0,0 +1,2 @@ +da4926767498dda56e534cc12261899f0ae75ce6 SOURCES/kernel-3.10.0-1160.76.1.el7.src.rpm +c0878679129add77d6fff57093640892ad941155 SOURCES/v0.9.2.tar.gz diff --git a/SOURCES/CVE-2022-2588.patch b/SOURCES/CVE-2022-2588.patch new file mode 100644 index 0000000..7c78b1a --- /dev/null +++ b/SOURCES/CVE-2022-2588.patch @@ -0,0 +1,85 @@ +From 9729284acf8441ad27c2c87d2d91e5faef742d98 Mon Sep 17 00:00:00 2001 +From: Julia Denham +Date: Wed, 5 Oct 2022 09:14:27 -0400 +Subject: [KPATCH CVE-2022-2588] kpatch fixes for CVE-2022-2588 + +Kernels: +3.10.0-1160.45.1.el7 +3.10.0-1160.62.1.el7 +3.10.0-1160.66.1.el7 +3.10.0-1160.71.1.el7 +3.10.0-1160.76.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/45 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +cls_route.o: changed function: route4_change +--------------------------- + +Modifications: none + +commit 74eb26c74da4446e9b826103e61361531c6ca716 +Author: Davide Caratti +Date: Mon Aug 29 15:47:31 2022 +0200 + + net_sched: cls_route: remove from list when handle is 0 + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2121809 + Upstream Status: net.git commit 9ad36309e271 + CVE: CVE-2022-2588 + Conflicts: None + + commit 9ad36309e2719a884f946678e0296be10f0bb4c1 + Author: Thadeu Lima de Souza Cascardo + Date: Tue Aug 9 14:05:18 2022 -0300 + + net_sched: cls_route: remove from list when handle is 0 + + When a route filter is replaced and the old filter has a 0 handle, the old + one won't be removed from the hashtable, while it will still be freed. + + The test was there since before commit 1109c00547fc ("net: sched: RCU + cls_route"), when a new filter was not allocated when there was an old one. + The old filter was reused and the reinserting would only be necessary if an + old filter was replaced. That was still wrong for the same case where the + old handle was 0. + + Remove the old filter from the list independently from its handle value. + + This fixes CVE-2022-2588, also reported as ZDI-CAN-17440. + + Reported-by: Zhenpeng Lin + Signed-off-by: Thadeu Lima de Souza Cascardo + Reviewed-by: Kamal Mostafa + Cc: + Acked-by: Jamal Hadi Salim + Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com + Signed-off-by: Jakub Kicinski + + Signed-off-by: Davide Caratti + +Signed-off-by: Julia Denham +--- + net/sched/cls_route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c +index 2fed29fa504e..d97c5bcdfa43 100644 +--- a/net/sched/cls_route.c ++++ b/net/sched/cls_route.c +@@ -526,7 +526,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, + rcu_assign_pointer(f->next, f1); + rcu_assign_pointer(*fp, f); + +- if (fold && fold->handle && f->handle != fold->handle) { ++ if (fold) { + th = to_hash(fold->handle); + h = from_hash(fold->handle >> 16); + b = rtnl_dereference(head->table[th]); +-- +2.37.3 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index d9d541a..5d038af 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,18 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 3.10.0-1160.76.1.el7 %define kpatch_ver 0.9.2 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2122586 +Source100: CVE-2022-2588.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -144,5 +145,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Thu Oct 13 2022 Yannick Cote [1-1.el7] +- kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation [2122586] {CVE-2022-2588} + * Thu Jul 28 2022 Joe Lawrence [0-0.el7] - An empty patch to subscribe to kpatch stream for kernel-3.10.0-1160.76.1.el7 [2112108]