diff --git a/SOURCES/CVE-2023-35788.patch b/SOURCES/CVE-2023-35788.patch new file mode 100644 index 0000000..d38a811 --- /dev/null +++ b/SOURCES/CVE-2023-35788.patch @@ -0,0 +1,88 @@ +From 8a2f5f2c9ef2495c8e50f319ae3445c3b92e0633 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Tue, 25 Jul 2023 11:39:53 -0400 +Subject: [KPATCH CVE-2023-35788] kpatch fixes for CVE-2023-35788 + +Kernels: +3.10.0-1160.83.1.el7 +3.10.0-1160.88.1.el7 +3.10.0-1160.90.1.el7 +3.10.0-1160.92.1.el7 +3.10.0-1160.95.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/56 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +arches: x86_64 ppc64le +cls_flower.o: changed function: fl_set_geneve_opt +--------------------------- + +Modifications: +adds noinline to fl_set_geneve_opt() definition to make sure that +kpatch-build can correlate static local variables during the build +process + +commit ab0aa1bec5258018fc29e01570fc30d8261b9c03 +Author: Davide Caratti +Date: Mon Jun 26 15:48:59 2023 +0200 + + net/sched: flower: fix possible OOB write in fl_set_geneve_opt() + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2216982 + Upstream Status: net.git commit 4d56304e5827 + CVE: CVE-2023-35788 + + commit 4d56304e5827c8cc8cc18c75343d283af7c4825c + Author: Hangyu Hua + Date: Wed May 31 18:28:04 2023 +0800 + + net/sched: flower: fix possible OOB write in fl_set_geneve_opt() + + If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total + size is 252 bytes(key->enc_opts.len = 252) then + key->enc_opts.len = opt->length = data_len / 4 = 0 when the third + TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This + bypasses the next bounds check and results in an out-of-bounds. + + Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") + Signed-off-by: Hangyu Hua + Reviewed-by: Simon Horman + Reviewed-by: Pieter Jansen van Vuuren + Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com + Signed-off-by: Paolo Abeni + + Signed-off-by: Davide Caratti + +Signed-off-by: Ryan Sullivan +--- + net/sched/cls_flower.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 68287b05c847..dfd219bf9cca 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -587,7 +587,7 @@ static void fl_set_key_ip(struct nlattr **tb, bool encap, + fl_set_key_val(tb, &key->ttl, ttl_key, &mask->ttl, ttl_mask, sizeof(key->ttl)); + } + +-static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, ++noinline static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, + int depth, int option_len) + { + struct nlattr *tb[TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX + 1]; +@@ -598,6 +598,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, + if (option_len > sizeof(struct geneve_opt)) + data_len = option_len - sizeof(struct geneve_opt); + ++ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) ++ return -ERANGE; ++ + opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; + memset(opt, 0xff, option_len); + opt->length = data_len / 4; +-- +2.40.1 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index e7cc537..4937aab 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.83.1.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 2 +%define rpm_rel 3 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -19,6 +19,9 @@ Source101: CVE-2022-3564.patch # # https://bugzilla.redhat.com/2196588 Source102: CVE-2023-32233.patch +# +# https://bugzilla.redhat.com/2217003 +Source103: CVE-2023-35788.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -153,6 +156,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Aug 15 2023 Yannick Cote [1-3.el7] +- kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt() [2217003] {CVE-2023-35788} + * Wed Jul 05 2023 Yannick Cote [1-2.el7] - kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation [2196588] {CVE-2023-32233} - kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c [2153001] {CVE-2022-3564}