From f1789a3f6e1fa5d5808eb04ffe86d64d1f2e59e8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 10 2023 10:06:52 +0000 Subject: import kpatch-patch-3_10_0-1160_90_1-1-3.el7 --- diff --git a/SOURCES/CVE-2023-32233-full.patch b/SOURCES/CVE-2023-32233-full.patch new file mode 100644 index 0000000..2d908a1 --- /dev/null +++ b/SOURCES/CVE-2023-32233-full.patch @@ -0,0 +1,252 @@ +From 432fd316587463b7ecb99dd24807776bea6f3c22 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 10 Aug 2023 15:16:18 -0400 +Subject: [KPATCH CVE-2023-32233] kpatch fixes for CVE-2023-32233 + +Kernels: +3.10.0-1160.83.1.el7 +3.10.0-1160.88.1.el7 +3.10.0-1160.90.1.el7 +3.10.0-1160.92.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/58 +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +[x86_64]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +[ppc64le]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_delset +nf_tables_api.o: changed function: nf_tables_dump_set +nf_tables_api.o: changed function: nf_tables_getset +nf_tables_api.o: changed function: nf_tables_getsetelem +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +--------------------------- + +Modifications: +- Use KLP_CVE_2023_32233 shadow variable for set->removed +- For ppc64le, add -fno-optimize-sibling-calls attribute for + nf_tables_api.c :: nf_tables_getsetelem() + +commit cde71785485c5f12520ed90f93e3e2f78270a7b7 +Author: Florian Westphal +Date: Thu Jul 13 16:10:39 2023 +0200 + + netfilter: nf_tables: do not allow SET_ID to refer to another table + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2196159 + Upstream Status: commit 470ee20e069a6 + + Conflicts: + net/netfilter/nf_tables_api.c + + We lack commit 6ab3443e9e796 ("netfilter: nf_tables: pass ctx to nf_tables_expr_destroy()"), + which added the "nft_table" pointer to struct nft_set. + We can't easily pick this one up becaue it makes the kabi checker trip over + the nft_set layout change, and RH_KABI_EXTEND can't be used at the structures + end because nft_set last member is a VLA. + + Fortunately we can work around it by changing + "set->table" to "trans->ctx.table", we only need this check in the transaction phase. + + commit 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 + Author: Thadeu Lima de Souza Cascardo + Date: Tue Aug 9 14:01:46 2022 -0300 + + netfilter: nf_tables: do not allow SET_ID to refer to another table + + When doing lookups for sets on the same batch by using its ID, a set from a + different table can be used. + + Then, when the table is removed, a reference to the set may be kept after + the set is freed, leading to a potential use-after-free. + + When looking for sets by ID, use the table that was used for the lookup by + name, and only return sets belonging to that same table. + + This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. + + Reported-by: Team Orca of Sea Security (@seasecresponse) + Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") + Signed-off-by: Thadeu Lima de Souza Cascardo + Cc: + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + +commit 6a38a385344448ab2f4e68e833fcf9a7e3d62128 +Author: Florian Westphal +Date: Thu Jul 13 16:11:38 2023 +0200 + + netfilter: nf_tables: skip deactivated anonymous sets during lookups + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2196159 + Upstream Status: RHEL7 only + CVE: CVE-2023-32233 + + The fix for the above CVE was incomplete in *RHEL7*. + its not enough to check if the set is scheduled for removal when + an element is supposed to be deleted, this check needs to be done + for all other element operations too, e.g. when an element is + supposed to be *added* to a set. + + Move the check to the two functions that do the set lookup. + sets that are scheduled for removal/pending in the transaction + are no longer found if they have the "removed" bit set. + + Fixes: ffb7eb4b21c69 ("netfilter: nf_tables: deactivate anonymous set from preparation phase") + Reported-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Joe Lawrence +--- + include/net/netfilter/nf_tables.h | 1 + + net/netfilter/nf_tables_api.c | 40 +++++++++++++++++++++++-------- + net/netfilter/nft_dynset.c | 1 + + net/netfilter/nft_lookup.c | 1 + + 4 files changed, 33 insertions(+), 10 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 2ea0683b5860..3e356aba44ea 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -390,6 +390,7 @@ static inline struct nft_set *nft_set_container_of(const void *priv) + struct nft_set *nf_tables_set_lookup(const struct nft_table *table, + const struct nlattr *nla); + struct nft_set *nf_tables_set_lookup_byid(const struct net *net, ++ const struct nft_table *table, + const struct nlattr *nla); + + static inline unsigned long nft_set_gc_interval(const struct nft_set *set) +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index feff3b92a617..ed8a787ac400 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2450,22 +2450,45 @@ struct nft_set *nf_tables_set_lookup(const struct nft_table *table, + return ERR_PTR(-EINVAL); + + list_for_each_entry(set, &table->sets, list) { +- if (!nla_strcmp(nla, set->name)) +- return set; ++ ++ u16 *klp_removed; ++ ++ klp_removed = klp_shadow_get(set, KLP_CVE_2023_32233); ++ if (klp_removed) { ++ if (!nla_strcmp(nla, set->name) && !(*klp_removed)) ++ return set; ++ } else { ++ if (!nla_strcmp(nla, set->name)) ++ return set; ++ } + } + return ERR_PTR(-ENOENT); + } + + struct nft_set *nf_tables_set_lookup_byid(const struct net *net, ++ const struct nft_table *table, + const struct nlattr *nla) + { + struct nft_trans *trans; + u32 id = ntohl(nla_get_be32(nla)); + + list_for_each_entry(trans, &net->nft.commit_list, list) { +- if (trans->msg_type == NFT_MSG_NEWSET && +- id == nft_trans_set_id(trans)) +- return nft_trans_set(trans); ++ if (trans->msg_type == NFT_MSG_NEWSET) { ++ struct nft_set *set = nft_trans_set(trans); ++ u16 *klp_removed; ++ klp_removed = klp_shadow_get(set, KLP_CVE_2023_32233); ++ ++ if (klp_removed) { ++ if (id == nft_trans_set_id(trans) && ++ trans->ctx.table == table && ++ !(*klp_removed)) ++ return set; ++ } else { ++ if (id == nft_trans_set_id(trans) && ++ trans->ctx.table == table) ++ return set; ++ } ++ } + } + return ERR_PTR(-ENOENT); + } +@@ -3335,6 +3358,7 @@ nla_put_failure: + return -ENOSPC; + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb, + const struct nlmsghdr *nlh, + const struct nlattr * const nla[]) +@@ -3680,6 +3704,7 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk, + if (IS_ERR(set)) { + if (nla[NFTA_SET_ELEM_LIST_SET_ID]) { + set = nf_tables_set_lookup_byid(net, ++ ctx.table, + nla[NFTA_SET_ELEM_LIST_SET_ID]); + } + if (IS_ERR(set)) +@@ -3791,7 +3816,6 @@ static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, + struct nft_set *set; + struct nft_ctx ctx; + int rem, err = 0; +- u16 *klp_removed; + + err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla); + if (err < 0) +@@ -3803,10 +3827,6 @@ static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, + if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) + return -EBUSY; + +- klp_removed = klp_shadow_get(set, KLP_CVE_2023_32233); +- if (klp_removed && *klp_removed) +- return -ENOENT; +- + if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) { + struct nft_set_dump_args args = { + .iter = { +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 4d6d3af26a5b..211e5beab83f 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -119,6 +119,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx, + if (IS_ERR(set)) { + if (tb[NFTA_DYNSET_SET_ID]) + set = nf_tables_set_lookup_byid(ctx->net, ++ ctx->table, + tb[NFTA_DYNSET_SET_ID]); + if (IS_ERR(set)) + return PTR_ERR(set); +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c +index ab98a5cb7128..63eff5caae5a 100644 +--- a/net/netfilter/nft_lookup.c ++++ b/net/netfilter/nft_lookup.c +@@ -74,6 +74,7 @@ static int nft_lookup_init(const struct nft_ctx *ctx, + if (IS_ERR(set)) { + if (tb[NFTA_LOOKUP_SET_ID]) { + set = nf_tables_set_lookup_byid(ctx->net, ++ ctx->table, + tb[NFTA_LOOKUP_SET_ID]); + } + if (IS_ERR(set)) +-- +2.40.1 + + diff --git a/SOURCES/CVE-2023-35001.patch b/SOURCES/CVE-2023-35001.patch new file mode 100644 index 0000000..3307f1c --- /dev/null +++ b/SOURCES/CVE-2023-35001.patch @@ -0,0 +1,269 @@ +From fd863f1e7bad09d4bcfd8f3ccdc9e11936b5b95d Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Wed, 26 Jul 2023 12:05:43 -0400 +Subject: [KPATCH CVE-2023-35001] kpatch fixes for CVE-2023-35001 + +Kernels: +3.10.0-1160.83.1.el7 +3.10.0-1160.88.1.el7 +3.10.0-1160.90.1.el7 +3.10.0-1160.92.1.el7 +3.10.0-1160.95.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/57 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +[x86_64]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +[ppc64le]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_delset +nf_tables_api.o: changed function: nf_tables_dump_set +nf_tables_api.o: changed function: nf_tables_getset +nf_tables_api.o: changed function: nf_tables_getsetelem +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +--------------------------- + +Modifications: none + +commit ae6665a8a3635fd72671f488b17a63f9334d2841 +Author: Florian Westphal +Date: Tue Jul 11 16:03:12 2023 +0200 + + netfilter: nf_tables: prevent OOB access in nft_byteorder_eval + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2221720 + Upstream Status: net commit caf3ef7468f75 + CVE: CVE-2023-35001 + + commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd + Author: Thadeu Lima de Souza Cascardo + Date: Wed Jul 5 18:05:35 2023 -0300 + + netfilter: nf_tables: prevent OOB access in nft_byteorder_eval + + When evaluating byteorder expressions with size 2, a union with 32-bit and + 16-bit members is used. Since the 16-bit members are aligned to 32-bit, + the array accesses will be out-of-bounds. + + It may lead to a stack-out-of-bounds access like the one below: + + [ 23.095215] ================================================================== + [ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 + [ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 + [ 23.096358] + [ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 + [ 23.096770] Call Trace: + [ 23.096910] + [ 23.097030] dump_stack_lvl+0x60/0xc0 + [ 23.097218] print_report+0xcf/0x630 + [ 23.097388] ? nft_byteorder_eval+0x13c/0x320 + [ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 + [ 23.097760] ? nft_byteorder_eval+0x13c/0x320 + [ 23.097949] kasan_report+0xc9/0x110 + [ 23.098106] ? nft_byteorder_eval+0x13c/0x320 + [ 23.098298] __asan_load2+0x83/0xd0 + [ 23.098453] nft_byteorder_eval+0x13c/0x320 + [ 23.098659] nft_do_chain+0x1c8/0xc50 + [ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 + [ 23.099078] ? __kasan_check_read+0x11/0x20 + [ 23.099295] ? __pfx___lock_acquire+0x10/0x10 + [ 23.099535] ? __pfx___lock_acquire+0x10/0x10 + [ 23.099745] ? __kasan_check_read+0x11/0x20 + [ 23.099929] nft_do_chain_ipv4+0xfe/0x140 + [ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 + [ 23.100327] ? lock_release+0x204/0x400 + [ 23.100515] ? nf_hook.constprop.0+0x340/0x550 + [ 23.100779] nf_hook_slow+0x6c/0x100 + [ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 + [ 23.101223] nf_hook.constprop.0+0x334/0x550 + [ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 + [ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10 + [ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10 + [ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 + [ 23.102291] ? rcu_read_lock_held+0x4b/0x70 + [ 23.102481] ip_local_deliver+0xbb/0x110 + [ 23.102665] ? __pfx_ip_rcv+0x10/0x10 + [ 23.102839] ip_rcv+0x199/0x2a0 + [ 23.102980] ? __pfx_ip_rcv+0x10/0x10 + [ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 + [ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 + [ 23.103647] ? mark_held_locks+0x48/0xa0 + [ 23.103819] ? process_backlog+0x36c/0x380 + [ 23.103999] __netif_receive_skb+0x23/0xc0 + [ 23.104179] process_backlog+0x91/0x380 + [ 23.104350] __napi_poll.constprop.0+0x66/0x360 + [ 23.104589] ? net_rx_action+0x1cb/0x610 + [ 23.104811] net_rx_action+0x33e/0x610 + [ 23.105024] ? _raw_spin_unlock+0x23/0x50 + [ 23.105257] ? __pfx_net_rx_action+0x10/0x10 + [ 23.105485] ? mark_held_locks+0x48/0xa0 + [ 23.105741] __do_softirq+0xfa/0x5ab + [ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 + [ 23.106193] do_softirq.part.0+0x49/0xc0 + [ 23.106423] + [ 23.106547] + [ 23.106670] __local_bh_enable_ip+0xf5/0x120 + [ 23.106903] __dev_queue_xmit+0x789/0x1c00 + [ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 + [ 23.107381] ? find_held_lock+0x8e/0xb0 + [ 23.107585] ? lock_release+0x204/0x400 + [ 23.107798] ? neigh_resolve_output+0x185/0x350 + [ 23.108049] ? mark_held_locks+0x48/0xa0 + [ 23.108265] ? neigh_resolve_output+0x185/0x350 + [ 23.108514] neigh_resolve_output+0x246/0x350 + [ 23.108753] ? neigh_resolve_output+0x246/0x350 + [ 23.109003] ip_finish_output2+0x3c3/0x10b0 + [ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 + [ 23.109510] ? __pfx_nf_hook+0x10/0x10 + [ 23.109732] __ip_finish_output+0x217/0x390 + [ 23.109978] ip_finish_output+0x2f/0x130 + [ 23.110207] ip_output+0xc9/0x170 + [ 23.110404] ip_push_pending_frames+0x1a0/0x240 + [ 23.110652] raw_sendmsg+0x102e/0x19e0 + [ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 + [ 23.111093] ? lock_release+0x204/0x400 + [ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 + [ 23.111567] ? find_held_lock+0x8e/0xb0 + [ 23.111777] ? find_held_lock+0x8e/0xb0 + [ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 + [ 23.112225] ? aa_sk_perm+0x18a/0x550 + [ 23.112431] ? filemap_map_pages+0x4f1/0x900 + [ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 + [ 23.112880] ? find_held_lock+0x8e/0xb0 + [ 23.113098] inet_sendmsg+0xa0/0xb0 + [ 23.113297] ? inet_sendmsg+0xa0/0xb0 + [ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 + [ 23.113727] sock_sendmsg+0xf4/0x100 + [ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 + [ 23.114190] __sys_sendto+0x1d4/0x290 + [ 23.114391] ? __pfx___sys_sendto+0x10/0x10 + [ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 + [ 23.114869] ? lock_release+0x204/0x400 + [ 23.115076] ? find_held_lock+0x8e/0xb0 + [ 23.115287] ? rcu_is_watching+0x23/0x60 + [ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 + [ 23.115778] ? __kasan_check_write+0x14/0x30 + [ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 + [ 23.116285] ? mark_held_locks+0x28/0xa0 + [ 23.116503] ? do_syscall_64+0x37/0x90 + [ 23.116713] __x64_sys_sendto+0x7f/0xb0 + [ 23.116924] do_syscall_64+0x59/0x90 + [ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 + [ 23.117387] ? irqentry_exit+0x77/0xb0 + [ 23.117593] ? exc_page_fault+0x92/0x140 + [ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + [ 23.118081] RIP: 0033:0x7f744aee2bba + [ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 + [ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + [ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba + [ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 + [ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 + [ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 + [ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 + [ 23.121617] + [ 23.121749] + [ 23.121845] The buggy address belongs to the virtual mapping at + [ 23.121845] [ffffc90000000000, ffffc90000009000) created by: + [ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 + [ 23.122707] + [ 23.122803] The buggy address belongs to the physical page: + [ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 + [ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) + [ 23.123998] page_type: 0xffffffff() + [ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 + [ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 + [ 23.125023] page dumped because: kasan: bad access detected + [ 23.125326] + [ 23.125421] Memory state around the buggy address: + [ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + [ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 + [ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 + [ 23.126840] ^ + [ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 + [ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 + [ 23.127906] ================================================================== + [ 23.128324] Disabling lock debugging due to kernel taint + + Using simple s16 pointers for the 16-bit accesses fixes the problem. For + the 32-bit accesses, src and dst can be used directly. + + Fixes: 96518518cc41 ("netfilter: add nftables") + Cc: stable@vger.kernel.org + Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI + Signed-off-by: Thadeu Lima de Souza Cascardo + Reviewed-by: Florian Westphal + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + +Signed-off-by: Ryan Sullivan +--- + net/netfilter/nft_byteorder.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c +index 13d4e421a6b3..46a8f894717c 100644 +--- a/net/netfilter/nft_byteorder.c ++++ b/net/netfilter/nft_byteorder.c +@@ -33,11 +33,11 @@ static void nft_byteorder_eval(const struct nft_expr *expr, + const struct nft_byteorder *priv = nft_expr_priv(expr); + u32 *src = ®s->data[priv->sreg]; + u32 *dst = ®s->data[priv->dreg]; +- union { u32 u32; u16 u16; } *s, *d; ++ u16 *s16, *d16; + unsigned int i; + +- s = (void *)src; +- d = (void *)dst; ++ s16 = (void *)src; ++ d16 = (void *)dst; + + switch (priv->size) { + case 8: { +@@ -63,11 +63,11 @@ static void nft_byteorder_eval(const struct nft_expr *expr, + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = ntohl((__force __be32)s[i].u32); ++ dst[i] = ntohl((__force __be32)src[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = (__force __u32)htonl(s[i].u32); ++ dst[i] = (__force __u32)htonl(src[i]); + break; + } + break; +@@ -75,11 +75,11 @@ static void nft_byteorder_eval(const struct nft_expr *expr, + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = ntohs((__force __be16)s[i].u16); ++ d16[i] = ntohs((__force __be16)s16[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = (__force __u16)htons(s[i].u16); ++ d16[i] = (__force __u16)htons(s16[i]); + break; + } + break; +-- +2.40.1 + + diff --git a/SOURCES/CVE-2023-3609.patch b/SOURCES/CVE-2023-3609.patch new file mode 100644 index 0000000..c72ccc5 --- /dev/null +++ b/SOURCES/CVE-2023-3609.patch @@ -0,0 +1,142 @@ +From 889eaaeaa5aa88308347b90f53e1bd2301a50dec Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Mon, 25 Sep 2023 10:50:48 -0400 +Subject: [KPATCH CVE-2023-3609] kpatch fixes for CVE-2023-3609 + +Kernels: +3.10.0-1160.88.1.el7 +3.10.0-1160.90.1.el7 +3.10.0-1160.92.1.el7 +3.10.0-1160.95.1.el7 +3.10.0-1160.99.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/59 +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +[x86_64]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +[ppc64le]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_delset +nf_tables_api.o: changed function: nf_tables_dump_set +nf_tables_api.o: changed function: nf_tables_getset +nf_tables_api.o: changed function: nf_tables_getsetelem +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +--------------------------- + +Modifications: none + +commit 867fb59af8011c735d38c08d6e6ecef67265cb4e +Author: Davide Caratti +Date: Tue Aug 8 11:18:31 2023 +0200 + + net/sched: cls_u32: Fix reference counter leak leading to overflow + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225486 + CVE: CVE-2023-3609 + Upstream Status: net.git commit 04c55383fa56 + Conflicts: + - net/sched/cls_u32.c: we still have CONFIG_NET_CLS_IND in rhel7, + because of missing upstream commit a51486266c3b ("net: sched: remove + NET_CLS_IND config option"), so the patch has been manually reworked + to preserve use of #ifdef CONFIG_NET_CLS_IND + - we also don't have extacks because of missing backport of upstream + commit 4b981dbc2272 ("net: sched: cls_u32: add extack support"), so + the call to tcf_change_indev() has no 'extack' parameter + + commit 04c55383fa5689357bcdd2c8036725a55ed632bc + Author: Lee Jones + Date: Thu Jun 8 08:29:03 2023 +0100 + + net/sched: cls_u32: Fix reference counter leak leading to overflow + + In the event of a failure in tcf_change_indev(), u32_set_parms() will + immediately return without decrementing the recently incremented + reference counter. If this happens enough times, the counter will + rollover and the reference freed, leading to a double free which can be + used to do 'bad things'. + + In order to prevent this, move the point of possible failure above the + point where the reference counter is incremented. Also save any + meaningful return values to be applied to the return data at the + appropriate point in time. + + This issue was caught with KASAN. + + Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct") + Suggested-by: Eric Dumazet + Signed-off-by: Lee Jones + Reviewed-by: Eric Dumazet + Acked-by: Jamal Hadi Salim + Signed-off-by: David S. Miller + + Signed-off-by: Davide Caratti + +Signed-off-by: Ryan Sullivan +--- + net/sched/cls_u32.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 269dcb08fed5..cc9398e10451 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -768,11 +768,22 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + struct nlattr *est, bool ovr) + { + int err; ++#ifdef CONFIG_NET_CLS_IND ++ int ifindex = -1; ++#endif + + err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr); + if (err < 0) + return err; + ++#ifdef CONFIG_NET_CLS_IND ++ if (tb[TCA_U32_INDEV]) { ++ ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV]); ++ if (ifindex < 0) ++ return -EINVAL; ++ } ++#endif ++ + if (tb[TCA_U32_LINK]) { + u32 handle = nla_get_u32(tb[TCA_U32_LINK]); + struct tc_u_hnode *ht_down = NULL, *ht_old; +@@ -800,14 +811,10 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + } + + #ifdef CONFIG_NET_CLS_IND +- if (tb[TCA_U32_INDEV]) { +- int ret; +- ret = tcf_change_indev(net, tb[TCA_U32_INDEV]); +- if (ret < 0) +- return -EINVAL; +- n->ifindex = ret; +- } ++ if (ifindex >= 0) ++ n->ifindex = ifindex; + #endif ++ + return 0; + } + +-- +2.40.1 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 2a63e73..dbf6fb7 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.90.1.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 2 +%define rpm_rel 3 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -19,6 +19,15 @@ Source101: CVE-2023-32233.patch # # https://bugzilla.redhat.com/2217003 Source102: CVE-2023-35788.patch +# +# https://bugzilla.redhat.com/2196588 +Source103: CVE-2023-32233-full.patch +# +# https://bugzilla.redhat.com/2221747 +Source104: CVE-2023-35001.patch +# +# https://bugzilla.redhat.com/2225510 +Source105: CVE-2023-3609.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -153,6 +162,11 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Mon Sep 25 2023 Yannick Cote [1-3.el7] +- kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails [2225510] {CVE-2023-3609} +- kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() [2221747] {CVE-2023-35001} +- kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation [2196588] {CVE-2023-32233} + * Tue Aug 15 2023 Yannick Cote [1-2.el7] - kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt() [2217003] {CVE-2023-35788}