diff --git a/.gitignore b/.gitignore index e69de29..8837ad0 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-3.10.0-1160.99.1.el7.src.rpm +SOURCES/v0.9.2.tar.gz diff --git a/.kpatch-patch-3_10_0-1160_99_1.metadata b/.kpatch-patch-3_10_0-1160_99_1.metadata index e69de29..6098dba 100644 --- a/.kpatch-patch-3_10_0-1160_99_1.metadata +++ b/.kpatch-patch-3_10_0-1160_99_1.metadata @@ -0,0 +1,2 @@ +645dcf38f50cb19fcde18e8294e18f7644d66e2a SOURCES/kernel-3.10.0-1160.99.1.el7.src.rpm +c0878679129add77d6fff57093640892ad941155 SOURCES/v0.9.2.tar.gz diff --git a/SOURCES/CVE-2023-32233-full2.patch b/SOURCES/CVE-2023-32233-full2.patch new file mode 100644 index 0000000..0eb52d6 --- /dev/null +++ b/SOURCES/CVE-2023-32233-full2.patch @@ -0,0 +1,226 @@ +From 0a078bf71d41c66168b4740bee12d8f1a7d94f80 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 10 Aug 2023 15:09:04 -0400 +Subject: [KPATCH 7.9] kpatch fixes for CVE-2023-32233 +Content-type: text/plain + +Kernels: +3.10.0-1160.95.1.el7 + + +Changes since last build: +[x86_64]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_delsetelem +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nf_tables_api.o: changed function: nft_validate_register_store +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +[ppc64le]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_bind_check_setelem +nf_tables_api.o: changed function: nf_tables_delset +nf_tables_api.o: changed function: nf_tables_delsetelem +nf_tables_api.o: changed function: nf_tables_dump_set +nf_tables_api.o: changed function: nf_tables_getset +nf_tables_api.o: changed function: nf_tables_getsetelem +nf_tables_api.o: changed function: nf_tables_newset +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nf_tables_api.o: changed function: nft_add_set_elem +nf_tables_api.o: changed function: nft_validate_register_store +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +--------------------------- + +Modifications: +- For ppc64le, add -fno-optimize-sibling-calls attribute for + nf_tables_api.c :: nf_tables_getsetelem() + +commit cde71785485c5f12520ed90f93e3e2f78270a7b7 +Author: Florian Westphal +Date: Thu Jul 13 16:10:39 2023 +0200 + + netfilter: nf_tables: do not allow SET_ID to refer to another table + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2196159 + Upstream Status: commit 470ee20e069a6 + + Conflicts: + net/netfilter/nf_tables_api.c + + We lack commit 6ab3443e9e796 ("netfilter: nf_tables: pass ctx to nf_tables_expr_destroy()"), + which added the "nft_table" pointer to struct nft_set. + We can't easily pick this one up becaue it makes the kabi checker trip over + the nft_set layout change, and RH_KABI_EXTEND can't be used at the structures + end because nft_set last member is a VLA. + + Fortunately we can work around it by changing + "set->table" to "trans->ctx.table", we only need this check in the transaction phase. + + commit 470ee20e069a6d05ae549f7d0ef2bdbcee6a81b2 + Author: Thadeu Lima de Souza Cascardo + Date: Tue Aug 9 14:01:46 2022 -0300 + + netfilter: nf_tables: do not allow SET_ID to refer to another table + + When doing lookups for sets on the same batch by using its ID, a set from a + different table can be used. + + Then, when the table is removed, a reference to the set may be kept after + the set is freed, leading to a potential use-after-free. + + When looking for sets by ID, use the table that was used for the lookup by + name, and only return sets belonging to that same table. + + This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. + + Reported-by: Team Orca of Sea Security (@seasecresponse) + Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") + Signed-off-by: Thadeu Lima de Souza Cascardo + Cc: + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + +commit 6a38a385344448ab2f4e68e833fcf9a7e3d62128 +Author: Florian Westphal +Date: Thu Jul 13 16:11:38 2023 +0200 + + netfilter: nf_tables: skip deactivated anonymous sets during lookups + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2196159 + Upstream Status: RHEL7 only + CVE: CVE-2023-32233 + + The fix for the above CVE was incomplete in *RHEL7*. + its not enough to check if the set is scheduled for removal when + an element is supposed to be deleted, this check needs to be done + for all other element operations too, e.g. when an element is + supposed to be *added* to a set. + + Move the check to the two functions that do the set lookup. + sets that are scheduled for removal/pending in the transaction + are no longer found if they have the "removed" bit set. + + Fixes: ffb7eb4b21c69 ("netfilter: nf_tables: deactivate anonymous set from preparation phase") + Reported-by: Phil Sutter + Signed-off-by: Florian Westphal + +Signed-off-by: Joe Lawrence +--- + include/net/netfilter/nf_tables.h | 1 + + net/netfilter/nf_tables_api.c | 19 ++++++++++++------- + net/netfilter/nft_dynset.c | 1 + + net/netfilter/nft_lookup.c | 1 + + 4 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index c0fadaa475e8..f763ef31bee7 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -396,6 +396,7 @@ static inline struct nft_set *nft_set_container_of(const void *priv) + struct nft_set *nf_tables_set_lookup(const struct nft_table *table, + const struct nlattr *nla); + struct nft_set *nf_tables_set_lookup_byid(const struct net *net, ++ const struct nft_table *table, + const struct nlattr *nla); + + static inline unsigned long nft_set_gc_interval(const struct nft_set *set) +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index e5c639ae2e76..273130af8386 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2431,22 +2431,28 @@ struct nft_set *nf_tables_set_lookup(const struct nft_table *table, + return ERR_PTR(-EINVAL); + + list_for_each_entry(set, &table->sets, list) { +- if (!nla_strcmp(nla, set->name)) ++ if (!nla_strcmp(nla, set->name) && !set->removed) + return set; + } + return ERR_PTR(-ENOENT); + } + + struct nft_set *nf_tables_set_lookup_byid(const struct net *net, ++ const struct nft_table *table, + const struct nlattr *nla) + { + struct nft_trans *trans; + u32 id = ntohl(nla_get_be32(nla)); + + list_for_each_entry(trans, &net->nft.commit_list, list) { +- if (trans->msg_type == NFT_MSG_NEWSET && +- id == nft_trans_set_id(trans)) +- return nft_trans_set(trans); ++ if (trans->msg_type == NFT_MSG_NEWSET) { ++ struct nft_set *set = nft_trans_set(trans); ++ ++ if (id == nft_trans_set_id(trans) && ++ trans->ctx.table == table && ++ !set->removed) ++ return set; ++ } + } + return ERR_PTR(-ENOENT); + } +@@ -3295,6 +3301,7 @@ nla_put_failure: + return -ENOSPC; + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb, + const struct nlmsghdr *nlh, + const struct nlattr * const nla[]) +@@ -3640,6 +3647,7 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk, + if (IS_ERR(set)) { + if (nla[NFTA_SET_ELEM_LIST_SET_ID]) { + set = nf_tables_set_lookup_byid(net, ++ ctx.table, + nla[NFTA_SET_ELEM_LIST_SET_ID]); + } + if (IS_ERR(set)) +@@ -3762,9 +3770,6 @@ static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, + if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) + return -EBUSY; + +- if (set->removed) +- return -ENOENT; +- + if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) { + struct nft_set_dump_args args = { + .iter = { +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 9c11a024d96d..c50dd3221fa5 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -119,6 +119,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx, + if (IS_ERR(set)) { + if (tb[NFTA_DYNSET_SET_ID]) + set = nf_tables_set_lookup_byid(ctx->net, ++ ctx->table, + tb[NFTA_DYNSET_SET_ID]); + if (IS_ERR(set)) + return PTR_ERR(set); +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c +index f57f7b8f2400..7a3c09fd50ef 100644 +--- a/net/netfilter/nft_lookup.c ++++ b/net/netfilter/nft_lookup.c +@@ -74,6 +74,7 @@ static int nft_lookup_init(const struct nft_ctx *ctx, + if (IS_ERR(set)) { + if (tb[NFTA_LOOKUP_SET_ID]) { + set = nf_tables_set_lookup_byid(ctx->net, ++ ctx->table, + tb[NFTA_LOOKUP_SET_ID]); + } + if (IS_ERR(set)) +-- +2.41.0 + diff --git a/SOURCES/CVE-2023-35001.patch b/SOURCES/CVE-2023-35001.patch new file mode 100644 index 0000000..fe74ae6 --- /dev/null +++ b/SOURCES/CVE-2023-35001.patch @@ -0,0 +1,276 @@ +From fd863f1e7bad09d4bcfd8f3ccdc9e11936b5b95d Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Wed, 26 Jul 2023 12:05:43 -0400 +Subject: [KPATCH CVE-2023-35001] kpatch fixes for CVE-2023-35001 + +Kernels: +3.10.0-1160.83.1.el7 +3.10.0-1160.88.1.el7 +3.10.0-1160.90.1.el7 +3.10.0-1160.92.1.el7 +3.10.0-1160.95.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/57 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +[x86_64]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_delsetelem +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nf_tables_api.o: changed function: nft_validate_register_store +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +[ppc64le]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_bind_check_setelem +nf_tables_api.o: changed function: nf_tables_delset +nf_tables_api.o: changed function: nf_tables_delsetelem +nf_tables_api.o: changed function: nf_tables_dump_set +nf_tables_api.o: changed function: nf_tables_getset +nf_tables_api.o: changed function: nf_tables_getsetelem +nf_tables_api.o: changed function: nf_tables_newset +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nf_tables_api.o: changed function: nft_add_set_elem +nf_tables_api.o: changed function: nft_validate_register_store +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +--------------------------- + +Modifications: none + +commit ae6665a8a3635fd72671f488b17a63f9334d2841 +Author: Florian Westphal +Date: Tue Jul 11 16:03:12 2023 +0200 + + netfilter: nf_tables: prevent OOB access in nft_byteorder_eval + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2221720 + Upstream Status: net commit caf3ef7468f75 + CVE: CVE-2023-35001 + + commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd + Author: Thadeu Lima de Souza Cascardo + Date: Wed Jul 5 18:05:35 2023 -0300 + + netfilter: nf_tables: prevent OOB access in nft_byteorder_eval + + When evaluating byteorder expressions with size 2, a union with 32-bit and + 16-bit members is used. Since the 16-bit members are aligned to 32-bit, + the array accesses will be out-of-bounds. + + It may lead to a stack-out-of-bounds access like the one below: + + [ 23.095215] ================================================================== + [ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 + [ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 + [ 23.096358] + [ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 + [ 23.096770] Call Trace: + [ 23.096910] + [ 23.097030] dump_stack_lvl+0x60/0xc0 + [ 23.097218] print_report+0xcf/0x630 + [ 23.097388] ? nft_byteorder_eval+0x13c/0x320 + [ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 + [ 23.097760] ? nft_byteorder_eval+0x13c/0x320 + [ 23.097949] kasan_report+0xc9/0x110 + [ 23.098106] ? nft_byteorder_eval+0x13c/0x320 + [ 23.098298] __asan_load2+0x83/0xd0 + [ 23.098453] nft_byteorder_eval+0x13c/0x320 + [ 23.098659] nft_do_chain+0x1c8/0xc50 + [ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 + [ 23.099078] ? __kasan_check_read+0x11/0x20 + [ 23.099295] ? __pfx___lock_acquire+0x10/0x10 + [ 23.099535] ? __pfx___lock_acquire+0x10/0x10 + [ 23.099745] ? __kasan_check_read+0x11/0x20 + [ 23.099929] nft_do_chain_ipv4+0xfe/0x140 + [ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 + [ 23.100327] ? lock_release+0x204/0x400 + [ 23.100515] ? nf_hook.constprop.0+0x340/0x550 + [ 23.100779] nf_hook_slow+0x6c/0x100 + [ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 + [ 23.101223] nf_hook.constprop.0+0x334/0x550 + [ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 + [ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10 + [ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10 + [ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 + [ 23.102291] ? rcu_read_lock_held+0x4b/0x70 + [ 23.102481] ip_local_deliver+0xbb/0x110 + [ 23.102665] ? __pfx_ip_rcv+0x10/0x10 + [ 23.102839] ip_rcv+0x199/0x2a0 + [ 23.102980] ? __pfx_ip_rcv+0x10/0x10 + [ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 + [ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 + [ 23.103647] ? mark_held_locks+0x48/0xa0 + [ 23.103819] ? process_backlog+0x36c/0x380 + [ 23.103999] __netif_receive_skb+0x23/0xc0 + [ 23.104179] process_backlog+0x91/0x380 + [ 23.104350] __napi_poll.constprop.0+0x66/0x360 + [ 23.104589] ? net_rx_action+0x1cb/0x610 + [ 23.104811] net_rx_action+0x33e/0x610 + [ 23.105024] ? _raw_spin_unlock+0x23/0x50 + [ 23.105257] ? __pfx_net_rx_action+0x10/0x10 + [ 23.105485] ? mark_held_locks+0x48/0xa0 + [ 23.105741] __do_softirq+0xfa/0x5ab + [ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 + [ 23.106193] do_softirq.part.0+0x49/0xc0 + [ 23.106423] + [ 23.106547] + [ 23.106670] __local_bh_enable_ip+0xf5/0x120 + [ 23.106903] __dev_queue_xmit+0x789/0x1c00 + [ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 + [ 23.107381] ? find_held_lock+0x8e/0xb0 + [ 23.107585] ? lock_release+0x204/0x400 + [ 23.107798] ? neigh_resolve_output+0x185/0x350 + [ 23.108049] ? mark_held_locks+0x48/0xa0 + [ 23.108265] ? neigh_resolve_output+0x185/0x350 + [ 23.108514] neigh_resolve_output+0x246/0x350 + [ 23.108753] ? neigh_resolve_output+0x246/0x350 + [ 23.109003] ip_finish_output2+0x3c3/0x10b0 + [ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 + [ 23.109510] ? __pfx_nf_hook+0x10/0x10 + [ 23.109732] __ip_finish_output+0x217/0x390 + [ 23.109978] ip_finish_output+0x2f/0x130 + [ 23.110207] ip_output+0xc9/0x170 + [ 23.110404] ip_push_pending_frames+0x1a0/0x240 + [ 23.110652] raw_sendmsg+0x102e/0x19e0 + [ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 + [ 23.111093] ? lock_release+0x204/0x400 + [ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 + [ 23.111567] ? find_held_lock+0x8e/0xb0 + [ 23.111777] ? find_held_lock+0x8e/0xb0 + [ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 + [ 23.112225] ? aa_sk_perm+0x18a/0x550 + [ 23.112431] ? filemap_map_pages+0x4f1/0x900 + [ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 + [ 23.112880] ? find_held_lock+0x8e/0xb0 + [ 23.113098] inet_sendmsg+0xa0/0xb0 + [ 23.113297] ? inet_sendmsg+0xa0/0xb0 + [ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 + [ 23.113727] sock_sendmsg+0xf4/0x100 + [ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 + [ 23.114190] __sys_sendto+0x1d4/0x290 + [ 23.114391] ? __pfx___sys_sendto+0x10/0x10 + [ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 + [ 23.114869] ? lock_release+0x204/0x400 + [ 23.115076] ? find_held_lock+0x8e/0xb0 + [ 23.115287] ? rcu_is_watching+0x23/0x60 + [ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 + [ 23.115778] ? __kasan_check_write+0x14/0x30 + [ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 + [ 23.116285] ? mark_held_locks+0x28/0xa0 + [ 23.116503] ? do_syscall_64+0x37/0x90 + [ 23.116713] __x64_sys_sendto+0x7f/0xb0 + [ 23.116924] do_syscall_64+0x59/0x90 + [ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 + [ 23.117387] ? irqentry_exit+0x77/0xb0 + [ 23.117593] ? exc_page_fault+0x92/0x140 + [ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + [ 23.118081] RIP: 0033:0x7f744aee2bba + [ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 + [ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + [ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba + [ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 + [ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 + [ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 + [ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 + [ 23.121617] + [ 23.121749] + [ 23.121845] The buggy address belongs to the virtual mapping at + [ 23.121845] [ffffc90000000000, ffffc90000009000) created by: + [ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 + [ 23.122707] + [ 23.122803] The buggy address belongs to the physical page: + [ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 + [ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) + [ 23.123998] page_type: 0xffffffff() + [ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 + [ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 + [ 23.125023] page dumped because: kasan: bad access detected + [ 23.125326] + [ 23.125421] Memory state around the buggy address: + [ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + [ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 + [ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 + [ 23.126840] ^ + [ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 + [ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 + [ 23.127906] ================================================================== + [ 23.128324] Disabling lock debugging due to kernel taint + + Using simple s16 pointers for the 16-bit accesses fixes the problem. For + the 32-bit accesses, src and dst can be used directly. + + Fixes: 96518518cc41 ("netfilter: add nftables") + Cc: stable@vger.kernel.org + Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI + Signed-off-by: Thadeu Lima de Souza Cascardo + Reviewed-by: Florian Westphal + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + +Signed-off-by: Ryan Sullivan +--- + net/netfilter/nft_byteorder.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c +index 13d4e421a6b3..46a8f894717c 100644 +--- a/net/netfilter/nft_byteorder.c ++++ b/net/netfilter/nft_byteorder.c +@@ -33,11 +33,11 @@ static void nft_byteorder_eval(const struct nft_expr *expr, + const struct nft_byteorder *priv = nft_expr_priv(expr); + u32 *src = ®s->data[priv->sreg]; + u32 *dst = ®s->data[priv->dreg]; +- union { u32 u32; u16 u16; } *s, *d; ++ u16 *s16, *d16; + unsigned int i; + +- s = (void *)src; +- d = (void *)dst; ++ s16 = (void *)src; ++ d16 = (void *)dst; + + switch (priv->size) { + case 8: { +@@ -63,11 +63,11 @@ static void nft_byteorder_eval(const struct nft_expr *expr, + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = ntohl((__force __be32)s[i].u32); ++ dst[i] = ntohl((__force __be32)src[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = (__force __u32)htonl(s[i].u32); ++ dst[i] = (__force __u32)htonl(src[i]); + break; + } + break; +@@ -75,11 +75,11 @@ static void nft_byteorder_eval(const struct nft_expr *expr, + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = ntohs((__force __be16)s[i].u16); ++ d16[i] = ntohs((__force __be16)s16[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = (__force __u16)htons(s[i].u16); ++ d16[i] = (__force __u16)htons(s16[i]); + break; + } + break; +-- +2.40.1 + + diff --git a/SOURCES/CVE-2023-3609.patch b/SOURCES/CVE-2023-3609.patch new file mode 100644 index 0000000..7a27dcc --- /dev/null +++ b/SOURCES/CVE-2023-3609.patch @@ -0,0 +1,149 @@ +From 889eaaeaa5aa88308347b90f53e1bd2301a50dec Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Mon, 25 Sep 2023 10:50:48 -0400 +Subject: [KPATCH CVE-2023-3609] kpatch fixes for CVE-2023-3609 + +Kernels: +3.10.0-1160.88.1.el7 +3.10.0-1160.90.1.el7 +3.10.0-1160.92.1.el7 +3.10.0-1160.95.1.el7 +3.10.0-1160.99.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/59 +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +[x86_64]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_delsetelem +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nf_tables_api.o: changed function: nft_validate_register_store +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +[ppc64le]: +cls_u32.o: changed function: u32_set_parms.isra.21 +nf_tables_api.o: changed function: nf_tables_bind_check_setelem +nf_tables_api.o: changed function: nf_tables_delset +nf_tables_api.o: changed function: nf_tables_delsetelem +nf_tables_api.o: changed function: nf_tables_dump_set +nf_tables_api.o: changed function: nf_tables_getset +nf_tables_api.o: changed function: nf_tables_getsetelem +nf_tables_api.o: changed function: nf_tables_newset +nf_tables_api.o: changed function: nf_tables_newsetelem +nf_tables_api.o: changed function: nf_tables_set_lookup +nf_tables_api.o: changed function: nf_tables_set_lookup_byid +nf_tables_api.o: changed function: nft_add_set_elem +nf_tables_api.o: changed function: nft_validate_register_store +nft_byteorder.o: changed function: nft_byteorder_eval +nft_dynset.o: changed function: nft_dynset_init +nft_lookup.o: changed function: nft_lookup_init + +--------------------------- + +Modifications: none + +commit 867fb59af8011c735d38c08d6e6ecef67265cb4e +Author: Davide Caratti +Date: Tue Aug 8 11:18:31 2023 +0200 + + net/sched: cls_u32: Fix reference counter leak leading to overflow + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225486 + CVE: CVE-2023-3609 + Upstream Status: net.git commit 04c55383fa56 + Conflicts: + - net/sched/cls_u32.c: we still have CONFIG_NET_CLS_IND in rhel7, + because of missing upstream commit a51486266c3b ("net: sched: remove + NET_CLS_IND config option"), so the patch has been manually reworked + to preserve use of #ifdef CONFIG_NET_CLS_IND + - we also don't have extacks because of missing backport of upstream + commit 4b981dbc2272 ("net: sched: cls_u32: add extack support"), so + the call to tcf_change_indev() has no 'extack' parameter + + commit 04c55383fa5689357bcdd2c8036725a55ed632bc + Author: Lee Jones + Date: Thu Jun 8 08:29:03 2023 +0100 + + net/sched: cls_u32: Fix reference counter leak leading to overflow + + In the event of a failure in tcf_change_indev(), u32_set_parms() will + immediately return without decrementing the recently incremented + reference counter. If this happens enough times, the counter will + rollover and the reference freed, leading to a double free which can be + used to do 'bad things'. + + In order to prevent this, move the point of possible failure above the + point where the reference counter is incremented. Also save any + meaningful return values to be applied to the return data at the + appropriate point in time. + + This issue was caught with KASAN. + + Fixes: 705c7091262d ("net: sched: cls_u32: no need to call tcf_exts_change for newly allocated struct") + Suggested-by: Eric Dumazet + Signed-off-by: Lee Jones + Reviewed-by: Eric Dumazet + Acked-by: Jamal Hadi Salim + Signed-off-by: David S. Miller + + Signed-off-by: Davide Caratti + +Signed-off-by: Ryan Sullivan +--- + net/sched/cls_u32.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 269dcb08fed5..cc9398e10451 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -768,11 +768,22 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + struct nlattr *est, bool ovr) + { + int err; ++#ifdef CONFIG_NET_CLS_IND ++ int ifindex = -1; ++#endif + + err = tcf_exts_validate(net, tp, tb, est, &n->exts, ovr); + if (err < 0) + return err; + ++#ifdef CONFIG_NET_CLS_IND ++ if (tb[TCA_U32_INDEV]) { ++ ifindex = tcf_change_indev(net, tb[TCA_U32_INDEV]); ++ if (ifindex < 0) ++ return -EINVAL; ++ } ++#endif ++ + if (tb[TCA_U32_LINK]) { + u32 handle = nla_get_u32(tb[TCA_U32_LINK]); + struct tc_u_hnode *ht_down = NULL, *ht_old; +@@ -800,14 +811,10 @@ static int u32_set_parms(struct net *net, struct tcf_proto *tp, + } + + #ifdef CONFIG_NET_CLS_IND +- if (tb[TCA_U32_INDEV]) { +- int ret; +- ret = tcf_change_indev(net, tb[TCA_U32_INDEV]); +- if (ret < 0) +- return -EINVAL; +- n->ifindex = ret; +- } ++ if (ifindex >= 0) ++ n->ifindex = ifindex; + #endif ++ + return 0; + } + +-- +2.40.1 + + diff --git a/SOURCES/v0.9.2-backport-MR-1200-Make-sure-section-symbols-ex.patch b/SOURCES/v0.9.2-backport-MR-1200-Make-sure-section-symbols-ex.patch new file mode 100644 index 0000000..2aec990 --- /dev/null +++ b/SOURCES/v0.9.2-backport-MR-1200-Make-sure-section-symbols-ex.patch @@ -0,0 +1,83 @@ +From c1a07a5329c0b7db0ec54eea093e5d2d77735c06 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Fri, 9 Dec 2022 15:37:49 -0500 +Subject: [PATCH] v0.9.2 backport: MR!1200 ("Make sure section symbols exist") +Content-type: text/plain + +commit 5622e3cc3d393fd77866b9838d16cd064de6fba5 +Author: Artem Savkov +Date: Fri Jun 18 10:59:26 2021 +0200 + + Make sure section symbols exist + + Binutils recently became much more aggressive about removing unused + section symbols. Since we can not rely on those being available anymore + add additional checks before using them. + + Fixes: #1193 + + Signed-off-by: Artem Savkov + +Fixes: KLP-216 ("Backport kpatch-build section symbol check") +Signed-off-by: Joe Lawrence +--- + kpatch-build/create-diff-object.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/kpatch-build/create-diff-object.c b/kpatch-build/create-diff-object.c +index c9afe33bbdae..94879b5fce6a 100644 +--- a/kpatch-build/create-diff-object.c ++++ b/kpatch-build/create-diff-object.c +@@ -1241,7 +1241,8 @@ static void kpatch_correlate_static_local_variables(struct kpatch_elf *base, + if (bundled && sym->sec->twin) { + UNCORRELATE_ELEMENT(sym->sec); + +- UNCORRELATE_ELEMENT(sym->sec->secsym); ++ if (sym->sec->secsym) ++ UNCORRELATE_ELEMENT(sym->sec->secsym); + + if (sym->sec->rela) + UNCORRELATE_ELEMENT(sym->sec->rela); +@@ -1744,7 +1745,7 @@ static int kpatch_include_callback_elements(struct kpatch_elf *kelf) + sym = rela->sym; + log_normal("found callback: %s\n",sym->name); + kpatch_include_symbol(sym); +- } else { ++ } else if (sec->secsym) { + sec->secsym->include = 1; + } + } +@@ -1772,7 +1773,8 @@ static void kpatch_include_force_elements(struct kpatch_elf *kelf) + sec->include = 1; + if (!is_rela_section(sec)) { + /* .kpatch.force */ +- sec->secsym->include = 1; ++ if (sec->secsym) ++ sec->secsym->include = 1; + continue; + } + /* .rela.kpatch.force */ +@@ -2381,7 +2383,8 @@ static void kpatch_regenerate_special_section(struct kpatch_elf *kelf, + sec->include = 1; + sec->base->include = 1; + /* include secsym so .kpatch.arch relas can point to section symbols */ +- sec->base->secsym->include = 1; ++ if (sec->base->secsym) ++ sec->base->secsym->include = 1; + + /* + * Update text section data buf and size. +@@ -2564,7 +2567,9 @@ static void kpatch_mark_ignored_sections(struct kpatch_elf *kelf) + * from the section data comparison, but this is a simpler way. + */ + strsec->include = 1; +- strsec->secsym->include = 1; ++ if (strsec->secsym) ++ strsec->secsym->include = 1; ++ + name = strsec->data->d_buf + rela->addend; + ignoresec = find_section_by_name(&kelf->sections, name); + if (!ignoresec) +-- +2.38.1 + diff --git a/SOURCES/v0.9.2-backport-MR-1281-create-diff-object-add-suppo.patch b/SOURCES/v0.9.2-backport-MR-1281-create-diff-object-add-suppo.patch new file mode 100644 index 0000000..38ef70c --- /dev/null +++ b/SOURCES/v0.9.2-backport-MR-1281-create-diff-object-add-suppo.patch @@ -0,0 +1,54 @@ +From d98f100dc979f87296ec88b63a0d506aaf4cd2bd Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 8 Dec 2022 12:31:17 -0500 +Subject: [PATCH] v0.9.2 backport: MR!1281 ("create-diff-object: add support + for .return_sites section (x86)") +Content-type: text/plain + +commit 33368a88cdf875b0edd02b0dfd3356a7e93b24db +Author: Jonathan Dobson +Date: Sat Jul 16 15:46:54 2022 -0600 + + create-diff-object: add support for .return_sites section (x86) + + Conflicts: + kpatch-build/create-diff-object.c + - Manually apply patch to avoid diff context, v0.9.2 structure + special_section structure doesn't have .arch + +Signed-off-by: Joe Lawrence +--- + kpatch-build/create-diff-object.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/kpatch-build/create-diff-object.c b/kpatch-build/create-diff-object.c +index cee8adf333dc..c9afe33bbdae 100644 +--- a/kpatch-build/create-diff-object.c ++++ b/kpatch-build/create-diff-object.c +@@ -1991,6 +1991,11 @@ static int altinstructions_group_size(struct kpatch_elf *kelf, int offset) + return size; + } + ++static int return_sites_group_size(struct kpatch_elf *kelf, int offset) ++{ ++ return 4; ++} ++ + static int smp_locks_group_size(struct kpatch_elf *kelf, int offset) + { + return 4; +@@ -2103,6 +2108,11 @@ static struct special_section special_sections[] = { + .name = ".altinstructions", + .group_size = altinstructions_group_size, + }, ++ { ++ .name = ".return_sites", ++ .group_size = return_sites_group_size, ++ }, ++ + #endif + #ifdef __powerpc64__ + { +-- +2.38.1 + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index b6fa541..d18bf32 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,24 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 3.10.0-1160.99.1.el7 %define kpatch_ver 0.9.2 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2196588 +Source100: CVE-2023-32233-full2.patch +# +# https://bugzilla.redhat.com/2221747 +Source101: CVE-2023-35001.patch +# +# https://bugzilla.redhat.com/2225510 +Source102: CVE-2023-3609.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -146,5 +153,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Sep 26 2023 Yannick Cote [1-1.el7] +- kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails [2225510] {CVE-2023-3609} +- kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() [2221747] {CVE-2023-35001} +- kernel: netfilter: use-after-free in nf_tables when processing batch requests can lead to privilege escalation [2196588] {CVE-2023-32233} + * Mon Aug 14 2023 Yannick Cote [0-0.el7] - An empty patch to subscribe to kpatch stream for kernel-3.10.0-1160.99.1.el7 [2231880]