diff --git a/SOURCES/CVE-2022-42896.patch b/SOURCES/CVE-2022-42896.patch new file mode 100644 index 0000000..a19fcb5 --- /dev/null +++ b/SOURCES/CVE-2022-42896.patch @@ -0,0 +1,505 @@ +From 5fe8bfedd40a614374fdcb430694de00aedae2c5 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 18 Jan 2024 09:42:47 -0500 +Subject: [KPATCH CVE-2022-42896] kpatch fixes for CVE-2022-42896 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Kernels: +3.10.0-1160.95.1.el7 +3.10.0-1160.99.1.el7 +3.10.0-1160.102.1.el7 +3.10.0-1160.105.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/66 +Changes since last build: +[x86_64]: +igb_main.o: changed function: igb_configure +l2cap_core.o: changed function: l2cap_chan_hold +l2cap_core.o: changed function: l2cap_conn_get +l2cap_core.o: changed function: l2cap_global_chan_by_psm +l2cap_core.o: changed function: l2cap_recv_frame +l2cap_core.o: new function: klp_l2cap_le_sig_cmd +sch_atm.o: changed function: atm_tc_peek +sch_atm.o: changed function: sch_atm_dequeue +sch_drr.o: changed function: drr_dequeue +sch_dsmark.o: changed function: dsmark_peek +sch_hfsc.o: changed function: hfsc_enqueue +sch_hfsc.o: changed function: qdisc_peek_len +sch_multiq.o: changed function: multiq_peek +sch_prio.o: changed function: prio_peek +sch_qfq.o: changed function: qfq_change_class +sch_qfq.o: changed function: qfq_dequeue +sch_red.o: changed function: red_peek +sch_sfb.o: changed function: sfb_peek +sch_tbf.o: changed function: tbf_dequeue + +[ppc64le]: +l2cap_core.o: changed function: __l2cap_chan_add +l2cap_core.o: changed function: __l2cap_physical_cfm +l2cap_core.o: changed function: __set_monitor_timer +l2cap_core.o: changed function: __set_retrans_timer.part.24 +l2cap_core.o: changed function: l2cap_ack_timeout +l2cap_core.o: changed function: l2cap_build_conf_req +l2cap_core.o: changed function: l2cap_chan_busy +l2cap_core.o: changed function: l2cap_chan_close +l2cap_core.o: changed function: l2cap_chan_connect +l2cap_core.o: changed function: l2cap_chan_del +l2cap_core.o: changed function: l2cap_chan_hold +l2cap_core.o: changed function: l2cap_chan_put +l2cap_core.o: changed function: l2cap_chan_send +l2cap_core.o: changed function: l2cap_chan_timeout +l2cap_core.o: changed function: l2cap_conn_add.part.28 +l2cap_core.o: changed function: l2cap_conn_del +l2cap_core.o: changed function: l2cap_conn_start +l2cap_core.o: changed function: l2cap_connect +l2cap_core.o: changed function: l2cap_connect_cfm +l2cap_core.o: changed function: l2cap_connect_create_rsp +l2cap_core.o: changed function: l2cap_data_channel +l2cap_core.o: changed function: l2cap_disconn_cfm +l2cap_core.o: changed function: l2cap_do_create +l2cap_core.o: changed function: l2cap_do_start +l2cap_core.o: changed function: l2cap_ertm_resend +l2cap_core.o: changed function: l2cap_ertm_send +l2cap_core.o: changed function: l2cap_global_fixed_chan +l2cap_core.o: changed function: l2cap_handle_rej +l2cap_core.o: changed function: l2cap_handle_srej +l2cap_core.o: changed function: l2cap_logical_cfm +l2cap_core.o: changed function: l2cap_monitor_timeout +l2cap_core.o: changed function: l2cap_move_done +l2cap_core.o: changed function: l2cap_move_setup +l2cap_core.o: changed function: l2cap_parse_conf_rsp.constprop.36 +l2cap_core.o: changed function: l2cap_pass_to_tx +l2cap_core.o: changed function: l2cap_process_reqseq +l2cap_core.o: changed function: l2cap_recv_frame +l2cap_core.o: changed function: l2cap_retrans_timeout +l2cap_core.o: changed function: l2cap_retransmit_all +l2cap_core.o: changed function: l2cap_rx +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_security_cfm +l2cap_core.o: changed function: l2cap_send_ack +l2cap_core.o: changed function: l2cap_send_efs_conf_rsp +l2cap_core.o: changed function: l2cap_send_i_or_rr_or_rnr +l2cap_core.o: changed function: l2cap_send_move_chan_cfm +l2cap_core.o: changed function: l2cap_send_move_chan_cfm_icid +l2cap_core.o: changed function: l2cap_send_move_chan_req +l2cap_core.o: changed function: l2cap_send_rr_or_rnr +l2cap_core.o: changed function: l2cap_send_sframe +l2cap_core.o: changed function: l2cap_send_srej +l2cap_core.o: changed function: l2cap_send_srej_tail +l2cap_core.o: changed function: l2cap_start_connection +l2cap_core.o: new function: l2cap_connect_req +sch_atm.o: changed function: atm_tc_bind_filter +sch_atm.o: changed function: atm_tc_change +sch_atm.o: changed function: atm_tc_delete +sch_atm.o: changed function: atm_tc_destroy +sch_atm.o: changed function: atm_tc_enqueue +sch_atm.o: changed function: atm_tc_find +sch_atm.o: changed function: atm_tc_graft +sch_atm.o: changed function: atm_tc_leaf +sch_atm.o: changed function: atm_tc_peek +sch_atm.o: changed function: atm_tc_put +sch_atm.o: changed function: atm_tc_reset +sch_atm.o: changed function: atm_tc_tcf_block +sch_atm.o: changed function: sch_atm_dequeue +sch_drr.o: changed function: drr_dequeue +sch_dsmark.o: changed function: dsmark_bind_filter +sch_dsmark.o: changed function: dsmark_change +sch_dsmark.o: changed function: dsmark_destroy +sch_dsmark.o: changed function: dsmark_dump_class +sch_dsmark.o: changed function: dsmark_init +sch_dsmark.o: changed function: dsmark_peek +sch_dsmark.o: changed function: dsmark_reset +sch_hfsc.o: changed function: hfsc_change_class +sch_hfsc.o: changed function: hfsc_dequeue +sch_hfsc.o: changed function: hfsc_enqueue +sch_multiq.o: changed function: multiq_peek +sch_prio.o: changed function: prio_peek +sch_qfq.o: changed function: qfq_change_class +sch_qfq.o: changed function: qfq_dequeue +sch_red.o: changed function: red_peek +sch_sfb.o: changed function: sfb_peek +sch_tbf.o: changed function: tbf_dequeue + +--------------------------- + +Modifications: +- function l2cap_le_sig_cmd has no fentry/mcount call, so add a "klp_" + prefix to the patched version and its callers +- for ppc64le, add __attribute__((optimize("-fno-optimize-sibling-calls"))) + l2cap_chan_hold() + l2cap_disconn_cfm() + l2cap_handle_rej() + l2cap_handle_srej() + l2cap_monitor_timeout() + l2cap_pass_to_tx() + l2cap_retransmit_all() + l2cap_send_efs_conf_rsp() + l2cap_send_sframe() + +commit d8f15b60a96ba8ce5d3d55518eb939d9bebd87a9 +Author: David Marlin +Date: Tue Jan 9 23:44:57 2024 -0600 + + Bluetooth: L2CAP: Fix L2CAP_CR_SCID_IN_USE value + + JIRA: https://issues.redhat.com/browse/RHEL-2742 + CVE: CVE-2022-42896 + + commit d8edd9ed156a1a840f1b1c2dbbf458684d6eea6e + Author: Marcin Kraglak + Date: Wed Mar 8 14:09:41 2017 +0100 + + Bluetooth: L2CAP: Fix L2CAP_CR_SCID_IN_USE value + + Fix issue found during L2CAP qualification test TP/LE/CFC/BV-20-C. + + Signed-off-by: Marcin Kraglak + Signed-off-by: Marcel Holtmann + + Signed-off-by: David Marlin + +commit ae6cdce73d24b5cdccb89f88552bd6a9074f0aed +Author: David Marlin +Date: Tue Jan 9 23:45:05 2024 -0600 + + Bluetooth: Use separate L2CAP LE credit based connection result values + + JIRA: https://issues.redhat.com/browse/RHEL-2742 + CVE: CVE-2022-42896 + + commit 571f739083e2544b343b5998608de679519de4e9 + Author: Mallikarjun Phulari + Date: Fri Oct 5 14:48:12 2018 +0530 + + Bluetooth: Use separate L2CAP LE credit based connection result values + + Add the result values specific to L2CAP LE credit based connections + and change the old result values wherever they were used. + + Signed-off-by: Mallikarjun Phulari + Signed-off-by: Marcel Holtmann + + Signed-off-by: David Marlin + +commit b45513e7819c6d7fe8bcd8bcf94670e0da9cc949 +Author: David Marlin +Date: Tue Jan 9 23:46:25 2024 -0600 + + Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM + + JIRA: https://issues.redhat.com/browse/RHEL-2742 + + CVE: CVE-2022-42896 + + Conflicts: + Our 3.10 tree does not include support for Bluetooth Enhanced Credit Based Mode, + so omit hunk #2 of: + 711f8c3fb3db Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM + + commit 711f8c3fb3db61897080468586b970c87c61d9e4 + Author: Luiz Augusto von Dentz + Date: Mon Oct 31 16:10:32 2022 -0700 + + Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM + + The Bluetooth spec states that the valid range for SPSM is from + 0x0001-0x00ff so it is invalid to accept values outside of this range: + + BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A + page 1059: + Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges + + CVE: CVE-2022-42896 + CC: stable@vger.kernel.org + Reported-by: Tamás Koczka + Signed-off-by: Luiz Augusto von Dentz + Reviewed-by: Tedd Ho-Jeong An + + Signed-off-by: David Marlin + +commit a766b7a5d576eb559319776f8fa400f00128937e +Author: David Marlin +Date: Tue Jan 9 23:47:13 2024 -0600 + + Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm + + JIRA: https://issues.redhat.com/browse/RHEL-2742 + CVE: CVE-2022-42896 + + commit f937b758a188d6fd328a81367087eddbb2fce50f + Author: Luiz Augusto von Dentz + Date: Mon Oct 31 16:10:33 2022 -0700 + + Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm + + l2cap_global_chan_by_psm shall not return fixed channels as they are not + meant to be connected by (S)PSM. + + Signed-off-by: Luiz Augusto von Dentz + Reviewed-by: Tedd Ho-Jeong An + + Signed-off-by: David Marlin + +Signed-off-by: Joe Lawrence +--- + include/net/bluetooth/l2cap.h | 17 +++++++---- + net/bluetooth/l2cap_core.c | 55 +++++++++++++++++++++++++---------- + 2 files changed, 50 insertions(+), 22 deletions(-) + +diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h +index 45f3a951974c..1b0dfbb0eb82 100644 +--- a/include/net/bluetooth/l2cap.h ++++ b/include/net/bluetooth/l2cap.h +@@ -277,12 +277,17 @@ struct l2cap_conn_rsp { + #define L2CAP_CR_SEC_BLOCK 0x0003 + #define L2CAP_CR_NO_MEM 0x0004 + #define L2CAP_CR_BAD_AMP 0x0005 +-#define L2CAP_CR_AUTHENTICATION 0x0005 +-#define L2CAP_CR_AUTHORIZATION 0x0006 +-#define L2CAP_CR_BAD_KEY_SIZE 0x0007 +-#define L2CAP_CR_ENCRYPTION 0x0008 +-#define L2CAP_CR_INVALID_SCID 0x0009 +-#define L2CAP_CR_SCID_IN_USE 0x0010 ++ ++/* credit based connect results */ ++#define L2CAP_CR_LE_SUCCESS 0x0000 ++#define L2CAP_CR_LE_BAD_PSM 0x0002 ++#define L2CAP_CR_LE_NO_MEM 0x0004 ++#define L2CAP_CR_LE_AUTHENTICATION 0x0005 ++#define L2CAP_CR_LE_AUTHORIZATION 0x0006 ++#define L2CAP_CR_LE_BAD_KEY_SIZE 0x0007 ++#define L2CAP_CR_LE_ENCRYPTION 0x0008 ++#define L2CAP_CR_LE_INVALID_SCID 0x0009 ++#define L2CAP_CR_LE_SCID_IN_USE 0X000A + + /* connect/create channel status */ + #define L2CAP_CS_NO_INFO 0x0000 +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 4338810b0d58..a3bed86517e7 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -480,6 +480,7 @@ static void l2cap_chan_destroy(struct kref *kref) + kfree(chan); + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + void l2cap_chan_hold(struct l2cap_chan *c) + { + BT_DBG("chan %p orig refcnt %d", c, kref_read(&c->kref)); +@@ -682,9 +683,9 @@ static void l2cap_chan_le_connect_reject(struct l2cap_chan *chan) + u16 result; + + if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) +- result = L2CAP_CR_AUTHORIZATION; ++ result = L2CAP_CR_LE_AUTHORIZATION; + else +- result = L2CAP_CR_BAD_PSM; ++ result = L2CAP_CR_LE_BAD_PSM; + + l2cap_state_change(chan, BT_DISCONN); + +@@ -1067,6 +1068,7 @@ static struct sk_buff *l2cap_create_sframe_pdu(struct l2cap_chan *chan, + return skb; + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static void l2cap_send_sframe(struct l2cap_chan *chan, + struct l2cap_ctrl *control) + { +@@ -1792,7 +1794,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, + if (link_type == LE_LINK && c->src_type == BDADDR_BREDR) + continue; + +- if (c->psm == psm) { ++ if (c->chan_type != L2CAP_CHAN_FIXED && c->psm == psm) { + int src_match, dst_match; + int src_any, dst_any; + +@@ -1822,6 +1824,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, + return c1; + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static void l2cap_monitor_timeout(struct work_struct *work) + { + struct l2cap_chan *chan = container_of(work, struct l2cap_chan, +@@ -2062,6 +2065,7 @@ static void l2cap_retransmit(struct l2cap_chan *chan, + l2cap_ertm_resend(chan); + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static void l2cap_retransmit_all(struct l2cap_chan *chan, + struct l2cap_ctrl *control) + { +@@ -2862,6 +2866,7 @@ static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + } + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static void l2cap_pass_to_tx(struct l2cap_chan *chan, + struct l2cap_ctrl *control) + { +@@ -3702,7 +3707,7 @@ void __l2cap_le_connect_rsp_defer(struct l2cap_chan *chan) + rsp.mtu = cpu_to_le16(chan->imtu); + rsp.mps = cpu_to_le16(chan->mps); + rsp.credits = cpu_to_le16(chan->rx_credits); +- rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS); ++ rsp.result = cpu_to_le16(L2CAP_CR_LE_SUCCESS); + + l2cap_send_cmd(conn, chan->ident, L2CAP_LE_CONN_RSP, sizeof(rsp), + &rsp); +@@ -4055,6 +4060,8 @@ static inline void set_default_fcs(struct l2cap_chan *chan) + chan->fcs = L2CAP_FCS_CRC16; + } + ++ ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static void l2cap_send_efs_conf_rsp(struct l2cap_chan *chan, void *data, + u8 ident, u16 flags) + { +@@ -5318,7 +5325,7 @@ static int l2cap_le_connect_rsp(struct l2cap_conn *conn, + credits = __le16_to_cpu(rsp->credits); + result = __le16_to_cpu(rsp->result); + +- if (result == L2CAP_CR_SUCCESS && (mtu < 23 || mps < 23 || ++ if (result == L2CAP_CR_LE_SUCCESS && (mtu < 23 || mps < 23 || + dcid < L2CAP_CID_DYN_START || + dcid > L2CAP_CID_LE_DYN_END)) + return -EPROTO; +@@ -5339,7 +5346,7 @@ static int l2cap_le_connect_rsp(struct l2cap_conn *conn, + l2cap_chan_lock(chan); + + switch (result) { +- case L2CAP_CR_SUCCESS: ++ case L2CAP_CR_LE_SUCCESS: + if (__l2cap_get_chan_by_dcid(conn, dcid)) { + err = -EBADSLT; + break; +@@ -5353,8 +5360,8 @@ static int l2cap_le_connect_rsp(struct l2cap_conn *conn, + l2cap_chan_ready(chan); + break; + +- case L2CAP_CR_AUTHENTICATION: +- case L2CAP_CR_ENCRYPTION: ++ case L2CAP_CR_LE_AUTHENTICATION: ++ case L2CAP_CR_LE_ENCRYPTION: + /* If we already have MITM protection we can't do + * anything. + */ +@@ -5493,11 +5500,24 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, + BT_DBG("psm 0x%2.2x scid 0x%4.4x mtu %u mps %u", __le16_to_cpu(psm), + scid, mtu, mps); + ++ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 3, Part A ++ * page 1059: ++ * ++ * Valid range: 0x0001-0x00ff ++ * ++ * Table 4.15: L2CAP_LE_CREDIT_BASED_CONNECTION_REQ SPSM ranges ++ */ ++ if (!psm || __le16_to_cpu(psm) > L2CAP_PSM_LE_DYN_END) { ++ result = L2CAP_CR_LE_BAD_PSM; ++ chan = NULL; ++ goto response; ++ } ++ + /* Check if we have socket listening on psm */ + pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, &conn->hcon->src, + &conn->hcon->dst, LE_LINK); + if (!pchan) { +- result = L2CAP_CR_BAD_PSM; ++ result = L2CAP_CR_LE_BAD_PSM; + chan = NULL; + goto response; + } +@@ -5507,28 +5527,28 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, + + if (!smp_sufficient_security(conn->hcon, pchan->sec_level, + SMP_ALLOW_STK)) { +- result = L2CAP_CR_AUTHENTICATION; ++ result = L2CAP_CR_LE_AUTHENTICATION; + chan = NULL; + goto response_unlock; + } + + /* Check for valid dynamic CID range */ + if (scid < L2CAP_CID_DYN_START || scid > L2CAP_CID_LE_DYN_END) { +- result = L2CAP_CR_INVALID_SCID; ++ result = L2CAP_CR_LE_INVALID_SCID; + chan = NULL; + goto response_unlock; + } + + /* Check if we already have channel with that dcid */ + if (__l2cap_get_chan_by_dcid(conn, scid)) { +- result = L2CAP_CR_SCID_IN_USE; ++ result = L2CAP_CR_LE_SCID_IN_USE; + chan = NULL; + goto response_unlock; + } + + chan = pchan->ops->new_connection(pchan); + if (!chan) { +- result = L2CAP_CR_NO_MEM; ++ result = L2CAP_CR_LE_NO_MEM; + goto response_unlock; + } + +@@ -5563,7 +5583,7 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn, + chan->ops->defer(chan); + } else { + l2cap_chan_ready(chan); +- result = L2CAP_CR_SUCCESS; ++ result = L2CAP_CR_LE_SUCCESS; + } + + response_unlock: +@@ -5665,7 +5685,7 @@ done: + return 0; + } + +-static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn, ++static inline int klp_l2cap_le_sig_cmd(struct l2cap_conn *conn, + struct l2cap_cmd_hdr *cmd, u16 cmd_len, + u8 *data) + { +@@ -5738,7 +5758,7 @@ static inline void l2cap_le_sig_channel(struct l2cap_conn *conn, + goto drop; + } + +- err = l2cap_le_sig_cmd(conn, cmd, len, skb->data); ++ err = klp_l2cap_le_sig_cmd(conn, cmd, len, skb->data); + if (err) { + struct l2cap_cmd_rej_unk rej; + +@@ -6012,6 +6032,7 @@ static int l2cap_rx_queued_iframes(struct l2cap_chan *chan) + return err; + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static void l2cap_handle_srej(struct l2cap_chan *chan, + struct l2cap_ctrl *control) + { +@@ -6070,6 +6091,7 @@ static void l2cap_handle_srej(struct l2cap_chan *chan, + } + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static void l2cap_handle_rej(struct l2cap_chan *chan, + struct l2cap_ctrl *control) + { +@@ -7442,6 +7464,7 @@ int l2cap_disconn_ind(struct hci_conn *hcon) + return conn->disc_reason; + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static void l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason) + { + if (hcon->type != ACL_LINK && hcon->type != LE_LINK) +-- +2.44.0 + + diff --git a/SOURCES/CVE-2023-31436.patch b/SOURCES/CVE-2023-31436.patch new file mode 100644 index 0000000..75c68bf --- /dev/null +++ b/SOURCES/CVE-2023-31436.patch @@ -0,0 +1,269 @@ +From 85b78933a00c38dac80b5bbdf75a2114a0284765 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Mon, 26 Feb 2024 12:32:57 -0500 +Subject: [KPATCH CVE-2023-31436] kpatch fixes for CVE-2023-31436 + +Kernels: +3.10.0-1160.95.1.el7 +3.10.0-1160.99.1.el7 +3.10.0-1160.102.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/69 +Changes since last build: +[x86_64]: +igb_main.o: changed function: igb_configure +l2cap_core.o: changed function: l2cap_chan_hold +l2cap_core.o: changed function: l2cap_conn_get +l2cap_core.o: changed function: l2cap_global_chan_by_psm +l2cap_core.o: changed function: l2cap_recv_frame +l2cap_core.o: new function: klp_l2cap_le_sig_cmd +sch_atm.o: changed function: atm_tc_peek +sch_atm.o: changed function: sch_atm_dequeue +sch_drr.o: changed function: drr_dequeue +sch_dsmark.o: changed function: dsmark_peek +sch_hfsc.o: changed function: hfsc_enqueue +sch_hfsc.o: changed function: qdisc_peek_len +sch_multiq.o: changed function: multiq_peek +sch_prio.o: changed function: prio_peek +sch_qfq.o: changed function: qfq_change_class +sch_qfq.o: changed function: qfq_dequeue +sch_red.o: changed function: red_peek +sch_sfb.o: changed function: sfb_peek +sch_tbf.o: changed function: tbf_dequeue + +[ppc64le]: +l2cap_core.o: changed function: __l2cap_chan_add +l2cap_core.o: changed function: __l2cap_physical_cfm +l2cap_core.o: changed function: __set_monitor_timer +l2cap_core.o: changed function: __set_retrans_timer.part.24 +l2cap_core.o: changed function: l2cap_ack_timeout +l2cap_core.o: changed function: l2cap_build_conf_req +l2cap_core.o: changed function: l2cap_chan_busy +l2cap_core.o: changed function: l2cap_chan_close +l2cap_core.o: changed function: l2cap_chan_connect +l2cap_core.o: changed function: l2cap_chan_del +l2cap_core.o: changed function: l2cap_chan_hold +l2cap_core.o: changed function: l2cap_chan_put +l2cap_core.o: changed function: l2cap_chan_send +l2cap_core.o: changed function: l2cap_chan_timeout +l2cap_core.o: changed function: l2cap_conn_add.part.28 +l2cap_core.o: changed function: l2cap_conn_del +l2cap_core.o: changed function: l2cap_conn_start +l2cap_core.o: changed function: l2cap_connect +l2cap_core.o: changed function: l2cap_connect_cfm +l2cap_core.o: changed function: l2cap_connect_create_rsp +l2cap_core.o: changed function: l2cap_data_channel +l2cap_core.o: changed function: l2cap_disconn_cfm +l2cap_core.o: changed function: l2cap_do_create +l2cap_core.o: changed function: l2cap_do_start +l2cap_core.o: changed function: l2cap_ertm_resend +l2cap_core.o: changed function: l2cap_ertm_send +l2cap_core.o: changed function: l2cap_global_fixed_chan +l2cap_core.o: changed function: l2cap_handle_rej +l2cap_core.o: changed function: l2cap_handle_srej +l2cap_core.o: changed function: l2cap_logical_cfm +l2cap_core.o: changed function: l2cap_monitor_timeout +l2cap_core.o: changed function: l2cap_move_done +l2cap_core.o: changed function: l2cap_move_setup +l2cap_core.o: changed function: l2cap_parse_conf_rsp.constprop.36 +l2cap_core.o: changed function: l2cap_pass_to_tx +l2cap_core.o: changed function: l2cap_process_reqseq +l2cap_core.o: changed function: l2cap_recv_frame +l2cap_core.o: changed function: l2cap_retrans_timeout +l2cap_core.o: changed function: l2cap_retransmit_all +l2cap_core.o: changed function: l2cap_rx +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_security_cfm +l2cap_core.o: changed function: l2cap_send_ack +l2cap_core.o: changed function: l2cap_send_efs_conf_rsp +l2cap_core.o: changed function: l2cap_send_i_or_rr_or_rnr +l2cap_core.o: changed function: l2cap_send_move_chan_cfm +l2cap_core.o: changed function: l2cap_send_move_chan_cfm_icid +l2cap_core.o: changed function: l2cap_send_move_chan_req +l2cap_core.o: changed function: l2cap_send_rr_or_rnr +l2cap_core.o: changed function: l2cap_send_sframe +l2cap_core.o: changed function: l2cap_send_srej +l2cap_core.o: changed function: l2cap_send_srej_tail +l2cap_core.o: changed function: l2cap_start_connection +l2cap_core.o: new function: l2cap_connect_req +sch_atm.o: changed function: atm_tc_bind_filter +sch_atm.o: changed function: atm_tc_change +sch_atm.o: changed function: atm_tc_delete +sch_atm.o: changed function: atm_tc_destroy +sch_atm.o: changed function: atm_tc_enqueue +sch_atm.o: changed function: atm_tc_find +sch_atm.o: changed function: atm_tc_graft +sch_atm.o: changed function: atm_tc_leaf +sch_atm.o: changed function: atm_tc_peek +sch_atm.o: changed function: atm_tc_put +sch_atm.o: changed function: atm_tc_reset +sch_atm.o: changed function: atm_tc_tcf_block +sch_atm.o: changed function: sch_atm_dequeue +sch_drr.o: changed function: drr_dequeue +sch_dsmark.o: changed function: dsmark_bind_filter +sch_dsmark.o: changed function: dsmark_change +sch_dsmark.o: changed function: dsmark_destroy +sch_dsmark.o: changed function: dsmark_dump_class +sch_dsmark.o: changed function: dsmark_init +sch_dsmark.o: changed function: dsmark_peek +sch_dsmark.o: changed function: dsmark_reset +sch_hfsc.o: changed function: hfsc_change_class +sch_hfsc.o: changed function: hfsc_dequeue +sch_hfsc.o: changed function: hfsc_enqueue +sch_multiq.o: changed function: multiq_peek +sch_prio.o: changed function: prio_peek +sch_qfq.o: changed function: qfq_change_class +sch_qfq.o: changed function: qfq_dequeue +sch_red.o: changed function: red_peek +sch_sfb.o: changed function: sfb_peek +sch_tbf.o: changed function: tbf_dequeue + +--------------------------- + +Modifications: none + +commit 906f32101a825691a705bc5754716cc870f64b83 +Author: Davide Caratti +Date: Tue Sep 5 11:15:12 2023 +0200 + + net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2225555 + Upstream Status: net.git commit 3037933448f6 + + commit 3037933448f60f9acb705997eae62013ecb81e0d + Author: Gwangun Jung + Date: Thu Apr 13 19:35:54 2023 +0900 + + net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg + + If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. + The MTU of the loopback device can be set up to 2^31-1. + As a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX. + + Due to the invalid lmax value, an index is generated that exceeds the QFQ_MAX_INDEX(=24) value, causing out-of-bounds read/write errors. + + The following reports a oob access: + + [ 84.582666] BUG: KASAN: slab-out-of-bounds in qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313) + [ 84.583267] Read of size 4 at addr ffff88810f676948 by task ping/301 + [ 84.583686] + [ 84.583797] CPU: 3 PID: 301 Comm: ping Not tainted 6.3.0-rc5 #1 + [ 84.584164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 + [ 84.584644] Call Trace: + [ 84.584787] + [ 84.584906] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) + [ 84.585108] print_report (mm/kasan/report.c:320 mm/kasan/report.c:430) + [ 84.585570] kasan_report (mm/kasan/report.c:538) + [ 84.585988] qfq_activate_agg.constprop.0 (net/sched/sch_qfq.c:1027 net/sched/sch_qfq.c:1060 net/sched/sch_qfq.c:1313) + [ 84.586599] qfq_enqueue (net/sched/sch_qfq.c:1255) + [ 84.587607] dev_qdisc_enqueue (net/core/dev.c:3776) + [ 84.587749] __dev_queue_xmit (./include/net/sch_generic.h:186 net/core/dev.c:3865 net/core/dev.c:4212) + [ 84.588763] ip_finish_output2 (./include/net/neighbour.h:546 net/ipv4/ip_output.c:228) + [ 84.589460] ip_output (net/ipv4/ip_output.c:430) + [ 84.590132] ip_push_pending_frames (./include/net/dst.h:444 net/ipv4/ip_output.c:126 net/ipv4/ip_output.c:1586 net/ipv4/ip_output.c:1606) + [ 84.590285] raw_sendmsg (net/ipv4/raw.c:649) + [ 84.591960] sock_sendmsg (net/socket.c:724 net/socket.c:747) + [ 84.592084] __sys_sendto (net/socket.c:2142) + [ 84.593306] __x64_sys_sendto (net/socket.c:2150) + [ 84.593779] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + [ 84.593902] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + [ 84.594070] RIP: 0033:0x7fe568032066 + [ 84.594192] Code: 0e 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c09[ 84.594796] RSP: 002b:00007ffce388b4e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + + Code starting with the faulting instruction + =========================================== + [ 84.595047] RAX: ffffffffffffffda RBX: 00007ffce388cc70 RCX: 00007fe568032066 + [ 84.595281] RDX: 0000000000000040 RSI: 00005605fdad6d10 RDI: 0000000000000003 + [ 84.595515] RBP: 00005605fdad6d10 R08: 00007ffce388eeec R09: 0000000000000010 + [ 84.595749] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 + [ 84.595984] R13: 00007ffce388cc30 R14: 00007ffce388b4f0 R15: 0000001d00000001 + [ 84.596218] + [ 84.596295] + [ 84.596351] Allocated by task 291: + [ 84.596467] kasan_save_stack (mm/kasan/common.c:46) + [ 84.596597] kasan_set_track (mm/kasan/common.c:52) + [ 84.596725] __kasan_kmalloc (mm/kasan/common.c:384) + [ 84.596852] __kmalloc_node (./include/linux/kasan.h:196 mm/slab_common.c:967 mm/slab_common.c:974) + [ 84.596979] qdisc_alloc (./include/linux/slab.h:610 ./include/linux/slab.h:731 net/sched/sch_generic.c:938) + [ 84.597100] qdisc_create (net/sched/sch_api.c:1244) + [ 84.597222] tc_modify_qdisc (net/sched/sch_api.c:1680) + [ 84.597357] rtnetlink_rcv_msg (net/core/rtnetlink.c:6174) + [ 84.597495] netlink_rcv_skb (net/netlink/af_netlink.c:2574) + [ 84.597627] netlink_unicast (net/netlink/af_netlink.c:1340 net/netlink/af_netlink.c:1365) + [ 84.597759] netlink_sendmsg (net/netlink/af_netlink.c:1942) + [ 84.597891] sock_sendmsg (net/socket.c:724 net/socket.c:747) + [ 84.598016] ____sys_sendmsg (net/socket.c:2501) + [ 84.598147] ___sys_sendmsg (net/socket.c:2557) + [ 84.598275] __sys_sendmsg (./include/linux/file.h:31 net/socket.c:2586) + [ 84.598399] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + [ 84.598520] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + [ 84.598688] + [ 84.598744] The buggy address belongs to the object at ffff88810f674000 + [ 84.598744] which belongs to the cache kmalloc-8k of size 8192 + [ 84.599135] The buggy address is located 2664 bytes to the right of + [ 84.599135] allocated 7904-byte region [ffff88810f674000, ffff88810f675ee0) + [ 84.599544] + [ 84.599598] The buggy address belongs to the physical page: + [ 84.599777] page:00000000e638567f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f670 + [ 84.600074] head:00000000e638567f order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + [ 84.600330] flags: 0x200000000010200(slab|head|node=0|zone=2) + [ 84.600517] raw: 0200000000010200 ffff888100043180 dead000000000122 0000000000000000 + [ 84.600764] raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000 + [ 84.601009] page dumped because: kasan: bad access detected + [ 84.601187] + [ 84.601241] Memory state around the buggy address: + [ 84.601396] ffff88810f676800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + [ 84.601620] ffff88810f676880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + [ 84.601845] >ffff88810f676900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + [ 84.602069] ^ + [ 84.602243] ffff88810f676980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + [ 84.602468] ffff88810f676a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + [ 84.602693] ================================================================== + [ 84.602924] Disabling lock debugging due to kernel taint + + Fixes: 3015f3d2a3cd ("pkt_sched: enable QFQ to support TSO/GSO") + Reported-by: Gwangun Jung + Signed-off-by: Gwangun Jung + Acked-by: Jamal Hadi Salim + Signed-off-by: David S. Miller + + Signed-off-by: Davide Caratti + +Signed-off-by: Joe Lawrence +--- + net/sched/sch_qfq.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index ca8c79456c80..a0e5ebac5f39 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -436,15 +436,16 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, + } else + weight = 1; + +- if (tb[TCA_QFQ_LMAX]) { ++ if (tb[TCA_QFQ_LMAX]) + lmax = nla_get_u32(tb[TCA_QFQ_LMAX]); +- if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) { +- pr_notice("qfq: invalid max length %u\n", lmax); +- return -EINVAL; +- } +- } else ++ else + lmax = psched_mtu(qdisc_dev(sch)); + ++ if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) { ++ pr_notice("qfq: invalid max length %u\n", lmax); ++ return -EINVAL; ++ } ++ + inv_w = ONE_FP / weight; + weight = ONE_FP / inv_w; + +-- +2.44.0 + + diff --git a/SOURCES/CVE-2023-45871.patch b/SOURCES/CVE-2023-45871.patch new file mode 100644 index 0000000..dc8427c --- /dev/null +++ b/SOURCES/CVE-2023-45871.patch @@ -0,0 +1,193 @@ +From f5204071e2323f1d695a4d19be727fd6ad5f154c Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Wed, 17 Jan 2024 15:29:28 -0500 +Subject: [KPATCH CVE-2023-45871] kpatch fixes for CVE-2023-45871 + +Kernels: +3.10.0-1160.95.1.el7 +3.10.0-1160.99.1.el7 +3.10.0-1160.102.1.el7 +3.10.0-1160.105.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/65 +Changes since last build: +[x86_64]: +igb_main.o: changed function: igb_configure +l2cap_core.o: changed function: l2cap_chan_hold +l2cap_core.o: changed function: l2cap_conn_get +l2cap_core.o: changed function: l2cap_global_chan_by_psm +l2cap_core.o: changed function: l2cap_recv_frame +l2cap_core.o: new function: klp_l2cap_le_sig_cmd +sch_atm.o: changed function: atm_tc_peek +sch_atm.o: changed function: sch_atm_dequeue +sch_drr.o: changed function: drr_dequeue +sch_dsmark.o: changed function: dsmark_peek +sch_hfsc.o: changed function: hfsc_enqueue +sch_hfsc.o: changed function: qdisc_peek_len +sch_multiq.o: changed function: multiq_peek +sch_prio.o: changed function: prio_peek +sch_qfq.o: changed function: qfq_change_class +sch_qfq.o: changed function: qfq_dequeue +sch_red.o: changed function: red_peek +sch_sfb.o: changed function: sfb_peek +sch_tbf.o: changed function: tbf_dequeue + +[ppc64le]: +l2cap_core.o: changed function: __l2cap_chan_add +l2cap_core.o: changed function: __l2cap_physical_cfm +l2cap_core.o: changed function: __set_monitor_timer +l2cap_core.o: changed function: __set_retrans_timer.part.24 +l2cap_core.o: changed function: l2cap_ack_timeout +l2cap_core.o: changed function: l2cap_build_conf_req +l2cap_core.o: changed function: l2cap_chan_busy +l2cap_core.o: changed function: l2cap_chan_close +l2cap_core.o: changed function: l2cap_chan_connect +l2cap_core.o: changed function: l2cap_chan_del +l2cap_core.o: changed function: l2cap_chan_hold +l2cap_core.o: changed function: l2cap_chan_put +l2cap_core.o: changed function: l2cap_chan_send +l2cap_core.o: changed function: l2cap_chan_timeout +l2cap_core.o: changed function: l2cap_conn_add.part.28 +l2cap_core.o: changed function: l2cap_conn_del +l2cap_core.o: changed function: l2cap_conn_start +l2cap_core.o: changed function: l2cap_connect +l2cap_core.o: changed function: l2cap_connect_cfm +l2cap_core.o: changed function: l2cap_connect_create_rsp +l2cap_core.o: changed function: l2cap_data_channel +l2cap_core.o: changed function: l2cap_disconn_cfm +l2cap_core.o: changed function: l2cap_do_create +l2cap_core.o: changed function: l2cap_do_start +l2cap_core.o: changed function: l2cap_ertm_resend +l2cap_core.o: changed function: l2cap_ertm_send +l2cap_core.o: changed function: l2cap_global_fixed_chan +l2cap_core.o: changed function: l2cap_handle_rej +l2cap_core.o: changed function: l2cap_handle_srej +l2cap_core.o: changed function: l2cap_logical_cfm +l2cap_core.o: changed function: l2cap_monitor_timeout +l2cap_core.o: changed function: l2cap_move_done +l2cap_core.o: changed function: l2cap_move_setup +l2cap_core.o: changed function: l2cap_parse_conf_rsp.constprop.36 +l2cap_core.o: changed function: l2cap_pass_to_tx +l2cap_core.o: changed function: l2cap_process_reqseq +l2cap_core.o: changed function: l2cap_recv_frame +l2cap_core.o: changed function: l2cap_retrans_timeout +l2cap_core.o: changed function: l2cap_retransmit_all +l2cap_core.o: changed function: l2cap_rx +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_security_cfm +l2cap_core.o: changed function: l2cap_send_ack +l2cap_core.o: changed function: l2cap_send_efs_conf_rsp +l2cap_core.o: changed function: l2cap_send_i_or_rr_or_rnr +l2cap_core.o: changed function: l2cap_send_move_chan_cfm +l2cap_core.o: changed function: l2cap_send_move_chan_cfm_icid +l2cap_core.o: changed function: l2cap_send_move_chan_req +l2cap_core.o: changed function: l2cap_send_rr_or_rnr +l2cap_core.o: changed function: l2cap_send_sframe +l2cap_core.o: changed function: l2cap_send_srej +l2cap_core.o: changed function: l2cap_send_srej_tail +l2cap_core.o: changed function: l2cap_start_connection +l2cap_core.o: new function: l2cap_connect_req +sch_atm.o: changed function: atm_tc_bind_filter +sch_atm.o: changed function: atm_tc_change +sch_atm.o: changed function: atm_tc_delete +sch_atm.o: changed function: atm_tc_destroy +sch_atm.o: changed function: atm_tc_enqueue +sch_atm.o: changed function: atm_tc_find +sch_atm.o: changed function: atm_tc_graft +sch_atm.o: changed function: atm_tc_leaf +sch_atm.o: changed function: atm_tc_peek +sch_atm.o: changed function: atm_tc_put +sch_atm.o: changed function: atm_tc_reset +sch_atm.o: changed function: atm_tc_tcf_block +sch_atm.o: changed function: sch_atm_dequeue +sch_drr.o: changed function: drr_dequeue +sch_dsmark.o: changed function: dsmark_bind_filter +sch_dsmark.o: changed function: dsmark_change +sch_dsmark.o: changed function: dsmark_destroy +sch_dsmark.o: changed function: dsmark_dump_class +sch_dsmark.o: changed function: dsmark_init +sch_dsmark.o: changed function: dsmark_peek +sch_dsmark.o: changed function: dsmark_reset +sch_hfsc.o: changed function: hfsc_change_class +sch_hfsc.o: changed function: hfsc_dequeue +sch_hfsc.o: changed function: hfsc_enqueue +sch_multiq.o: changed function: multiq_peek +sch_prio.o: changed function: prio_peek +sch_qfq.o: changed function: qfq_change_class +sch_qfq.o: changed function: qfq_dequeue +sch_red.o: changed function: red_peek +sch_sfb.o: changed function: sfb_peek +sch_tbf.o: changed function: tbf_dequeue + +--------------------------- + +Modifications: none + +commit de534cd6d39849339867a3d587c3c3b04776ef6e +Author: Wander Lairson Costa +Date: Wed Jan 10 10:07:38 2024 -0300 + + igb: set max size RX buffer when store bad packet is enabled + + JIRA: https://issues.redhat.com/browse/RHEL-15181 + CVE: CVE-2023-45871 + + commit bb5ed01cd2428cd25b1c88a3a9cba87055eb289f + Author: Radoslaw Tyl + Date: Thu Aug 24 13:46:19 2023 -0700 + + igb: set max size RX buffer when store bad packet is enabled + + Increase the RX buffer size to 3K when the SBP bit is on. The size of + the RX buffer determines the number of pages allocated which may not + be sufficient for receive frames larger than the set MTU size. + + Cc: stable@vger.kernel.org + Fixes: 89eaefb61dc9 ("igb: Support RX-ALL feature flag.") + Reported-by: Manfred Rudigier + Signed-off-by: Radoslaw Tyl + Tested-by: Arpana Arland (A Contingent worker at Intel) + Signed-off-by: Tony Nguyen + Signed-off-by: David S. Miller + + Signed-off-by: Wander Lairson Costa + +Signed-off-by: Joe Lawrence +--- + drivers/net/ethernet/intel/igb/igb_main.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 58fa02b36285..44b23384123e 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -4576,6 +4576,10 @@ void igb_configure_rx_ring(struct igb_adapter *adapter, + static void igb_set_rx_buffer_len(struct igb_adapter *adapter, + struct igb_ring *rx_ring) + { ++#if (PAGE_SIZE < 8192) ++ struct e1000_hw *hw = &adapter->hw; ++#endif ++ + /* set build_skb and buffer size flags */ + clear_ring_build_skb_enabled(rx_ring); + clear_ring_uses_large_buffer(rx_ring); +@@ -4586,10 +4590,9 @@ static void igb_set_rx_buffer_len(struct igb_adapter *adapter, + set_ring_build_skb_enabled(rx_ring); + + #if (PAGE_SIZE < 8192) +- if (adapter->max_frame_size <= IGB_MAX_FRAME_BUILD_SKB) +- return; +- +- set_ring_uses_large_buffer(rx_ring); ++ if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB || ++ rd32(E1000_RCTL) & E1000_RCTL_SBP) ++ set_ring_uses_large_buffer(rx_ring); + #endif + } + +-- +2.44.0 + + diff --git a/SOURCES/CVE-2023-4921.patch b/SOURCES/CVE-2023-4921.patch new file mode 100644 index 0000000..190b465 --- /dev/null +++ b/SOURCES/CVE-2023-4921.patch @@ -0,0 +1,693 @@ +From 84eda7845563ee9c0cc215fe9d0a3c67cb4903fd Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Thu, 1 Feb 2024 14:36:30 -0500 +Subject: [KPATCH CVE-2023-4921] kpatch fixes for CVE-2023-4921 + +Kernels: +3.10.0-1160.95.1.el7 +3.10.0-1160.99.1.el7 +3.10.0-1160.102.1.el7 +3.10.0-1160.105.1.el7 +3.10.0-1160.108.1.el7 + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/67 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +[x86_64]: +igb_main.o: changed function: igb_configure +l2cap_core.o: changed function: l2cap_chan_hold +l2cap_core.o: changed function: l2cap_conn_get +l2cap_core.o: changed function: l2cap_global_chan_by_psm +l2cap_core.o: changed function: l2cap_recv_frame +l2cap_core.o: new function: klp_l2cap_le_sig_cmd +sch_atm.o: changed function: atm_tc_peek +sch_atm.o: changed function: sch_atm_dequeue +sch_drr.o: changed function: drr_dequeue +sch_dsmark.o: changed function: dsmark_peek +sch_hfsc.o: changed function: hfsc_enqueue +sch_hfsc.o: changed function: qdisc_peek_len +sch_multiq.o: changed function: multiq_peek +sch_prio.o: changed function: prio_peek +sch_qfq.o: changed function: qfq_change_class +sch_qfq.o: changed function: qfq_dequeue +sch_red.o: changed function: red_peek +sch_sfb.o: changed function: sfb_peek +sch_tbf.o: changed function: tbf_dequeue + +[ppc64le]: +l2cap_core.o: changed function: __l2cap_chan_add +l2cap_core.o: changed function: __l2cap_physical_cfm +l2cap_core.o: changed function: __set_monitor_timer +l2cap_core.o: changed function: __set_retrans_timer.part.24 +l2cap_core.o: changed function: l2cap_ack_timeout +l2cap_core.o: changed function: l2cap_build_conf_req +l2cap_core.o: changed function: l2cap_chan_busy +l2cap_core.o: changed function: l2cap_chan_close +l2cap_core.o: changed function: l2cap_chan_connect +l2cap_core.o: changed function: l2cap_chan_del +l2cap_core.o: changed function: l2cap_chan_hold +l2cap_core.o: changed function: l2cap_chan_put +l2cap_core.o: changed function: l2cap_chan_send +l2cap_core.o: changed function: l2cap_chan_timeout +l2cap_core.o: changed function: l2cap_conn_add.part.28 +l2cap_core.o: changed function: l2cap_conn_del +l2cap_core.o: changed function: l2cap_conn_start +l2cap_core.o: changed function: l2cap_connect +l2cap_core.o: changed function: l2cap_connect_cfm +l2cap_core.o: changed function: l2cap_connect_create_rsp +l2cap_core.o: changed function: l2cap_data_channel +l2cap_core.o: changed function: l2cap_disconn_cfm +l2cap_core.o: changed function: l2cap_do_create +l2cap_core.o: changed function: l2cap_do_start +l2cap_core.o: changed function: l2cap_ertm_resend +l2cap_core.o: changed function: l2cap_ertm_send +l2cap_core.o: changed function: l2cap_global_fixed_chan +l2cap_core.o: changed function: l2cap_handle_rej +l2cap_core.o: changed function: l2cap_handle_srej +l2cap_core.o: changed function: l2cap_logical_cfm +l2cap_core.o: changed function: l2cap_monitor_timeout +l2cap_core.o: changed function: l2cap_move_done +l2cap_core.o: changed function: l2cap_move_setup +l2cap_core.o: changed function: l2cap_parse_conf_rsp.constprop.36 +l2cap_core.o: changed function: l2cap_pass_to_tx +l2cap_core.o: changed function: l2cap_process_reqseq +l2cap_core.o: changed function: l2cap_recv_frame +l2cap_core.o: changed function: l2cap_retrans_timeout +l2cap_core.o: changed function: l2cap_retransmit_all +l2cap_core.o: changed function: l2cap_rx +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_security_cfm +l2cap_core.o: changed function: l2cap_send_ack +l2cap_core.o: changed function: l2cap_send_efs_conf_rsp +l2cap_core.o: changed function: l2cap_send_i_or_rr_or_rnr +l2cap_core.o: changed function: l2cap_send_move_chan_cfm +l2cap_core.o: changed function: l2cap_send_move_chan_cfm_icid +l2cap_core.o: changed function: l2cap_send_move_chan_req +l2cap_core.o: changed function: l2cap_send_rr_or_rnr +l2cap_core.o: changed function: l2cap_send_sframe +l2cap_core.o: changed function: l2cap_send_srej +l2cap_core.o: changed function: l2cap_send_srej_tail +l2cap_core.o: changed function: l2cap_start_connection +l2cap_core.o: new function: l2cap_connect_req +sch_atm.o: changed function: atm_tc_bind_filter +sch_atm.o: changed function: atm_tc_change +sch_atm.o: changed function: atm_tc_delete +sch_atm.o: changed function: atm_tc_destroy +sch_atm.o: changed function: atm_tc_enqueue +sch_atm.o: changed function: atm_tc_find +sch_atm.o: changed function: atm_tc_graft +sch_atm.o: changed function: atm_tc_leaf +sch_atm.o: changed function: atm_tc_peek +sch_atm.o: changed function: atm_tc_put +sch_atm.o: changed function: atm_tc_reset +sch_atm.o: changed function: atm_tc_tcf_block +sch_atm.o: changed function: sch_atm_dequeue +sch_drr.o: changed function: drr_dequeue +sch_dsmark.o: changed function: dsmark_bind_filter +sch_dsmark.o: changed function: dsmark_change +sch_dsmark.o: changed function: dsmark_destroy +sch_dsmark.o: changed function: dsmark_dump_class +sch_dsmark.o: changed function: dsmark_init +sch_dsmark.o: changed function: dsmark_peek +sch_dsmark.o: changed function: dsmark_reset +sch_hfsc.o: changed function: hfsc_change_class +sch_hfsc.o: changed function: hfsc_dequeue +sch_hfsc.o: changed function: hfsc_enqueue +sch_multiq.o: changed function: multiq_peek +sch_prio.o: changed function: prio_peek +sch_qfq.o: changed function: qfq_change_class +sch_qfq.o: changed function: qfq_dequeue +sch_red.o: changed function: red_peek +sch_sfb.o: changed function: sfb_peek +sch_tbf.o: changed function: tbf_dequeue + +--------------------------- + +Modifications: +- redirected to qdisc_peek_dequeued() by modifying functions that +called '->peek(qdisc)' to call klp_cve_2023_4921_peek() rather than by +modifying plug_qdisc_ops +- don't remove existing WARN_ONCE instances to avoid kpatch-build +"unreconcilable difference" error in .data.once section + +commit faf95907a10c29861882d7885b6e04ebe20057c8 +Author: Davide Caratti +Date: Fri Oct 27 17:22:42 2023 +0200 + + net: sched: sch_qfq: Fix UAF in qfq_dequeue() + + JIRA: https://issues.redhat.com/browse/RHEL-14397 + CVE: CVE-2023-4921 + Upstream Status: net.git commit 8fc134fee27f2263988ae38920bc03da416b03d8 + + commit 8fc134fee27f2263988ae38920bc03da416b03d8 + Author: valis + Date: Fri Sep 1 12:22:37 2023 -0400 + + net: sched: sch_qfq: Fix UAF in qfq_dequeue() + + When the plug qdisc is used as a class of the qfq qdisc it could trigger a + UAF. This issue can be reproduced with following commands: + + tc qdisc add dev lo root handle 1: qfq + tc class add dev lo parent 1: classid 1:1 qfq weight 1 maxpkt 512 + tc qdisc add dev lo parent 1:1 handle 2: plug + tc filter add dev lo parent 1: basic classid 1:1 + ping -c1 127.0.0.1 + + and boom: + + [ 285.353793] BUG: KASAN: slab-use-after-free in qfq_dequeue+0xa7/0x7f0 + [ 285.354910] Read of size 4 at addr ffff8880bad312a8 by task ping/144 + [ 285.355903] + [ 285.356165] CPU: 1 PID: 144 Comm: ping Not tainted 6.5.0-rc3+ #4 + [ 285.357112] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 + [ 285.358376] Call Trace: + [ 285.358773] + [ 285.359109] dump_stack_lvl+0x44/0x60 + [ 285.359708] print_address_description.constprop.0+0x2c/0x3c0 + [ 285.360611] kasan_report+0x10c/0x120 + [ 285.361195] ? qfq_dequeue+0xa7/0x7f0 + [ 285.361780] qfq_dequeue+0xa7/0x7f0 + [ 285.362342] __qdisc_run+0xf1/0x970 + [ 285.362903] net_tx_action+0x28e/0x460 + [ 285.363502] __do_softirq+0x11b/0x3de + [ 285.364097] do_softirq.part.0+0x72/0x90 + [ 285.364721] + [ 285.365072] + [ 285.365422] __local_bh_enable_ip+0x77/0x90 + [ 285.366079] __dev_queue_xmit+0x95f/0x1550 + [ 285.366732] ? __pfx_csum_and_copy_from_iter+0x10/0x10 + [ 285.367526] ? __pfx___dev_queue_xmit+0x10/0x10 + [ 285.368259] ? __build_skb_around+0x129/0x190 + [ 285.368960] ? ip_generic_getfrag+0x12c/0x170 + [ 285.369653] ? __pfx_ip_generic_getfrag+0x10/0x10 + [ 285.370390] ? csum_partial+0x8/0x20 + [ 285.370961] ? raw_getfrag+0xe5/0x140 + [ 285.371559] ip_finish_output2+0x539/0xa40 + [ 285.372222] ? __pfx_ip_finish_output2+0x10/0x10 + [ 285.372954] ip_output+0x113/0x1e0 + [ 285.373512] ? __pfx_ip_output+0x10/0x10 + [ 285.374130] ? icmp_out_count+0x49/0x60 + [ 285.374739] ? __pfx_ip_finish_output+0x10/0x10 + [ 285.375457] ip_push_pending_frames+0xf3/0x100 + [ 285.376173] raw_sendmsg+0xef5/0x12d0 + [ 285.376760] ? do_syscall_64+0x40/0x90 + [ 285.377359] ? __static_call_text_end+0x136578/0x136578 + [ 285.378173] ? do_syscall_64+0x40/0x90 + [ 285.378772] ? kasan_enable_current+0x11/0x20 + [ 285.379469] ? __pfx_raw_sendmsg+0x10/0x10 + [ 285.380137] ? __sock_create+0x13e/0x270 + [ 285.380673] ? __sys_socket+0xf3/0x180 + [ 285.381174] ? __x64_sys_socket+0x3d/0x50 + [ 285.381725] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + [ 285.382425] ? __rcu_read_unlock+0x48/0x70 + [ 285.382975] ? ip4_datagram_release_cb+0xd8/0x380 + [ 285.383608] ? __pfx_ip4_datagram_release_cb+0x10/0x10 + [ 285.384295] ? preempt_count_sub+0x14/0xc0 + [ 285.384844] ? __list_del_entry_valid+0x76/0x140 + [ 285.385467] ? _raw_spin_lock_bh+0x87/0xe0 + [ 285.386014] ? __pfx__raw_spin_lock_bh+0x10/0x10 + [ 285.386645] ? release_sock+0xa0/0xd0 + [ 285.387148] ? preempt_count_sub+0x14/0xc0 + [ 285.387712] ? freeze_secondary_cpus+0x348/0x3c0 + [ 285.388341] ? aa_sk_perm+0x177/0x390 + [ 285.388856] ? __pfx_aa_sk_perm+0x10/0x10 + [ 285.389441] ? check_stack_object+0x22/0x70 + [ 285.390032] ? inet_send_prepare+0x2f/0x120 + [ 285.390603] ? __pfx_inet_sendmsg+0x10/0x10 + [ 285.391172] sock_sendmsg+0xcc/0xe0 + [ 285.391667] __sys_sendto+0x190/0x230 + [ 285.392168] ? __pfx___sys_sendto+0x10/0x10 + [ 285.392727] ? kvm_clock_get_cycles+0x14/0x30 + [ 285.393328] ? set_normalized_timespec64+0x57/0x70 + [ 285.393980] ? _raw_spin_unlock_irq+0x1b/0x40 + [ 285.394578] ? __x64_sys_clock_gettime+0x11c/0x160 + [ 285.395225] ? __pfx___x64_sys_clock_gettime+0x10/0x10 + [ 285.395908] ? _copy_to_user+0x3e/0x60 + [ 285.396432] ? exit_to_user_mode_prepare+0x1a/0x120 + [ 285.397086] ? syscall_exit_to_user_mode+0x22/0x50 + [ 285.397734] ? do_syscall_64+0x71/0x90 + [ 285.398258] __x64_sys_sendto+0x74/0x90 + [ 285.398786] do_syscall_64+0x64/0x90 + [ 285.399273] ? exit_to_user_mode_prepare+0x1a/0x120 + [ 285.399949] ? syscall_exit_to_user_mode+0x22/0x50 + [ 285.400605] ? do_syscall_64+0x71/0x90 + [ 285.401124] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + [ 285.401807] RIP: 0033:0x495726 + [ 285.402233] Code: ff ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 09 + [ 285.404683] RSP: 002b:00007ffcc25fb618 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + [ 285.405677] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 0000000000495726 + [ 285.406628] RDX: 0000000000000040 RSI: 0000000002518750 RDI: 0000000000000000 + [ 285.407565] RBP: 00000000005205ef R08: 00000000005f8838 R09: 000000000000001c + [ 285.408523] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000002517634 + [ 285.409460] R13: 00007ffcc25fb6f0 R14: 0000000000000003 R15: 0000000000000000 + [ 285.410403] + [ 285.410704] + [ 285.410929] Allocated by task 144: + [ 285.411402] kasan_save_stack+0x1e/0x40 + [ 285.411926] kasan_set_track+0x21/0x30 + [ 285.412442] __kasan_slab_alloc+0x55/0x70 + [ 285.412973] kmem_cache_alloc_node+0x187/0x3d0 + [ 285.413567] __alloc_skb+0x1b4/0x230 + [ 285.414060] __ip_append_data+0x17f7/0x1b60 + [ 285.414633] ip_append_data+0x97/0xf0 + [ 285.415144] raw_sendmsg+0x5a8/0x12d0 + [ 285.415640] sock_sendmsg+0xcc/0xe0 + [ 285.416117] __sys_sendto+0x190/0x230 + [ 285.416626] __x64_sys_sendto+0x74/0x90 + [ 285.417145] do_syscall_64+0x64/0x90 + [ 285.417624] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + [ 285.418306] + [ 285.418531] Freed by task 144: + [ 285.418960] kasan_save_stack+0x1e/0x40 + [ 285.419469] kasan_set_track+0x21/0x30 + [ 285.419988] kasan_save_free_info+0x27/0x40 + [ 285.420556] ____kasan_slab_free+0x109/0x1a0 + [ 285.421146] kmem_cache_free+0x1c2/0x450 + [ 285.421680] __netif_receive_skb_core+0x2ce/0x1870 + [ 285.422333] __netif_receive_skb_one_core+0x97/0x140 + [ 285.423003] process_backlog+0x100/0x2f0 + [ 285.423537] __napi_poll+0x5c/0x2d0 + [ 285.424023] net_rx_action+0x2be/0x560 + [ 285.424510] __do_softirq+0x11b/0x3de + [ 285.425034] + [ 285.425254] The buggy address belongs to the object at ffff8880bad31280 + [ 285.425254] which belongs to the cache skbuff_head_cache of size 224 + [ 285.426993] The buggy address is located 40 bytes inside of + [ 285.426993] freed 224-byte region [ffff8880bad31280, ffff8880bad31360) + [ 285.428572] + [ 285.428798] The buggy address belongs to the physical page: + [ 285.429540] page:00000000f4b77674 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xbad31 + [ 285.430758] flags: 0x100000000000200(slab|node=0|zone=1) + [ 285.431447] page_type: 0xffffffff() + [ 285.431934] raw: 0100000000000200 ffff88810094a8c0 dead000000000122 0000000000000000 + [ 285.432757] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 + [ 285.433562] page dumped because: kasan: bad access detected + [ 285.434144] + [ 285.434320] Memory state around the buggy address: + [ 285.434828] ffff8880bad31180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + [ 285.435580] ffff8880bad31200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + [ 285.436264] >ffff8880bad31280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + [ 285.436777] ^ + [ 285.437106] ffff8880bad31300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc + [ 285.437616] ffff8880bad31380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + [ 285.438126] ================================================================== + [ 285.438662] Disabling lock debugging due to kernel taint + + Fix this by: + 1. Changing sch_plug's .peek handler to qdisc_peek_dequeued(), a + function compatible with non-work-conserving qdiscs + 2. Checking the return value of qdisc_dequeue_peeked() in sch_qfq. + + Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost") + Reported-by: valis + Signed-off-by: valis + Signed-off-by: Jamal Hadi Salim + Link: https://lore.kernel.org/r/20230901162237.11525-1-jhs@mojatatu.com + Signed-off-by: Paolo Abeni + + Signed-off-by: Davide Caratti + +commit eb76ae2165f95d31ad199d706840140b271c719e +Author: Davide Caratti +Date: Thu Jan 25 15:45:42 2024 +0100 + + net: sched: sch_qfq: Use non-work-conserving warning handler + + JIRA: https://issues.redhat.com/browse/RHEL-14397 + Upstream Status: net.git commit 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77 + + commit 6d25d1dc76bf5943a5c1f4bb74d66d5eac58eb77 + Author: Liu Jian + Date: Mon Oct 23 14:47:29 2023 +0800 + + net: sched: sch_qfq: Use non-work-conserving warning handler + + A helper function for printing non-work-conserving alarms is added in + commit b00355db3f88 ("pkt_sched: sch_hfsc: sch_htb: Add non-work-conserving + warning handler."). In this commit, use qdisc_warn_nonwc() instead of + WARN_ONCE() to handle the non-work-conserving warning in qfq Qdisc. + + Signed-off-by: Liu Jian + Link: https://lore.kernel.org/r/20231023064729.370649-1-liujian56@huawei.com + Signed-off-by: Paolo Abeni + + Signed-off-by: Davide Caratti + +Signed-off-by: Ryan Sullivan +--- + net/sched/klp_cve_2023_4921.h | 16 +++++++++++++ + net/sched/sch_atm.c | 5 ++-- + net/sched/sch_drr.c | 3 ++- + net/sched/sch_dsmark.c | 3 ++- + net/sched/sch_hfsc.c | 7 +++--- + net/sched/sch_multiq.c | 4 +++- + net/sched/sch_prio.c | 6 ++++- + net/sched/sch_qfq.c | 43 ++++++++++++++++++++++++++--------- + net/sched/sch_red.c | 3 ++- + net/sched/sch_sfb.c | 3 ++- + net/sched/sch_tbf.c | 3 ++- + 11 files changed, 73 insertions(+), 23 deletions(-) + create mode 100644 net/sched/klp_cve_2023_4921.h + +diff --git a/net/sched/klp_cve_2023_4921.h b/net/sched/klp_cve_2023_4921.h +new file mode 100644 +index 000000000000..07a5624a487c +--- /dev/null ++++ b/net/sched/klp_cve_2023_4921.h +@@ -0,0 +1,16 @@ ++#ifndef __KLP_CVE_2023_4921__ ++#define __KLP_CVE_2023_4921__ ++ ++static inline struct sk_buff *klp_cve_2023_4921_peek(struct Qdisc *sch) ++{ ++ /* ++ * kpatch workaround: can't modify plug_qdisc_ops structure, so ++ * provide a peek pivot based on the underlying qdisc ops id ++ */ ++ if (strcmp(sch->ops->id, "plug") == 0) ++ return qdisc_peek_dequeued(sch); ++ ++ return sch->ops->peek(sch); ++} ++ ++#endif +diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c +index 7c8966a42794..d58c84b3fba2 100644 +--- a/net/sched/sch_atm.c ++++ b/net/sched/sch_atm.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + /* + * The ATM queuing discipline provides a framework for invoking classifiers +@@ -474,7 +475,7 @@ static void sch_atm_dequeue(unsigned long data) + * If traffic is properly shaped, this won't generate nasty + * little bursts. Otherwise, it may ... (but that's okay) + */ +- while ((skb = flow->q->ops->peek(flow->q))) { ++ while ((skb = klp_cve_2023_4921_peek(flow->q))) { + if (!atm_may_send(flow->vcc, skb->truesize)) + break; + +@@ -528,7 +529,7 @@ static struct sk_buff *atm_tc_peek(struct Qdisc *sch) + + pr_debug("atm_tc_peek(sch %p,[qdisc %p])\n", sch, p); + +- return p->link.q->ops->peek(p->link.q); ++ return klp_cve_2023_4921_peek(p->link.q); + } + + static int atm_tc_init(struct Qdisc *sch, struct nlattr *opt) +diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c +index 9bfe7b50115f..27dd8e610da2 100644 +--- a/net/sched/sch_drr.c ++++ b/net/sched/sch_drr.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + struct drr_class { + struct Qdisc_class_common common; +@@ -378,7 +379,7 @@ static struct sk_buff *drr_dequeue(struct Qdisc *sch) + goto out; + while (1) { + cl = list_first_entry(&q->active, struct drr_class, alist); +- skb = cl->qdisc->ops->peek(cl->qdisc); ++ skb = klp_cve_2023_4921_peek(cl->qdisc); + if (skb == NULL) { + qdisc_warn_nonwc(__func__, cl->qdisc); + goto out; +diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c +index df08e15e6f19..06b6e03f89ea 100644 +--- a/net/sched/sch_dsmark.c ++++ b/net/sched/sch_dsmark.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + /* + * classid class marking +@@ -327,7 +328,7 @@ static struct sk_buff *dsmark_peek(struct Qdisc *sch) + + pr_debug("%s(sch %p,[qdisc %p])\n", __func__, sch, p); + +- return p->q->ops->peek(p->q); ++ return klp_cve_2023_4921_peek(p->q); + } + + static int dsmark_init(struct Qdisc *sch, struct nlattr *opt) +diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c +index fb14b551f65d..466244c57737 100644 +--- a/net/sched/sch_hfsc.c ++++ b/net/sched/sch_hfsc.c +@@ -67,6 +67,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + /* + * kernel internal service curve representation: +@@ -834,7 +835,8 @@ qdisc_peek_len(struct Qdisc *sch) + struct sk_buff *skb; + unsigned int len; + +- skb = sch->ops->peek(sch); ++ skb = klp_cve_2023_4921_peek(sch); ++ + if (unlikely(skb == NULL)) { + qdisc_warn_nonwc("qdisc_peek_len", sch); + return 0; +@@ -1567,8 +1569,7 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free) + * to invalidate the deadline. + */ + if (cl->cl_flags & HFSC_RSC) +- cl->qdisc->ops->peek(cl->qdisc); +- ++ klp_cve_2023_4921_peek(cl->qdisc); + } + + qdisc_qstats_backlog_inc(sch, skb); +diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c +index 31e0a284eeff..8f6e85b2c8b8 100644 +--- a/net/sched/sch_multiq.c ++++ b/net/sched/sch_multiq.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + struct multiq_sched_data { + u16 bands; +@@ -145,7 +146,8 @@ static struct sk_buff *multiq_peek(struct Qdisc *sch) + if (!netif_xmit_stopped( + netdev_get_tx_queue(qdisc_dev(sch), curband))) { + qdisc = q->queues[curband]; +- skb = qdisc->ops->peek(qdisc); ++ skb = klp_cve_2023_4921_peek(qdisc); ++ + if (skb) + return skb; + } +diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c +index faf447b60b68..23526ef54f0c 100644 +--- a/net/sched/sch_prio.c ++++ b/net/sched/sch_prio.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + struct prio_sched_data { + int bands; +@@ -103,7 +104,10 @@ static struct sk_buff *prio_peek(struct Qdisc *sch) + + for (prio = 0; prio < q->bands; prio++) { + struct Qdisc *qdisc = q->queues[prio]; +- struct sk_buff *skb = qdisc->ops->peek(qdisc); ++ struct sk_buff *skb; ++ ++ skb = klp_cve_2023_4921_peek(qdisc); ++ + if (skb) + return skb; + } +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index ca8c79456c80..134cd66225c0 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -18,6 +18,8 @@ + #include + #include + #include ++#include ++#include "klp_cve_2023_4921.h" + + + /* Quick Fair Queueing Plus +@@ -984,19 +986,24 @@ static void qfq_update_eligible(struct qfq_sched *q) + } + + /* Dequeue head packet of the head class in the DRR queue of the aggregate. */ +-static void agg_dequeue(struct qfq_aggregate *agg, +- struct qfq_class *cl, unsigned int len) ++static struct sk_buff *agg_dequeue(struct qfq_aggregate *agg, ++ struct qfq_class *cl, unsigned int len) + { +- qdisc_dequeue_peeked(cl->qdisc); ++ struct sk_buff *skb = qdisc_dequeue_peeked(cl->qdisc); ++ ++ if (!skb) ++ return NULL; + + cl->deficit -= (int) len; + + if (cl->qdisc->q.qlen == 0) /* no more packets, remove from list */ + list_del(&cl->alist); +- else if (cl->deficit < qdisc_pkt_len(cl->qdisc->ops->peek(cl->qdisc))) { ++ else if (cl->deficit < qdisc_pkt_len(klp_cve_2023_4921_peek(cl->qdisc))) { + cl->deficit += agg->lmax; + list_move_tail(&cl->alist, &agg->active); + } ++ ++ return skb; + } + + static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg, +@@ -1006,10 +1013,16 @@ static inline struct sk_buff *qfq_peek_skb(struct qfq_aggregate *agg, + struct sk_buff *skb; + + *cl = list_first_entry(&agg->active, struct qfq_class, alist); +- skb = (*cl)->qdisc->ops->peek((*cl)->qdisc); +- if (skb == NULL) +- WARN_ONCE(1, "qfq_dequeue: non-workconserving leaf\n"); +- else ++ skb = klp_cve_2023_4921_peek((*cl)->qdisc); ++ if (skb == NULL) { ++ /* ++ * kpatch-build workaround: keep old WARN_ONCE to avoid ++ * create-diff-object unreconcilable difference from ++ * unsupported .data.once section change. ++ */ ++ WARN_ONCE(!jiffies, "qfq_dequeue: non-workconserving leaf\n"); ++ qdisc_warn_nonwc("qfq_dequeue", (*cl)->qdisc); ++ } else + *len = qdisc_pkt_len(skb); + + return skb; +@@ -1142,11 +1155,18 @@ static struct sk_buff *qfq_dequeue(struct Qdisc *sch) + if (!skb) + return NULL; + +- qdisc_qstats_backlog_dec(sch, skb); + sch->q.qlen--; ++ ++ skb = agg_dequeue(in_serv_agg, cl, len); ++ ++ if (!skb) { ++ sch->q.qlen++; ++ return NULL; ++ } ++ ++ qdisc_qstats_backlog_dec(sch, skb); + qdisc_bstats_update(sch, skb); + +- agg_dequeue(in_serv_agg, cl, len); + /* If lmax is lowered, through qfq_change_class, for a class + * owning pending packets with larger size than the new value + * of lmax, then the following condition may hold. +@@ -1224,6 +1244,7 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, + } + pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid); + ++ + if (unlikely(cl->agg->lmax < qdisc_pkt_len(skb))) { + pr_debug("qfq: increasing maxpkt from %u to %u for class %u", + cl->agg->lmax, qdisc_pkt_len(skb), cl->common.classid); +@@ -1252,7 +1273,7 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch, + agg = cl->agg; + /* if the queue was not empty, then done here */ + if (cl->qdisc->q.qlen != 1) { +- if (unlikely(skb == cl->qdisc->ops->peek(cl->qdisc)) && ++ if (unlikely(skb == klp_cve_2023_4921_peek(cl->qdisc)) && + list_first_entry(&agg->active, struct qfq_class, alist) + == cl && cl->deficit < qdisc_pkt_len(skb)) + list_move_tail(&cl->alist, &agg->active); +diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c +index e4789760457a..eea80e402219 100644 +--- a/net/sched/sch_red.c ++++ b/net/sched/sch_red.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + + /* Parameters, settable by user: +@@ -135,7 +136,7 @@ static struct sk_buff *red_peek(struct Qdisc *sch) + struct red_sched_data *q = qdisc_priv(sch); + struct Qdisc *child = q->qdisc; + +- return child->ops->peek(child); ++ return klp_cve_2023_4921_peek(child); + } + + static void red_reset(struct Qdisc *sch) +diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c +index aeb509bde740..f8d75735351f 100644 +--- a/net/sched/sch_sfb.c ++++ b/net/sched/sch_sfb.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + /* + * SFB uses two B[l][n] : L x N arrays of bins (L levels, N bins per level) +@@ -445,7 +446,7 @@ static struct sk_buff *sfb_peek(struct Qdisc *sch) + struct sfb_sched_data *q = qdisc_priv(sch); + struct Qdisc *child = q->qdisc; + +- return child->ops->peek(child); ++ return klp_cve_2023_4921_peek(child); + } + + /* No sfb_drop -- impossible since the child doesn't return the dropped skb. */ +diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c +index 15a19519aa9c..9957adc1b951 100644 +--- a/net/sched/sch_tbf.c ++++ b/net/sched/sch_tbf.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include "klp_cve_2023_4921.h" + + + /* Simple Token Bucket Filter. +@@ -214,7 +215,7 @@ static struct sk_buff *tbf_dequeue(struct Qdisc *sch) + struct tbf_sched_data *q = qdisc_priv(sch); + struct sk_buff *skb; + +- skb = q->qdisc->ops->peek(q->qdisc); ++ skb = klp_cve_2023_4921_peek(q->qdisc); + + if (skb) { + s64 now; +-- +2.44.0 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 547b071..f3a830f 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.99.1.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 3 +%define rpm_rel 4 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -31,6 +31,18 @@ Source105: CVE-2023-4128.patch # # https://issues.redhat.com/browse/RHEL-8456 Source106: CVE-2023-42753.patch +# +# https://issues.redhat.com/browse/RHEL-8831 +Source107: CVE-2022-42896.patch +# +# https://issues.redhat.com/browse/RHEL-12767 +Source108: CVE-2023-31436.patch +# +# https://issues.redhat.com/browse/RHEL-15213 +Source109: CVE-2023-45871.patch +# +# https://issues.redhat.com/browse/RHEL-14416 +Source110: CVE-2023-4921.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -165,6 +177,12 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Wed Mar 06 2024 Yannick Cote [1-4.el7] +- kernel: use-after-free in sch_qfq network scheduler [RHEL-14416] {CVE-2023-4921} +- kernel: IGB driver inadequate buffer size for frames larger than MTU [RHEL-15213] {CVE-2023-45871} +- kernel: out-of-bounds write in qfq_change_class function [RHEL-12767] {CVE-2023-31436} +- kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c [RHEL-8831] {CVE-2022-42896} + * Fri Jan 05 2024 Yannick Cote [1-3.el7] - kernel: netfilter: potential slab-out-of-bound access due to integer underflow [RHEL-8456] {CVE-2023-42753}