rpms / kpatch-patch-4_18_0-348

Clone
Source Code
GIT

Blame SOURCES/CVE-2022-0435.patch

c8
  1.   c38cbcd4b40971658e06699a1c9644aace900d96
  2.   SOURCES
  3.   CVE-2022-0435.patch
Blob History Raw
c38cbc 
From 8db2609e76912d088d19ba0938e80c5628e58e9e Mon Sep 17 00:00:00 2001
c38cbc 
From: Joe Lawrence <joe.lawrence@redhat.com>
c38cbc 
Date: Thu, 3 Mar 2022 11:44:42 -0500
c38cbc 
Subject: [KPATCH CVE-2022-0435] tipc: kpatch fixes for CVE-2022-0435
c38cbc
c38cbc 
Kernels:
c38cbc 
4.18.0-348.el8
c38cbc 
4.18.0-348.2.1.el8_5
c38cbc 
4.18.0-348.7.1.el8_5
c38cbc 
4.18.0-348.12.2.el8_5
c38cbc
c38cbc 
Changes since last build:
c38cbc 
[x86_64]:
c38cbc 
link.o: changed function: tipc_link_rcv
c38cbc 
monitor.o: changed function: tipc_mon_rcv
c38cbc
c38cbc 
[ppc64le]:
c38cbc 
link.o: changed function: tipc_link_proto_rcv
c38cbc 
monitor.o: changed function: tipc_mon_rcv
c38cbc
c38cbc 
---------------------------
c38cbc
c38cbc 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/36
c38cbc 
Approved-by: Yannick Cote (@ycote1)
c38cbc 
Kernels:
c38cbc 
4.18.0-348.el8
c38cbc 
4.18.0-348.2.1.el8_5
c38cbc 
4.18.0-348.7.1.el8_5
c38cbc 
4.18.0-348.12.2.el8_5
c38cbc
c38cbc 
Modifications: none
c38cbc
c38cbc 
commit 8b2b73e6cb7bd6d9d5af8d21f15d002a373d0a2e
c38cbc 
Author: Xin Long <lxin@redhat.com>
c38cbc 
Date:   Thu Feb 10 21:43:20 2022 -0500
c38cbc
c38cbc 
    tipc: improve size validations for received domain records
c38cbc
c38cbc 
    Bugzilla: https://bugzilla.redhat.com/2048970
c38cbc 
    CVE: CVE-2022-0435
c38cbc 
    Y-Commit: 0e080c279fd19325b263617515835d6ce45e88f4
c38cbc
c38cbc 
    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2048971
c38cbc 
    O-CVE: CVE-2022-0435
c38cbc 
    Tested: compile only
c38cbc
c38cbc 
    commit 9aa422ad326634b76309e8ff342c246800621216
c38cbc 
    Author: Jon Maloy <jmaloy@redhat.com>
c38cbc 
    Date:   Sat Feb 5 14:11:18 2022 -0500
c38cbc
c38cbc 
        tipc: improve size validations for received domain records
c38cbc
c38cbc 
        The function tipc_mon_rcv() allows a node to receive and process
c38cbc 
        domain_record structs from peer nodes to track their views of the
c38cbc 
        network topology.
c38cbc
c38cbc 
        This patch verifies that the number of members in a received domain
c38cbc 
        record does not exceed the limit defined by MAX_MON_DOMAIN, something
c38cbc 
        that may otherwise lead to a stack overflow.
c38cbc
c38cbc 
        tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
c38cbc 
        we are reading a 32 bit message data length field into a uint16.  To
c38cbc 
        avert any risk of bit overflow, we add an extra sanity check for this in
c38cbc 
        that function.  We cannot see that happen with the current code, but
c38cbc 
        future designers being unaware of this risk, may introduce it by
c38cbc 
        allowing delivery of very large (> 64k) sk buffers from the bearer
c38cbc 
        layer.  This potential problem was identified by Eric Dumazet.
c38cbc
c38cbc 
        This fixes CVE-2022-0435
c38cbc
c38cbc 
        Reported-by: Samuel Page <samuel.page@appgate.com>
c38cbc 
        Reported-by: Eric Dumazet <edumazet@google.com>
c38cbc 
        Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
c38cbc 
        Signed-off-by: Jon Maloy <jmaloy@redhat.com>
c38cbc 
        Reviewed-by: Xin Long <lucien.xin@gmail.com>
c38cbc 
        Reviewed-by: Samuel Page <samuel.page@appgate.com>
c38cbc 
        Reviewed-by: Eric Dumazet <edumazet@google.com>
c38cbc 
        Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
c38cbc
c38cbc 
    Signed-off-by: Xin Long <lxin@redhat.com>
c38cbc 
    Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
c38cbc
c38cbc 
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
c38cbc 
---
c38cbc 
 net/tipc/link.c    | 9 +++++++--
c38cbc 
 net/tipc/monitor.c | 2 ++
c38cbc 
 2 files changed, 9 insertions(+), 2 deletions(-)
c38cbc
c38cbc 
diff --git a/net/tipc/link.c b/net/tipc/link.c
c38cbc 
index b5ed87dded2c..062ec1989c41 100644
c38cbc 
--- a/net/tipc/link.c
c38cbc 
+++ b/net/tipc/link.c
c38cbc 
@@ -2165,7 +2165,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
c38cbc 
 	struct tipc_msg *hdr = buf_msg(skb);
c38cbc 
 	struct tipc_gap_ack_blks *ga = NULL;
c38cbc 
 	bool reply = msg_probe(hdr), retransmitted = false;
c38cbc 
-	u16 dlen = msg_data_sz(hdr), glen = 0;
c38cbc 
+	u32 dlen = msg_data_sz(hdr), glen = 0;
c38cbc 
 	u16 peers_snd_nxt =  msg_next_sent(hdr);
c38cbc 
 	u16 peers_tol = msg_link_tolerance(hdr);
c38cbc 
 	u16 peers_prio = msg_linkprio(hdr);
c38cbc 
@@ -2179,6 +2179,10 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
c38cbc 
 	void *data;
c38cbc
c38cbc 
 	trace_tipc_proto_rcv(skb, false, l->name);
c38cbc 
+
c38cbc 
+	if (dlen > U16_MAX)
c38cbc 
+		goto exit;
c38cbc 
+
c38cbc 
 	if (tipc_link_is_blocked(l) || !xmitq)
c38cbc 
 		goto exit;
c38cbc
c38cbc 
@@ -2275,7 +2279,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
c38cbc
c38cbc 
 		/* Receive Gap ACK blocks from peer if any */
c38cbc 
 		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
c38cbc 
-
c38cbc 
+		if(glen > dlen)
c38cbc 
+			break;
c38cbc 
 		tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
c38cbc 
 			     &l->mon_state, l->bearer_id);
c38cbc
c38cbc 
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
c38cbc 
index 6dce2abf436e..a37190da5a50 100644
c38cbc 
--- a/net/tipc/monitor.c
c38cbc 
+++ b/net/tipc/monitor.c
c38cbc 
@@ -465,6 +465,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
c38cbc 
 	state->probing = false;
c38cbc
c38cbc 
 	/* Sanity check received domain record */
c38cbc 
+	if (new_member_cnt > MAX_MON_DOMAIN)
c38cbc 
+		return;
c38cbc 
 	if (dlen < dom_rec_len(arrv_dom, 0))
c38cbc 
 		return;
c38cbc 
 	if (dlen != dom_rec_len(arrv_dom, new_member_cnt))
c38cbc 
--
c38cbc 
2.34.1
c38cbc
c38cbc

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation