From cdd3f984e2798d17eeedc8c07f75abe587c68e53 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 24 2022 09:05:37 +0000
Subject: import kpatch-patch-4_18_0-348-1-2.el8
---
diff --git a/SOURCES/CVE-2021-4155.patch b/SOURCES/CVE-2021-4155.patch
new file mode 100644
index 0000000..f6bf020
--- /dev/null
+++ b/SOURCES/CVE-2021-4155.patch
@@ -0,0 +1,81 @@
+From cec4ee812b7c642c552c64c488a299323d622638 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence
+Date: Fri, 7 Jan 2022 14:11:20 -0500
+Subject: [KPATCH CVE-2021-4155] xfs: kpatch fixes for CVE-2021-4155
+
+Kernels:
+4.18.0-348.el8
+4.18.0-348.2.1.el8_5
+4.18.0-348.7.1.el8_5
+
+Changes since last build:
+arches: x86_64 ppc64le
+xfs_ioctl.o: changed function: xfs_ioc_space
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/12
+Approved-by: Artem Savkov (@artem.savkov)
+Kernels:
+4.18.0-348.el8
+4.18.0-348.2.1.el8_5
+4.18.0-348.7.1.el8_5
+
+Modifications: none
+
+Z-MR: https://gitlab.com/redhat/prdsc/rhel/src/kernel-private/rhel-8/-/merge_requests/28
+
+KT0 test PASS: https://beaker.engineering.redhat.com/jobs/6173055
+for kpatch-patch-4_18_0-348-1-2.el8 scratch build:
+https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42267085
+
+commit 374251004418783ae2e1e191b957cf63e3796d5e
+Author: Bruno Meneguele
+Date: Thu Jan 6 17:19:24 2022 -0300
+
+ xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate
+
+ Bugzilla: https://bugzilla.redhat.com/2034864
+ CVE: CVE-2021-4155
+
+ O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2034865
+ O-CVE: CVE-2021-4155
+ Tested: xfstests and specific reproducer
+ Upstream status: Posted privately due to embargo
+
+ The old ALLOCSP/FREESP ioctls in XFS can be used to preallocate space at
+ the end of files, just like fallocate and RESVSP. Make the behavior
+ consistent with the other ioctls.
+
+ Reported-by: Kirill Tkhai
+ Signed-off-by: Darrick J. Wong
+ Signed-off-by: Darrick J. Wong
+ Reviewed-by: Dave Chinner
+ Reviewed-by: Eric Sandeen
+ (cherry picked from commit 983d8e60f50806f90534cc5373d0ce867e5aaf79)
+
+ Signed-off-by: Carlos Maiolino
+ Signed-off-by: Bruno Meneguele
+
+Signed-off-by: Joe Lawrence
+---
+ fs/xfs/xfs_ioctl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 2a68819e4fe5..7d9c76c5cfb0 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -686,7 +686,8 @@ xfs_ioc_space(
+ 
+ if (bf->l_start > XFS_ISIZE(ip)) {
+ error = xfs_alloc_file_space(ip, XFS_ISIZE(ip),
+- bf->l_start - XFS_ISIZE(ip), 0);
++ bf->l_start - XFS_ISIZE(ip),
++ XFS_BMAPI_PREALLOC);
+ if (error)
+ goto out_unlock;
+ }
+-- 
+2.26.3
+
+
diff --git a/SOURCES/CVE-2022-0185.patch b/SOURCES/CVE-2022-0185.patch
new file mode 100644
index 0000000..e5cc52c
--- /dev/null
+++ b/SOURCES/CVE-2022-0185.patch
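Review bot: The only changed line in xfs_ioc_space swaps the flags argument of xfs_alloc_file_space from `0` to `XFS_BMAPI_PREALLOC` with no comment on why, and that reason is the entire security content of the patch: the range between XFS_ISIZE(ip) and bf->l_start must come back as unwritten extents, because blocks allocated as written hand the caller whatever stale data the disk held there (the "raw block device data leak" the spec changelog names). I would put above the call `/* Allocate the EOF..l_start gap as unwritten (XFS_BMAPI_PREALLOC), like fallocate and RESVSP; written extents here would expose stale on-disk data (CVE-2021-4155). */`. The other xfs_alloc_file_space calls in this function are outside the hunk and presumably already pass XFS_BMAPI_PREALLOC, since the commit message describes making ALLOCSP/FREESP consistent with them, but that is worth confirming in the rebuilt xfs_ioc_space the kpatch ships. xfs_ioc_space starts and ends outside the hunk.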
@@ -0,0 +1,68 @@
+From 84e2346b7ae9c50f95701027f8d860424623a294 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence
+Date: Fri, 14 Jan 2022 09:25:24 -0500
+Subject: [KPATCH CVE-2022-0185] vfs: kpatch fixes for CVE-2022-0185
+
+Kernels:
+4.18.0-348.el8
+4.18.0-348.2.1.el8_5
+4.18.0-348.7.1.el8_5
+
+Changes since last build:
+arches: x86_64 ppc64le
+fs_context.o: changed function: legacy_parse_param
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/15
+Approved-by: Artem Savkov (@artem.savkov)
+Kernels:
+4.18.0-348.el8
+4.18.0-348.2.1.el8_5
+4.18.0-348.7.1.el8_5
+
+Modifications: none
+
+commit 689263a917cde581464bdc69777dd0f3d9e808af
+Author: Frantisek Hrbata
+Date: Fri Jan 14 10:30:05 2022 +0100
+
+ vfs: Out-of-bounds write of heap buffer in fs_context.c
+
+ Bugzilla: https://bugzilla.redhat.com/2040585
+ CVE: CVE-2022-0185
+
+ From Jamie Hill-Daniel
+
+ The "PAGE_SIZE - 2 - size" calculation is is an unsigned type so
+ a large value of "size" results in a high positive value. This
+ results in heap overflow which can be exploited by a standard
+ user for privilege escalation.
+
+ Signed-off-by: Frantisek Hrbata
+
+Signed-off-by: Joe Lawrence
+---
+ fs/fs_context.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/fs_context.c b/fs/fs_context.c
+index b1eacb03b72f..c921102b2398 100644
+--- a/fs/fs_context.c
++++ b/fs/fs_context.c
+@@ -563,8 +563,10 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
+ return invalf(fc, "VFS: Legacy: Parameter type for '%s' not supported",
+ param->key);
+ }
+-
+- if (len > PAGE_SIZE - 2 - size)
++ /* Subtracting 'size' from PAGE_SIZE can lead to integer underflow,
++ * so check bounds using addition instead.
++ */
++ if (size + len + 2 > PAGE_SIZE)
+ return invalf(fc, "VFS: Legacy: Cumulative options too large");
+ if (strchr(param->key, ',') ||
+ (param->type == fs_value_is_string &&
+-- 
+2.26.3
+
+
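Review bot: The new bound `if (size + len + 2 > PAGE_SIZE)` is itself free of wraparound only because `size` and `len` are both far below SIZE_MAX, and the comment the hunk adds says nothing about that assumption; it also describes the old expression as an "integer underflow", which for an unsigned `size_t` is well-defined wraparound that turned the limit into effectively no limit once `size` exceeded PAGE_SIZE - 2. I would reword the added comment to `/* PAGE_SIZE - 2 - size wraps (size_t is unsigned) once size exceeds PAGE_SIZE - 2, so compare by addition; size and len are bounded by the data buffer and key/value lengths, so the sum cannot wrap. */`. If the bound on `len` is not guaranteed by the caller (the value length appears to come from userspace via fsconfig, as far as I can tell from here), `check_add_overflow()` would make the check robust regardless. The `2` presumably covers the ',' separator and the trailing NUL written by the append code below the hunk; naming them in the comment helps the next reader. legacy_parse_param starts and ends outside the hunk.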
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index fd9a20d..44dfa99 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,13 +6,19 @@
 %define kernel_ver 4.18.0-348.el8
 %define kpatch_ver 0.9.5
 %define rpm_ver 1
-%define rpm_rel 1
+%define rpm_rel 2
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
 #
 # https://bugzilla.redhat.com/2020562
 Source100: CVE-2021-43267.patch
+#
+# https://bugzilla.redhat.com/2034875
+Source101: CVE-2021-4155.patch
+#
+# https://bugzilla.redhat.com/2040593
+Source102: CVE-2022-0185.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
@@ -151,6 +157,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 %changelog
+* Tue Jan 18 2022 Joe Lawrence [1-2.el8]
+- kernel: fs_context: heap overflow in legacy parameter handling [2040593] {CVE-2022-0185}
+- kernel: xfs: raw block device data leak in XFS_IOC_ALLOCSP IOCTL [2034875] {CVE-2021-4155}
+
 * Tue Nov 09 2021 Artem Savkov [1-1.el8]
 - Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type [2020562] {CVE-2021-43267}