diff --git a/SOURCES/CVE-2021-4028.patch b/SOURCES/CVE-2021-4028.patch
new file mode 100644
index 0000000..da59c91
--- /dev/null
+++ b/SOURCES/CVE-2021-4028.patch
@@ -0,0 +1,145 @@
+From dfa836934686eb5b0dd0cfb7957bd9d5327fba4a Mon Sep 17 00:00:00 2001
+From: "C. Erastus Toe"
+Date: Mon, 7 Mar 2022 22:39:18 -0500
+Subject: [KPATCH CVE-2021-4028] kpatch fixes for CVE-2021-4028
+
+Kernels:
+4.18.0-348.el8
+4.18.0-348.2.1.el8_5
+4.18.0-348.7.1.el8_5
+4.18.0-348.12.2.el8_5
+4.18.0-348.19.1.el8_5
+
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/40
+Approved-by: Joe Lawrence (@joe.lawrence)
+Changes since last build:
+[x86_64]:
+cma.o: changed function: rdma_listen
+nf_tables_api.o: changed function: __nf_tables_abort
+nf_tables_api.o: changed function: __nft_release_basechain
+nf_tables_api.o: changed function: nf_tables_commit
+nf_tables_api.o: changed function: nf_tables_exit_net
+nf_tables_api.o: changed function: nf_tables_newrule
+nf_tables_api.o: changed function: nf_tables_rule_destroy
+nf_tables_api.o: changed function: nft_delrule
+nf_tables_api.o: new function: nft_rule_expr_deactivate
+nf_tables_offload.o: changed function: nft_flow_rule_create
+
+[ppc64le]:
+cma.o: changed function: rdma_listen
+nf_tables_api.o: changed function: __nf_tables_abort
+nf_tables_api.o: changed function: __nft_release_basechain
+nf_tables_api.o: changed function: nf_tables_commit
+nf_tables_api.o: changed function: nf_tables_exit_net
+nf_tables_api.o: changed function: nf_tables_newrule
+nf_tables_api.o: changed function: nf_tables_trans_destroy_work
+nf_tables_api.o: changed function: nft_delrule
+nf_tables_offload.o: changed function: nft_flow_rule_create
+
+---------------------------
+
+Modifications: none
+
+commit bbccf3dd6a13b14389ee537fb0f1b549752dae08
+Author: Kamal Heib
+Date: Thu Jan 6 10:43:05 2022 +0200
+
+ RDMA/cma: Do not change route.addr.src_addr.ss_family
+
+ Bugzilla: https://bugzilla.redhat.com/2032073
+ CVE: CVE-2021-4028
+ Y-Commit: 46f48bc7901a8066a310cd528881f67d9f67a16d
+
+ O-Bugzilla: http://bugzilla.redhat.com/2032074
+ O-CVE: CVE-2021-4028
+
+ commit bc0bdc5afaa740d782fbf936aaeebd65e5c2921d
+ Author: Jason Gunthorpe
+ Date: Wed Sep 15 17:21:43 2021 -0300
+
+ RDMA/cma: Do not change route.addr.src_addr.ss_family
+
+ If the state is not idle then rdma_bind_addr() will immediately fail and
+ no change to global state should happen.
+
+ For instance if the state is already RDMA_CM_LISTEN then this will corrupt
+ the src_addr and would cause the test in cma_cancel_operation():
+
+ if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)
+
+ To view a mangled src_addr, eg with a IPv6 loopback address but an IPv4
+ family, failing the test.
+
+ This would manifest as this trace from syzkaller:
+
+ BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
+ Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204
+
+ CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
+ __list_add_valid+0x93/0xa0 lib/list_debug.c:26
+ __list_add include/linux/list.h:67 [inline]
+ list_add_tail include/linux/list.h:100 [inline]
+ cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
+ rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
+ ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
+ ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
+ vfs_write+0x28e/0xa30 fs/read_write.c:603
+ ksys_write+0x1ee/0x250 fs/read_write.c:658
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+ Which is indicating that an rdma_id_private was destroyed without doing
+ cma_cancel_listens().
+
+ Instead of trying to re-use the src_addr memory to indirectly create an
+ any address build one explicitly on the stack and bind to that as any
+ other normal flow would do.
+
+ Link: https://lore.kernel.org/r/0-v1-9fbb33f5e201+2a-cma_listen_jgg@nvidia.com
+ Cc: stable@vger.kernel.org
+ Fixes: 732d41c545bb ("RDMA/cma: Make the locking for automatic state transition more clear")
+ Reported-by: syzbot+6bb0528b13611047209c@syzkaller.appspotmail.com
+ Tested-by: Hao Sun
+ Reviewed-by: Leon Romanovsky
+ Signed-off-by: Jason Gunthorpe
+
+ Signed-off-by: Kamal Heib
+ Signed-off-by: Bruno Meneguele
+
+Signed-off-by: C. Erastus Toe
+---
+ drivers/infiniband/core/cma.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 5b9022a8c9ec..f716de3fd7e5 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -3716,9 +3716,13 @@ int rdma_listen(struct rdma_cm_id *id, int backlog)
+ int ret;
+
+ if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_LISTEN)) {
++ struct sockaddr_in any_in = {
++ .sin_family = AF_INET,
++ .sin_addr.s_addr = htonl(INADDR_ANY),
++ };
++
+ /* For a well behaved ULP state will be RDMA_CM_IDLE */
+- id->route.addr.src_addr.ss_family = AF_INET;
+- ret = rdma_bind_addr(id, cma_src_addr(id_priv));
++ ret = rdma_bind_addr(id, (struct sockaddr *)&any_in);
+ if (ret)
+ return ret;
+ if (WARN_ON(!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND,
+-- 
+2.34.1
+
+
diff --git a/SOURCES/CVE-2022-25636.patch b/SOURCES/CVE-2022-25636.patch
new file mode 100644
index 0000000..5241756
--- /dev/null
+++ b/SOURCES/CVE-2022-25636.patch
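Review bot: The surviving comment `/* For a well behaved ULP state will be RDMA_CM_IDLE */` above the new `ret = rdma_bind_addr(id, (struct sockaddr *)&any_in);` no longer says why the wildcard address is now built in a stack local instead of in `id->route.addr.src_addr`, which is the whole point of this fix. I would extend it to `/* For a well behaved ULP state will be RDMA_CM_IDLE. Bind to a stack-local any-address: if the state is not IDLE, rdma_bind_addr() fails and the already-bound src_addr in id_priv must stay untouched (CVE-2021-4028). */` so the next person does not "simplify" it back. Passing a `struct sockaddr_in` through a `struct sockaddr *` is only correct if rdma_bind_addr() sizes its copy from `sin_family` rather than `sizeof(struct sockaddr_storage)`; the hunk does not show that, so it is worth confirming against the RHEL 8 tree. The rest of rdma_listen(), including the WARN_ON state check, continues outside the hunk.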
@@ -0,0 +1,207 @@
+From e34e7e4a82e772c705bacee9ef5b63fec54e729c Mon Sep 17 00:00:00 2001
+From: Yannick Cote
+Date: Tue, 29 Mar 2022 13:21:16 -0400
+Subject: [KPATCH CVE-2022-25636] netfilter: kpatch fixes for CVE-2022-25636
+
+Kernels:
+4.18.0-348.el8
+4.18.0-348.2.1.el8_5
+4.18.0-348.7.1.el8_5
+4.18.0-348.12.2.el8_5
+4.18.0-348.20.1.el8_5
+
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/45
+Approved-by: Joe Lawrence (@joe.lawrence)
+Changes since last build:
+[x86_64]:
+cma.o: changed function: rdma_listen
+nf_tables_api.o: changed function: __nf_tables_abort
+nf_tables_api.o: changed function: __nft_release_basechain
+nf_tables_api.o: changed function: nf_tables_commit
+nf_tables_api.o: changed function: nf_tables_exit_net
+nf_tables_api.o: changed function: nf_tables_newrule
+nf_tables_api.o: changed function: nf_tables_rule_destroy
+nf_tables_api.o: changed function: nft_delrule
+nf_tables_api.o: new function: nft_rule_expr_deactivate
+nf_tables_offload.o: changed function: nft_flow_rule_create
+
+[ppc64le]:
+cma.o: changed function: rdma_listen
+nf_tables_api.o: changed function: __nf_tables_abort
+nf_tables_api.o: changed function: __nft_release_basechain
+nf_tables_api.o: changed function: nf_tables_commit
+nf_tables_api.o: changed function: nf_tables_exit_net
+nf_tables_api.o: changed function: nf_tables_newrule
+nf_tables_api.o: changed function: nf_tables_trans_destroy_work
+nf_tables_api.o: changed function: nft_delrule
+nf_tables_offload.o: changed function: nft_flow_rule_create
+
+---------------------------
+
+Modifications:
+- Simplify code to fixing the vulnerability root cause.
+- For this, replace (netfilter: nf_tables_offload: incorrect flow
+offload action array size) with localized code to make sure that
+'forward' and 'dup' rules (all types really) act as having the
+NFT_OFFLOAD_F_ACTION flag set.
+
+commit 9a8d76cbd3d4321f2207bc89fdf0029fe2de3705
+Author: Florian Westphal
+Date: Tue Feb 22 00:40:19 2022 +0100
+
+ netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create
+
+ Bugzilla: https://bugzilla.redhat.com/2056866
+ Y-Commit: c8c8daf989226dca2bab98b8c408a4967e24926d
+
+ O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2056728
+ Upstream Status: commit 31cc578ae2de
+
+ commit 31cc578ae2de19c748af06d859019dced68e325d
+ Author: Saeed Mirzamohammadi
+ Date: Tue Oct 20 13:41:36 2020 +0200
+
+ netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create
+
+ This patch fixes the issue due to:
+
+ BUG: KASAN: slab-out-of-bounds in nft_flow_rule_create+0x622/0x6a2
+ net/netfilter/nf_tables_offload.c:40
+ Read of size 8 at addr ffff888103910b58 by task syz-executor227/16244
+
+ The error happens when expr->ops is accessed early on before performing the boundary check and after nft_expr_next() moves the expr to go out-of-bounds.
+
+ This patch checks the boundary condition before expr->ops that fixes the slab-out-of-bounds Read issue.
+
+ Add nft_expr_more() and use it to fix this problem.
+
+ Signed-off-by: Saeed Mirzamohammadi
+ Signed-off-by: Pablo Neira Ayuso
+
+ Signed-off-by: Florian Westphal
+ Signed-off-by: Patrick Talbert
+
+commit bd5cf01bee78b2d9c5356021d7f9bfed8d0cbe27
+Author: Florian Westphal
+Date: Tue Feb 22 00:40:20 2022 +0100
+
+ netfilter: nf_tables_offload: incorrect flow offload action array size
+
+ Bugzilla: https://bugzilla.redhat.com/2056866
+ CVE: CVE-2022-25636
+ Y-Commit: fa41e65b922a9f624d51fdd9f698c096e340a6b7
+
+ O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2056728
+ O-CVE: CVE-2022-25636
+ Upstream Status: nf.git commit b1a5983f56e3
+
+ Conflicts:
+ include/net/netfilter/nf_tables.h
+
+ Context only, RHEL8 lacks the offload_stats callback.
+
+ commit b1a5983f56e371046dcf164f90bfaf704d2b89f6
+ Author: Pablo Neira Ayuso
+ Date: Thu Feb 17 23:41:20 2022 +0100
+
+ netfilter: nf_tables_offload: incorrect flow offload action array size
+
+ immediate verdict expression needs to allocate one slot in the flow offload
+ action array, however, immediate data expression does not need to do so.
+
+ fwd and dup expression need to allocate one slot, this is missing.
+
+ Add a new offload_action interface to report if this expression needs to
+ allocate one slot in the flow offload action array.
+
+ Fixes: be2861dc36d7 ("netfilter: nft_{fwd,dup}_netdev: add offload support")
+ Reported-and-tested-by: Nick Gregory
+ Signed-off-by: Pablo Neira Ayuso
+
+ Signed-off-by: Florian Westphal
+ Signed-off-by: Patrick Talbert
+
+Signed-off-by: Yannick Cote
+---
+ include/net/netfilter/nf_tables.h | 6 ++++++
+ net/netfilter/nf_tables_api.c | 6 +++---
+ net/netfilter/nf_tables_offload.c | 6 +++---
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index aa5b025771b4..2f6d9959d695 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -896,6 +896,12 @@ static inline struct nft_expr *nft_expr_last(const struct nft_rule *rule)
+ return (struct nft_expr *)&rule->data[rule->dlen];
+ }
+
++static inline bool nft_expr_more(const struct nft_rule *rule,
++ const struct nft_expr *expr)
++{
++ return expr != nft_expr_last(rule) && expr->ops;
++}
++
+ static inline struct nft_userdata *nft_userdata(const struct nft_rule *rule)
+ {
+ return (void *)&rule->data[rule->dlen];
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 353201d81205..9620daa81a15 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -335,7 +335,7 @@ static void nft_rule_expr_activate(const struct nft_ctx *ctx,
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->activate)
+ expr->ops->activate(ctx, expr);
+
+@@ -350,7 +350,7 @@ static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ if (expr->ops->deactivate)
+ expr->ops->deactivate(ctx, expr, phase);
+
+@@ -2951,7 +2951,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
+ * is called on error from nf_tables_newrule().
+ */
+ expr = nft_expr_first(rule);
+- while (expr != nft_expr_last(rule) && expr->ops) {
++ while (nft_expr_more(rule, expr)) {
+ next = nft_expr_next(expr);
+ nf_tables_expr_destroy(ctx, expr);
+ expr = next;
+diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
+index 499e5c51da22..091640fcc2f6 100644
+--- a/net/netfilter/nf_tables_offload.c
++++ b/net/netfilter/nf_tables_offload.c
+@@ -93,8 +93,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
+ struct nft_expr *expr;
+
+ expr = nft_expr_first(rule);
+- while (expr->ops && expr != nft_expr_last(rule)) {
+- if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
++ while (nft_expr_more(rule, expr)) {
++ if (expr->ops->offload)
+ num_actions++;
+
+ expr = nft_expr_next(expr);
+@@ -117,7 +117,7 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net,
+ ctx->net = net;
+ ctx->dep.type = NFT_OFFLOAD_DEP_UNSPEC;
+
+- while (expr->ops && expr != nft_expr_last(rule)) {
++ while (nft_expr_more(rule, expr)) {
+ if (!expr->ops->offload) {
+ err = -EOPNOTSUPP;
+ goto err_out;
+-- 
+2.34.1
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 3ba344d..9bc763d 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver 4.18.0-348.el8
 %define kpatch_ver 0.9.5
 %define rpm_ver 1
-%define rpm_rel 3
+%define rpm_rel 4
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
@@ -37,6 +37,12 @@ Source107: CVE-2022-0492.patch
 #
 # https://bugzilla.redhat.com/2047620
 Source108: CVE-2022-22942.patch
+#
+# https://bugzilla.redhat.com/2033364
+Source109: CVE-2021-4028.patch
+#
+# https://bugzilla.redhat.com/2056875
+Source110: CVE-2022-25636.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
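Review bot: The kpatch's `if (expr->ops->offload) num_actions++;` in the first loop of nft_flow_rule_create() deliberately diverges from the upstream `offload_action` callback described in the commit message, counting every offloadable expression (matches included) as an action, and nothing in the code records that. I would put `/* kpatch: count every offloadable expression as an action. This over-allocates flow_action entries, but the array can then never be smaller than what the second loop appends (CVE-2022-25636). */` above the loop so a later rebase onto the upstream fix is not read as a regression. The over-count is memory-safe as written: the second loop rejects with -EOPNOTSUPP exactly the `!expr->ops->offload` expressions the first loop skipped, so appended entries never exceed allocated slots; the allocation sized by num_actions sits between the two loops, outside the hunk. `nft_expr_more()` also corrects the evaluation order of the old offload-side loops, which read `expr->ops` before comparing against `nft_expr_last(rule)` and so dereferenced one step past the rule's expression area, which is the KASAN read the first commit describes.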
@@ -175,6 +181,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Tue Apr 19 2022 Yannick Cote [1-4.el8]
+- kernel: heap out of bounds write in nf_dup_netdev.c [2056875] {CVE-2022-25636}
+- kernel: use-after-free in RDMA listen() [2033364] {CVE-2021-4028}
+
 * Fri Mar 04 2022 Yannick Cote [1-3.el8]
 - kernel: failing usercopy allows for use-after-free exploitation [2047620] {CVE-2022-22942}
 - kernel: cgroups v1 release_agent feature may allow privilege escalation [2052187] {CVE-2022-0492}