rpms / kpatch-patch-4_18_0-372_13_1

Clone
Source Code
GIT

Blame SOURCES/CVE-2022-2588.patch

c8
  1.   3618d77a71c272231a60496d5b40cdd0ca823c5e
  2.   SOURCES
  3.   CVE-2022-2588.patch
Blob History Raw
3618d7 
From 40fea653c0535b0963a20f3768475a21745966a1 Mon Sep 17 00:00:00 2001
3618d7 
From: Julia Denham <jdenham@redhat.com>
3618d7 
Date: Wed, 5 Oct 2022 10:46:32 -0400
3618d7 
Subject: [KPATCH CVE-2022-2588] kpatch fixes for CVE-2022-2588
3618d7
3618d7 
Kernels:
3618d7 
4.18.0-372.9.1.el8
3618d7 
4.18.0-372.13.1.el8_6
3618d7 
4.18.0-372.16.1.el8_6
3618d7 
4.18.0-372.19.1.el8_6
3618d7 
4.18.0-372.26.1.el8_6
3618d7
3618d7
3618d7 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/57
3618d7 
Approved-by: Joe Lawrence (@joe.lawrence)
3618d7 
Approved-by: Yannick Cote (@ycote1)
3618d7 
Changes since last build:
3618d7 
arches: x86_64 ppc64le
3618d7 
cls_route.o: changed function: route4_change
3618d7 
---------------------------
3618d7
3618d7 
Modifications: none
3618d7
3618d7 
commit da65135ce599844336767732fe9f4adc731ddf03
3618d7 
Author: Felix Maurer <fmaurer@redhat.com>
3618d7 
Date:   Fri Aug 19 15:28:46 2022 +0200
3618d7
3618d7 
    net_sched: cls_route: remove from list when handle is 0
3618d7
3618d7 
    Bugzilla: https://bugzilla.redhat.com/2121817
3618d7 
    CVE: CVE-2022-2588
3618d7 
    Y-Commit: 30cff48f9bf8efc15d8a7294c6bf88f013eed546
3618d7
3618d7 
    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2116328
3618d7 
    O-CVE: CVE-2022-2588
3618d7
3618d7 
    commit 9ad36309e2719a884f946678e0296be10f0bb4c1
3618d7 
    Author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
3618d7 
    Date:   Tue Aug 9 14:05:18 2022 -0300
3618d7
3618d7 
        net_sched: cls_route: remove from list when handle is 0
3618d7
3618d7 
        When a route filter is replaced and the old filter has a 0 handle, the old
3618d7 
        one won't be removed from the hashtable, while it will still be freed.
3618d7
3618d7 
        The test was there since before commit 1109c00547fc ("net: sched: RCU
3618d7 
        cls_route"), when a new filter was not allocated when there was an old one.
3618d7 
        The old filter was reused and the reinserting would only be necessary if an
3618d7 
        old filter was replaced. That was still wrong for the same case where the
3618d7 
        old handle was 0.
3618d7
3618d7 
        Remove the old filter from the list independently from its handle value.
3618d7
3618d7 
        This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.
3618d7
3618d7 
        Reported-by: Zhenpeng Lin <zplin@u.northwestern.edu>
3618d7 
        Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
3618d7 
        Reviewed-by: Kamal Mostafa <kamal@canonical.com>
3618d7 
        Cc: <stable@vger.kernel.org>
3618d7 
        Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
3618d7 
        Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com
3618d7 
        Signed-off-by: Jakub Kicinski <kuba@kernel.org>
3618d7
3618d7 
    Signed-off-by: Felix Maurer <fmaurer@redhat.com>
3618d7 
    Signed-off-by: Augusto Caringi <acaringi@redhat.com>
3618d7
3618d7 
Signed-off-by: Julia Denham <jdenham@redhat.com>
3618d7 
---
3618d7 
 net/sched/cls_route.c | 2 +-
3618d7 
 1 file changed, 1 insertion(+), 1 deletion(-)
3618d7
3618d7 
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
3618d7 
index 94dbc05e40f7..882a0ad65af5 100644
3618d7 
--- a/net/sched/cls_route.c
3618d7 
+++ b/net/sched/cls_route.c
3618d7 
@@ -530,7 +530,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
3618d7 
 	rcu_assign_pointer(f->next, f1);
3618d7 
 	rcu_assign_pointer(*fp, f);
3618d7
3618d7 
-	if (fold && fold->handle && f->handle != fold->handle) {
3618d7 
+	if (fold) {
3618d7 
 		th = to_hash(fold->handle);
3618d7 
 		h = from_hash(fold->handle >> 16);
3618d7 
 		b = rtnl_dereference(head->table[th]);
3618d7 
--
3618d7 
2.37.3
3618d7
3618d7

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation