Blame SOURCES/CVE-2022-2588.patch

From 40fea653c0535b0963a20f3768475a21745966a1 Mon Sep 17 00:00:00 2001
From: Julia Denham <jdenham@redhat.com>
Date: Wed, 5 Oct 2022 10:46:32 -0400
Subject: [KPATCH CVE-2022-2588] kpatch fixes for CVE-2022-2588

Kernels:
4.18.0-372.9.1.el8
4.18.0-372.13.1.el8_6
4.18.0-372.16.1.el8_6
4.18.0-372.19.1.el8_6
4.18.0-372.26.1.el8_6


Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/57
Approved-by: Joe Lawrence (@joe.lawrence)
Approved-by: Yannick Cote (@ycote1)
Changes since last build:
arches: x86_64 ppc64le
cls_route.o: changed function: route4_change
---------------------------

Modifications: none

commit da65135ce599844336767732fe9f4adc731ddf03
Author: Felix Maurer <fmaurer@redhat.com>
Date:   Fri Aug 19 15:28:46 2022 +0200

    net_sched: cls_route: remove from list when handle is 0

    Bugzilla: https://bugzilla.redhat.com/2121817
    CVE: CVE-2022-2588
    Y-Commit: 30cff48f9bf8efc15d8a7294c6bf88f013eed546

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2116328
    O-CVE: CVE-2022-2588

    commit 9ad36309e2719a884f946678e0296be10f0bb4c1
    Author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    Date:   Tue Aug 9 14:05:18 2022 -0300

        net_sched: cls_route: remove from list when handle is 0

        When a route filter is replaced and the old filter has a 0 handle, the old
        one won't be removed from the hashtable, while it will still be freed.

        The test was there since before commit 1109c00547fc ("net: sched: RCU
        cls_route"), when a new filter was not allocated when there was an old one.
        The old filter was reused and the reinserting would only be necessary if an
        old filter was replaced. That was still wrong for the same case where the
        old handle was 0.

        Remove the old filter from the list independently from its handle value.

        This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.

        Reported-by: Zhenpeng Lin <zplin@u.northwestern.edu>
        Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
        Reviewed-by: Kamal Mostafa <kamal@canonical.com>
        Cc: <stable@vger.kernel.org>
        Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
        Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com
        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Felix Maurer <fmaurer@redhat.com>
    Signed-off-by: Augusto Caringi <acaringi@redhat.com>

Signed-off-by: Julia Denham <jdenham@redhat.com>
---
 net/sched/cls_route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 94dbc05e40f7..882a0ad65af5 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -530,7 +530,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 	rcu_assign_pointer(f->next, f1);
 	rcu_assign_pointer(*fp, f);
 
-	if (fold && fold->handle && f->handle != fold->handle) {
+	if (fold) {
 		th = to_hash(fold->handle);
 		h = from_hash(fold->handle >> 16);
 		b = rtnl_dereference(head->table[th]);
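Review bot: with `f->handle != fold->handle` dropped from the condition at `if (fold) {`, this block now also runs when the replacement keeps the old filter's handle, and in that case `f` has just been linked into the same bucket by `rcu_assign_pointer(*fp, f)`. The unlink loop that follows `b = rtnl_dereference(head->table[th]);` is outside the visible context, so please confirm that it matches entries by pointer against `fold` rather than by handle; otherwise the entry removed could be the new filter instead of the old one. A short comment above `if (fold) {` stating that the old filter is always unlinked because it is freed regardless of its handle value would keep the condition from being narrowed again later. Because only `route4_change` is changed, the description should also say that a zero-handle filter replaced before this kpatch was loaded is not repaired by it.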
-- 
2.37.3