diff --git a/.gitignore b/.gitignore index e69de29..45d8831 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-4.18.0-372.26.1.el8_6.src.rpm +SOURCES/v0.9.6.tar.gz diff --git a/.kpatch-patch-4_18_0-372_26_1.metadata b/.kpatch-patch-4_18_0-372_26_1.metadata index e69de29..62d6951 100644 --- a/.kpatch-patch-4_18_0-372_26_1.metadata +++ b/.kpatch-patch-4_18_0-372_26_1.metadata @@ -0,0 +1,2 @@ +ad61a039eb2d3d8e5c31fee76b144c0a2e84669a SOURCES/kernel-4.18.0-372.26.1.el8_6.src.rpm +223c224ddd6896c467b9347ab297e3f7f013f5d7 SOURCES/v0.9.6.tar.gz diff --git a/SOURCES/CVE-2022-2588.patch b/SOURCES/CVE-2022-2588.patch new file mode 100644 index 0000000..1a9683f --- /dev/null +++ b/SOURCES/CVE-2022-2588.patch @@ -0,0 +1,88 @@ +From 40fea653c0535b0963a20f3768475a21745966a1 Mon Sep 17 00:00:00 2001 +From: Julia Denham +Date: Wed, 5 Oct 2022 10:46:32 -0400 +Subject: [KPATCH CVE-2022-2588] kpatch fixes for CVE-2022-2588 + +Kernels: +4.18.0-372.9.1.el8 +4.18.0-372.13.1.el8_6 +4.18.0-372.16.1.el8_6 +4.18.0-372.19.1.el8_6 +4.18.0-372.26.1.el8_6 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/57 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +cls_route.o: changed function: route4_change +--------------------------- + +Modifications: none + +commit da65135ce599844336767732fe9f4adc731ddf03 +Author: Felix Maurer +Date: Fri Aug 19 15:28:46 2022 +0200 + + net_sched: cls_route: remove from list when handle is 0 + + Bugzilla: https://bugzilla.redhat.com/2121817 + CVE: CVE-2022-2588 + Y-Commit: 30cff48f9bf8efc15d8a7294c6bf88f013eed546 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2116328 + O-CVE: CVE-2022-2588 + + commit 9ad36309e2719a884f946678e0296be10f0bb4c1 + Author: Thadeu Lima de Souza Cascardo + Date: Tue Aug 9 14:05:18 2022 -0300 + + net_sched: cls_route: remove from list when handle is 0 + + When a route filter is replaced and the old filter has a 0 handle, the old + one won't be removed from the hashtable, while it will still be freed. + + The test was there since before commit 1109c00547fc ("net: sched: RCU + cls_route"), when a new filter was not allocated when there was an old one. + The old filter was reused and the reinserting would only be necessary if an + old filter was replaced. That was still wrong for the same case where the + old handle was 0. + + Remove the old filter from the list independently from its handle value. + + This fixes CVE-2022-2588, also reported as ZDI-CAN-17440. + + Reported-by: Zhenpeng Lin + Signed-off-by: Thadeu Lima de Souza Cascardo + Reviewed-by: Kamal Mostafa + Cc: + Acked-by: Jamal Hadi Salim + Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com + Signed-off-by: Jakub Kicinski + + Signed-off-by: Felix Maurer + Signed-off-by: Augusto Caringi + +Signed-off-by: Julia Denham +--- + net/sched/cls_route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c +index 94dbc05e40f7..882a0ad65af5 100644 +--- a/net/sched/cls_route.c ++++ b/net/sched/cls_route.c +@@ -530,7 +530,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, + rcu_assign_pointer(f->next, f1); + rcu_assign_pointer(*fp, f); + +- if (fold && fold->handle && f->handle != fold->handle) { ++ if (fold) { + th = to_hash(fold->handle); + h = from_hash(fold->handle >> 16); + b = rtnl_dereference(head->table[th]); +-- +2.37.3 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 6ae64a5..ed9cd16 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,18 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 4.18.0-372.26.1.el8_6 %define kpatch_ver 0.9.6 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2122584 +Source100: CVE-2022-2588.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -150,5 +151,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Mon Oct 10 2022 Yannick Cote [1-1.el8_6] +- kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation [2122584] {CVE-2022-2588} + * Tue Aug 30 2022 Yannick Cote [0-0.el8] - An empty patch to subscribe to kpatch stream for kernel-4.18.0-372.26.1.el8_6 [2122640]