diff --git a/.gitignore b/.gitignore index e69de29..cff73dc 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-4.18.0-425.13.1.el8_7.src.rpm +SOURCES/v0.9.6.tar.gz diff --git a/.kpatch-patch-4_18_0-425_13_1.metadata b/.kpatch-patch-4_18_0-425_13_1.metadata index e69de29..9844083 100644 --- a/.kpatch-patch-4_18_0-425_13_1.metadata +++ b/.kpatch-patch-4_18_0-425_13_1.metadata @@ -0,0 +1,2 @@ +49576b2564d3560f492955e9d21c1a41f218e0eb SOURCES/kernel-4.18.0-425.13.1.el8_7.src.rpm +223c224ddd6896c467b9347ab297e3f7f013f5d7 SOURCES/v0.9.6.tar.gz diff --git a/SOURCES/CVE-2022-4378.patch b/SOURCES/CVE-2022-4378.patch new file mode 100644 index 0000000..723af9a --- /dev/null +++ b/SOURCES/CVE-2022-4378.patch @@ -0,0 +1,212 @@ +From daf9de90e88ffb2e303145733167327f92b869c2 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Tue, 7 Feb 2023 12:08:05 -0500 +Subject: [KPATCH CVE-2022-4378] kpatch fixes for CVE-2022-4378 + +Kernels: +4.18.0-425.3.1.el8 +4.18.0-425.10.1.el8_7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/82 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +[x86_64]: +control.o: changed function: snd_ctl_elem_read +control.o: changed function: snd_ctl_ioctl +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.14 + +[ppc64le]: +control.o: changed function: snd_ctl_elem_read +control.o: changed function: snd_ctl_ioctl +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_dopipe_max_size +sysctl.o: changed function: proc_douintvec +sysctl.o: changed function: proc_douintvec_minmax +sysctl.o: changed function: proc_get_long.constprop.14 + +--------------------------- + +Modifications: none + +commit 8c873c04cfd546b8b29ae86dc35414cf4167d163 +Author: Wander Lairson Costa +Date: Mon Dec 12 15:43:15 2022 -0300 + + proc: avoid integer type confusion in get_proc_long + + Bugzilla: https://bugzilla.redhat.com/2152571 + CVE: CVE-2022-4378 + Y-Commit: bbda4302821f46972d5139f9af87993a7a07306e + + O-Bugzilla: https://bugzilla.redhat.com/2152572 + O-CVE: CVE-2022-4378 + + commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c + Author: Linus Torvalds + Date: Mon Dec 5 11:33:40 2022 -0800 + + proc: avoid integer type confusion in get_proc_long + + proc_get_long() is passed a size_t, but then assigns it to an 'int' + variable for the length. Let's not do that, even if our IO paths are + limited to MAX_RW_COUNT (exactly because of these kinds of type errors). + + So do the proper test in the rigth type. + + Reported-by: Kyle Zeng + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + Signed-off-by: Jarod Wilson + +commit 2347e6da850ca59e4730578b53d0e9339a1bb1e6 +Author: Wander Lairson Costa +Date: Mon Dec 12 15:47:25 2022 -0300 + + proc: proc_skip_spaces() shouldn't think it is working on C strings + + Bugzilla: https://bugzilla.redhat.com/2152571 + CVE: CVE-2022-4378 + Y-Commit: ec2f9f80ba44b533578349a97fb2fe9894142221 + + O-Bugzilla: https://bugzilla.redhat.com/2152572 + O-CVE: CVE-2022-4378 + + Conflicts: context hunks because out version is much older than + upstream. + + commit bce9332220bd677d83b19d21502776ad555a0e73 + Author: Linus Torvalds + Date: Mon Dec 5 12:09:06 2022 -0800 + + proc: proc_skip_spaces() shouldn't think it is working on C strings + + proc_skip_spaces() seems to think it is working on C strings, and ends + up being just a wrapper around skip_spaces() with a really odd calling + convention. + + Instead of basing it on skip_spaces(), it should have looked more like + proc_skip_char(), which really is the exact same function (except it + skips a particular character, rather than whitespace). So use that as + inspiration, odd coding and all. + + Now the calling convention actually makes sense and works for the + intended purpose. + + Reported-and-tested-by: Kyle Zeng + Acked-by: Eric Dumazet + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + Signed-off-by: Jarod Wilson + +Signed-off-by: Ryan Sullivan +--- + kernel/sysctl.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index b4c8a670e9e0..3c8a3a787528 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -2194,13 +2194,14 @@ int proc_dostring(struct ctl_table *table, int write, + (char __user *)buffer, lenp, ppos); + } + +-static size_t proc_skip_spaces(char **buf) ++static void proc_skip_spaces(char **buf, size_t *size) + { +- size_t ret; +- char *tmp = skip_spaces(*buf); +- ret = tmp - *buf; +- *buf = tmp; +- return ret; ++ while (*size) { ++ if (!isspace(**buf)) ++ break; ++ (*size)--; ++ (*buf)++; ++ } + } + + static void proc_skip_char(char **buf, size_t *size, const char v) +@@ -2269,13 +2270,12 @@ static int proc_get_long(char **buf, size_t *size, + unsigned long *val, bool *neg, + const char *perm_tr, unsigned perm_tr_len, char *tr) + { +- int len; + char *p, tmp[TMPBUFLEN]; ++ ssize_t len = *size; + +- if (!*size) ++ if (len <= 0) + return -EINVAL; + +- len = *size; + if (len > TMPBUFLEN - 1) + len = TMPBUFLEN - 1; + +@@ -2438,7 +2438,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, + bool neg; + + if (write) { +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + if (!left) + break; +@@ -2469,7 +2469,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, + if (!write && !first && left && !err) + err = proc_put_char(&buffer, &left, '\n'); + if (write && !err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write) { + kfree(kbuf); + if (first) +@@ -2518,7 +2518,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, + if (IS_ERR(kbuf)) + return -EINVAL; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) { + err = -EINVAL; + goto out_free; +@@ -2538,7 +2538,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, + } + + if (!err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + out_free: + kfree(kbuf); +@@ -2982,7 +2982,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int + if (write) { + bool neg; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + err = proc_get_long(&p, &left, &val, &neg, + proc_wspace_sep, +@@ -3013,7 +3013,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int + if (!write && !first && left && !err) + err = proc_put_char(&buffer, &left, '\n'); + if (write && !err) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write) { + kfree(kbuf); + if (first) +-- +2.39.2 + + diff --git a/SOURCES/CVE-2023-0266.patch b/SOURCES/CVE-2023-0266.patch new file mode 100644 index 0000000..e1155d4 --- /dev/null +++ b/SOURCES/CVE-2023-0266.patch @@ -0,0 +1,156 @@ +From 6cfa68ca747bc4fe8978bcf92c3d894e95c05022 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Fri, 17 Feb 2023 10:33:05 -0500 +Subject: [KPATCH CVE-2023-0266] kpatch fixes for CVE-2023-0266 + +Kernels: +4.18.0-425.3.1.el8 +4.18.0-425.10.1.el8_7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/87 +Approved-by: Yannick Cote (@ycote1) +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +[x86_64]: +control.o: changed function: snd_ctl_elem_read +control.o: changed function: snd_ctl_ioctl +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.14 + +[ppc64le]: +control.o: changed function: snd_ctl_elem_read +control.o: changed function: snd_ctl_ioctl +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_dopipe_max_size +sysctl.o: changed function: proc_douintvec +sysctl.o: changed function: proc_douintvec_minmax +sysctl.o: changed function: proc_get_long.constprop.14 + +--------------------------- + +Modifications: none + +commit 28e15c1ec38154a006589fb8eb40fcab1eea97ce +Author: Jaroslav Kysela +Date: Thu Feb 9 09:10:34 2023 +0100 + + ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF + + Takes rwsem lock inside snd_ctl_elem_read instead of snd_ctl_elem_read_user + like it was done for write in commit 1fa4445f9adf1 ("ALSA: control - introduce + snd_ctl_notify_one() helper"). Doing this way we are also fixing the following + locking issue happening in the compat path which can be easily triggered and + turned into an use-after-free. + + 64-bits: + snd_ctl_ioctl + snd_ctl_elem_read_user + [takes controls_rwsem] + snd_ctl_elem_read [lock properly held, all good] + [drops controls_rwsem] + + 32-bits: + snd_ctl_ioctl_compat + snd_ctl_elem_write_read_compat + ctl_elem_write_read + snd_ctl_elem_read [missing lock, not good] + + CVE-2023-0266 was assigned for this issue. + + Cc: stable@kernel.org # 5.13+ + Signed-off-by: Clement Lecigne + Reviewed-by: Jaroslav Kysela + Link: https://lore.kernel.org/r/20230113120745.25464-1-tiwai@suse.de + Signed-off-by: Takashi Iwai + + Author: Clement Lecigne + Date: Fri Jan 13 13:07:45 2023 +0100 + + CVE: CVE-2023-0266 + + Signed-off-by: Jaroslav Kysela + (cherry picked from commit 56b88b50565cd8b946a2d00b0c83927b7ebb055e) + Bugzilla: https://bugzilla.redhat.com/2163400 + +Signed-off-by: Ryan Sullivan +--- + sound/core/control.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +diff --git a/sound/core/control.c b/sound/core/control.c +index 92fa122941a7..00c86f4d9063 100644 +--- a/sound/core/control.c ++++ b/sound/core/control.c +@@ -1066,14 +1066,19 @@ static int snd_ctl_elem_read(struct snd_card *card, + const u32 pattern = 0xdeadbeef; + int ret; + ++ down_read(&card->controls_rwsem); + kctl = snd_ctl_find_id(card, &control->id); +- if (kctl == NULL) +- return -ENOENT; ++ if (kctl == NULL) { ++ ret = -ENOENT; ++ goto unlock; ++ } + + index_offset = snd_ctl_get_ioff(kctl, &control->id); + vd = &kctl->vd[index_offset]; +- if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) +- return -EPERM; ++ if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL) { ++ ret = -EPERM; ++ goto unlock; ++ } + + snd_ctl_build_ioff(&control->id, kctl, index_offset); + +@@ -1083,7 +1088,7 @@ static int snd_ctl_elem_read(struct snd_card *card, + info.id = control->id; + ret = __snd_ctl_elem_info(card, kctl, &info, NULL); + if (ret < 0) +- return ret; ++ goto unlock; + #endif + + if (!snd_ctl_skip_validation(&info)) +@@ -1093,7 +1098,7 @@ static int snd_ctl_elem_read(struct snd_card *card, + ret = kctl->get(kctl, control); + snd_power_unref(card); + if (ret < 0) +- return ret; ++ goto unlock; + if (!snd_ctl_skip_validation(&info) && + sanity_check_elem_value(card, control, &info, pattern) < 0) { + dev_err(card->dev, +@@ -1101,8 +1106,11 @@ static int snd_ctl_elem_read(struct snd_card *card, + control->id.iface, control->id.device, + control->id.subdevice, control->id.name, + control->id.index); +- return -EINVAL; ++ ret = -EINVAL; ++ goto unlock; + } ++unlock: ++ up_read(&card->controls_rwsem); + return ret; + } + +@@ -1116,9 +1124,7 @@ static int snd_ctl_elem_read_user(struct snd_card *card, + if (IS_ERR(control)) + return PTR_ERR(control); + +- down_read(&card->controls_rwsem); + result = snd_ctl_elem_read(card, control); +- up_read(&card->controls_rwsem); + if (result < 0) + goto error; + +-- +2.39.2 + + diff --git a/SOURCES/CVE-2023-0386.patch b/SOURCES/CVE-2023-0386.patch new file mode 100644 index 0000000..235e8b8 --- /dev/null +++ b/SOURCES/CVE-2023-0386.patch @@ -0,0 +1,84 @@ +From 49fc47e81624d594ff10837b9cd34f14c9e26046 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Wed, 15 Mar 2023 09:20:36 -0400 +Subject: [KPATCH CVE-2023-0386] kpatch fixes for CVE-2023-0386 + +Kernels: +4.18.0-425.3.1.el8 +4.18.0-425.10.1.el8_7 +4.18.0-425.13.1.el8_7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/92 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +[x86_64]: +copy_up.o: changed function: ovl_copy_up_one +copy_up.o: new function: ovl_do_copy_up + +[ppc64le]: +copy_up.o: changed function: ovl_copy_up_one + +--------------------------- + +Modifications: none + +commit a9ae1a96322125120bbb5177b1c76586f886a8db +Author: Miklos Szeredi +Date: Tue Jan 24 16:41:18 2023 +0100 + + ovl: fail on invalid uid/gid mapping at copy up + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2165341 + CVE: CVE-2023-0386 + + If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then + copy-up should fail, just like it would fail if the mounter task was doing + the copy using "cp -a". + + There's a corner case where the "cp -a" would succeed but copy up fail: if + there's a mapping of the invalid uid/gid (65534 by default) in the user + namespace. This is because stat(2) will return this value if the mapping + doesn't exist in the current user_ns and "cp -a" will in turn be able to + create a file with this uid/gid. + + This behavior would be inconsistent with POSIX ACL's, which return -1 for + invalid uid/gid which result in a failed copy. + + For consistency and simplicity fail the copy of the st_uid/st_gid are + invalid. + + Fixes: 459c7c565ac3 ("ovl: unprivieged mounts") + Cc: # v5.11 + Signed-off-by: Miklos Szeredi + Reviewed-by: Christian Brauner + Reviewed-by: Seth Forshee + (cherry picked from commit 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3) + + Signed-off-by: Miklos Szeredi + +Signed-off-by: Ryan Sullivan +--- + fs/overlayfs/copy_up.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index edd818b77aac..7c51ca835fc7 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -889,6 +889,10 @@ static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry, + if (err) + return err; + ++ if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) || ++ !kgid_has_mapping(current_user_ns(), ctx.stat.gid)) ++ return -EOVERFLOW; ++ + ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags); + + if (parent) { +-- +2.39.2 + + diff --git a/SOURCES/v0.9.6-backport-MR-1281-create-diff-object-add-suppo.patch b/SOURCES/v0.9.6-backport-MR-1281-create-diff-object-add-suppo.patch new file mode 100644 index 0000000..75be78b --- /dev/null +++ b/SOURCES/v0.9.6-backport-MR-1281-create-diff-object-add-suppo.patch @@ -0,0 +1,49 @@ +From ea6a6f2d23a0af0e2cde8c99f0b7f0becf6beee5 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 8 Dec 2022 12:51:23 -0500 +Subject: [PATCH] v0.9.6 backport: MR!1281 ("create-diff-object: add support + for .return_sites section (x86)") +Content-type: text/plain + +commit 33368a88cdf875b0edd02b0dfd3356a7e93b24db +Author: Jonathan Dobson +Date: Sat Jul 16 15:46:54 2022 -0600 + + create-diff-object: add support for .return_sites section (x86) + +Signed-off-by: Joe Lawrence +--- + kpatch-build/create-diff-object.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/kpatch-build/create-diff-object.c b/kpatch-build/create-diff-object.c +index 826741d07fc7..a79ec7985135 100644 +--- a/kpatch-build/create-diff-object.c ++++ b/kpatch-build/create-diff-object.c +@@ -2132,6 +2132,11 @@ static int retpoline_sites_group_size(struct kpatch_elf *kelf, int offset) + return 4; + } + ++static int return_sites_group_size(struct kpatch_elf *kelf, int offset) ++{ ++ return 4; ++} ++ + static int fixup_entry_group_size(struct kpatch_elf *kelf, int offset) + { + static int size = 0; +@@ -2258,6 +2263,11 @@ static struct special_section special_sections[] = { + .arch = X86_64, + .group_size = retpoline_sites_group_size, + }, ++ { ++ .name = ".return_sites", ++ .arch = X86_64, ++ .group_size = return_sites_group_size, ++ }, + { + .name = "__ftr_fixup", + .arch = PPC64, +-- +2.38.1 + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 3a29188..794ad87 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,24 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 4.18.0-425.13.1.el8_7 %define kpatch_ver 0.9.6 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 2 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2152597 +Source100: CVE-2022-4378.patch +# +# https://bugzilla.redhat.com/2163413 +Source101: CVE-2023-0266.patch +# +# https://bugzilla.redhat.com/2165360 +Source102: CVE-2023-0386.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -151,5 +158,12 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Thu Mar 23 2023 Yannick Cote [1-2.el8_7] +- kernel: FUSE filesystem low-privileged user privileges escalation [2165360] {CVE-2023-0386} + +* Tue Mar 21 2023 Yannick Cote [1-1.el8_7] +- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF [2163413] {CVE-2023-0266} +- kernel: stack overflow in do_proc_dointvec and proc_skip_spaces [2152597] {CVE-2022-4378} + * Tue Feb 07 2023 Yannick Cote [0-0.el8] - An empty patch to subscribe to kpatch stream for kernel-4.18.0-425.13.1.el8_7 [2167944]