From 6e64c9926b3f62eff0b4b50d8e47a83cfeef3b13 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 12 2023 08:28:07 +0000 Subject: import kpatch-patch-4_18_0-425_3_1-1-2.el8 --- diff --git a/.gitignore b/.gitignore index e69de29..efeeb14 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-4.18.0-425.3.1.el8.src.rpm +SOURCES/v0.9.6.tar.gz diff --git a/.kpatch-patch-4_18_0-425_3_1.metadata b/.kpatch-patch-4_18_0-425_3_1.metadata index e69de29..8c1ca68 100644 --- a/.kpatch-patch-4_18_0-425_3_1.metadata +++ b/.kpatch-patch-4_18_0-425_3_1.metadata @@ -0,0 +1,2 @@ +22891a91c476518e918feb6751b62859eeee80c4 SOURCES/kernel-4.18.0-425.3.1.el8.src.rpm +223c224ddd6896c467b9347ab297e3f7f013f5d7 SOURCES/v0.9.6.tar.gz diff --git a/SOURCES/CVE-2022-2964.patch b/SOURCES/CVE-2022-2964.patch new file mode 100644 index 0000000..075d5a8 --- /dev/null +++ b/SOURCES/CVE-2022-2964.patch 
@@ -0,0 +1,315 @@ +From f199e966e1da09385b3a822b60220c3e7dad5d15 Mon Sep 17 00:00:00 2001 +From: Yannick Cote +Date: Wed, 7 Dec 2022 13:51:50 -0500 +Subject: [KPATCH CVE-2022-2964] kpatch fixes for CVE-2022-2964 + +Kernels: +4.18.0-425.3.1.el8 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/65 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +arches: x86_64 ppc64le +ax88179_178a.o: changed function: ax88179_rx_fixup +--------------------------- + +Modifications: none + +commit f12daa92e8162af22fa80f7a69c2b7069a600f24 +Author: Jose Ignacio Tornos Martinez +Date: Wed Nov 23 17:38:38 2022 +0100 + + net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup + + Bugzilla: https://bugzilla.redhat.com/2142724 + CVE: CVE-2022-2964 + + commit 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 + Author: Jann Horn + Date: Wed Jan 26 14:14:52 2022 +0100 + + net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup + + ax88179_rx_fixup() contains several out-of-bounds accesses that can be + triggered by a malicious (or defective) USB device, in particular: + + - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, + causing OOB reads and (on big-endian systems) OOB endianness flips. + - A packet can overlap the metadata array, causing a later OOB + endianness flip to corrupt data used by a cloned SKB that has already + been handed off into the network stack. + - A packet SKB can be constructed whose tail is far beyond its end, + causing out-of-bounds heap data to be considered part of the SKB's + data. + + I have tested that this can be used by a malicious USB device to send a + bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response + that contains random kernel heap data. + It's probably also possible to get OOB writes from this on a + little-endian system somehow - maybe by triggering skb_cow() via IP + options processing -, but I haven't tested that. 
+ + Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") + Cc: stable@kernel.org + Signed-off-by: Jann Horn + Signed-off-by: Greg Kroah-Hartman + + 
Signed-off-by: Jose Ignacio Tornos Martinez + +commit 065aec7252fd7a895103db717faf36984cd3ce35 +Author: Jose Ignacio Tornos Martinez +Date: Wed Nov 23 17:38:39 2022 +0100 + + net: usb: ax88179_178a: Fix packet receiving + + Bugzilla: https://bugzilla.redhat.com/2142724 + CVE: CVE-2022-2964 + + commit f8ebb3ac881b17712e1d5967c97ab1806b16d3d6 + Author: Jose Alonso + Date: Tue Jun 28 12:13:02 2022 -0300 + + net: usb: ax88179_178a: Fix packet receiving + + This patch corrects packet receiving in ax88179_rx_fixup. + + - problem observed: + ifconfig shows allways a lot of 'RX Errors' while packets + are received normally. + + This occurs because ax88179_rx_fixup does not recognise properly + the usb urb received. + The packets are normally processed and at the end, the code exits + with 'return 0', generating RX Errors. + (pkt_cnt==-2 and ptk_hdr over field rx_hdr trying to identify + another packet there) + + This is a usb urb received by "tcpdump -i usbmon2 -X" on a + little-endian CPU: + 0x0000: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 + ^ packet 1 start (pkt_len = 0x05ec) + ^^^^ IP alignment pseudo header + ^ ethernet packet start + last byte ethernet packet v + padding (8-bytes aligned) vvvv vvvv + 0x05e0: c92d d444 1420 8a69 83dd 272f e82b 9811 + 0x05f0: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 + ... ^ packet 2 + 0x0be0: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 + ... + 0x1130: 9d41 9171 8a38 0ec5 eeee f8e3 3b19 87a0 + ... + 0x1720: 8cfc 15ff 5e4c e85c eeee f8e3 3b19 87a0 + ... + 0x1d10: ecfa 2a3a 19ab c78c eeee f8e3 3b19 87a0 + ... + 0x2070: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 + ... 
^ packet 7 + 0x2120: 7c88 4ca5 5c57 7dcc 0d34 7577 f778 7e0a + 0x2130: f032 e093 7489 0740 3008 ec05 0000 0080 + ====1==== ====2==== + hdr_off ^ + pkt_len = 0x05ec ^^^^ + AX_RXHDR_*=0x00830 ^^^^ ^ + pkt_len = 0 ^^^^ + AX_RXHDR_DROP_ERR=0x80000000 ^^^^ ^ + 0x2140: 3008 ec05 0000 0080 3008 5805 0000 0080 + 0x2150: 3008 ec05 0000 0080 3008 ec05 0000 0080 + 0x2160: 3008 5803 0000 0080 3008 c800 0000 0080 + ===11==== ===12==== ===13==== ===14==== + 0x2170: 0000 0000 0e00 3821 + ^^^^ ^^^^ rx_hdr + ^^^^ pkt_cnt=14 + ^^^^ hdr_off=0x2138 + ^^^^ ^^^^ padding + + The dump shows that pkt_cnt is the number of entrys in the + per-packet metadata. It is "2 * packet count". + Each packet have two entrys. The first have a valid + value (pkt_len and AX_RXHDR_*) and the second have a + dummy-header 0x80000000 (pkt_len=0 with AX_RXHDR_DROP_ERR). + Why exists dummy-header for each packet?!? + My guess is that this was done probably to align the + entry for each packet to 64-bits and maintain compatibility + with old firmware. + There is also a padding (0x00000000) before the rx_hdr to + align the end of rx_hdr to 64-bit. + Note that packets have a alignment of 64-bits (8-bytes). + + This patch assumes that the dummy-header and the last + padding are optional. So it preserves semantics and + recognises the same valid packets as the current code. + + This patch was made using only the dumpfile information and + tested with only one device: + 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet + + Fixes: 57bc3d3ae8c1 ("net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup") + Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") + Signed-off-by: Jose Alonso + Acked-by: Paolo Abeni + Link: https://lore.kernel.org/r/d6970bb04bf67598af4d316eaeb1792040b18cfd.camel@gmail.com + Signed-off-by: Paolo Abeni + + 
Signed-off-by: Jose Ignacio Tornos Martinez + +Signed-off-by: Yannick Cote +--- + drivers/net/usb/ax88179_178a.c | 113 +++++++++++++++++++++++++-------- + 1 file changed, 87 insertions(+), 26 deletions(-) + +diff --git a/drivers/net/usb/ax88179_178a.c b/drivers/net/usb/ax88179_178a.c +index 2eb02808812c..a4896f396c7c 100644 +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -1477,58 +1477,119 @@ static int ax88179_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + u16 hdr_off; + u32 *pkt_hdr; + +- /* This check is no longer done by usbnet */ +- if (skb->len < dev->net->hard_header_len) ++ /* At the end of the SKB, there's a header telling us how many packets ++ * are bundled into this buffer and where we can find an array of ++ * per-packet metadata (which contains elements encoded into u16). ++ */ ++ ++ /* SKB contents for current firmware: ++ * ++ * ... ++ * ++ * ++ * ... ++ * ++ * ++ * ++ * where: ++ * contains pkt_len bytes: ++ * 2 bytes of IP alignment pseudo header ++ * packet received ++ * contains 4 bytes: ++ * pkt_len and fields AX_RXHDR_* ++ * 0-7 bytes to terminate at ++ * 8 bytes boundary (64-bit). ++ * 4 bytes to make rx_hdr terminate at ++ * 8 bytes boundary (64-bit) ++ * contains 4 bytes: ++ * pkt_len=0 and AX_RXHDR_DROP_ERR ++ * contains 4 bytes: ++ * pkt_cnt and hdr_off (offset of ++ * ) ++ * ++ * pkt_cnt is number of entrys in the per-packet metadata. ++ * In current firmware there is 2 entrys per packet. ++ * The first points to the packet and the ++ * second is a dummy header. ++ * This was done probably to align fields in 64-bit and ++ * maintain compatibility with old firmware. ++ * This code assumes that and are ++ * optional. 
++ */ ++ ++ if (skb->len < 4) + return 0; +- + skb_trim(skb, skb->len - 4); + rx_hdr = get_unaligned_le32(skb_tail_pointer(skb)); +- + pkt_cnt = (u16)rx_hdr; + hdr_off = (u16)(rx_hdr >> 16); ++ ++ if (pkt_cnt == 0) ++ return 0; ++ ++ /* Make sure that the bounds of the metadata array are inside the SKB ++ * (and in front of the counter at the end). ++ */ ++ if (pkt_cnt * 4 + hdr_off > skb->len) ++ return 0; + pkt_hdr = (u32 *)(skb->data + hdr_off); + +- while (pkt_cnt--) { ++ /* Packets must not overlap the metadata array */ ++ skb_trim(skb, hdr_off); ++ ++ for (; pkt_cnt > 0; pkt_cnt--, pkt_hdr++) { ++ u16 pkt_len_plus_padd; + u16 pkt_len; + + le32_to_cpus(pkt_hdr); + pkt_len = (*pkt_hdr >> 16) & 0x1fff; ++ pkt_len_plus_padd = (pkt_len + 7) & 0xfff8; ++ ++ /* Skip dummy header used for alignment ++ */ ++ if (pkt_len == 0) ++ continue; ++ ++ if (pkt_len_plus_padd > skb->len) ++ return 0; + + /* Check CRC or runt packet */ +- if ((*pkt_hdr & AX_RXHDR_CRC_ERR) || +- (*pkt_hdr & AX_RXHDR_DROP_ERR)) { +- skb_pull(skb, (pkt_len + 7) & 0xFFF8); +- pkt_hdr++; ++ if ((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) || ++ pkt_len < 2 + ETH_HLEN) { ++ dev->net->stats.rx_errors++; ++ skb_pull(skb, pkt_len_plus_padd); + continue; + } + +- if (pkt_cnt == 0) { +- skb->len = pkt_len; ++ /* last packet */ ++ if (pkt_len_plus_padd == skb->len) { ++ skb_trim(skb, pkt_len); ++ + /* Skip IP alignment pseudo header */ + skb_pull(skb, 2); +- skb_set_tail_pointer(skb, skb->len); +- skb->truesize = pkt_len + sizeof(struct sk_buff); ++ ++ skb->truesize = SKB_TRUESIZE(pkt_len_plus_padd); + ax88179_rx_checksum(skb, pkt_hdr); + return 1; + } + + ax_skb = skb_clone(skb, GFP_ATOMIC); +- if (ax_skb) { +- ax_skb->len = pkt_len; +- /* Skip IP alignment pseudo header */ +- skb_pull(ax_skb, 2); +- skb_set_tail_pointer(ax_skb, ax_skb->len); +- ax_skb->truesize = pkt_len + sizeof(struct sk_buff); +- ax88179_rx_checksum(ax_skb, pkt_hdr); +- usbnet_skb_return(dev, ax_skb); +- } else { ++ if (!ax_skb) 
+ return 0; +- } ++ skb_trim(ax_skb, pkt_len); ++ ++ /* Skip IP alignment pseudo header */ ++ skb_pull(ax_skb, 2); ++ ++ skb->truesize = pkt_len_plus_padd + ++ SKB_DATA_ALIGN(sizeof(struct sk_buff)); ++ ax88179_rx_checksum(ax_skb, pkt_hdr); ++ usbnet_skb_return(dev, ax_skb); + +- skb_pull(skb, (pkt_len + 7) & 0xFFF8); +- pkt_hdr++; ++ skb_pull(skb, pkt_len_plus_padd); + } +- return 1; ++ ++ return 0; + } + + static struct sk_buff * +-- +2.38.1 + + diff --git a/SOURCES/CVE-2022-4139.patch b/SOURCES/CVE-2022-4139.patch new file mode 100644 index 0000000..20ac01d --- /dev/null +++ b/SOURCES/CVE-2022-4139.patch @@ -0,0 +1,77 @@ +From 1b00ec2d7916551eda170e687eb351d40fe346aa Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Tue, 3 Jan 2023 11:02:47 -0500 +Subject: [KPATCH CVE-2022-4139] kpatch fixes for CVE-2022-4139 +Content-type: text/plain + +Kernels: +4.18.0-425.3.1.el8 + +Changes since last build: +arches: x86_64 +intel_gt.o: changed function: intel_gt_invalidate_tlbs +--------------------------- + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/66 +Approved-by: Julia Denham (@jdenham) +Modifications: none + +commit 54c6de5154c319e30fddef4fc82a67661525b76e +Author: Wander Lairson Costa +Date: Thu Dec 1 10:30:34 2022 -0300 + + drm/i915: fix TLB invalidation for Gen12 video and compute engines + + Bugzilla: https://bugzilla.redhat.com/2148149 + CVE: CVE-2022-4139 + Y-Commit: 03abd2e51e4b208b873f7fd749d1af0ebef6658f + + O-Bugzilla: https://bugzilla.redhat.com/2148150 + O-CVE: CVE-2022-4139 + + commit 04aa64375f48a5d430b5550d9271f8428883e550 + Author: Andrzej Hajda + Date: Mon Nov 14 11:38:24 2022 +0100 + + drm/i915: fix TLB invalidation for Gen12 video and compute engines + + In case of Gen12 video and compute engines, TLB_INV registers are masked - + to modify one bit, corresponding bit in upper half of the register must + be enabled, otherwise nothing happens. + + CVE: CVE-2022-4139 + Suggested-by: Chris Wilson + 
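Review bot: In the clone path of ax88179_rx_fixup the new line `skb->truesize = pkt_len_plus_padd + SKB_DATA_ALIGN(sizeof(struct sk_buff));` updates the parent URB skb, while the buffer actually handed to `usbnet_skb_return()` on the next lines is `ax_skb`; the last-packet branch a few lines above sets truesize on the very skb it returns, so the two branches are not consistent and the clone reaches the stack with whatever truesize skb_clone() copied from the full URB buffer. The patch header says "Modifications: none", and the line matches the upstream commit being backported, so this is not a backport slip, but it is worth recording in the kpatch commit message rather than silently carrying it forward; upstream later reworked these truesize overrides ("net: usb: ax88179_178a: stop lying about skb->truesize") instead of just retargeting the assignment. If it is ever changed in this hot-patch, the minimal form would be `ax_skb->truesize = pkt_len_plus_padd + SKB_DATA_ALIGN(sizeof(struct sk_buff));`, but for a live patch the safer course is to stay byte-identical to the upstream fix and track the follow-up separately. The inner hunk begins at the function's local declarations, so the signature and the part of ax88179_rx_fixup before `u16 hdr_off;` are outside it.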
Signed-off-by: Andrzej Hajda + Acked-by: Daniel Vetter + Fixes: 7938d61591d3 ("drm/i915: Flush TLBs before releasing backing store") + Cc: stable@vger.kernel.org + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + Signed-off-by: Jarod Wilson + +Signed-off-by: Joe Lawrence +--- + drivers/gpu/drm/i915/gt/intel_gt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/i915/gt/intel_gt.c b/drivers/gpu/drm/i915/gt/intel_gt.c +index f4375479e6f0..1cb9971759d2 100644 +--- a/drivers/gpu/drm/i915/gt/intel_gt.c ++++ b/drivers/gpu/drm/i915/gt/intel_gt.c +@@ -1021,6 +1021,11 @@ void intel_gt_invalidate_tlbs(struct intel_gt *gt) + if (!i915_mmio_reg_offset(rb.reg)) + continue; + ++ if (GRAPHICS_VER(i915) == 12 && (engine->class == VIDEO_DECODE_CLASS || ++ engine->class == VIDEO_ENHANCEMENT_CLASS || ++ engine->class == COMPUTE_CLASS)) ++ rb.bit = _MASKED_BIT_ENABLE(rb.bit); ++ + intel_uncore_write_fw(uncore, rb.reg, rb.bit); + } + +-- +2.39.0 + + diff --git a/SOURCES/v0.9.6-backport-MR-1281-create-diff-object-add-suppo.patch b/SOURCES/v0.9.6-backport-MR-1281-create-diff-object-add-suppo.patch new file mode 100644 index 0000000..75be78b --- /dev/null +++ b/SOURCES/v0.9.6-backport-MR-1281-create-diff-object-add-suppo.patch 
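Review bot: The added Gen12 condition in intel_gt_invalidate_tlbs carries no comment, so nothing at the write site explains why `rb.bit` is wrapped in `_MASKED_BIT_ENABLE()` for only the video-decode, video-enhancement and compute classes; the reason lives in the commit message. A one-line comment above the `if` would keep a later reader from "simplifying" it away, e.g. `/* Gen12 video/compute TLB_INV registers are masked: the enable bit in the upper half must be set or the write is ignored */`. The loop this sits in, and how `rb` is obtained per engine, are outside the hunk, so whether updating `rb.bit` in place can carry over into the next iteration cannot be checked from here.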
@@ -0,0 +1,49 @@ +From ea6a6f2d23a0af0e2cde8c99f0b7f0becf6beee5 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 8 Dec 2022 12:51:23 -0500 +Subject: [PATCH] v0.9.6 backport: MR!1281 ("create-diff-object: add support + for .return_sites section (x86)") +Content-type: text/plain + +commit 33368a88cdf875b0edd02b0dfd3356a7e93b24db +Author: Jonathan Dobson +Date: Sat Jul 16 15:46:54 2022 -0600 + + create-diff-object: add support for .return_sites section (x86) + +Signed-off-by: Joe Lawrence +--- + kpatch-build/create-diff-object.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/kpatch-build/create-diff-object.c b/kpatch-build/create-diff-object.c +index 826741d07fc7..a79ec7985135 100644 +--- a/kpatch-build/create-diff-object.c ++++ b/kpatch-build/create-diff-object.c +@@ -2132,6 +2132,11 @@ static int retpoline_sites_group_size(struct kpatch_elf *kelf, int offset) + return 4; + } + ++static int return_sites_group_size(struct kpatch_elf *kelf, int offset) ++{ ++ return 4; ++} ++ + static int fixup_entry_group_size(struct kpatch_elf *kelf, int offset) + { + static int size = 0; +@@ -2258,6 +2263,11 @@ static struct special_section special_sections[] = { + .arch = X86_64, + .group_size = retpoline_sites_group_size, + }, ++ { ++ .name = ".return_sites", ++ .arch = X86_64, ++ .group_size = return_sites_group_size, ++ }, + { + .name = "__ftr_fixup", + .arch = PPC64, +-- +2.38.1 + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index ac190fe..39a2129 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec 
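Review bot: `return_sites_group_size()` returns a bare `4` with no comment, and, like the neighbouring `retpoline_sites_group_size()`, takes `kelf` and `offset` only to satisfy the `group_size` callback signature in `special_sections[]`. A short comment would make the constant auditable next time the kernel's section layout changes, e.g. `/* one 4-byte relative offset per .return_sites entry, same layout as .retpoline_sites */`. Whether 4 is right for the kernel being built can only be confirmed against that kernel's objtool output, which this change does not reference; the entry added to `special_sections[]` is otherwise consistent with the `.retpoline_sites` one above it.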
@@ -1,17 +1,21 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 4.18.0-425.3.1.el8 %define kpatch_ver 0.9.6 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 2 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2142784 +Source100: CVE-2022-2964.patch +# +# https://bugzilla.redhat.com/2147587 +Source101: CVE-2022-4139.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -67,6 +71,7 @@ Source0: https://github.com/dynup/kpatch/archive/v%{kpatch_ver}.tar.gz Source10: kernel-%{kernel_ver}.src.rpm # kpatch-build patches +Patch1: v0.9.6-backport-MR-1281-create-diff-object-add-suppo.patch %global _dupsign_opts --keyname=rhelkpatch1 @@ -150,5 +155,11 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Fri Jan 06 2023 Joe Lawrence [1-2.el8] +- kernel: i915: Incorrect GPU TLB flush can lead to random memory access [2147587] {CVE-2022-4139} + +* Tue Dec 13 2022 Yannick Cote [1-1.el8] +- kernel: memory corruption in AX88179_178A based USB ethernet device. [2142784] {CVE-2022-2964} + * Mon Oct 24 2022 Yannick Cote [0-0.el8] - An empty patch to subscribe to kpatch stream for kernel-4.18.0-425.3.1.el8 [2137417]