Blame SOURCES/CVE-2023-32233.patch

d46803
From bb66ee8a99f3f35a02bd1af9fa1948a3a0626a73 Mon Sep 17 00:00:00 2001
d46803
From: Ryan Sullivan <rysulliv@redhat.com>
d46803
Date: Mon, 22 May 2023 11:02:17 -0400
d46803
Subject: [KPATCH CVE-2023-32233] kpatch fixes for CVE-2023-32233
d46803
d46803
d46803
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/106
d46803
Approved-by: Yannick Cote (@ycote1)
d46803
Approved-by: Joe Lawrence (@joe.lawrence)
d46803
Kernels:
d46803
4.18.0-477.10.1.el8_8
d46803
d46803
Changes since last build:
d46803
[x86_64]:
d46803
nf_tables_api.o: changed function: nf_tables_deactivate_set
d46803
nf_tables_api.o: changed function: nf_tables_fill_chain_info.isra.53
d46803
nf_tables_api.o: changed function: nf_tables_newrule
d46803
nf_tables_api.o: new function: __list_del_entry
d46803
nf_tables_api.o: new function: nf_tables_activate_set
d46803
nf_tables_api.o: new function: nla_put_string
d46803
nft_dynset.o: changed function: nft_dynset_activate
d46803
nft_lookup.o: changed function: nft_lookup_activate
d46803
nft_objref.o: changed function: nft_objref_map_activate
d46803
d46803
[ppc64le]:
d46803
nf_tables_api.o: changed function: nf_tables_deactivate_set
d46803
nf_tables_api.o: new function: nf_tables_activate_set
d46803
nft_dynset.o: changed function: nft_dynset_activate
d46803
nft_lookup.o: changed function: nft_lookup_activate
d46803
nft_objref.o: changed function: nft_objref_map_activate
d46803
d46803
---------------------------
d46803
d46803
Modifications:
d46803
Removes prototype definition of nf_tables_activate_set() from
d46803
nf_tables.h and moves it into the affected files above where it is
d46803
called, also adds the optimization attribute
d46803
"-fno-optimize-sibling-calls" to the nf_tables_deactivate_set function
d46803
d46803
commit 50c9311832bfa1e4f3a3800819d8e292d8bf7266
d46803
Author: Florian Westphal <fwestpha@redhat.com>
d46803
Date:   Wed May 10 13:20:40 2023 +0200
d46803
d46803
    netfilter: nf_tables: deactivate anonymous set from preparation phase
d46803
d46803
    Bugzilla: https://bugzilla.redhat.com/2196147
d46803
    CVE: CVE-2023-32233
d46803
    Y-Commit: 4238c2276fd879575b7599c349dafe24fbf2602b
d46803
d46803
    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2196148
d46803
    Upstream Status: commit c1592a89942e9
d46803
    O-CVE: CVE-2023-32233
d46803
d46803
    commit c1592a89942e9678f7d9c8030efa777c0d57edab
d46803
    Author: Pablo Neira Ayuso <pablo@netfilter.org>
d46803
    Date:   Tue May 2 10:25:24 2023 +0200
d46803
d46803
        netfilter: nf_tables: deactivate anonymous set from preparation phase
d46803
d46803
        Toggle deleted anonymous sets as inactive in the next generation, so
d46803
        users cannot perform any update on it. Clear the generation bitmask
d46803
        in case the transaction is aborted.
d46803
d46803
        The following KASAN splat shows a set element deletion for a bound
d46803
        anonymous set that has been already removed in the same transaction.
d46803
d46803
        [   64.921510] ==================================================================
d46803
        [   64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables]
d46803
        [   64.924745] Write of size 8 at addr dead000000000122 by task test/890
d46803
        [   64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ #253
d46803
        [   64.931120] Call Trace:
d46803
        [   64.932699]  <TASK>
d46803
        [   64.934292]  dump_stack_lvl+0x33/0x50
d46803
        [   64.935908]  ? nf_tables_commit+0xa24/0x1490 [nf_tables]
d46803
        [   64.937551]  kasan_report+0xda/0x120
d46803
        [   64.939186]  ? nf_tables_commit+0xa24/0x1490 [nf_tables]
d46803
        [   64.940814]  nf_tables_commit+0xa24/0x1490 [nf_tables]
d46803
        [   64.942452]  ? __kasan_slab_alloc+0x2d/0x60
d46803
        [   64.944070]  ? nf_tables_setelem_notify+0x190/0x190 [nf_tables]
d46803
        [   64.945710]  ? kasan_set_track+0x21/0x30
d46803
        [   64.947323]  nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink]
d46803
        [   64.948898]  ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
d46803
d46803
        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
d46803
d46803
    Signed-off-by: Florian Westphal <fwestpha@redhat.com>
d46803
    Signed-off-by: Lucas Zampieri <lzampier@redhat.com>
d46803
d46803
Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
d46803
---
d46803
 net/netfilter/nf_tables_api.c | 12 ++++++++++++
d46803
 net/netfilter/nft_dynset.c    |  3 ++-
d46803
 net/netfilter/nft_lookup.c    |  3 ++-
d46803
 net/netfilter/nft_objref.c    |  3 ++-
d46803
 4 files changed, 18 insertions(+), 3 deletions(-)
d46803
d46803
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
d46803
index 19044ada1789..80c30400f252 100644
d46803
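--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4434,12 +4434,24 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
 }
 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
 
+void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set)
+{
+	if (nft_set_is_anonymous(set))
+		nft_clear(ctx->net, set);
+
+	set->use++;
+}
+
+__attribute__((optimize("-fno-optimize-sibling-calls")))
 void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set,
 			      struct nft_set_binding *binding,
 			      enum nft_trans_phase phase)
 {
 	switch (phase) {
 	case NFT_TRANS_PREPARE:
+		if (nft_set_is_anonymous(set))
+			nft_deactivate_next(ctx->net, set);
+
 		set->use--;
 		return;
 	case NFT_TRANS_ABORT: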
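Review bot: The `__attribute__((optimize("-fno-optimize-sibling-calls")))` line in front of nf_tables_deactivate_set() has no in-code explanation, and a per-function optimisation override on the function that carries the fix deserves one. The commit message mentions the attribute but not the reason; presumably it works around a kpatch-build restriction on sibling calls, so a comment such as `/* kpatch: sibling-call optimisation disabled for the livepatch build; not part of the upstream fix */` would keep it from being copied or dropped by mistake. Separately, nf_tables_unbind_set() just above is exported with EXPORT_SYMBOL_GPL while the new nf_tables_activate_set() is not, which works only if every caller is linked into the same module or resolved by the livepatch; that is worth confirming. The body of nf_tables_deactivate_set() continues past the end of the hunk.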
d46803
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
d46803
index 4eff0955e533..1549aef8449f 100644
d46803
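--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -335,12 +335,13 @@ static void nft_dynset_deactivate(const struct nft_ctx *ctx,
 	nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
 }
 
+void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set); // CVE-2023-32233
 static void nft_dynset_activate(const struct nft_ctx *ctx,
 				const struct nft_expr *expr)
 {
 	struct nft_dynset *priv = nft_expr_priv(expr);
 
-	priv->set->use++;
+	nf_tables_activate_set(ctx, priv->set);
 }
 
 static void nft_dynset_destroy(const struct nft_ctx *ctx,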
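Review bot: The prototype `void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set);` is declared locally in front of nft_dynset_activate() instead of coming from a shared header, so the compiler cannot check it against the definition in nf_tables_api.c. If the two ever drift apart, the call still compiles and the mismatch shows up only at run time. The `// CVE-2023-32233` marker records where the line came from but not this constraint; something like `/* kpatch: local prototype, must match the definition in nf_tables_api.c */` would be clearer. The same applies to the identical declarations added in nft_lookup.c and nft_objref.c.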
d46803
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
d46803
index a38a1ea9b6b4..5683e92d2eba 100644
d46803
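--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -130,12 +130,13 @@ static void nft_lookup_deactivate(const struct nft_ctx *ctx,
 	nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
 }
 
+void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set); // CVE-2023-32233
 static void nft_lookup_activate(const struct nft_ctx *ctx,
 				const struct nft_expr *expr)
 {
 	struct nft_lookup *priv = nft_expr_priv(expr);
 
-	priv->set->use++;
+	nf_tables_activate_set(ctx, priv->set);
 }
 
 static void nft_lookup_destroy(const struct nft_ctx *ctx,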
d46803
diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
d46803
index 8dfa798ea683..698c48b4af5a 100644
d46803
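--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -178,12 +178,13 @@ static void nft_objref_map_deactivate(const struct nft_ctx *ctx,
 	nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
 }
 
+void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set); // CVE-2023-32233
 static void nft_objref_map_activate(const struct nft_ctx *ctx,
 				    const struct nft_expr *expr)
 {
 	struct nft_objref_map *priv = nft_expr_priv(expr);
 
-	priv->set->use++;
+	nf_tables_activate_set(ctx, priv->set);
 }
 
 static void nft_objref_map_destroy(const struct nft_ctx *ctx,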
d46803
-- 
d46803
2.39.2
d46803
d46803