diff --git a/.gitignore b/.gitignore index e69de29..7dcc5ed 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-5.14.0-162.12.1.el9_1.src.rpm +SOURCES/v0.9.7.tar.gz diff --git a/.kpatch-patch-5_14_0-162_12_1.metadata b/.kpatch-patch-5_14_0-162_12_1.metadata index e69de29..9251add 100644 --- a/.kpatch-patch-5_14_0-162_12_1.metadata +++ b/.kpatch-patch-5_14_0-162_12_1.metadata @@ -0,0 +1,2 @@ +1818a767cccd81f05e300833a8d9f45b7006ccc5 SOURCES/kernel-5.14.0-162.12.1.el9_1.src.rpm +da88fa82b005bbafc1719c59bd00847ce2a22a60 SOURCES/v0.9.7.tar.gz diff --git a/SOURCES/CVE-2022-3564.patch b/SOURCES/CVE-2022-3564.patch new file mode 100644 index 0000000..a8d46ad --- /dev/null +++ b/SOURCES/CVE-2022-3564.patch @@ -0,0 +1,217 @@ +From 6b5f1ddf8fdf04b977a2523a103d03e807fc0471 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Mon, 23 Jan 2023 11:48:28 -0500 +Subject: [KPATCH CVE-2022-3564] kpatch fixes for CVE-2022-3564 + +Kernels: +5.14.0-162.6.1.el9_1 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/16 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_stream_rx +nfs4proc.o: changed function: nfsd4_copy +nfs4proc.o: changed function: nfsd4_do_async_copy +nft_payload.o: changed function: nft_payload_copy_vlan +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.0 +--------------------------- + +Modifications: none + +commit c4f4f4633ff2000f9f67db4271b8186939690908 +Author: Ricardo Robaina +Date: Wed Jan 11 14:57:13 2023 -0300 + + Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu + + Bugzilla: https://bugzilla.redhat.com/2152929 + CVE: CVE-2022-3564 + Y-Commit: 7de3277fe8bf62a5af7d2758f1b13cea20541724 + + O-Bugzilla: https://bugzilla.redhat.com/2152931 + O-CVE: CVE-2022-3564 + + commit 3aff8aaca4e36dc8b17eaa011684881a80238966 + Author: Maxim Mikityanskiy + Date: Wed Oct 5 00:27:18 2022 +0300 + + Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu + + Fix the race condition between the following two flows that run in + parallel: + + 1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) -> + __sock_queue_rcv_skb. + + 2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram. + + An SKB can be queued by the first flow and immediately dequeued and + freed by the second flow, therefore the callers of l2cap_reassemble_sdu + can't use the SKB after that function returns. However, some places + continue accessing struct l2cap_ctrl that resides in the SKB's CB for a + short time after l2cap_reassemble_sdu returns, leading to a + use-after-free condition (the stack trace is below, line numbers for + kernel 5.19.8). + + Fix it by keeping a local copy of struct l2cap_ctrl. + + BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169 + + Workqueue: hci0 hci_rx_work [bluetooth] + Call Trace: + + dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) + print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth + ret_from_fork (arch/x86/entry/entry_64.S:306) + + + Allocated by task 43169: + kasan_save_stack (mm/kasan/common.c:39) + __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) + kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293) + __alloc_skb (net/core/skbuff.c:414) + l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth + l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth + hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth + process_one_work (kernel/workqueue.c:2289) + worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437) + kthread (kernel/kthread.c:376) + ret_from_fork (arch/x86/entry/entry_64.S:306) + + Freed by task 27920: + kasan_save_stack (mm/kasan/common.c:39) + kasan_set_track (mm/kasan/common.c:45) + kasan_set_free_info (mm/kasan/generic.c:372) + ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328) + slab_free_freelist_hook (mm/slub.c:1780) + kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553) + skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323) + bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth + l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth + sock_read_iter (net/socket.c:1087) + new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401) + vfs_read (fs/read_write.c:482) + ksys_read (fs/read_write.c:620) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + + Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u + Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive state machine") + Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier") + Signed-off-by: Maxim Mikityanskiy + Signed-off-by: Luiz Augusto von Dentz + + Signed-off-by: Ricardo Robaina + Signed-off-by: Patrick Talbert + +Signed-off-by: Ryan Sullivan +--- + net/bluetooth/l2cap_core.c | 48 ++++++++++++++++++++++++++++++++------ + 1 file changed, 41 insertions(+), 7 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index e817ff0607a0..e95c1a019de9 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6842,6 +6842,7 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan, + struct l2cap_ctrl *control, + struct sk_buff *skb, u8 event) + { ++ struct l2cap_ctrl local_control; + int err = 0; + bool skb_in_use = false; + +@@ -6866,15 +6867,32 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan, + chan->buffer_seq = chan->expected_tx_seq; + skb_in_use = true; + ++ /* l2cap_reassemble_sdu may free skb, hence invalidate ++ * control, so make a copy in advance to use it after ++ * l2cap_reassemble_sdu returns and to avoid the race ++ * condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but ++ * it was freed by skb_free_datagram. ++ */ ++ local_control = *control; + err = l2cap_reassemble_sdu(chan, skb, control); + if (err) + break; + +- if (control->final) { ++ if (local_control.final) { + if (!test_and_clear_bit(CONN_REJ_ACT, + &chan->conn_state)) { +- control->final = 0; +- l2cap_retransmit_all(chan, control); ++ local_control.final = 0; ++ l2cap_retransmit_all(chan, &local_control); + l2cap_ertm_send(chan); + } + } +@@ -7254,11 +7272,27 @@ static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff *skb) + { ++ /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store ++ * the txseq field in advance to use it after l2cap_reassemble_sdu ++ * returns and to avoid the race condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but it was freed by ++ * skb_free_datagram. ++ */ ++ u16 txseq = control->txseq; ++ + BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, + chan->rx_state); + +- if (l2cap_classify_txseq(chan, control->txseq) == +- L2CAP_TXSEQ_EXPECTED) { ++ if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { + l2cap_pass_to_tx(chan, control); + + BT_DBG("buffer_seq %u->%u", chan->buffer_seq, +@@ -7281,8 +7315,8 @@ static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + } + } + +- chan->last_acked_seq = control->txseq; +- chan->expected_tx_seq = __next_seq(chan, control->txseq); ++ chan->last_acked_seq = txseq; ++ chan->expected_tx_seq = __next_seq(chan, txseq); + + return 0; + } +-- +2.39.1 + + diff --git a/SOURCES/CVE-2022-4378.patch b/SOURCES/CVE-2022-4378.patch new file mode 100644 index 0000000..ef190f8 --- /dev/null +++ b/SOURCES/CVE-2022-4378.patch @@ -0,0 +1,201 @@ +From 5b91e65d83213b25cc9529884a2106eee80c6c04 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Thu, 26 Jan 2023 09:44:30 -0500 +Subject: [KPATCH CVE-2022-4378] kpatch fixes for CVE-2022-4378 + +Kernels: +5.14.0-162.6.1.el9_1 +5.14.0-162.12.1.el9_1 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/19 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_stream_rx +nfs4proc.o: changed function: nfsd4_copy +nfs4proc.o: changed function: nfsd4_do_async_copy +nft_payload.o: changed function: nft_payload_copy_vlan +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.0 +--------------------------- + +Modifications: none + +commit d4c4d465e31fae6c3729b9c52a6bc3610494ead4 +Author: Wander Lairson Costa +Date: Mon Dec 12 15:30:46 2022 -0300 + + proc: avoid integer type confusion in get_proc_long + + Bugzilla: https://bugzilla.redhat.com/2152580 + CVE: CVE-2022-4378 + Y-Commit: ab93541c2e72e570f9b6cf79ff943400961a30e1 + + O-Bugzilla: https://bugzilla.redhat.com/2152581 + O-CVE: CVE-2022-4378 + + commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c + Author: Linus Torvalds + Date: Mon Dec 5 11:33:40 2022 -0800 + + proc: avoid integer type confusion in get_proc_long + + proc_get_long() is passed a size_t, but then assigns it to an 'int' + variable for the length. Let's not do that, even if our IO paths are + limited to MAX_RW_COUNT (exactly because of these kinds of type errors). + + So do the proper test in the rigth type. + + Reported-by: Kyle Zeng + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + Signed-off-by: Patrick Talbert + +commit 250391dd6ddc268d65901a1eaeb966a7256ef1cb +Author: Wander Lairson Costa +Date: Mon Dec 12 15:30:50 2022 -0300 + + proc: proc_skip_spaces() shouldn't think it is working on C strings + + Bugzilla: https://bugzilla.redhat.com/2152580 + CVE: CVE-2022-4378 + Y-Commit: a664fa0ecf20645f630e278b6da6aaabb3192954 + + O-Bugzilla: https://bugzilla.redhat.com/2152581 + O-CVE: CVE-2022-4378 + + commit bce9332220bd677d83b19d21502776ad555a0e73 + Author: Linus Torvalds + Date: Mon Dec 5 12:09:06 2022 -0800 + + proc: proc_skip_spaces() shouldn't think it is working on C strings + + proc_skip_spaces() seems to think it is working on C strings, and ends + up being just a wrapper around skip_spaces() with a really odd calling + convention. + + Instead of basing it on skip_spaces(), it should have looked more like + proc_skip_char(), which really is the exact same function (except it + skips a particular character, rather than whitespace). So use that as + inspiration, odd coding and all. + + Now the calling convention actually makes sense and works for the + intended purpose. + + Reported-and-tested-by: Kyle Zeng + Acked-by: Eric Dumazet + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + Signed-off-by: Patrick Talbert + +Signed-off-by: Ryan Sullivan +--- + kernel/sysctl.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 0dd902ee206e..e72cf05ca07b 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -391,13 +391,14 @@ int proc_dostring(struct ctl_table *table, int write, + ppos); + } + +-static size_t proc_skip_spaces(char **buf) ++static void proc_skip_spaces(char **buf, size_t *size) + { +- size_t ret; +- char *tmp = skip_spaces(*buf); +- ret = tmp - *buf; +- *buf = tmp; +- return ret; ++ while (*size) { ++ if (!isspace(**buf)) ++ break; ++ (*size)--; ++ (*buf)++; ++ } + } + + static void proc_skip_char(char **buf, size_t *size, const char v) +@@ -466,13 +467,12 @@ static int proc_get_long(char **buf, size_t *size, + unsigned long *val, bool *neg, + const char *perm_tr, unsigned perm_tr_len, char *tr) + { +- int len; + char *p, tmp[TMPBUFLEN]; ++ ssize_t len = *size; + +- if (!*size) ++ if (len <= 0) + return -EINVAL; + +- len = *size; + if (len > TMPBUFLEN - 1) + len = TMPBUFLEN - 1; + +@@ -645,7 +645,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, + bool neg; + + if (write) { +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + if (!left) + break; +@@ -672,7 +672,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, + if (!write && !first && left && !err) + proc_put_char(&buffer, &left, '\n'); + if (write && !err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write && first) + return err ? : -EINVAL; + *lenp -= left; +@@ -714,7 +714,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, + if (left > PAGE_SIZE - 1) + left = PAGE_SIZE - 1; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) { + err = -EINVAL; + goto out_free; +@@ -734,7 +734,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, + } + + if (!err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + out_free: + if (err) +@@ -1271,7 +1271,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, + if (write) { + bool neg; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) + break; + +@@ -1299,7 +1299,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, + if (!write && !first && left && !err) + proc_put_char(&buffer, &left, '\n'); + if (write && !err) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write && first) + return err ? : -EINVAL; + *lenp -= left; +-- +2.39.1 + + diff --git a/SOURCES/CVE-2022-4379.patch b/SOURCES/CVE-2022-4379.patch new file mode 100644 index 0000000..5c9a346 --- /dev/null +++ b/SOURCES/CVE-2022-4379.patch @@ -0,0 +1,151 @@ +From 17ddede397702f9cb323ac8bbcc673c8dd00c0cf Mon Sep 17 00:00:00 2001 +From: Yannick Cote +Date: Fri, 27 Jan 2023 10:34:30 -0500 +Subject: [KPATCH CVE-2022-4379] kpatch fixes for CVE-2022-4379 + +Kernels: +5.14.0-162.6.1.el9_1 +5.14.0-162.12.1.el9_1 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/21 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +arches: x86_64 ppc64le +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_stream_rx +nfs4proc.o: changed function: nfsd4_copy +nfs4proc.o: changed function: nfsd4_do_async_copy +nft_payload.o: changed function: nft_payload_copy_vlan +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.0 +--------------------------- + +Modifications: +- fix `kpatch_no_sibling_calls_ppc64le` with -fno-optimize-sibling-calls + +commit e7df0c736aef6f0cc49758b8b0bdb27edf5c3e61 +Author: Benjamin Coddington +Date: Wed Dec 21 11:03:36 2022 -0500 + + NFSD: fix use-after-free in __nfs42_ssc_open() + + Bugzilla: https://bugzilla.redhat.com/2152815 + CVE: CVE-2022-4379 + Y-Commit: a16ccb9a41ad6a36d58f690b823095798ba7f69c + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152816 + O-CVE: CVE-2022-4379 + Conflicts: Slight context diff from upstream patch, as we've not yet taken + upstream commit 754035ff7. This resulting fix is unchanged. + + commit 75333d48f92256a0dec91dbf07835e804fc411c0 + Author: Dai Ngo + Date: Mon Dec 12 14:50:11 2022 -0800 + + NFSD: fix use-after-free in __nfs42_ssc_open() + + Problem caused by source's vfsmount being unmounted but remains + on the delayed unmount list. This happens when nfs42_ssc_open() + return errors. + + Fixed by removing nfsd4_interssc_connect(), leave the vfsmount + for the laundromat to unmount when idle time expires. + + We don't need to call nfs_do_sb_deactive when nfs42_ssc_open + return errors since the file was not opened so nfs_server->active + was not incremented. Same as in nfsd4_copy, if we fail to + launch nfsd4_do_async_copy thread then there's no need to + call nfs_do_sb_deactive + + Reported-by: Xingyuan Mo + Signed-off-by: Dai Ngo + Tested-by: Xingyuan Mo + Signed-off-by: Chuck Lever + + Signed-off-by: Benjamin Coddington + + Conflicts: This area of code was refractored by c9s MR !1357 so + context is quite different. + + Signed-off-by: Patrick Talbert + +Signed-off-by: Yannick Cote +--- + fs/nfsd/nfs4proc.c | 23 +++++++---------------- + 1 file changed, 7 insertions(+), 16 deletions(-) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index bbd02c7f4ffe..87bb43a32aad 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1525,13 +1525,6 @@ nfsd4_interssc_connect(struct nl4_server *nss, struct svc_rqst *rqstp, + return status; + } + +-static void +-nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) +-{ +- nfs_do_sb_deactive(ss_mnt->mnt_sb); +- mntput(ss_mnt); +-} +- + /* + * Verify COPY destination stateid. + * +@@ -1634,11 +1627,6 @@ nfsd4_cleanup_inter_ssc(struct vfsmount *ss_mnt, struct nfsd_file *src, + { + } + +-static void +-nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) +-{ +-} +- + static struct file *nfs42_ssc_open(struct vfsmount *ss_mnt, + struct nfs_fh *src_fh, + nfs4_stateid *stateid) +@@ -1794,14 +1782,14 @@ static int nfsd4_do_async_copy(void *data) + copy->nf_src = kzalloc(sizeof(struct nfsd_file), GFP_KERNEL); + if (!copy->nf_src) { + copy->nfserr = nfserr_serverfault; +- nfsd4_interssc_disconnect(copy->ss_mnt); ++ /* ss_mnt will be unmounted by the laundromat */ + goto do_callback; + } + copy->nf_src->nf_file = nfs42_ssc_open(copy->ss_mnt, ©->c_fh, + ©->stateid); + if (IS_ERR(copy->nf_src->nf_file)) { + copy->nfserr = nfserr_offload_denied; +- nfsd4_interssc_disconnect(copy->ss_mnt); ++ /* ss_mnt will be unmounted by the laundromat */ + goto do_callback; + } + } +@@ -1828,6 +1816,7 @@ static int nfsd4_do_async_copy(void *data) + return 0; + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static __be32 + nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + union nfsd4_op_u *u) +@@ -1886,8 +1875,10 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + if (async_copy) + cleanup_async_copy(async_copy); + status = nfserrno(-ENOMEM); +- if (!copy->cp_intra) +- nfsd4_interssc_disconnect(copy->ss_mnt); ++ /* ++ * source's vfsmount of inter-copy will be unmounted ++ * by the laundromat ++ */ + goto out; + } + +-- +2.39.1 + + diff --git a/SOURCES/CVE-2023-0179.patch b/SOURCES/CVE-2023-0179.patch new file mode 100644 index 0000000..1562bb4 --- /dev/null +++ b/SOURCES/CVE-2023-0179.patch @@ -0,0 +1,85 @@ +From 8552f3231628950fb3f2a8966ef78b14006aefb2 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Tue, 31 Jan 2023 11:26:03 -0500 +Subject: [KPATCH CVE-2023-0179] kpatch fixes for CVE-2023-0179 + +Kernels: +5.14.0-162.6.1.el9_1 +5.14.0-162.12.1.el9_1 + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/23 +Approved-by: Yannick Cote (@ycote1) +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +arches: x86_64 ppc64le +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_stream_rx +nfs4proc.o: changed function: nfsd4_copy +nfs4proc.o: changed function: nfsd4_do_async_copy +nft_payload.o: changed function: nft_payload_copy_vlan +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.0 +--------------------------- + +Modifications: none + +commit d4b9787a8f8c75d0c37560d25e817183a700fbec +Author: Florian Westphal +Date: Tue Jan 17 19:28:09 2023 +0100 + + netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits + + Bugzilla: https://bugzilla.redhat.com/2161724 + CVE: CVE-2023-0179 + Y-Commit: c3747b9b25ff4bfdc9fa5c139126043fc8c0389c + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2161725 + Upstream Status: net commit 696e1a48b1a1b + O-CVE: CVE-2023-0179 + + commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 + Author: Pablo Neira Ayuso + Date: Wed Jan 11 17:07:33 2023 +0100 + + netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits + + If the offset + length goes over the ethernet + vlan header, then the + length is adjusted to copy the bytes that are within the boundaries of + the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet + + vlan header are copied directly from the skbuff data area. + + Fix incorrect arithmetic operator: subtract, not add, the size of the + vlan header in case of double-tagged packets to adjust the length + accordingly to address CVE-2023-0179. + + Reported-by: Davide Ornaghi + Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support") + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + Signed-off-by: Patrick Talbert + +Signed-off-by: Ryan Sullivan +--- + net/netfilter/nft_payload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index 9af0d58a33f4..ee603dc05e81 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -62,7 +62,7 @@ nft_payload_copy_vlan(u32 *d, const struct sk_buff *skb, u8 offset, u8 len) + return false; + + if (offset + len > VLAN_ETH_HLEN + vlan_hlen) +- ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen; ++ ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen; + + memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen); + +-- +2.39.1 + + diff --git a/SOURCES/v0.9.7-backport-MR-1314-create-diff-object-fix-__UNI.patch b/SOURCES/v0.9.7-backport-MR-1314-create-diff-object-fix-__UNI.patch new file mode 100644 index 0000000..0cef2c1 --- /dev/null +++ b/SOURCES/v0.9.7-backport-MR-1314-create-diff-object-fix-__UNI.patch @@ -0,0 +1,77 @@ +From c351828bf35121628461095eeb25ea2152e98d38 Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Mon, 21 Nov 2022 19:32:18 -0800 +Subject: [PATCH] v0.9.7 backport: MR!1314 ("create-diff-object: fix + __UNIQUE_ID() variable correlation") + +commit 901445a54fcecbd6852b79878e67153c5048602e +Author: Josh Poimboeuf +Date: Mon Nov 21 19:32:18 2022 -0800 + + create-diff-object: fix __UNIQUE_ID() variable correlation + + kpatch_mangled_strcmp() only ignores the digits after the period, but in + the case of __UNIQUE_ID(), the symbol names have random digits before + the period due to the use of `__COUNTER__`. Make sure such symbols are + properly correlated. + + Signed-off-by: Josh Poimboeuf + +Signed-off-by: Yannick Cote +--- + kpatch-build/create-diff-object.c | 32 +++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/kpatch-build/create-diff-object.c b/kpatch-build/create-diff-object.c +index 360441111c5e..7106b67cfd25 100644 +--- a/kpatch-build/create-diff-object.c ++++ b/kpatch-build/create-diff-object.c +@@ -396,6 +396,35 @@ static bool has_digit_tail(char *tail) + return false; + } + ++/* ++ * Hack for __UNIQUE_ID(). The following should match: ++ * ++ * __UNIQUE_ID_ddebug1131.186 ++ * __UNIQUE_ID_ddebug1132.187 ++ */ ++static int __kpatch_unique_id_strcmp(char *s1, char *s2) ++{ ++ /* match '__UNIQUE_ID_ddebug' */ ++ while (*s1 == *s2) { ++ if (!*s1) ++ return 0; ++ s1++; ++ s2++; ++ } ++ ++ /* skip digits before '.' or EOL */ ++ while (isdigit(*s1)) ++ s1++; ++ while (isdigit(*s2)) ++ s2++; ++ ++ if ((!*s1 || has_digit_tail(s1)) && ++ (!*s2 || has_digit_tail(s2))) ++ return 0; ++ ++ return 1; ++} ++ + /* + * This is like strcmp, but for gcc-mangled symbols. It skips the comparison + * of any substring which consists of '.' followed by any number of digits. +@@ -409,6 +438,9 @@ static int kpatch_mangled_strcmp(char *s1, char *s2) + if (strstr(s1, ".str1.")) + return strcmp(s1, s2); + ++ if (!strncmp(s1, "__UNIQUE_ID_", 12)) ++ return __kpatch_unique_id_strcmp(s1, s2); ++ + while (*s1 == *s2) { + if (!*s1) + return 0; +-- +2.38.1 + diff --git a/SOURCES/v0.9.7-backport-MR-1315-Static-call-fixes.patch b/SOURCES/v0.9.7-backport-MR-1315-Static-call-fixes.patch new file mode 100644 index 0000000..58f2e3f --- /dev/null +++ b/SOURCES/v0.9.7-backport-MR-1315-Static-call-fixes.patch @@ -0,0 +1,529 @@ +From 358743e6d8748510f4c9a71511d7ceea7c72f7aa Mon Sep 17 00:00:00 2001 +From: Josh Poimboeuf +Date: Mon, 21 Nov 2022 19:23:07 -0800 +Subject: [PATCH] v0.9.7 backport: MR!1315 ("Static call fixes") + +commit 87ad96760a3af0db294d44865dfa1703f57f5595 +Author: Josh Poimboeuf +Date: Mon Nov 21 19:23:07 2022 -0800 + + create-diff-object: fix s390 special_section initializer spacing + + Align the s390 special_section initializers to improve readability and + for consistency with the rest. + + Signed-off-by: Josh Poimboeuf + +commit 56bd8c4d0da1634f8549e7269f77a53e9d936a57 +Author: Josh Poimboeuf +Date: Mon Nov 21 19:27:23 2022 -0800 + + create-diff-object: refactor jump label filtering + + Convert the hard-coded should_keep_jump_label() to a proper callback, + since static calls will need a similar filter. + + Signed-off-by: Josh Poimboeuf + +commit f83218ad12a2d9e20d99d379c78974a576aa558c +Author: Josh Poimboeuf +Date: Mon Nov 21 19:29:53 2022 -0800 + + create-diff-object: detect unsupported static calls + + Similar to jump labels, static calls aren't supported when the static + call key was originally defined in a module rather than in vmlinux. + Detect those cases and either remove them (in the case of tracepoints) + or error out. + + Signed-off-by: Josh Poimboeuf + +commit ab2397c03e31f0f697aa8bf943d70b4e5a7def54 +Author: Josh Poimboeuf +Date: Mon Nov 21 19:41:30 2022 -0800 + + kpatch-macros: add KPATCH_STATIC_CALL() + + Signed-off-by: Josh Poimboeuf + +commit 92c178b6a30a827c48db46ff4238501ec406a28e +Author: Josh Poimboeuf +Date: Tue Nov 22 12:53:09 2022 -0800 + + create-diff-object: use errx() instead of err() + + Otherwise on recent distros it appends the errno to the error message, + like: + + create-diff-object: ERROR: x86.o: kpatch_regenerate_special_section: 2633: Found 1 unsupported static call(s) in the patched code. Use KPATCH_STATIC_CALL() instead.: Success + + which is not what we want in most cases. + + Signed-off-by: Josh Poimboeuf + +Signed-off-by: Yannick Cote +--- + kmod/patch/kpatch-macros.h | 11 + + kpatch-build/create-diff-object.c | 328 ++++++++++++++++++------------ + kpatch-build/log.h | 2 +- + 3 files changed, 211 insertions(+), 130 deletions(-) + +diff --git a/kmod/patch/kpatch-macros.h b/kmod/patch/kpatch-macros.h +index 8e09702ea001..b797838849ca 100644 +--- a/kmod/patch/kpatch-macros.h ++++ b/kmod/patch/kpatch-macros.h +@@ -141,4 +141,15 @@ struct kpatch_post_unpatch_callback { + printk(_fmt, ## __VA_ARGS__); \ + }) + ++/* ++ * KPATCH_STATIC_CALL macro ++ * ++ * Replace usages of static_call() with this macro, when create-diff-object ++ * recommends it due to the original static call key living in a module. ++ * ++ * This converts the static call to a regular indirect call. ++ */ ++#define KPATCH_STATIC_CALL(name) \ ++ ((typeof(STATIC_CALL_TRAMP(name))*)(STATIC_CALL_KEY(name).func)) ++ + #endif /* __KPATCH_MACROS_H_ */ +diff --git a/kpatch-build/create-diff-object.c b/kpatch-build/create-diff-object.c +index 7106b67cfd25..ddaa9b44f11e 100644 +--- a/kpatch-build/create-diff-object.c ++++ b/kpatch-build/create-diff-object.c +@@ -56,7 +56,7 @@ + #define DIFF_FATAL(format, ...) \ + ({ \ + fprintf(stderr, "ERROR: %s: " format "\n", childobj, ##__VA_ARGS__); \ +- err(EXIT_STATUS_DIFF_FATAL, "unreconcilable difference"); \ ++ errx(EXIT_STATUS_DIFF_FATAL, "unreconcilable difference"); \ + }) + + char *childobj; +@@ -71,6 +71,8 @@ enum loglevel loglevel = NORMAL; + + bool KLP_ARCH; + ++int jump_label_errors, static_call_errors; ++ + /******************* + * Data structures + * ****************/ +@@ -78,6 +80,9 @@ struct special_section { + char *name; + enum architecture arch; + int (*group_size)(struct kpatch_elf *kelf, int offset); ++ bool (*group_filter)(struct lookup_table *lookup, ++ struct section *relasec, unsigned int offset, ++ unsigned int size); + }; + + /************* +@@ -2215,6 +2220,169 @@ static int fixup_group_size(struct kpatch_elf *kelf, int offset) + return (int)(rela->addend - offset); + } + ++static bool jump_table_group_filter(struct lookup_table *lookup, ++ struct section *relasec, ++ unsigned int group_offset, ++ unsigned int group_size) ++{ ++ struct rela *code = NULL, *key = NULL, *rela; ++ bool tracepoint = false, dynamic_debug = false; ++ struct lookup_result symbol; ++ int i = 0; ++ ++ /* ++ * Here we hard-code knowledge about the contents of the jump_entry ++ * struct. It has three fields: code, target, and key. Each field has ++ * a relocation associated with it. ++ */ ++ list_for_each_entry(rela, &relasec->relas, list) { ++ if (rela->offset >= group_offset && ++ rela->offset < group_offset + group_size) { ++ if (i == 0) ++ code = rela; ++ else if (i == 2) ++ key = rela; ++ i++; ++ } ++ } ++ ++ if (i != 3 || !key || !code) ++ ERROR("BUG: __jump_table has an unexpected format"); ++ ++ if (!strncmp(key->sym->name, "__tracepoint_", 13)) ++ tracepoint = true; ++ ++ if (is_dynamic_debug_symbol(key->sym)) ++ dynamic_debug = true; ++ ++ if (KLP_ARCH) { ++ /* ++ * On older kernels (with .klp.arch support), jump labels ++ * aren't supported at all. Error out when they occur in a ++ * replacement function, with the exception of tracepoints and ++ * dynamic debug printks. An inert tracepoint or printk is ++ * harmless enough, but a broken jump label can cause ++ * unexpected behavior. ++ */ ++ if (tracepoint || dynamic_debug) ++ return false; ++ ++ /* ++ * This will be upgraded to an error after all jump labels have ++ * been reported. ++ */ ++ log_normal("Found a jump label at %s()+0x%lx, using key %s. Jump labels aren't supported with this kernel. Use static_key_enabled() instead.\n", ++ code->sym->name, code->addend, key->sym->name); ++ jump_label_errors++; ++ return false; ++ } ++ ++ /* ++ * On newer (5.8+) kernels, jump labels are supported in the case where ++ * the corresponding static key lives in vmlinux. That's because such ++ * kernels apply vmlinux-specific .klp.rela sections at the same time ++ * (in the klp module load) as normal relas, before jump label init. ++ * On the other hand, jump labels based on static keys which are ++ * defined in modules aren't supported, because late module patching ++ * can result in the klp relas getting applied *after* the klp module's ++ * jump label init. ++ */ ++ ++ if (lookup_symbol(lookup, key->sym, &symbol) && ++ strcmp(symbol.objname, "vmlinux")) { ++ ++ /* The static key lives in a module -- not supported */ ++ ++ /* Inert tracepoints and dynamic debug printks are harmless */ ++ if (tracepoint || dynamic_debug) ++ return false; ++ ++ /* ++ * This will be upgraded to an error after all jump label ++ * errors have been reported. ++ */ ++ log_normal("Found a jump label at %s()+0x%lx, using key %s, which is defined in a module. Use static_key_enabled() instead.\n", ++ code->sym->name, code->addend, key->sym->name); ++ jump_label_errors++; ++ return false; ++ } ++ ++ /* The static key lives in vmlinux or the patch module itself */ ++ ++ /* ++ * If the jump label key lives in the '__dyndbg' section, make sure ++ * the section gets included, because we don't use klp relocs for ++ * dynamic debug symbols. For an example of such a key, see ++ * DYNAMIC_DEBUG_BRANCH(). ++ */ ++ if (dynamic_debug) ++ kpatch_include_symbol(key->sym); ++ ++ return true; ++} ++ ++static bool static_call_sites_group_filter(struct lookup_table *lookup, ++ struct section *relasec, ++ unsigned int group_offset, ++ unsigned int group_size) ++{ ++ struct rela *code = NULL, *key = NULL, *rela; ++ bool tracepoint = false; ++ struct lookup_result symbol; ++ int i = 0; ++ ++ /* ++ * Here we hard-code knowledge about the contents of the jump_entry ++ * struct. It has three fields: code, target, and key. Each field has ++ * a relocation associated with it. ++ */ ++ list_for_each_entry(rela, &relasec->relas, list) { ++ if (rela->offset >= group_offset && ++ rela->offset < group_offset + group_size) { ++ if (i == 0) ++ code = rela; ++ else if (i == 1) ++ key = rela; ++ i++; ++ } ++ } ++ ++ if (i != 2 || !key || !code) ++ ERROR("BUG: .static_call_sites has an unexpected format"); ++ ++ if (!strncmp(key->sym->name, "__SCK__tp_func_", 15)) ++ tracepoint = true; ++ ++ /* ++ * Static calls are only supported in the case where the corresponding ++ * static call key lives in vmlinux (see explanation in ++ * jump_table_group_filter). ++ */ ++ ++ if (lookup_symbol(lookup, key->sym, &symbol) && ++ strcmp(symbol.objname, "vmlinux")) { ++ ++ /* The key lives in a module -- not supported */ ++ ++ /* Inert tracepoints are harmless */ ++ if (tracepoint) ++ return false; ++ ++ /* ++ * This will be upgraded to an error after all static call ++ * errors have been reported. ++ */ ++ log_normal("Found a static call at %s()+0x%lx, using key %s, which is defined in a module. Use KPATCH_STATIC_CALL() instead.\n", ++ code->sym->name, code->addend, key->sym->name); ++ static_call_errors++; ++ return false; ++ } ++ ++ /* The key lives in vmlinux or the patch module itself */ ++ return true; ++} ++ ++ + static struct special_section special_sections[] = { + { + .name = "__bug_table", +@@ -2235,6 +2403,7 @@ static struct special_section special_sections[] = { + .name = "__jump_table", + .arch = X86_64 | PPC64 | S390, + .group_size = jump_table_group_size, ++ .group_filter = jump_table_group_filter, + }, + { + .name = ".printk_index", +@@ -2260,6 +2429,7 @@ static struct special_section special_sections[] = { + .name = ".static_call_sites", + .arch = X86_64, + .group_size = static_call_sites_group_size, ++ .group_filter = static_call_sites_group_filter, + }, + { + .name = ".retpoline_sites", +@@ -2297,138 +2467,36 @@ static struct special_section special_sections[] = { + .group_size = fixup_barrier_nospec_group_size, + }, + { +- .name = ".s390_return_mem", +- .arch = S390, +- .group_size = s390_expolines_group_size, ++ .name = ".s390_return_mem", ++ .arch = S390, ++ .group_size = s390_expolines_group_size, + }, + { +- .name = ".s390_return_reg", +- .arch = S390, +- .group_size = s390_expolines_group_size, ++ .name = ".s390_return_reg", ++ .arch = S390, ++ .group_size = s390_expolines_group_size, + }, + { +- .name = ".s390_indirect_call", +- .arch = S390, +- .group_size = s390_expolines_group_size, ++ .name = ".s390_indirect_call", ++ .arch = S390, ++ .group_size = s390_expolines_group_size, + }, + { +- .name = ".s390_indirect_branches", +- .arch = S390, +- .group_size = s390_expolines_group_size, ++ .name = ".s390_indirect_branches", ++ .arch = S390, ++ .group_size = s390_expolines_group_size, + }, + { +- .name = ".s390_indirect_jump", +- .arch = S390, +- .group_size = s390_expolines_group_size, ++ .name = ".s390_indirect_jump", ++ .arch = S390, ++ .group_size = s390_expolines_group_size, + }, + {}, + }; + +-static bool should_keep_jump_label(struct lookup_table *lookup, +- struct section *relasec, +- unsigned int group_offset, +- unsigned int group_size, +- int *jump_labels_found) +-{ +- struct rela *code = NULL, *key = NULL, *rela; +- bool tracepoint = false, dynamic_debug = false; +- struct lookup_result symbol; +- int i = 0; +- +- /* +- * Here we hard-code knowledge about the contents of the jump_entry +- * struct. It has three fields: code, target, and key. Each field has +- * a relocation associated with it. +- */ +- list_for_each_entry(rela, &relasec->relas, list) { +- if (rela->offset >= group_offset && +- rela->offset < group_offset + group_size) { +- if (i == 0) +- code = rela; +- else if (i == 2) +- key = rela; +- i++; +- } +- } +- +- if (i != 3 || !key || !code) +- ERROR("BUG: __jump_table has an unexpected format"); +- +- if (!strncmp(key->sym->name, "__tracepoint_", 13)) +- tracepoint = true; +- +- if (is_dynamic_debug_symbol(key->sym)) +- dynamic_debug = true; +- +- if (KLP_ARCH) { +- /* +- * On older kernels (with .klp.arch support), jump labels +- * aren't supported at all. Error out when they occur in a +- * replacement function, with the exception of tracepoints and +- * dynamic debug printks. An inert tracepoint or printk is +- * harmless enough, but a broken jump label can cause +- * unexpected behavior. +- */ +- if (tracepoint || dynamic_debug) +- return false; +- +- /* +- * This will be upgraded to an error after all jump labels have +- * been reported. +- */ +- log_normal("Found a jump label at %s()+0x%lx, using key %s. Jump labels aren't supported with this kernel. Use static_key_enabled() instead.\n", +- code->sym->name, code->addend, key->sym->name); +- (*jump_labels_found)++; +- return false; +- } +- +- /* +- * On newer (5.8+) kernels, jump labels are supported in the case where +- * the corresponding static key lives in vmlinux. That's because such +- * kernels apply vmlinux-specific .klp.rela sections at the same time +- * (in the klp module load) as normal relas, before jump label init. +- * On the other hand, jump labels based on static keys which are +- * defined in modules aren't supported, because late module patching +- * can result in the klp relas getting applied *after* the klp module's +- * jump label init. +- */ +- +- if (lookup_symbol(lookup, key->sym, &symbol) && +- strcmp(symbol.objname, "vmlinux")) { +- +- /* The static key lives in a module -- not supported */ +- +- /* Inert tracepoints and dynamic debug printks are harmless */ +- if (tracepoint || dynamic_debug) +- return false; +- +- /* +- * This will be upgraded to an error after all jump labels have +- * been reported. +- */ +- log_normal("Found a jump label at %s()+0x%lx, using key %s, which is defined in a module. Use static_key_enabled() instead.\n", +- code->sym->name, code->addend, key->sym->name); +- (*jump_labels_found)++; +- return false; +- } +- +- /* The static key lives in vmlinux or the patch module itself */ +- +- /* +- * If the jump label key lives in the '__dyndbg' section, make sure +- * the section gets included, because we don't use klp relocs for +- * dynamic debug symbols. For an example of such a key, see +- * DYNAMIC_DEBUG_BRANCH(). +- */ +- if (dynamic_debug) +- kpatch_include_symbol(key->sym); +- +- return true; +-} +- + static bool should_keep_rela_group(struct lookup_table *lookup, + struct section *relasec, unsigned int offset, +- unsigned int size, int *jump_labels_found) ++ unsigned int size) + { + struct rela *rela; + bool found = false; +@@ -2448,10 +2516,6 @@ static bool should_keep_rela_group(struct lookup_table *lookup, + if (!found) + return false; + +- if (!strcmp(relasec->name, ".rela__jump_table")) +- return should_keep_jump_label(lookup, relasec, offset, size, +- jump_labels_found); +- + return true; + } + +@@ -2488,7 +2552,6 @@ static void kpatch_regenerate_special_section(struct kpatch_elf *kelf, + struct rela *rela, *safe; + char *src, *dest; + unsigned int group_size, src_offset, dest_offset; +- int jump_labels_found = 0; + + LIST_HEAD(newrelas); + +@@ -2523,8 +2586,11 @@ static void kpatch_regenerate_special_section(struct kpatch_elf *kelf, + if (src_offset + group_size > relasec->base->sh.sh_size) + group_size = (unsigned int)(relasec->base->sh.sh_size - src_offset); + +- if (!should_keep_rela_group(lookup, relasec, src_offset, group_size, +- &jump_labels_found)) ++ if (!should_keep_rela_group(lookup, relasec, src_offset, group_size)) ++ continue; ++ ++ if (special->group_filter && ++ !special->group_filter(lookup, relasec, src_offset, group_size)) + continue; + + /* +@@ -2557,9 +2623,13 @@ static void kpatch_regenerate_special_section(struct kpatch_elf *kelf, + dest_offset += group_size; + } + +- if (jump_labels_found) +- ERROR("Found %d jump label(s) in the patched code. Jump labels aren't currently supported. Use static_key_enabled() instead.", +- jump_labels_found); ++ if (jump_label_errors) ++ ERROR("Found %d unsupported jump label(s) in the patched code. Use static_key_enabled() instead.", ++ jump_label_errors); ++ ++ if (static_call_errors) ++ ERROR("Found %d unsupported static call(s) in the patched code. Use KPATCH_STATIC_CALL() instead.", ++ static_call_errors); + + if (!dest_offset) { + /* no changed or global functions referenced */ +diff --git a/kpatch-build/log.h b/kpatch-build/log.h +index eefa0fce7b08..dbdc212713e1 100644 +--- a/kpatch-build/log.h ++++ b/kpatch-build/log.h +@@ -9,7 +9,7 @@ extern enum loglevel loglevel; + extern char *childobj; + + #define ERROR(format, ...) \ +- err(EXIT_STATUS_ERROR, "ERROR: %s: %s: %d: " format, childobj, __FUNCTION__, __LINE__, ##__VA_ARGS__) ++ errx(EXIT_STATUS_ERROR, "ERROR: %s: %s: %d: " format, childobj, __FUNCTION__, __LINE__, ##__VA_ARGS__) + + #define log_debug(format, ...) log(DEBUG, format, ##__VA_ARGS__) + #define log_normal(format, ...) log(NORMAL, "%s: " format, childobj, ##__VA_ARGS__) +-- +2.38.1 + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 8eb68fd..2c1aec6 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,27 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 5.14.0-162.12.1.el9_1 %define kpatch_ver 0.9.7 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2153007 +Source100: CVE-2022-3564.patch +# +# https://bugzilla.redhat.com/2152599 +Source101: CVE-2022-4378.patch +# +# https://bugzilla.redhat.com/2153157 +Source102: CVE-2022-4379.patch +# +# https://bugzilla.redhat.com/2161747 +Source103: CVE-2023-0179.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -189,5 +199,11 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Feb 14 2023 Yannick Cote [1-1.el9_1] +- kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan [2161747] {CVE-2023-0179} +- kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading to remote Denial of Service attack [2153157] {CVE-2022-4379} +- kernel: a stack overflow in do_proc_dointvec and proc_skip_spaces [2152599] {CVE-2022-4378} +- kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c [2153007] {CVE-2022-3564} + * Thu Dec 22 2022 Linqing Lu [0-0.el9] - An empty patch to subscribe to kpatch stream for kernel-5.14.0-162.12.1.el9_1 [2155884]