rpms / kpatch-patch-5_14_0-162_6_1

Clone
Source Code
GIT

Files

  1.   4be359001ada21f42fadefd94043ce2e057a3887
  2.   SOURCES
  3.   CVE-2022-4744.patch
Blob Blame History Raw 
From 951ae7dd395dd1407cfc6d7f2f59163850ec0362 Mon Sep 17 00:00:00 2001
From: Yannick Cote <ycote@redhat.com>
Date: Tue, 14 Mar 2023 21:40:48 -0400
Subject: [KPATCH CVE-2022-4744] kpatch fixes for CVE-2022-4744

Kernels:
5.14.0-162.6.1.el9_1
5.14.0-162.12.1.el9_1
5.14.0-162.18.1.el9_1


Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/28
Approved-by: Joe Lawrence (@joe.lawrence)
Changes since last build:
[x86_64]:
control.o: changed function: snd_ctl_elem_read
control.o: changed function: snd_ctl_ioctl
dev.o: changed function: register_netdevice
tun.o: changed function: tun_free_netdev
tun.o: changed function: tun_set_iff.constprop.0
tun.o: new function: kpp_cve_2022_4744_tun_net_init

[ppc64le]:
dev.o: changed function: register_netdevice
tun.o: changed function: tun_free_netdev
tun.o: changed function: tun_set_iff.constprop.0
tun.o: new function: kpp_cve_2022_4744_tun_net_init

---------------------------

Modifications:
- add shadow variables for tun->ifr, tun->file, ndo_init
- call init from register_netdevice() when shadow variables are detected
- renamed new tun_net_init() -> kpp_cve_2022_4744_tun_net_init()
- code to allocate, maintain and remove shadow variables

commit 8ab79b18abf2f3a2cf33903794ff0de7cec105fc
Author: Jon Maloy <jmaloy@redhat.com>
Date:   Wed Mar 8 11:35:45 2023 -0500

    tun: avoid double free in tun_free_netdev

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2156372
    Upstream: Merged
    CVE: CVE-2022-4744

    commit 158b515f703e75e7d68289bf4d98c664e1d632df
    Author: George Kennedy <george.kennedy@oracle.com>
    Date:   Thu Dec 16 13:25:32 2021 -0500

        tun: avoid double free in tun_free_netdev

        Avoid double free in tun_free_netdev() by moving the
        dev->tstats and tun->security allocs to a new ndo_init routine
        (tun_net_init()) that will be called by register_netdevice().
        ndo_init is paired with the desctructor (tun_free_netdev()),
        so if there's an error in register_netdevice() the destructor
        will handle the frees.

        BUG: KASAN: double-free or invalid-free in selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605

        CPU: 0 PID: 25750 Comm: syz-executor416 Not tainted 5.16.0-rc2-syzk #1
        Hardware name: Red Hat KVM, BIOS
        Call Trace:
        <TASK>
        __dump_stack lib/dump_stack.c:88 [inline]
        dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
        print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
        kasan_report_invalid_free+0x55/0x80 mm/kasan/report.c:372
        ____kasan_slab_free mm/kasan/common.c:346 [inline]
        __kasan_slab_free+0x107/0x120 mm/kasan/common.c:374
        kasan_slab_free include/linux/kasan.h:235 [inline]
        slab_free_hook mm/slub.c:1723 [inline]
        slab_free_freelist_hook mm/slub.c:1749 [inline]
        slab_free mm/slub.c:3513 [inline]
        kfree+0xac/0x2d0 mm/slub.c:4561
        selinux_tun_dev_free_security+0x1a/0x20 security/selinux/hooks.c:5605
        security_tun_dev_free_security+0x4f/0x90 security/security.c:2342
        tun_free_netdev+0xe6/0x150 drivers/net/tun.c:2215
        netdev_run_todo+0x4df/0x840 net/core/dev.c:10627
        rtnl_unlock+0x13/0x20 net/core/rtnetlink.c:112
        __tun_chr_ioctl+0x80c/0x2870 drivers/net/tun.c:3302
        tun_chr_ioctl+0x2f/0x40 drivers/net/tun.c:3311
        vfs_ioctl fs/ioctl.c:51 [inline]
        __do_sys_ioctl fs/ioctl.c:874 [inline]
        __se_sys_ioctl fs/ioctl.c:860 [inline]
        __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
        do_syscall_x64 arch/x86/entry/common.c:50 [inline]
        do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
        entry_SYSCALL_64_after_hwframe+0x44/0xae

        Reported-by: syzkaller <syzkaller@googlegroups.com>
        Signed-off-by: George Kennedy <george.kennedy@oracle.com>
        Suggested-by: Jakub Kicinski <kuba@kernel.org>
        Link: https://lore.kernel.org/r/1639679132-19884-1-git-send-email-george.kennedy@oracle.com
        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Jon Maloy <jmaloy@redhat.com>

Signed-off-by: Yannick Cote <ycote@redhat.com>
---
 drivers/net/tun.c | 135 ++++++++++++++++++++++++++++------------------
 net/core/dev.c    |  31 ++++++++++-
 2 files changed, 112 insertions(+), 54 deletions(-)

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index a3aec566fb4b..2a2fee5e3c10 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -216,6 +216,9 @@ struct veth {
 	__be16 h_vlan_TCI;
 };
 
+static void tun_flow_init(struct tun_struct *tun);
+static void tun_flow_uninit(struct tun_struct *tun);
+
 static int tun_napi_receive(struct napi_struct *napi, int budget)
 {
 	struct tun_file *tfile = container_of(napi, struct tun_file, napi);
@@ -953,6 +956,67 @@ static int check_filter(struct tap_filter *filter, const struct sk_buff *skb)
 
 static const struct ethtool_ops tun_ethtool_ops;
 
+/* CVE-2022-4744 - kpatch gathered definitions */
+#ifndef __GENKSYMS__
+/* Note: avoid symvers churn for tun_get_tx_ring and tun_get_socket */
+# include <linux/livepatch.h>
+# define KLP_CVE_2022_4744  0x2022474400000001
+struct klp_cve_2022_4774_t {
+	struct ifreq tun_ifr;
+	struct file tun_file;
+	int (*ndo_init)(struct net_device *netdev);
+};
+#endif
+int kpp_cve_2022_4744_tun_net_init(struct net_device *dev)
+{
+	struct tun_struct *tun = netdev_priv(dev);
+	int err;
+	struct klp_cve_2022_4774_t *klp_sv;
+
+	klp_sv = klp_shadow_get(tun, KLP_CVE_2022_4744);
+	if (!klp_sv)
+		return -EINVAL;
+
+	dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+	if (!dev->tstats)
+		return -ENOMEM;
+
+	spin_lock_init(&tun->lock);
+
+	err = security_tun_dev_alloc_security(&tun->security);
+	if (err < 0) {
+		free_percpu(dev->tstats);
+		return err;
+	}
+
+	tun_flow_init(tun);
+
+	dev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST |
+			   TUN_USER_FEATURES | NETIF_F_HW_VLAN_CTAG_TX |
+			   NETIF_F_HW_VLAN_STAG_TX;
+	dev->features = dev->hw_features | NETIF_F_LLTX;
+	dev->vlan_features = dev->features &
+			     ~(NETIF_F_HW_VLAN_CTAG_TX |
+			       NETIF_F_HW_VLAN_STAG_TX);
+	klp_sv = klp_shadow_get(tun, KLP_CVE_2022_4744);
+	if (klp_sv) {
+		tun->flags = (tun->flags & ~TUN_FEATURES) |
+			     (klp_sv->tun_ifr.ifr_flags & TUN_FEATURES);
+
+		INIT_LIST_HEAD(&tun->disabled);
+		err = tun_attach(tun, &klp_sv->tun_file, false,
+			 klp_sv->tun_ifr.ifr_flags & IFF_NAPI,
+			 klp_sv->tun_ifr.ifr_flags & IFF_NAPI_FRAGS, false);
+	}
+	if (err < 0) {
+		tun_flow_uninit(tun);
+		security_tun_dev_free_security(tun->security);
+		free_percpu(dev->tstats);
+		return err;
+	}
+	return 0;
+}
+
 /* Net device detach from fd. */
 static void tun_net_uninit(struct net_device *dev)
 {
@@ -2206,15 +2270,11 @@ static void tun_free_netdev(struct net_device *dev)
 	BUG_ON(!(list_empty(&tun->disabled)));
 
 	free_percpu(dev->tstats);
-	/* We clear tstats so that tun_set_iff() can tell if
-	 * tun_free_netdev() has been called from register_netdevice().
-	 */
-	dev->tstats = NULL;
-
 	tun_flow_uninit(tun);
 	security_tun_dev_free_security(tun->security);
 	__tun_set_ebpf(tun, &tun->steering_prog, NULL);
 	__tun_set_ebpf(tun, &tun->filter_prog, NULL);
+	klp_shadow_free(tun, KLP_CVE_2022_4744, NULL);
 }
 
 static void tun_setup(struct net_device *dev)
@@ -2716,41 +2776,30 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 		tun->rx_batched = 0;
 		RCU_INIT_POINTER(tun->steering_prog, NULL);
 
-		dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
-		if (!dev->tstats) {
-			err = -ENOMEM;
-			goto err_free_dev;
-		}
+/* kpatch */
+{
+		struct klp_cve_2022_4774_t *klp_sv;
 
-		spin_lock_init(&tun->lock);
+		klp_sv = klp_shadow_alloc(tun, KLP_CVE_2022_4744,
+					  sizeof(*klp_sv), GFP_KERNEL, NULL, NULL);
+		if (!klp_sv) {
+			free_netdev(dev);
+			return -ENOMEM;
+		}
 
-		err = security_tun_dev_alloc_security(&tun->security);
-		if (err < 0)
-			goto err_free_stat;
+		memcpy(&klp_sv->tun_ifr, ifr, sizeof(*ifr));
+		memcpy(&klp_sv->tun_file, file, sizeof(*file));
+		klp_sv->ndo_init = kpp_cve_2022_4744_tun_net_init;
+}
 
 		tun_net_init(dev);
-		tun_flow_init(tun);
-
-		dev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST |
-				   TUN_USER_FEATURES | NETIF_F_HW_VLAN_CTAG_TX |
-				   NETIF_F_HW_VLAN_STAG_TX;
-		dev->features = dev->hw_features | NETIF_F_LLTX;
-		dev->vlan_features = dev->features &
-				     ~(NETIF_F_HW_VLAN_CTAG_TX |
-				       NETIF_F_HW_VLAN_STAG_TX);
-
-		tun->flags = (tun->flags & ~TUN_FEATURES) |
-			      (ifr->ifr_flags & TUN_FEATURES);
-
-		INIT_LIST_HEAD(&tun->disabled);
-		err = tun_attach(tun, file, false, ifr->ifr_flags & IFF_NAPI,
-				 ifr->ifr_flags & IFF_NAPI_FRAGS, false);
-		if (err < 0)
-			goto err_free_flow;
 
 		err = register_netdevice(tun->dev);
-		if (err < 0)
-			goto err_detach;
+		if (err < 0) {
+			klp_shadow_free(tun, KLP_CVE_2022_4744, NULL);
+			free_netdev(dev);
+			return err;
+		}
 		/* free_netdev() won't check refcnt, to avoid race
 		 * with dev_put() we need publish tun after registration.
 		 */
@@ -2767,24 +2816,6 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 
 	strcpy(ifr->ifr_name, tun->dev->name);
 	return 0;
-
-err_detach:
-	tun_detach_all(dev);
-	/* We are here because register_netdevice() has failed.
-	 * If register_netdevice() already called tun_free_netdev()
-	 * while dealing with the error, dev->stats has been cleared.
-	 */
-	if (!dev->tstats)
-		goto err_free_dev;
-
-err_free_flow:
-	tun_flow_uninit(tun);
-	security_tun_dev_free_security(tun->security);
-err_free_stat:
-	free_percpu(dev->tstats);
-err_free_dev:
-	free_netdev(dev);
-	return err;
 }
 
 static void tun_get_iff(struct tun_struct *tun, struct ifreq *ifr)
diff --git a/net/core/dev.c b/net/core/dev.c
index 89ff6b1e7735..d5f07da178dc 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -9544,6 +9544,15 @@ EXPORT_SYMBOL(netif_tx_stop_all_queues);
  *	will not get the same name.
  */
 
+/* CVE-2022-4744 - kpatch gathered definitions */
+#include <linux/livepatch.h>
+#define KLP_CVE_2022_4744  0x2022474400000001
+struct klp_cve_2022_4774_t {
+	struct ifreq tun_ifr;
+	struct file tun_file;
+	int (*ndo_init)(struct net_device *netdev);
+};
+
 int register_netdevice(struct net_device *dev)
 {
 	int ret;
@@ -9576,15 +9585,33 @@ int register_netdevice(struct net_device *dev)
 	if (!dev->name_node)
 		goto out;
 
+/* kpatch */
+{
 	/* Init, if this function is available */
-	if (dev->netdev_ops->ndo_init) {
-		ret = dev->netdev_ops->ndo_init(dev);
+	struct klp_cve_2022_4774_t *klp_sv;
+	int (*ndo_init)(struct net_device *netdev) = NULL;
+
+	/* Does device has shadow variable ndo_init? */
+	if (netdev_priv(dev)) {
+		klp_sv = klp_shadow_get(netdev_priv(dev), KLP_CVE_2022_4744);
+		if (klp_sv && klp_sv->ndo_init)
+			ndo_init = klp_sv->ndo_init;
+	}
+
+	/* How about typical netdev_ops->ndo_init */
+	if (!ndo_init && dev->netdev_ops->ndo_init)
+		ndo_init = dev->netdev_ops->ndo_init;
+
+	/* Run ndo_init callback if found */
+	if (ndo_init) {
+		ret = ndo_init(dev);
 		if (ret) {
 			if (ret > 0)
 				ret = -EIO;
 			goto err_free_name;
 		}
 	}
+}
 
 	if (((dev->hw_features | dev->features) &
 	     NETIF_F_HW_VLAN_CTAG_FILTER) &&
-- 
2.39.2

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation