diff --git a/SOURCES/CVE-2022-3564.patch b/SOURCES/CVE-2022-3564.patch new file mode 100644 index 0000000..a8d46ad --- /dev/null +++ b/SOURCES/CVE-2022-3564.patch @@ -0,0 +1,217 @@ +From 6b5f1ddf8fdf04b977a2523a103d03e807fc0471 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Mon, 23 Jan 2023 11:48:28 -0500 +Subject: [KPATCH CVE-2022-3564] kpatch fixes for CVE-2022-3564 + +Kernels: +5.14.0-162.6.1.el9_1 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/16 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_stream_rx +nfs4proc.o: changed function: nfsd4_copy +nfs4proc.o: changed function: nfsd4_do_async_copy +nft_payload.o: changed function: nft_payload_copy_vlan +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.0 +--------------------------- + +Modifications: none + +commit c4f4f4633ff2000f9f67db4271b8186939690908 +Author: Ricardo Robaina +Date: Wed Jan 11 14:57:13 2023 -0300 + + Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu + + Bugzilla: https://bugzilla.redhat.com/2152929 + CVE: CVE-2022-3564 + Y-Commit: 7de3277fe8bf62a5af7d2758f1b13cea20541724 + + O-Bugzilla: https://bugzilla.redhat.com/2152931 + O-CVE: CVE-2022-3564 + + commit 3aff8aaca4e36dc8b17eaa011684881a80238966 + Author: Maxim Mikityanskiy + Date: Wed Oct 5 00:27:18 2022 +0300 + + Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu + + Fix the race condition between the following two flows that run in + parallel: + + 1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) -> + __sock_queue_rcv_skb. + + 2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram. + + An SKB can be queued by the first flow and immediately dequeued and + freed by the second flow, therefore the callers of l2cap_reassemble_sdu + can't use the SKB after that function returns. However, some places + continue accessing struct l2cap_ctrl that resides in the SKB's CB for a + short time after l2cap_reassemble_sdu returns, leading to a + use-after-free condition (the stack trace is below, line numbers for + kernel 5.19.8). + + Fix it by keeping a local copy of struct l2cap_ctrl. + + BUG: KASAN: use-after-free in l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + Read of size 1 at addr ffff88812025f2f0 by task kworker/u17:3/43169 + + Workqueue: hci0 hci_rx_work [bluetooth] + Call Trace: + + dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4)) + print_report.cold (mm/kasan/report.c:314 mm/kasan/report.c:429) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) + ? l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx_state_recv (net/bluetooth/l2cap_core.c:6906) bluetooth + l2cap_rx (net/bluetooth/l2cap_core.c:7236 net/bluetooth/l2cap_core.c:7271) bluetooth + ret_from_fork (arch/x86/entry/entry_64.S:306) + + + Allocated by task 43169: + kasan_save_stack (mm/kasan/common.c:39) + __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469) + kmem_cache_alloc_node (mm/slab.h:750 mm/slub.c:3243 mm/slub.c:3293) + __alloc_skb (net/core/skbuff.c:414) + l2cap_recv_frag (./include/net/bluetooth/bluetooth.h:425 net/bluetooth/l2cap_core.c:8329) bluetooth + l2cap_recv_acldata (net/bluetooth/l2cap_core.c:8442) bluetooth + hci_rx_work (net/bluetooth/hci_core.c:3642 net/bluetooth/hci_core.c:3832) bluetooth + process_one_work (kernel/workqueue.c:2289) + worker_thread (./include/linux/list.h:292 kernel/workqueue.c:2437) + kthread (kernel/kthread.c:376) + ret_from_fork (arch/x86/entry/entry_64.S:306) + + Freed by task 27920: + kasan_save_stack (mm/kasan/common.c:39) + kasan_set_track (mm/kasan/common.c:45) + kasan_set_free_info (mm/kasan/generic.c:372) + ____kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328) + slab_free_freelist_hook (mm/slub.c:1780) + kmem_cache_free (mm/slub.c:3536 mm/slub.c:3553) + skb_free_datagram (./include/net/sock.h:1578 ./include/net/sock.h:1639 net/core/datagram.c:323) + bt_sock_recvmsg (net/bluetooth/af_bluetooth.c:295) bluetooth + l2cap_sock_recvmsg (net/bluetooth/l2cap_sock.c:1212) bluetooth + sock_read_iter (net/socket.c:1087) + new_sync_read (./include/linux/fs.h:2052 fs/read_write.c:401) + vfs_read (fs/read_write.c:482) + ksys_read (fs/read_write.c:620) + do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) + + Link: https://lore.kernel.org/linux-bluetooth/CAKErNvoqga1WcmoR3-0875esY6TVWFQDandbVZncSiuGPBQXLA@mail.gmail.com/T/#u + Fixes: d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive state machine") + Fixes: 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier") + Signed-off-by: Maxim Mikityanskiy + Signed-off-by: Luiz Augusto von Dentz + + Signed-off-by: Ricardo Robaina + Signed-off-by: Patrick Talbert + +Signed-off-by: Ryan Sullivan +--- + net/bluetooth/l2cap_core.c | 48 ++++++++++++++++++++++++++++++++------ + 1 file changed, 41 insertions(+), 7 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index e817ff0607a0..e95c1a019de9 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -6842,6 +6842,7 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan, + struct l2cap_ctrl *control, + struct sk_buff *skb, u8 event) + { ++ struct l2cap_ctrl local_control; + int err = 0; + bool skb_in_use = false; + +@@ -6866,15 +6867,32 @@ static int l2cap_rx_state_recv(struct l2cap_chan *chan, + chan->buffer_seq = chan->expected_tx_seq; + skb_in_use = true; + ++ /* l2cap_reassemble_sdu may free skb, hence invalidate ++ * control, so make a copy in advance to use it after ++ * l2cap_reassemble_sdu returns and to avoid the race ++ * condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but ++ * it was freed by skb_free_datagram. ++ */ ++ local_control = *control; + err = l2cap_reassemble_sdu(chan, skb, control); + if (err) + break; + +- if (control->final) { ++ if (local_control.final) { + if (!test_and_clear_bit(CONN_REJ_ACT, + &chan->conn_state)) { +- control->final = 0; +- l2cap_retransmit_all(chan, control); ++ local_control.final = 0; ++ l2cap_retransmit_all(chan, &local_control); + l2cap_ertm_send(chan); + } + } +@@ -7254,11 +7272,27 @@ static int l2cap_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff *skb) + { ++ /* l2cap_reassemble_sdu may free skb, hence invalidate control, so store ++ * the txseq field in advance to use it after l2cap_reassemble_sdu ++ * returns and to avoid the race condition, for example: ++ * ++ * The current thread calls: ++ * l2cap_reassemble_sdu ++ * chan->ops->recv == l2cap_sock_recv_cb ++ * __sock_queue_rcv_skb ++ * Another thread calls: ++ * bt_sock_recvmsg ++ * skb_recv_datagram ++ * skb_free_datagram ++ * Then the current thread tries to access control, but it was freed by ++ * skb_free_datagram. ++ */ ++ u16 txseq = control->txseq; ++ + BT_DBG("chan %p, control %p, skb %p, state %d", chan, control, skb, + chan->rx_state); + +- if (l2cap_classify_txseq(chan, control->txseq) == +- L2CAP_TXSEQ_EXPECTED) { ++ if (l2cap_classify_txseq(chan, txseq) == L2CAP_TXSEQ_EXPECTED) { + l2cap_pass_to_tx(chan, control); + + BT_DBG("buffer_seq %u->%u", chan->buffer_seq, +@@ -7281,8 +7315,8 @@ static int l2cap_stream_rx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + } + } + +- chan->last_acked_seq = control->txseq; +- chan->expected_tx_seq = __next_seq(chan, control->txseq); ++ chan->last_acked_seq = txseq; ++ chan->expected_tx_seq = __next_seq(chan, txseq); + + return 0; + } +-- +2.39.1 + + diff --git a/SOURCES/CVE-2022-4378.patch b/SOURCES/CVE-2022-4378.patch new file mode 100644 index 0000000..ef190f8 --- /dev/null +++ b/SOURCES/CVE-2022-4378.patch @@ -0,0 +1,201 @@ +From 5b91e65d83213b25cc9529884a2106eee80c6c04 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Thu, 26 Jan 2023 09:44:30 -0500 +Subject: [KPATCH CVE-2022-4378] kpatch fixes for CVE-2022-4378 + +Kernels: +5.14.0-162.6.1.el9_1 +5.14.0-162.12.1.el9_1 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/19 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_stream_rx +nfs4proc.o: changed function: nfsd4_copy +nfs4proc.o: changed function: nfsd4_do_async_copy +nft_payload.o: changed function: nft_payload_copy_vlan +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.0 +--------------------------- + +Modifications: none + +commit d4c4d465e31fae6c3729b9c52a6bc3610494ead4 +Author: Wander Lairson Costa +Date: Mon Dec 12 15:30:46 2022 -0300 + + proc: avoid integer type confusion in get_proc_long + + Bugzilla: https://bugzilla.redhat.com/2152580 + CVE: CVE-2022-4378 + Y-Commit: ab93541c2e72e570f9b6cf79ff943400961a30e1 + + O-Bugzilla: https://bugzilla.redhat.com/2152581 + O-CVE: CVE-2022-4378 + + commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c + Author: Linus Torvalds + Date: Mon Dec 5 11:33:40 2022 -0800 + + proc: avoid integer type confusion in get_proc_long + + proc_get_long() is passed a size_t, but then assigns it to an 'int' + variable for the length. Let's not do that, even if our IO paths are + limited to MAX_RW_COUNT (exactly because of these kinds of type errors). + + So do the proper test in the rigth type. + + Reported-by: Kyle Zeng + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + Signed-off-by: Patrick Talbert + +commit 250391dd6ddc268d65901a1eaeb966a7256ef1cb +Author: Wander Lairson Costa +Date: Mon Dec 12 15:30:50 2022 -0300 + + proc: proc_skip_spaces() shouldn't think it is working on C strings + + Bugzilla: https://bugzilla.redhat.com/2152580 + CVE: CVE-2022-4378 + Y-Commit: a664fa0ecf20645f630e278b6da6aaabb3192954 + + O-Bugzilla: https://bugzilla.redhat.com/2152581 + O-CVE: CVE-2022-4378 + + commit bce9332220bd677d83b19d21502776ad555a0e73 + Author: Linus Torvalds + Date: Mon Dec 5 12:09:06 2022 -0800 + + proc: proc_skip_spaces() shouldn't think it is working on C strings + + proc_skip_spaces() seems to think it is working on C strings, and ends + up being just a wrapper around skip_spaces() with a really odd calling + convention. + + Instead of basing it on skip_spaces(), it should have looked more like + proc_skip_char(), which really is the exact same function (except it + skips a particular character, rather than whitespace). So use that as + inspiration, odd coding and all. + + Now the calling convention actually makes sense and works for the + intended purpose. + + Reported-and-tested-by: Kyle Zeng + Acked-by: Eric Dumazet + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + Signed-off-by: Patrick Talbert + +Signed-off-by: Ryan Sullivan +--- + kernel/sysctl.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 0dd902ee206e..e72cf05ca07b 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -391,13 +391,14 @@ int proc_dostring(struct ctl_table *table, int write, + ppos); + } + +-static size_t proc_skip_spaces(char **buf) ++static void proc_skip_spaces(char **buf, size_t *size) + { +- size_t ret; +- char *tmp = skip_spaces(*buf); +- ret = tmp - *buf; +- *buf = tmp; +- return ret; ++ while (*size) { ++ if (!isspace(**buf)) ++ break; ++ (*size)--; ++ (*buf)++; ++ } + } + + static void proc_skip_char(char **buf, size_t *size, const char v) +@@ -466,13 +467,12 @@ static int proc_get_long(char **buf, size_t *size, + unsigned long *val, bool *neg, + const char *perm_tr, unsigned perm_tr_len, char *tr) + { +- int len; + char *p, tmp[TMPBUFLEN]; ++ ssize_t len = *size; + +- if (!*size) ++ if (len <= 0) + return -EINVAL; + +- len = *size; + if (len > TMPBUFLEN - 1) + len = TMPBUFLEN - 1; + +@@ -645,7 +645,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, + bool neg; + + if (write) { +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + if (!left) + break; +@@ -672,7 +672,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, + if (!write && !first && left && !err) + proc_put_char(&buffer, &left, '\n'); + if (write && !err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write && first) + return err ? : -EINVAL; + *lenp -= left; +@@ -714,7 +714,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, + if (left > PAGE_SIZE - 1) + left = PAGE_SIZE - 1; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) { + err = -EINVAL; + goto out_free; +@@ -734,7 +734,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, + } + + if (!err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + out_free: + if (err) +@@ -1271,7 +1271,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, + if (write) { + bool neg; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) + break; + +@@ -1299,7 +1299,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, + if (!write && !first && left && !err) + proc_put_char(&buffer, &left, '\n'); + if (write && !err) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (write && first) + return err ? : -EINVAL; + *lenp -= left; +-- +2.39.1 + + diff --git a/SOURCES/CVE-2022-4379.patch b/SOURCES/CVE-2022-4379.patch new file mode 100644 index 0000000..5c9a346 --- /dev/null +++ b/SOURCES/CVE-2022-4379.patch @@ -0,0 +1,151 @@ +From 17ddede397702f9cb323ac8bbcc673c8dd00c0cf Mon Sep 17 00:00:00 2001 +From: Yannick Cote +Date: Fri, 27 Jan 2023 10:34:30 -0500 +Subject: [KPATCH CVE-2022-4379] kpatch fixes for CVE-2022-4379 + +Kernels: +5.14.0-162.6.1.el9_1 +5.14.0-162.12.1.el9_1 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/21 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +arches: x86_64 ppc64le +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_stream_rx +nfs4proc.o: changed function: nfsd4_copy +nfs4proc.o: changed function: nfsd4_do_async_copy +nft_payload.o: changed function: nft_payload_copy_vlan +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.0 +--------------------------- + +Modifications: +- fix `kpatch_no_sibling_calls_ppc64le` with -fno-optimize-sibling-calls + +commit e7df0c736aef6f0cc49758b8b0bdb27edf5c3e61 +Author: Benjamin Coddington +Date: Wed Dec 21 11:03:36 2022 -0500 + + NFSD: fix use-after-free in __nfs42_ssc_open() + + Bugzilla: https://bugzilla.redhat.com/2152815 + CVE: CVE-2022-4379 + Y-Commit: a16ccb9a41ad6a36d58f690b823095798ba7f69c + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2152816 + O-CVE: CVE-2022-4379 + Conflicts: Slight context diff from upstream patch, as we've not yet taken + upstream commit 754035ff7. This resulting fix is unchanged. + + commit 75333d48f92256a0dec91dbf07835e804fc411c0 + Author: Dai Ngo + Date: Mon Dec 12 14:50:11 2022 -0800 + + NFSD: fix use-after-free in __nfs42_ssc_open() + + Problem caused by source's vfsmount being unmounted but remains + on the delayed unmount list. This happens when nfs42_ssc_open() + return errors. + + Fixed by removing nfsd4_interssc_connect(), leave the vfsmount + for the laundromat to unmount when idle time expires. + + We don't need to call nfs_do_sb_deactive when nfs42_ssc_open + return errors since the file was not opened so nfs_server->active + was not incremented. Same as in nfsd4_copy, if we fail to + launch nfsd4_do_async_copy thread then there's no need to + call nfs_do_sb_deactive + + Reported-by: Xingyuan Mo + Signed-off-by: Dai Ngo + Tested-by: Xingyuan Mo + Signed-off-by: Chuck Lever + + Signed-off-by: Benjamin Coddington + + Conflicts: This area of code was refractored by c9s MR !1357 so + context is quite different. + + Signed-off-by: Patrick Talbert + +Signed-off-by: Yannick Cote +--- + fs/nfsd/nfs4proc.c | 23 +++++++---------------- + 1 file changed, 7 insertions(+), 16 deletions(-) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index bbd02c7f4ffe..87bb43a32aad 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1525,13 +1525,6 @@ nfsd4_interssc_connect(struct nl4_server *nss, struct svc_rqst *rqstp, + return status; + } + +-static void +-nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) +-{ +- nfs_do_sb_deactive(ss_mnt->mnt_sb); +- mntput(ss_mnt); +-} +- + /* + * Verify COPY destination stateid. + * +@@ -1634,11 +1627,6 @@ nfsd4_cleanup_inter_ssc(struct vfsmount *ss_mnt, struct nfsd_file *src, + { + } + +-static void +-nfsd4_interssc_disconnect(struct vfsmount *ss_mnt) +-{ +-} +- + static struct file *nfs42_ssc_open(struct vfsmount *ss_mnt, + struct nfs_fh *src_fh, + nfs4_stateid *stateid) +@@ -1794,14 +1782,14 @@ static int nfsd4_do_async_copy(void *data) + copy->nf_src = kzalloc(sizeof(struct nfsd_file), GFP_KERNEL); + if (!copy->nf_src) { + copy->nfserr = nfserr_serverfault; +- nfsd4_interssc_disconnect(copy->ss_mnt); ++ /* ss_mnt will be unmounted by the laundromat */ + goto do_callback; + } + copy->nf_src->nf_file = nfs42_ssc_open(copy->ss_mnt, ©->c_fh, + ©->stateid); + if (IS_ERR(copy->nf_src->nf_file)) { + copy->nfserr = nfserr_offload_denied; +- nfsd4_interssc_disconnect(copy->ss_mnt); ++ /* ss_mnt will be unmounted by the laundromat */ + goto do_callback; + } + } +@@ -1828,6 +1816,7 @@ static int nfsd4_do_async_copy(void *data) + return 0; + } + ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + static __be32 + nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + union nfsd4_op_u *u) +@@ -1886,8 +1875,10 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + if (async_copy) + cleanup_async_copy(async_copy); + status = nfserrno(-ENOMEM); +- if (!copy->cp_intra) +- nfsd4_interssc_disconnect(copy->ss_mnt); ++ /* ++ * source's vfsmount of inter-copy will be unmounted ++ * by the laundromat ++ */ + goto out; + } + +-- +2.39.1 + + diff --git a/SOURCES/CVE-2023-0179.patch b/SOURCES/CVE-2023-0179.patch new file mode 100644 index 0000000..1562bb4 --- /dev/null +++ b/SOURCES/CVE-2023-0179.patch @@ -0,0 +1,85 @@ +From 8552f3231628950fb3f2a8966ef78b14006aefb2 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Tue, 31 Jan 2023 11:26:03 -0500 +Subject: [KPATCH CVE-2023-0179] kpatch fixes for CVE-2023-0179 + +Kernels: +5.14.0-162.6.1.el9_1 +5.14.0-162.12.1.el9_1 + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/23 +Approved-by: Yannick Cote (@ycote1) +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +arches: x86_64 ppc64le +l2cap_core.o: changed function: l2cap_rx_state_recv +l2cap_core.o: changed function: l2cap_stream_rx +nfs4proc.o: changed function: nfsd4_copy +nfs4proc.o: changed function: nfsd4_do_async_copy +nft_payload.o: changed function: nft_payload_copy_vlan +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_get_long.constprop.0 +--------------------------- + +Modifications: none + +commit d4b9787a8f8c75d0c37560d25e817183a700fbec +Author: Florian Westphal +Date: Tue Jan 17 19:28:09 2023 +0100 + + netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits + + Bugzilla: https://bugzilla.redhat.com/2161724 + CVE: CVE-2023-0179 + Y-Commit: c3747b9b25ff4bfdc9fa5c139126043fc8c0389c + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2161725 + Upstream Status: net commit 696e1a48b1a1b + O-CVE: CVE-2023-0179 + + commit 696e1a48b1a1b01edad542a1ef293665864a4dd0 + Author: Pablo Neira Ayuso + Date: Wed Jan 11 17:07:33 2023 +0100 + + netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits + + If the offset + length goes over the ethernet + vlan header, then the + length is adjusted to copy the bytes that are within the boundaries of + the vlan_ethhdr scratchpad area. The remaining bytes beyond ethernet + + vlan header are copied directly from the skbuff data area. + + Fix incorrect arithmetic operator: subtract, not add, the size of the + vlan header in case of double-tagged packets to adjust the length + accordingly to address CVE-2023-0179. + + Reported-by: Davide Ornaghi + Fixes: f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support") + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + Signed-off-by: Patrick Talbert + +Signed-off-by: Ryan Sullivan +--- + net/netfilter/nft_payload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c +index 9af0d58a33f4..ee603dc05e81 100644 +--- a/net/netfilter/nft_payload.c ++++ b/net/netfilter/nft_payload.c +@@ -62,7 +62,7 @@ nft_payload_copy_vlan(u32 *d, const struct sk_buff *skb, u8 offset, u8 len) + return false; + + if (offset + len > VLAN_ETH_HLEN + vlan_hlen) +- ethlen -= offset + len - VLAN_ETH_HLEN + vlan_hlen; ++ ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen; + + memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen); + +-- +2.39.1 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index c880651..f30787d 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 5.14.0-162.6.1.el9_1 %define kpatch_ver 0.9.7 %define rpm_ver 1 -%define rpm_rel 1 +%define rpm_rel 2 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -22,6 +22,18 @@ Source102: CVE-2022-4139.patch # # https://bugzilla.redhat.com/2143187 Source103: CVE-2022-43945.patch +# +# https://bugzilla.redhat.com/2153007 +Source104: CVE-2022-3564.patch +# +# https://bugzilla.redhat.com/2152599 +Source105: CVE-2022-4378.patch +# +# https://bugzilla.redhat.com/2153157 +Source106: CVE-2022-4379.patch +# +# https://bugzilla.redhat.com/2161747 +Source107: CVE-2023-0179.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -199,6 +211,12 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Feb 14 2023 Yannick Cote [1-2.el9_1] +- kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan [2161747] {CVE-2023-0179} +- kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading to remote Denial of Service attack [2153157] {CVE-2022-4379} +- kernel: a stack overflow in do_proc_dointvec and proc_skip_spaces [2152599] {CVE-2022-4378} +- kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c [2153007] {CVE-2022-3564} + * Wed Jan 04 2023 Yannick Cote [1-1.el9_1] - kernel: nfsd buffer overflow by RPC message over TCP with garbage data [2143187] {CVE-2022-43945} - kernel: i915: Incorrect GPU TLB flush can lead to random memory access [2147591] {CVE-2022-4139}