From 92c3b6c8877712c364a633749f937e2902e621f1 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Mon, 16 May 2022 16:40:57 -0400
Subject: [KPATCH CVE-2022-27666] kpatch fixes for CVE-2022-27666
Content-type: text/plain
Kernels:
5.14.0-70.13.1.el9_0
Changes since last build:
arches: x86_64 ppc64le
esp4.o: changed function: esp_output_head
esp6.o: changed function: esp6_output_head
---------------------------
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/1
Approved-by: Yannick Cote (@ycote1)
Approved-by: C. Erastus Toe (@ctoe)
Modifications: none
commit 817a9ce752e72d1633d4fed9e5fcdeed50765a01
Author: Sabrina Dubroca <sdubroca@redhat.com>
Date: Wed Apr 13 15:56:45 2022 +0200
esp: Fix possible buffer overflow in ESP transformation
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062108
Tested: reproducer + basic ipsec tests
CVE: CVE-2022-27666
commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon Mar 7 13:11:39 2022 +0100
esp: Fix possible buffer overflow in ESP transformation
The maximum message size that can be send is bigger than
the maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.
Fix this by doing a fallback to COW in that case.
v2:
Avoid get get_order() costs as suggested by Linus Torvalds.
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
commit 70414a083333d52297d1915374d78a200d7dcd4d
Author: Sabrina Dubroca <sdubroca@redhat.com>
Date: Wed Apr 13 15:56:58 2022 +0200
esp: limit skb_page_frag_refill use to a single page
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062108
Upstream Status: 5bd8baab087d in ipsec/master
Tested: reproducer + basic ipsec tests
CVE: CVE-2022-27666
commit 5bd8baab087dff657e05387aee802e70304cc813
Author: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed Apr 13 10:10:50 2022 +0200
esp: limit skb_page_frag_refill use to a single page
Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP
transformation") tried to fix skb_page_frag_refill usage in ESP by
capping allocsize to 32k, but that doesn't completely solve the issue,
as skb_page_frag_refill may return a single page. If that happens, we
will write out of bounds, despite the check introduced in the previous
patch.
This patch forces COW in cases where we would end up calling
skb_page_frag_refill with a size larger than a page (first in
esp_output_head with tailen, then in esp_output_tail with
skb->data_len).
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
net/ipv4/esp4.c | 4 ++++
net/ipv6/esp6.c | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index a09e36c4a413..2b52b40fde27 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -457,6 +457,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
return err;
}
+ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+ goto cow;
+
if (!skb_cloned(skb)) {
if (tailen <= skb_tailroom(skb)) {
nfrags = 1;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index ed2f061b8768..7f7b2e27109e 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -491,6 +491,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
return err;
}
+ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+ goto cow;
+
if (!skb_cloned(skb)) {
if (tailen <= skb_tailroom(skb)) {
nfrags = 1;
--
2.26.3