forked from rpms/kernel
Update to 4.18.0-477.27.1.el8_8
parent f41dc39bea
commit a35919e2be
@ -0,0 +1,56 @@
From 5bdcf7f9a8e44d61d724943167c381611b02a5ff Mon Sep 17 00:00:00 2001
From: Ruihan Li <lrh2000@pku.edu.cn>
Date: Sun, 16 Apr 2023 16:14:04 +0800
Subject: [PATCH 1/6] bluetooth: Perform careful capability checks in
hci_sock_ioctl()

Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.

However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.

This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.

Cc: stable@vger.kernel.org
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 25c150ac103a4ebeed0319994c742a90634ddf18)

CVE: CVE-2023-2002
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/bluetooth/hci_sock.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index d7c9ead69554..3cb8a2879ebb 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1000,7 +1000,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
if (hci_sock_gen_cookie(sk)) {
struct sk_buff *skb;

- if (capable(CAP_NET_ADMIN))
+ /* Perform careful checks before setting the HCI_SOCK_TRUSTED
+ * flag. Make sure that not only the current task but also
+ * the socket opener has the required capability, since
+ * privileged programs can be tricked into making ioctl calls
+ * on HCI sockets, and the socket should not be marked as
+ * trusted simply because the ioctl caller is privileged.
+ */
+ if (sk_capable(sk, CAP_NET_ADMIN))
hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);

/* Send event to monitor */
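Review bot: the new sk_capable(sk, CAP_NET_ADMIN) check is evaluated only inside the hci_sock_gen_cookie(sk) branch, and the commit message says HCI_SOCK_TRUSTED then stays set for the socket, so this is the single decision point that matters. sk_capable() requires CAP_NET_ADMIN of both the calling task and the credentials the socket was opened with, which closes the "share an HCI socket with a privileged task" path described above. Two things worth confirming for the el8 backport: that this tree's sk_capable() still checks the socket file's credentials rather than only current, and whether any other site that sets HCI_SOCK_TRUSTED still uses plain capable() and needs the same treatment. The added comment is good; it would be even clearer if it also said the flag is sticky, since that is why the opener's credentials have to be part of the check.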
--
2.39.3

@ -0,0 +1,172 @@
From e594c8e25c5f6a3432c324cf8df93d34578825bb Mon Sep 17 00:00:00 2001
From: "t.feng" <fengtao40@huawei.com>
Date: Wed, 10 May 2023 11:50:44 +0800
Subject: [PATCH 2/6] ipvlan:Fix out-of-bounds caused by unclear skb->cb

If the skb is enqueued to the qdisc, fq_skb_cb(skb)->time_to_send, which
is actually skb->cb, is changed, and IPCB(skb_in)->opt will be used in
__ip_options_echo. It is possible that the memcpy is out of bounds and leads
to a stack overflow.
We should clear skb->cb before ip_local_out or ip6_local_out.

v2:
1. clean the stack info
2. use IPCB/IP6CB instead of skb->cb

crash on stable-5.10(reproduce in kasan kernel).
Stack info:
[ 2203.651571] BUG: KASAN: stack-out-of-bounds in
__ip_options_echo+0x589/0x800
[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
swapper/3/0
[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
[ 2203.655475] Call Trace:
[ 2203.655481] <IRQ>
[ 2203.655501] dump_stack+0x9c/0xd3
[ 2203.655514] print_address_description.constprop.0+0x19/0x170
[ 2203.655530] __kasan_report.cold+0x6c/0x84
[ 2203.655586] kasan_report+0x3a/0x50
[ 2203.655594] check_memory_region+0xfd/0x1f0
[ 2203.655601] memcpy+0x39/0x60
[ 2203.655608] __ip_options_echo+0x589/0x800
[ 2203.655654] __icmp_send+0x59a/0x960
[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT]
[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables]
[ 2203.655821] nf_hook_slow+0x69/0x100
[ 2203.655828] __ip_local_out+0x21e/0x2b0
[ 2203.655857] ip_local_out+0x28/0x90
[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
[ 2203.655984] xmit_one.constprop.0+0xe1/0x280
[ 2203.655992] dev_hard_start_xmit+0x62/0x100
[ 2203.656000] sch_direct_xmit+0x215/0x640
[ 2203.656028] __qdisc_run+0x153/0x1f0
[ 2203.656069] __dev_queue_xmit+0x77f/0x1030
[ 2203.656173] ip_finish_output2+0x59b/0xc20
[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0
[ 2203.656312] ip_finish_output+0x168/0x190
[ 2203.656320] ip_output+0x12d/0x220
[ 2203.656357] __ip_queue_xmit+0x392/0x880
[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0
[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30
[ 2203.656505] tcp_retransmit_skb+0x2d/0x190
[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0
[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510
[ 2203.656529] tcp_write_timer+0x55/0x180
[ 2203.656542] call_timer_fn+0x3f/0x1d0
[ 2203.656555] expire_timers+0x160/0x200
[ 2203.656562] run_timer_softirq+0x1f4/0x480
[ 2203.656606] __do_softirq+0xfd/0x402
[ 2203.656613] asm_call_irq_on_stack+0x12/0x20
[ 2203.656617] </IRQ>
[ 2203.656623] do_softirq_own_stack+0x37/0x50
[ 2203.656631] irq_exit_rcu+0x134/0x1a0
[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80
[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
ffffffffaf290191
[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
ffff88811a3c4f60
[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
ffff88811a3c4f63
[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
0000000000000003
[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
0000000000000000
[ 2203.656729] default_idle_call+0x5a/0x150
[ 2203.656735] cpuidle_idle_call+0x1c6/0x220
[ 2203.656780] do_idle+0xab/0x100
[ 2203.656786] cpu_startup_entry+0x19/0x20
[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb

[ 2203.657409] The buggy address belongs to the page:
[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x11a388
[ 2203.658665] flags:
0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
0000000000000000
[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
0000000000000000
[ 2203.658686] page dumped because: kasan: bad access detected

To reproduce(ipvlan with IPVLAN_MODE_L3):
Env setting:
=======================================================
modprobe ipvlan ipvlan_default_mode=1
sysctl net.ipv4.conf.eth0.forwarding=1
iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
MASQUERADE
ip link add gw link eth0 type ipvlan
ip -4 addr add 20.0.0.254/24 dev gw
ip netns add net1
ip link add ipv1 link eth0 type ipvlan
ip link set ipv1 netns net1
ip netns exec net1 ip link set ipv1 up
ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
ip netns exec net1 route add default gw 20.0.0.254
ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
ifconfig gw up
iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
icmp-port-unreachable
=======================================================
And then execute the shell(curl any address of eth0 can reach):

for((i=1;i<=100000;i++))
do
ip netns exec net1 curl x.x.x.x:8888
done
=======================================================

Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: "t.feng" <fengtao40@huawei.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 90cbed5247439a966b645b34eb0a2e037836ea8e)

CVE: CVE-2023-3090
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
drivers/net/ipvlan/ipvlan_core.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index 62c73a8ed0c3..f1ffe1800754 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -443,6 +443,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
goto err;
}
skb_dst_set(skb, &rt->dst);
+
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+
err = ip_local_out(net, skb->sk, skb);
if (unlikely(net_xmit_eval(err)))
dev->stats.tx_errors++;
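Review bot: the memset(IPCB(skb), 0, sizeof(*IPCB(skb))) before ip_local_out() has no comment explaining why it is there, and a bare clear like this is easy to mistake for dead code and remove later. Suggest a short comment above it saying that skb->cb may still carry qdisc state from the lower device (the trace above shows fq_skb_cb data being consumed as IPCB(skb)->opt in __ip_options_echo) and that the IP output path expects a clean control block. The placement is right: it comes after skb_dst_set(), which stores the dst outside cb, and clears only the IPCB view, which is the part the IPv4 output and ICMP reject code read.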
@@ -481,6 +484,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
goto err;
}
skb_dst_set(skb, dst);
+
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+
err = ip6_local_out(net, skb->sk, skb);
if (unlikely(net_xmit_eval(err)))
dev->stats.tx_errors++;
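Review bot: same point as the IPv4 hunk: the memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))) deserves a comment, and since the two hunks differ only in IPCB versus IP6CB, a tiny shared helper that clears the control block would keep the two outbound paths from drifting apart. Note also that the reproducer in the commit message exercises only the IPv4 path (ipt_REJECT with a netem qdisc on the ipvlan device); the IPv6 clear is applied by analogy, so running the equivalent IPv6 setup on the el8 kernel before shipping would confirm this half of the backport.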
--
2.39.3

@ -0,0 +1,62 @@
From 0da574f21ad25aae92e8262b7636dc95cf12aacf Mon Sep 17 00:00:00 2001
From: M A Ramdhan <ramdhan@starlabs.sg>
Date: Wed, 5 Jul 2023 12:15:30 -0400
Subject: [PATCH 3/6] net/sched: cls_fw: Fix improper refcount update leads to
use-after-free

In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing the
reference counter in tcf_bind_filter(). If an attacker can control the
reference counter to zero and make the reference freed, it leads to a
use after free.

In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f)

CVE: CVE-2023-3776
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/sched/cls_fw.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 6a0d3ee00758..4240ca68cbc4 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -214,11 +214,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
if (err < 0)
return err;

- if (tb[TCA_FW_CLASSID]) {
- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
- tcf_bind_filter(tp, &f->res, base);
- }
-
if (tb[TCA_FW_INDEV]) {
int ret;
ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
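Review bot: taking the TCA_FW_CLASSID block out from above the TCA_FW_INDEV handling is the core of the fix: tcf_bind_filter() adjusts the class reference count, and with the old ordering a failing tcf_change_indev() returned the error after the bind had already been done, with nothing on that path undoing it. Since fw_set_parms() can now fail before any bind has happened, it is worth checking that the caller's error path does not unbind a filter that was never bound, otherwise the imbalance just moves in the other direction. Removing the trailing blank line together with the block keeps the spacing consistent with where it is re-added below.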
@@ -235,6 +230,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
} else if (head->mask != 0xFFFFFFFF)
return err;

+ if (tb[TCA_FW_CLASSID]) {
+ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+ tcf_bind_filter(tp, &f->res, base);
+ }
+
return 0;
}

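Review bot: the re-added TCA_FW_CLASSID block now sits after the last early return (the `} else if (head->mask != 0xFFFFFFFF) return err;` branch), so tcf_bind_filter() runs only once every validation step has passed and the bind is always paired with a filter that is actually installed. One readability point: `return err` in that else-if branch relies on err having been set earlier in the function, outside this hunk; a one-line comment there would make the failure paths easier to audit when the next person moves code around. Otherwise the move is correct and the net line count is unchanged, which is what you want for a stable backport.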
--
2.39.3

@ -0,0 +1,63 @@
From 036bd76b11980194badfb3b281a0307b4f6be7df Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 19 Jul 2023 21:08:21 +0200
Subject: [PATCH 4/6] netfilter: nft_set_pipapo: fix improper element removal

end key should be equal to start unless NFT_SET_EXT_KEY_END is present.

It's possible to add elements that only have a start key
("{ 1.0.0.0 . 2.0.0.0 }") without an interval end.

Insertion treats this via:

if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
end = (const u8 *)nft_set_ext_key_end(ext)->data;
else
end = start;

but removal side always uses nft_set_ext_key_end().
This is wrong and leads to garbage remaining in the set after removal;
the next lookup/insert attempt will give:

BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
Call Trace:
kasan_report+0x105/0x140
pipapo_get+0x8eb/0xb90
nft_pipapo_insert+0x1dc/0x1710
nf_tables_newsetelem+0x31f5/0x4e00
..

Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Reported-by: lonial con <kongln9170@gmail.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 87b5a5c209405cb6b57424cdfa226a6dbd349232)

CVE: CVE-2023-4004
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/netfilter/nft_set_pipapo.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 1eab335fb14b..0181617f9628 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1797,7 +1797,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
int i, start, rules_fx;

match_start = data;
- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
+
+ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
+ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
+ else
+ match_end = data;

start = first_rule;
rules_fx = rules_f0;
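Review bot: the removal path now picks match_end the same way insertion does (the NFT_SET_EXT_KEY_END extension when present, otherwise the start key), which is exactly the mismatch the commit message describes. Because the same if/else now lives in two places, a small helper that returns the end-key pointer for an element, used by both nft_pipapo_insert and nft_pipapo_remove, would stop a future change from reintroducing the divergence. A regression test that adds a single-key concatenated element, removes it, and then looks it up or re-inserts it covers precisely the slab-use-after-free in the trace above and is cheap to add to the nft test suite.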
--
2.39.3

@ -0,0 +1,217 @@
From b8f43f1b9945bb063ef0eae3bcdc6e04d8728d8f Mon Sep 17 00:00:00 2001
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Date: Wed, 5 Jul 2023 18:05:35 -0300
Subject: [PATCH 5/6] netfilter: nf_tables: prevent OOB access in
nft_byteorder_eval

When evaluating byteorder expressions with size 2, a union with 32-bit and
16-bit members is used. Since the 16-bit members are aligned to 32-bit,
the array accesses will be out-of-bounds.

It may lead to a stack-out-of-bounds access like the one below:

[ 23.095215] ==================================================================
[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320
[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115
[ 23.096358]
[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413
[ 23.096770] Call Trace:
[ 23.096910] <IRQ>
[ 23.097030] dump_stack_lvl+0x60/0xc0
[ 23.097218] print_report+0xcf/0x630
[ 23.097388] ? nft_byteorder_eval+0x13c/0x320
[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0
[ 23.097760] ? nft_byteorder_eval+0x13c/0x320
[ 23.097949] kasan_report+0xc9/0x110
[ 23.098106] ? nft_byteorder_eval+0x13c/0x320
[ 23.098298] __asan_load2+0x83/0xd0
[ 23.098453] nft_byteorder_eval+0x13c/0x320
[ 23.098659] nft_do_chain+0x1c8/0xc50
[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10
[ 23.099078] ? __kasan_check_read+0x11/0x20
[ 23.099295] ? __pfx___lock_acquire+0x10/0x10
[ 23.099535] ? __pfx___lock_acquire+0x10/0x10
[ 23.099745] ? __kasan_check_read+0x11/0x20
[ 23.099929] nft_do_chain_ipv4+0xfe/0x140
[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10
[ 23.100327] ? lock_release+0x204/0x400
[ 23.100515] ? nf_hook.constprop.0+0x340/0x550
[ 23.100779] nf_hook_slow+0x6c/0x100
[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10
[ 23.101223] nf_hook.constprop.0+0x334/0x550
[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10
[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10
[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10
[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10
[ 23.102291] ? rcu_read_lock_held+0x4b/0x70
[ 23.102481] ip_local_deliver+0xbb/0x110
[ 23.102665] ? __pfx_ip_rcv+0x10/0x10
[ 23.102839] ip_rcv+0x199/0x2a0
[ 23.102980] ? __pfx_ip_rcv+0x10/0x10
[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150
[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10
[ 23.103647] ? mark_held_locks+0x48/0xa0
[ 23.103819] ? process_backlog+0x36c/0x380
[ 23.103999] __netif_receive_skb+0x23/0xc0
[ 23.104179] process_backlog+0x91/0x380
[ 23.104350] __napi_poll.constprop.0+0x66/0x360
[ 23.104589] ? net_rx_action+0x1cb/0x610
[ 23.104811] net_rx_action+0x33e/0x610
[ 23.105024] ? _raw_spin_unlock+0x23/0x50
[ 23.105257] ? __pfx_net_rx_action+0x10/0x10
[ 23.105485] ? mark_held_locks+0x48/0xa0
[ 23.105741] __do_softirq+0xfa/0x5ab
[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00
[ 23.106193] do_softirq.part.0+0x49/0xc0
[ 23.106423] </IRQ>
[ 23.106547] <TASK>
[ 23.106670] __local_bh_enable_ip+0xf5/0x120
[ 23.106903] __dev_queue_xmit+0x789/0x1c00
[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10
[ 23.107381] ? find_held_lock+0x8e/0xb0
[ 23.107585] ? lock_release+0x204/0x400
[ 23.107798] ? neigh_resolve_output+0x185/0x350
[ 23.108049] ? mark_held_locks+0x48/0xa0
[ 23.108265] ? neigh_resolve_output+0x185/0x350
[ 23.108514] neigh_resolve_output+0x246/0x350
[ 23.108753] ? neigh_resolve_output+0x246/0x350
[ 23.109003] ip_finish_output2+0x3c3/0x10b0
[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10
[ 23.109510] ? __pfx_nf_hook+0x10/0x10
[ 23.109732] __ip_finish_output+0x217/0x390
[ 23.109978] ip_finish_output+0x2f/0x130
[ 23.110207] ip_output+0xc9/0x170
[ 23.110404] ip_push_pending_frames+0x1a0/0x240
[ 23.110652] raw_sendmsg+0x102e/0x19e0
[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10
[ 23.111093] ? lock_release+0x204/0x400
[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330
[ 23.111567] ? find_held_lock+0x8e/0xb0
[ 23.111777] ? find_held_lock+0x8e/0xb0
[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0
[ 23.112225] ? aa_sk_perm+0x18a/0x550
[ 23.112431] ? filemap_map_pages+0x4f1/0x900
[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10
[ 23.112880] ? find_held_lock+0x8e/0xb0
[ 23.113098] inet_sendmsg+0xa0/0xb0
[ 23.113297] ? inet_sendmsg+0xa0/0xb0
[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10
[ 23.113727] sock_sendmsg+0xf4/0x100
[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0
[ 23.114190] __sys_sendto+0x1d4/0x290
[ 23.114391] ? __pfx___sys_sendto+0x10/0x10
[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10
[ 23.114869] ? lock_release+0x204/0x400
[ 23.115076] ? find_held_lock+0x8e/0xb0
[ 23.115287] ? rcu_is_watching+0x23/0x60
[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860
[ 23.115778] ? __kasan_check_write+0x14/0x30
[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770
[ 23.116285] ? mark_held_locks+0x28/0xa0
[ 23.116503] ? do_syscall_64+0x37/0x90
[ 23.116713] __x64_sys_sendto+0x7f/0xb0
[ 23.116924] do_syscall_64+0x59/0x90
[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30
[ 23.117387] ? irqentry_exit+0x77/0xb0
[ 23.117593] ? exc_page_fault+0x92/0x140
[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 23.118081] RIP: 0033:0x7f744aee2bba
[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba
[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003
[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010
[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0
[ 23.121617] </TASK>
[ 23.121749]
[ 23.121845] The buggy address belongs to the virtual mapping at
[ 23.121845] [ffffc90000000000, ffffc90000009000) created by:
[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270
[ 23.122707]
[ 23.122803] The buggy address belongs to the physical page:
[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09
[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
[ 23.123998] page_type: 0xffffffff()
[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000
[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 23.125023] page dumped because: kasan: bad access detected
[ 23.125326]
[ 23.125421] Memory state around the buggy address:
[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00
[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00
[ 23.126840] ^
[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3
[ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 23.127906] ==================================================================
[ 23.128324] Disabling lock debugging due to kernel taint

Using simple s16 pointers for the 16-bit accesses fixes the problem. For
the 32-bit accesses, src and dst can be used directly.

Fixes: 96518518cc41 ("netfilter: add nftables")
Cc: stable@vger.kernel.org
Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd)

CVE: CVE-2023-35001
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/netfilter/nft_byteorder.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
index 6fc6f2f45b0a..a752c98e97fb 100644
--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -33,11 +33,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
const struct nft_byteorder *priv = nft_expr_priv(expr);
u32 *src = &regs->data[priv->sreg];
u32 *dst = &regs->data[priv->dreg];
- union { u32 u32; u16 u16; } *s, *d;
+ u16 *s16, *d16;
unsigned int i;

- s = (void *)src;
- d = (void *)dst;
+ s16 = (void *)src;
+ d16 = (void *)dst;

switch (priv->size) {
case 8: {
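Review bot: replacing `union { u32 u32; u16 u16; } *s, *d` with plain u16 pointers is the actual fix. With the union, s[i].u16 advanced by sizeof(union) = 4 bytes per step while the 16-bit loop (third hunk) runs priv->len / 2 iterations, so the accesses reached twice as far as the register bytes the expression owns; a u16 pointer advances 2 bytes per step and stays within priv->len. s16/d16 are now assigned unconditionally even though only the size-2 case uses them, which is harmless, but a comment saying they alias src/dst would help, because the (void *) casts hide the aliasing from a reader.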
@@ -64,11 +64,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
switch (priv->op) {
case NFT_BYTEORDER_NTOH:
for (i = 0; i < priv->len / 4; i++)
- d[i].u32 = ntohl((__force __be32)s[i].u32);
+ dst[i] = ntohl((__force __be32)src[i]);
break;
case NFT_BYTEORDER_HTON:
for (i = 0; i < priv->len / 4; i++)
- d[i].u32 = (__force __u32)htonl(s[i].u32);
+ dst[i] = (__force __u32)htonl(src[i]);
break;
}
break;
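Review bot: this hunk is a pure rename (d[i].u32 / s[i].u32 become dst[i] / src[i]) with no behavioural change; the 32-bit loop was already stepping 4-byte elements with a priv->len / 4 bound. Keeping it is fine for staying identical to upstream caf3ef7468f7, but it would help the next reviewer of the el8 backport if the CVE note stated that only the size-2 hunk is the functional change.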
@@ -76,11 +76,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
switch (priv->op) {
case NFT_BYTEORDER_NTOH:
for (i = 0; i < priv->len / 2; i++)
- d[i].u16 = ntohs((__force __be16)s[i].u16);
+ d16[i] = ntohs((__force __be16)s16[i]);
break;
case NFT_BYTEORDER_HTON:
for (i = 0; i < priv->len / 2; i++)
- d[i].u16 = (__force __u16)htons(s[i].u16);
+ d16[i] = (__force __u16)htons(s16[i]);
break;
}
break;
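Review bot: this is the functional change for the size-2 case: d16[i] and s16[i] now index 2-byte elements, so the priv->len / 2 bound walks exactly priv->len bytes instead of 2 * priv->len. The fix is only sound if priv->len and the sreg/dreg register ranges were already validated when the expression was created (this hunk assumes it); for the backport it is worth confirming that the init-time checks in the el8 tree match upstream, since a stale validation would leave the same read reachable through a different length.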
--
2.39.3

@ -0,0 +1,44 @@
From b07f2873225c6e16abd6ec352e9cd52a72fe7785 Mon Sep 17 00:00:00 2001
From: Hangyu Hua <hbh25y@gmail.com>
Date: Wed, 31 May 2023 18:28:04 +0800
Subject: [PATCH 6/6] net/sched: flower: fix possible OOB write in
fl_set_geneve_opt()

If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
size is 252 bytes(key->enc_opts.len = 252) then
key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
bypasses the next bounds check and results in an out-of-bounds write.

Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 4d56304e5827c8cc8cc18c75343d283af7c4825c)

CVE: CVE-2023-35788
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/sched/cls_flower.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index b81abfcd2a19..ca232483cfab 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1151,6 +1151,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
if (option_len > sizeof(struct geneve_opt))
data_len = option_len - sizeof(struct geneve_opt);

+ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
+ return -ERANGE;
+
opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
memset(opt, 0xff, option_len);
opt->length = data_len / 4;
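Review bot: the new `key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4` guard rejects a further option once fewer than 4 bytes of enc_opts.data remain, which is what stops the `opt->length = data_len / 4 = 0` wrap in the commit message from slipping past the later length check. The literal 4 is the size of the option header that the memset(opt, 0xff, option_len) and the opt->length store below write at &key->enc_opts.data[key->enc_opts.len] before the full length is validated; spelling it as `FLOW_DIS_TUN_OPTS_MAX - sizeof(struct geneve_opt)` would tie the guard to the structure it protects and survive a future change to that header. If this function has an extack parameter in the el8 tree, an NL_SET_ERR_MSG alongside the -ERANGE would tell userspace why the filter was refused.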
--
2.39.3

@ -38,11 +38,11 @@
# define buildid .local

%define rpmversion 4.18.0
%define pkgrelease 477.21.3.el8_8
%define pkgrelease 477.27.1.el8_8
%define tarfile_release 477.13.1.el8_8

# allow pkg_release to have configurable %%{?dist} tag
%define specrelease 477.21.3%{?dist}
%define specrelease 477.27.1%{?dist}

%define pkg_release %{specrelease}%{?buildid}

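Review bot: pkgrelease and specrelease move from 477.21.3 to 477.27.1 while tarfile_release stays at 477.13.1.el8_8, so this build is still the 477.13.1 source tarball plus the patch stack; that is consistent with the six new Patch entries being the only content change, but one line in the commit message saying so would save the next reader from re-deriving it. Note also that the rendered diff has lost its -/+ markers, so the two pkgrelease lines and the two specrelease lines shown are removed/added pairs, not duplicates in the spec.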
@ -523,17 +523,23 @@ Source4001: rpminspect.yaml
# empty final patch to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch

Patch1000: debrand-single-cpu.patch
# Patch1001: debrand-rh_taint.patch
Patch1002: debrand-rh-i686-cpu.patch
Patch1003: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
Patch1004: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
Patch1005: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
Patch1006: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch
Patch1007: 1005-net-sched-Retire-tcindex-classifier.patch
Patch1008: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
Patch1009: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
Patch1010: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
Patch0001: debrand-single-cpu.patch
# Patch0002: debrand-rh_taint.patch
Patch0003: debrand-rh-i686-cpu.patch
Patch1001: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
Patch1002: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
Patch1003: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
Patch1004: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch
Patch1005: 1005-net-sched-Retire-tcindex-classifier.patch
Patch1006: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
Patch1007: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
Patch1008: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
Patch1009: 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
Patch1010: 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
Patch1011: 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch
Patch1012: 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
Patch1013: 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
Patch1014: 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch

Patch9001: 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
Patch9002: 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
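Review bot: this hunk mixes two unrelated changes: renumbering the existing entries (the debrand patches go from Patch1000-1002 to Patch0001-0003, and Patch1003-1010 become Patch1001-1008 so the tag finally matches each file-name prefix) and adding Patch1009-1014 for the six CVE backports. The renumbering is an improvement, but it would be easier to review and to bisect as its own commit; as it stands the hunk shows 11 lines replaced and 17 added for what is functionally 6 additions. The ApplyPatch hunk below applies patches by file name rather than by PatchNNNN tag, so the renumbering is safe for the apply step, but any %patchNNNN reference elsewhere in the spec would need the same update.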
@ -1108,6 +1114,12 @@ ApplyPatch 1005-net-sched-Retire-tcindex-classifier.patch
ApplyPatch 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
ApplyPatch 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
ApplyPatch 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
ApplyPatch 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
ApplyPatch 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
ApplyPatch 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch
ApplyPatch 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
ApplyPatch 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
ApplyPatch 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch

ApplyPatch 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
ApplyPatch 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
@ -2715,6 +2727,14 @@ fi
#
#
%changelog
* Thu Sep 21 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.27.1.el8_8]
- bluetooth: Perform careful capability checks in hci_sock_ioctl() {CVE-2023-2002}
- ipvlan:Fix out-of-bounds caused by unclear skb->cb {CVE-2023-3090}
- net/sched: cls_fw: Fix improper refcount update leads to use-after-free {CVE-2023-3776}
- netfilter: nft_set_pipapo: fix improper element removal {CVE-2023-4004}
- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval {CVE-2023-35001}
- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() {CVE-2023-35788}

* Fri Sep 08 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.21.3.el8_8]
- x86/microcode/AMD: Load late on both threads too

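Review bot: the changelog entry lists each backport with its CVE id, and the six ids match the CVE: trailers in the added patch files, which is what a scanner or an auditor will key on. Minor style point: the second bullet inherits the upstream subject's missing space (`ipvlan:Fix`); the changelog is user-facing, so `ipvlan: Fix` would read better without changing the patch file name, which keeps the upstream form.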