From a35919e2be57c8bdf22cfc3dee574e83ecb1127e Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Thu, 21 Sep 2023 09:49:54 +0000 Subject: [PATCH] Update to 4.18.0-477.27.1.el8_8 --- ...m-careful-capability-checks-in-hci_s.patch | 56 +++++ ...t-of-bounds-caused-by-unclear-skb-cb.patch | 172 ++++++++++++++ ...-Fix-improper-refcount-update-leads-.patch | 62 +++++ ...t_pipapo-fix-improper-element-remova.patch | 63 +++++ ...les-prevent-OOB-access-in-nft_byteor.patch | 217 ++++++++++++++++++ ...-fix-possible-OOB-write-in-fl_set_ge.patch | 44 ++++ SPECS/kernel.spec | 46 ++-- 7 files changed, 647 insertions(+), 13 deletions(-) create mode 100644 SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch create mode 100644 SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch create mode 100644 SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch create mode 100644 SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch create mode 100644 SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch create mode 100644 SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch diff --git a/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch b/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch new file mode 100644 index 0000000..f24e08e --- /dev/null +++ b/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch 
@@ -0,0 +1,56 @@ +From 5bdcf7f9a8e44d61d724943167c381611b02a5ff Mon Sep 17 00:00:00 2001 +From: Ruihan Li +Date: Sun, 16 Apr 2023 16:14:04 +0800 +Subject: [PATCH 1/6] bluetooth: Perform careful capability checks in + hci_sock_ioctl() + +Previously, capability was checked using capable(), which verified that the +caller of the ioctl system call had the required capability. In addition, +the result of the check would be stored in the HCI_SOCK_TRUSTED flag, +making it persistent for the socket. + +However, malicious programs can abuse this approach by deliberately sharing +an HCI socket with a privileged task. The HCI socket will be marked as +trusted when the privileged task occasionally makes an ioctl call. + +This problem can be solved by using sk_capable() to check capability, which +ensures that not only the current task but also the socket opener has the +specified capability, thus reducing the risk of privilege escalation +through the previously identified vulnerability. + +Cc: stable@vger.kernel.org +Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets") +Signed-off-by: Ruihan Li +Signed-off-by: Luiz Augusto von Dentz +(cherry picked from commit 25c150ac103a4ebeed0319994c742a90634ddf18) + +CVE: CVE-2023-2002 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + net/bluetooth/hci_sock.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index d7c9ead69554..3cb8a2879ebb 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -1000,7 +1000,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, + if (hci_sock_gen_cookie(sk)) { + struct sk_buff *skb; + +- if (capable(CAP_NET_ADMIN)) ++ /* Perform careful checks before setting the HCI_SOCK_TRUSTED ++ * flag. 
Make sure that not only the current task but also ++ * the socket opener has the required capability, since ++ * privileged programs can be tricked into making ioctl calls ++ * on HCI sockets, and the socket should not be marked as ++ * trusted simply because the ioctl caller is privileged. ++ */ ++ if (sk_capable(sk, CAP_NET_ADMIN)) + hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); + + /* Send event to monitor */ +-- +2.39.3 + diff --git a/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch b/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch new file mode 100644 index 0000000..1b27d11 --- /dev/null +++ b/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch 
@@ -0,0 +1,172 @@ +From e594c8e25c5f6a3432c324cf8df93d34578825bb Mon Sep 17 00:00:00 2001 +From: "t.feng" +Date: Wed, 10 May 2023 11:50:44 +0800 +Subject: [PATCH 2/6] ipvlan:Fix out-of-bounds caused by unclear skb->cb + +If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which +is actually skb->cb, and IPCB(skb_in)->opt will be used in +__ip_options_echo. It is possible that memcpy is out of bounds and lead +to stack overflow. +We should clear skb->cb before ip_local_out or ip6_local_out. + +v2: +1. clean the stack info +2. use IPCB/IP6CB instead of skb->cb + +crash on stable-5.10(reproduce in kasan kernel). +Stack info: +[ 2203.651571] BUG: KASAN: stack-out-of-bounds in +__ip_options_echo+0x589/0x800 +[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task +swapper/3/0 +[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted +5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1 +[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014 +[ 2203.655475] Call Trace: +[ 2203.655481] +[ 2203.655501] dump_stack+0x9c/0xd3 +[ 2203.655514] print_address_description.constprop.0+0x19/0x170 +[ 2203.655530] __kasan_report.cold+0x6c/0x84 +[ 2203.655586] kasan_report+0x3a/0x50 +[ 2203.655594] check_memory_region+0xfd/0x1f0 +[ 2203.655601] memcpy+0x39/0x60 +[ 2203.655608] __ip_options_echo+0x589/0x800 +[ 2203.655654] __icmp_send+0x59a/0x960 +[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4] +[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT] +[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables] +[ 2203.655821] nf_hook_slow+0x69/0x100 +[ 2203.655828] __ip_local_out+0x21e/0x2b0 +[ 2203.655857] ip_local_out+0x28/0x90 +[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan] +[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan] +[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan] +[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan] +[ 2203.655984] 
xmit_one.constprop.0+0xe1/0x280 +[ 2203.655992] dev_hard_start_xmit+0x62/0x100 +[ 2203.656000] sch_direct_xmit+0x215/0x640 +[ 2203.656028] __qdisc_run+0x153/0x1f0 +[ 2203.656069] __dev_queue_xmit+0x77f/0x1030 +[ 2203.656173] ip_finish_output2+0x59b/0xc20 +[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0 +[ 2203.656312] ip_finish_output+0x168/0x190 +[ 2203.656320] ip_output+0x12d/0x220 +[ 2203.656357] __ip_queue_xmit+0x392/0x880 +[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0 +[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30 +[ 2203.656505] tcp_retransmit_skb+0x2d/0x190 +[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0 +[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510 +[ 2203.656529] tcp_write_timer+0x55/0x180 +[ 2203.656542] call_timer_fn+0x3f/0x1d0 +[ 2203.656555] expire_timers+0x160/0x200 +[ 2203.656562] run_timer_softirq+0x1f4/0x480 +[ 2203.656606] __do_softirq+0xfd/0x402 +[ 2203.656613] asm_call_irq_on_stack+0x12/0x20 +[ 2203.656617] +[ 2203.656623] do_softirq_own_stack+0x37/0x50 +[ 2203.656631] irq_exit_rcu+0x134/0x1a0 +[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80 +[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20 +[ 2203.656654] RIP: 0010:default_idle+0x13/0x20 +[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc +cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb +f4 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08 +[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256 +[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX: +ffffffffaf290191 +[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI: +ffff88811a3c4f60 +[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09: +ffff88811a3c4f63 +[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12: +0000000000000003 +[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15: +0000000000000000 +[ 2203.656729] default_idle_call+0x5a/0x150 +[ 2203.656735] cpuidle_idle_call+0x1c6/0x220 +[ 
2203.656780] do_idle+0xab/0x100 +[ 2203.656786] cpu_startup_entry+0x19/0x20 +[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb + +[ 2203.657409] The buggy address belongs to the page: +[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0 +mapping:0000000000000000 index:0x0 pfn:0x11a388 +[ 2203.658665] flags: +0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff) +[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208 +0000000000000000 +[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff +0000000000000000 +[ 2203.658686] page dumped because: kasan: bad access detected + +To reproduce(ipvlan with IPVLAN_MODE_L3): +Env setting: +======================================================= +modprobe ipvlan ipvlan_default_mode=1 +sysctl net.ipv4.conf.eth0.forwarding=1 +iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j +MASQUERADE +ip link add gw link eth0 type ipvlan +ip -4 addr add 20.0.0.254/24 dev gw +ip netns add net1 +ip link add ipv1 link eth0 type ipvlan +ip link set ipv1 netns net1 +ip netns exec net1 ip link set ipv1 up +ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1 +ip netns exec net1 route add default gw 20.0.0.254 +ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10% +ifconfig gw up +iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with +icmp-port-unreachable +======================================================= +And then excute the shell(curl any address of eth0 can reach): + +for((i=1;i<=100000;i++)) +do + ip netns exec net1 curl x.x.x.x:8888 +done +======================================================= + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: "t.feng" +Suggested-by: Florian Westphal +Reviewed-by: Paolo Abeni +Signed-off-by: David S. 
Miller +(cherry picked from commit 90cbed5247439a966b645b34eb0a2e037836ea8e) + +CVE: CVE-2023-3090 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + drivers/net/ipvlan/ipvlan_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 62c73a8ed0c3..f1ffe1800754 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -443,6 +443,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, &rt->dst); ++ ++ memset(IPCB(skb), 0, sizeof(*IPCB(skb))); ++ + err = ip_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +@@ -481,6 +484,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, dst); ++ ++ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); ++ + err = ip6_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +-- +2.39.3 + diff --git a/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch b/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch new file mode 100644 index 0000000..2a4a108 --- /dev/null +++ b/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch 
@@ -0,0 +1,62 @@ +From 0da574f21ad25aae92e8262b7636dc95cf12aacf Mon Sep 17 00:00:00 2001 +From: M A Ramdhan +Date: Wed, 5 Jul 2023 12:15:30 -0400 +Subject: [PATCH 3/6] net/sched: cls_fw: Fix improper refcount update leads to + use-after-free + +In the event of a failure in tcf_change_indev(), fw_set_parms() will +immediately return an error after incrementing or decrementing +reference counter in tcf_bind_filter(). If attacker can control +reference counter to zero and make reference freed, leading to +use after free. + +In order to prevent this, move the point of possible failure above the +point where the TC_FW_CLASSID is handled. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: M A Ramdhan +Signed-off-by: M A Ramdhan +Acked-by: Jamal Hadi Salim +Reviewed-by: Pedro Tammela +Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg> +Signed-off-by: Jakub Kicinski +(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f) + +CVE: CVE-2023-3776 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + net/sched/cls_fw.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c +index 6a0d3ee00758..4240ca68cbc4 100644 +--- a/net/sched/cls_fw.c ++++ b/net/sched/cls_fw.c +@@ -214,11 +214,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, + if (err < 0) + return err; + +- if (tb[TCA_FW_CLASSID]) { +- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); +- tcf_bind_filter(tp, &f->res, base); +- } +- + if (tb[TCA_FW_INDEV]) { + int ret; + ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack); +@@ -235,6 +230,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp, + } else if (head->mask != 0xFFFFFFFF) + return err; + ++ if (tb[TCA_FW_CLASSID]) { ++ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]); ++ tcf_bind_filter(tp, &f->res, base); ++ } ++ + return 0; + } + +-- +2.39.3 + 
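Review bot: the relocated `if (tb[TCA_FW_CLASSID])` block in SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch deserves a one-line comment saying that tcf_bind_filter() must stay the last fallible step of fw_set_parms(), otherwise a later change can move it back above the `return ret;` from tcf_change_indev() or the `return err;` paths of the TCA_FW_MASK handling and reintroduce the refcount imbalance the commit message describes. The ordering itself is right: the moved block now sits directly before `return 0;` with no early return between them. The second hunk header `@@ -235,6 +230,11 @@` and the diffstat `5 insertions(+), 5 deletions(-)` agree with a pure move, so no context was lost in the cherry-pick.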
diff --git a/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch new file mode 100644 index 0000000..8aa2c93 --- /dev/null +++ b/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch 
@@ -0,0 +1,63 @@ +From 036bd76b11980194badfb3b281a0307b4f6be7df Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 19 Jul 2023 21:08:21 +0200 +Subject: [PATCH 4/6] netfilter: nft_set_pipapo: fix improper element removal + +end key should be equal to start unless NFT_SET_EXT_KEY_END is present. + +Its possible to add elements that only have a start key +("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. + +Insertion treats this via: + +if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) + end = (const u8 *)nft_set_ext_key_end(ext)->data; +else + end = start; + +but removal side always uses nft_set_ext_key_end(). +This is wrong and leads to garbage remaining in the set after removal +next lookup/insert attempt will give: + +BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 +Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 +Call Trace: + kasan_report+0x105/0x140 + pipapo_get+0x8eb/0xb90 + nft_pipapo_insert+0x1dc/0x1710 + nf_tables_newsetelem+0x31f5/0x4e00 + .. 
+ +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: lonial con +Reviewed-by: Stefano Brivio +Signed-off-by: Florian Westphal +(cherry picked from commit 87b5a5c209405cb6b57424cdfa226a6dbd349232) + +CVE: CVE-2023-4004 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + net/netfilter/nft_set_pipapo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index 1eab335fb14b..0181617f9628 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1797,7 +1797,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, + int i, start, rules_fx; + + match_start = data; +- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ ++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) ++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ else ++ match_end = data; + + start = first_rule; + rules_fx = rules_f0; +-- +2.39.3 + diff --git a/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch b/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch new file mode 100644 index 0000000..cdec0ec --- /dev/null +++ b/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch 
@@ -0,0 +1,217 @@ +From b8f43f1b9945bb063ef0eae3bcdc6e04d8728d8f Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Wed, 5 Jul 2023 18:05:35 -0300 +Subject: [PATCH 5/6] netfilter: nf_tables: prevent OOB access in + nft_byteorder_eval + +When evaluating byteorder expressions with size 2, a union with 32-bit and +16-bit members is used. Since the 16-bit members are aligned to 32-bit, +the array accesses will be out-of-bounds. + +It may lead to a stack-out-of-bounds access like the one below: + +[ 23.095215] ================================================================== +[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 +[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 +[ 23.096358] +[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 +[ 23.096770] Call Trace: +[ 23.096910] +[ 23.097030] dump_stack_lvl+0x60/0xc0 +[ 23.097218] print_report+0xcf/0x630 +[ 23.097388] ? nft_byteorder_eval+0x13c/0x320 +[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 +[ 23.097760] ? nft_byteorder_eval+0x13c/0x320 +[ 23.097949] kasan_report+0xc9/0x110 +[ 23.098106] ? nft_byteorder_eval+0x13c/0x320 +[ 23.098298] __asan_load2+0x83/0xd0 +[ 23.098453] nft_byteorder_eval+0x13c/0x320 +[ 23.098659] nft_do_chain+0x1c8/0xc50 +[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 +[ 23.099078] ? __kasan_check_read+0x11/0x20 +[ 23.099295] ? __pfx___lock_acquire+0x10/0x10 +[ 23.099535] ? __pfx___lock_acquire+0x10/0x10 +[ 23.099745] ? __kasan_check_read+0x11/0x20 +[ 23.099929] nft_do_chain_ipv4+0xfe/0x140 +[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 +[ 23.100327] ? lock_release+0x204/0x400 +[ 23.100515] ? nf_hook.constprop.0+0x340/0x550 +[ 23.100779] nf_hook_slow+0x6c/0x100 +[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 +[ 23.101223] nf_hook.constprop.0+0x334/0x550 +[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 +[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10 +[ 23.101882] ? 
__pfx_ip_rcv_finish+0x10/0x10 +[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 +[ 23.102291] ? rcu_read_lock_held+0x4b/0x70 +[ 23.102481] ip_local_deliver+0xbb/0x110 +[ 23.102665] ? __pfx_ip_rcv+0x10/0x10 +[ 23.102839] ip_rcv+0x199/0x2a0 +[ 23.102980] ? __pfx_ip_rcv+0x10/0x10 +[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 +[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 +[ 23.103647] ? mark_held_locks+0x48/0xa0 +[ 23.103819] ? process_backlog+0x36c/0x380 +[ 23.103999] __netif_receive_skb+0x23/0xc0 +[ 23.104179] process_backlog+0x91/0x380 +[ 23.104350] __napi_poll.constprop.0+0x66/0x360 +[ 23.104589] ? net_rx_action+0x1cb/0x610 +[ 23.104811] net_rx_action+0x33e/0x610 +[ 23.105024] ? _raw_spin_unlock+0x23/0x50 +[ 23.105257] ? __pfx_net_rx_action+0x10/0x10 +[ 23.105485] ? mark_held_locks+0x48/0xa0 +[ 23.105741] __do_softirq+0xfa/0x5ab +[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 +[ 23.106193] do_softirq.part.0+0x49/0xc0 +[ 23.106423] +[ 23.106547] +[ 23.106670] __local_bh_enable_ip+0xf5/0x120 +[ 23.106903] __dev_queue_xmit+0x789/0x1c00 +[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 +[ 23.107381] ? find_held_lock+0x8e/0xb0 +[ 23.107585] ? lock_release+0x204/0x400 +[ 23.107798] ? neigh_resolve_output+0x185/0x350 +[ 23.108049] ? mark_held_locks+0x48/0xa0 +[ 23.108265] ? neigh_resolve_output+0x185/0x350 +[ 23.108514] neigh_resolve_output+0x246/0x350 +[ 23.108753] ? neigh_resolve_output+0x246/0x350 +[ 23.109003] ip_finish_output2+0x3c3/0x10b0 +[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 +[ 23.109510] ? __pfx_nf_hook+0x10/0x10 +[ 23.109732] __ip_finish_output+0x217/0x390 +[ 23.109978] ip_finish_output+0x2f/0x130 +[ 23.110207] ip_output+0xc9/0x170 +[ 23.110404] ip_push_pending_frames+0x1a0/0x240 +[ 23.110652] raw_sendmsg+0x102e/0x19e0 +[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 +[ 23.111093] ? lock_release+0x204/0x400 +[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 +[ 23.111567] ? find_held_lock+0x8e/0xb0 +[ 23.111777] ? 
find_held_lock+0x8e/0xb0 +[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 +[ 23.112225] ? aa_sk_perm+0x18a/0x550 +[ 23.112431] ? filemap_map_pages+0x4f1/0x900 +[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 +[ 23.112880] ? find_held_lock+0x8e/0xb0 +[ 23.113098] inet_sendmsg+0xa0/0xb0 +[ 23.113297] ? inet_sendmsg+0xa0/0xb0 +[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 +[ 23.113727] sock_sendmsg+0xf4/0x100 +[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 +[ 23.114190] __sys_sendto+0x1d4/0x290 +[ 23.114391] ? __pfx___sys_sendto+0x10/0x10 +[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 +[ 23.114869] ? lock_release+0x204/0x400 +[ 23.115076] ? find_held_lock+0x8e/0xb0 +[ 23.115287] ? rcu_is_watching+0x23/0x60 +[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 +[ 23.115778] ? __kasan_check_write+0x14/0x30 +[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 +[ 23.116285] ? mark_held_locks+0x28/0xa0 +[ 23.116503] ? do_syscall_64+0x37/0x90 +[ 23.116713] __x64_sys_sendto+0x7f/0xb0 +[ 23.116924] do_syscall_64+0x59/0x90 +[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 +[ 23.117387] ? irqentry_exit+0x77/0xb0 +[ 23.117593] ? 
exc_page_fault+0x92/0x140 +[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 23.118081] RIP: 0033:0x7f744aee2bba +[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba +[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 +[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 +[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 +[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 +[ 23.121617] +[ 23.121749] +[ 23.121845] The buggy address belongs to the virtual mapping at +[ 23.121845] [ffffc90000000000, ffffc90000009000) created by: +[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 +[ 23.122707] +[ 23.122803] The buggy address belongs to the physical page: +[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 +[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) +[ 23.123998] page_type: 0xffffffff() +[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 +[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 +[ 23.125023] page dumped because: kasan: bad access detected +[ 23.125326] +[ 23.125421] Memory state around the buggy address: +[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 +[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 +[ 23.126840] ^ +[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 +[ 23.127522] ffffc90000007a00: 
f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 +[ 23.127906] ================================================================== +[ 23.128324] Disabling lock debugging due to kernel taint + +Using simple s16 pointers for the 16-bit accesses fixes the problem. For +the 32-bit accesses, src and dst can be used directly. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Cc: stable@vger.kernel.org +Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd) + +CVE: CVE-2023-35001 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + net/netfilter/nft_byteorder.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c +index 6fc6f2f45b0a..a752c98e97fb 100644 +--- a/net/netfilter/nft_byteorder.c ++++ b/net/netfilter/nft_byteorder.c +@@ -33,11 +33,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, + const struct nft_byteorder *priv = nft_expr_priv(expr); + u32 *src = ®s->data[priv->sreg]; + u32 *dst = ®s->data[priv->dreg]; +- union { u32 u32; u16 u16; } *s, *d; ++ u16 *s16, *d16; + unsigned int i; + +- s = (void *)src; +- d = (void *)dst; ++ s16 = (void *)src; ++ d16 = (void *)dst; + + switch (priv->size) { + case 8: { +@@ -64,11 +64,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = ntohl((__force __be32)s[i].u32); ++ dst[i] = ntohl((__force __be32)src[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = (__force __u32)htonl(s[i].u32); ++ dst[i] = (__force __u32)htonl(src[i]); + break; + } + break; +@@ -76,11 +76,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, + switch (priv->op) { + case 
NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = ntohs((__force __be16)s[i].u16); ++ d16[i] = ntohs((__force __be16)s16[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = (__force __u16)htons(s[i].u16); ++ d16[i] = (__force __u16)htons(s16[i]); + break; + } + break; +-- +2.39.3 + diff --git a/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch b/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch new file mode 100644 index 0000000..73bd680 --- /dev/null +++ b/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch 
@@ -0,0 +1,44 @@ +From b07f2873225c6e16abd6ec352e9cd52a72fe7785 Mon Sep 17 00:00:00 2001 +From: Hangyu Hua +Date: Wed, 31 May 2023 18:28:04 +0800 +Subject: [PATCH 6/6] net/sched: flower: fix possible OOB write in + fl_set_geneve_opt() + +If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total +size is 252 bytes(key->enc_opts.len = 252) then +key->enc_opts.len = opt->length = data_len / 4 = 0 when the third +TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This +bypasses the next bounds check and results in an out-of-bounds. + +Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") +Signed-off-by: Hangyu Hua +Reviewed-by: Simon Horman +Reviewed-by: Pieter Jansen van Vuuren +Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com +Signed-off-by: Paolo Abeni +(cherry picked from commit 4d56304e5827c8cc8cc18c75343d283af7c4825c) + +CVE: CVE-2023-35788 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + net/sched/cls_flower.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index b81abfcd2a19..ca232483cfab 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -1151,6 +1151,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, + if (option_len > sizeof(struct geneve_opt)) + data_len = option_len - sizeof(struct geneve_opt); + ++ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) ++ return -ERANGE; ++ + opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; + memset(opt, 0xff, option_len); + opt->length = data_len / 4; +-- +2.39.3 + diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 922c46a..c57097d 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec 
@@ -38,11 +38,11 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 477.21.3.el8_8 +%define pkgrelease 477.27.1.el8_8 %define tarfile_release 477.13.1.el8_8 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 477.21.3%{?dist} +%define specrelease 477.27.1%{?dist} %define pkg_release %{specrelease}%{?buildid} 
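Review bot: in the SPECS/kernel.spec version hunk, `%define tarfile_release 477.13.1.el8_8` is left unchanged while `pkgrelease` and `specrelease` move from 477.21.3 to 477.27.1; if that is deliberate (the base tarball stays at 477.13.1 and the newer fixes are carried as the SOURCES patches this commit adds), a comment next to tarfile_release stating so would save the next reviewer the same question, and the commit title "Update to 4.18.0-477.27.1.el8_8" should then be read as the package release rather than a source tree refresh.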
@@ -523,17 +523,23 @@ Source4001: rpminspect.yaml # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch -Patch1000: debrand-single-cpu.patch -# Patch1001: debrand-rh_taint.patch -Patch1002: debrand-rh-i686-cpu.patch -Patch1003: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch -Patch1004: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch -Patch1005: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch -Patch1006: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch -Patch1007: 1005-net-sched-Retire-tcindex-classifier.patch -Patch1008: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch -Patch1009: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch -Patch1010: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch +Patch0001: debrand-single-cpu.patch +# Patch0002: debrand-rh_taint.patch +Patch0003: debrand-rh-i686-cpu.patch +Patch1001: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch +Patch1002: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch +Patch1003: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch +Patch1004: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch +Patch1005: 1005-net-sched-Retire-tcindex-classifier.patch +Patch1006: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch +Patch1007: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch +Patch1008: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch +Patch1009: 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch +Patch1010: 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch +Patch1011: 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch +Patch1012: 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch +Patch1013: 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch +Patch1014: 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch Patch9001: 
9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch Patch9002: 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch @@ -1108,6 +1114,12 @@ ApplyPatch 1005-net-sched-Retire-tcindex-classifier.patch ApplyPatch 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch ApplyPatch 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch ApplyPatch 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch +ApplyPatch 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch +ApplyPatch 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch +ApplyPatch 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch +ApplyPatch 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch +ApplyPatch 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch +ApplyPatch 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch ApplyPatch 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch ApplyPatch 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch @@ -2715,6 +2727,14 @@ fi # # %changelog +* Thu Sep 21 2023 Andrew Lukoshko [4.18.0-477.27.1.el8_8] +- bluetooth: Perform careful capability checks in hci_sock_ioctl() {CVE-2023-2002} +- ipvlan:Fix out-of-bounds caused by unclear skb->cb {CVE-2023-3090} +- net/sched: cls_fw: Fix improper refcount update leads to use-after-free {CVE-2023-3776} +- netfilter: nft_set_pipapo: fix improper element removal {CVE-2023-4004} +- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval {CVE-2023-35001} +- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() {CVE-2023-35788} + * Fri Sep 08 2023 Andrew Lukoshko [4.18.0-477.21.3.el8_8] - x86/microcode/AMD: Load late on both threads too
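Review bot: the in-code comment added in SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch explains why the opener must be checked but not why the decision is sticky; since `hci_sock_set_flag(sk, HCI_SOCK_TRUSTED)` is only reached inside `if (hci_sock_gen_cookie(sk))`, i.e. when a cookie is first generated for the socket, a wrong answer there persists for the socket's lifetime (the commit message says as much: "making it persistent for the socket"), and one sentence to that effect in the comment would make the `capable()` to `sk_capable(sk, ...)` change self-explanatory. The hunk header `@@ -1000,7 +1000,14 @@` matches the diffstat `8 insertions(+), 1 deletion(-)`; nothing else in the hunk needs changing.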
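Review bot: the two insertions in SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch, `memset(IPCB(skb), 0, sizeof(*IPCB(skb)));` before `ip_local_out()` and `memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));` before `ip6_local_out()`, land exactly where the commit message asks ("clear skb->cb before ip_local_out or ip6_local_out"), but neither carries a comment. Because the reason lives only in the commit message (the qdisc layer reuses skb->cb as fq_skb_cb()->time_to_send, which __ip_options_echo later reads as IPCB options), a one-line comment at each memset would stop a later cleanup from removing one of the two as apparently redundant zeroing. The second hunk header `@@ -481,6 +484,9 @@` correctly accounts for the three lines added by the first hunk.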
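Review bot: the removal path in SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch now repeats the insertion logic quoted in the commit message (`if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) end = ...; else end = start;`) verbatim inside nft_pipapo_remove(); the bug existed precisely because the two sites diverged, so a small shared helper returning the end key, or the start key when NFT_SET_EXT_KEY_END is absent, called from both insert and remove would prevent the next divergence. As a minimal backport the hunk is correct: `match_end = data;` mirrors `end = start;` given `match_start = data;` two lines above.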
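Review bot: the fix in SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch is correct but the root cause should be recorded in the code, not only in the commit message: with `union { u32 u32; u16 u16; } *s, *d;` each `s[i].u16` advanced by the union's 32-bit size, so the `priv->len / 2` iterations of the size-2 case read past the registers (the KASAN stack-out-of-bounds in the report), whereas the replacement `u16 *s16, *d16` makes the same loop cover exactly priv->len bytes. Suggest a one-line comment above `s16 = (void *)src;` stating that the register array is u32 and the 16-bit view must be a flat pointer rather than a union, so nobody refactors it back. The size-4 branches switching to `dst[i]`/`src[i]` directly are a pure simplification and fine.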
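Review bot: in SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch the new guard `if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) return -ERANGE;` uses a bare `4`; if it denotes the fixed option header that the same function already names as `sizeof(struct geneve_opt)` two lines earlier (`data_len = option_len - sizeof(struct geneve_opt)`), please write it as `FLOW_DIS_TUN_OPTS_MAX - sizeof(struct geneve_opt)` so the relation to the header write (`memset(opt, 0xff, option_len)` at `&key->enc_opts.data[key->enc_opts.len]`) is explicit. A brief comment tying the check to the wrap the commit message describes (`opt->length = data_len / 4` becoming 0 once enc_opts.len reaches 252) would also help, since the guard sits before the pointer is formed and a reader otherwise cannot see why the later bounds check was insufficient.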
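Review bot: the SPECS/kernel.spec Patch-tag hunk (`@@ -523,17 +523,23 @@`) mixes two changes, renumbering the existing tags (`Patch1000..Patch1010` become `Patch0001..Patch0003` plus `Patch1001..Patch1008`, so each tag number now equals its SOURCES file prefix) and adding `Patch1009..Patch1014`; the renumbering is worthwhile but would be easier to review as its own commit, because here eleven deleted lines must be matched against seventeen added ones to confirm nothing was dropped (nothing was: `# Patch1001: debrand-rh_taint.patch` survives as `# Patch0002: debrand-rh_taint.patch` and all eight earlier 100x patches remain). The ApplyPatch hunk and the %changelog entry name the same six files and six CVEs as the commit's diffstat, so those hunks are consistent with the SOURCES additions.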