From e7e939cd1cb94955eaf9a498c166badbfa10c79b Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Fri, 4 Aug 2023 14:33:10 +0200 Subject: [PATCH] Update with 5.14.0-284.25.1.el9_2 security fixes --- ...-race-condition-in-direct_page_fault.patch | 87 +++++++++ ...it-needs-to-have-a-speculation-check.patch | 45 +++++ ...Allow-enabling-STIBP-with-legacy-IBR.patch | 95 +++++++++ ...t-of-bounds-caused-by-unclear-skb-cb.patch | 180 ++++++++++++++++++ ...-fix-possible-OOB-write-in-fl_set_ge.patch | 49 +++++ SPECS/kernel.spec | 23 ++- 6 files changed, 477 insertions(+), 2 deletions(-) create mode 100644 SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch create mode 100644 SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch create mode 100644 SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch create mode 100644 SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch create mode 100644 SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch diff --git a/SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch b/SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch new file mode 100644 index 0000000..57b9495 --- /dev/null +++ b/SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch @@ -0,0 +1,87 @@ +From 6f404ab35a9a684cb6ee146a39413698bba17fe4 Mon Sep 17 00:00:00 2001 +From: Nagappan Ramasamy Palaniappan +Date: Wed, 2 Aug 2023 12:50:36 +0000 +Subject: [PATCH 1/5] KVM: x86/mmu: Fix race condition in direct_page_fault + + make_mmu_pages_available() must be called with mmu_lock held for write. + However, if the TDP MMU is used, it will be called with mmu_lock held for + read. + This function does nothing unless shadow pages are used, so there is no + race unless nested TDP is used. + Since nested TDP uses shadow pages, old shadow pages may be zapped by this + function even when the TDP MMU is enabled. + Since shadow pages are never allocated by kvm_tdp_mmu_map(), a race + condition can be avoided by not calling make_mmu_pages_available() if the + TDP MMU is currently in use. + + I encountered this when repeatedly starting and stopping nested VM. + It can be artificially caused by allocating a large number of nested TDP + SPTEs. + + For example, the following BUG and general protection fault are caused in + the host kernel. + + pte_list_remove: 00000000cd54fc10 many->many + ------------[ cut here ]------------ + kernel BUG at arch/x86/kvm/mmu/mmu.c:963! + invalid opcode: 0000 [#1] PREEMPT SMP NOPTI + RIP: 0010:pte_list_remove.cold+0x16/0x48 [kvm] + Call Trace: + + drop_spte+0xe0/0x180 [kvm] + mmu_page_zap_pte+0x4f/0x140 [kvm] + __kvm_mmu_prepare_zap_page+0x62/0x3e0 [kvm] + kvm_mmu_zap_oldest_mmu_pages+0x7d/0xf0 [kvm] + direct_page_fault+0x3cb/0x9b0 [kvm] + kvm_tdp_page_fault+0x2c/0xa0 [kvm] + kvm_mmu_page_fault+0x207/0x930 [kvm] + npf_interception+0x47/0xb0 [kvm_amd] + svm_invoke_exit_handler+0x13c/0x1a0 [kvm_amd] + svm_handle_exit+0xfc/0x2c0 [kvm_amd] + kvm_arch_vcpu_ioctl_run+0xa79/0x1780 [kvm] + kvm_vcpu_ioctl+0x29b/0x6f0 [kvm] + __x64_sys_ioctl+0x95/0xd0 + do_syscall_64+0x5c/0x90 + + general protection fault, probably for non-canonical address + 0xdead000000000122: 0000 [#1] PREEMPT SMP NOPTI + RIP: 0010:kvm_mmu_commit_zap_page.part.0+0x4b/0xe0 [kvm] + Call Trace: + + kvm_mmu_zap_oldest_mmu_pages+0xae/0xf0 [kvm] + direct_page_fault+0x3cb/0x9b0 [kvm] + kvm_tdp_page_fault+0x2c/0xa0 [kvm] + kvm_mmu_page_fault+0x207/0x930 [kvm] + npf_interception+0x47/0xb0 [kvm_amd] + + CVE: CVE-2022-45869 + Fixes: a2855afc7ee8 ("KVM: x86/mmu: Allow parallel page faults for the TDP MMU") + Signed-off-by: Kazuki Takiguchi + Cc: stable@vger.kernel.org + Signed-off-by: Paolo Bonzini + +Conflicts: dropped hunk in direct_page_fault because the following backported commits do the same thing + a158127f55b98c ("KVM: x86/mmu: Split out TDP MMU page fault handling") + 1290f90e77186b ("KVM: x86/mmu: Stop needlessly making MMU pages available for TDP MMU faults") + +Signed-off-by: Nagappan Ramasamy Palaniappan +Reviewed-by: Laurence Rochfort +--- + arch/x86/kvm/mmu/mmu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c +index 05c137831..2968f8137 100644 +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -2432,6 +2432,7 @@ static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm, + { + bool list_unstable, zapped_root = false; + ++ lockdep_assert_held_write(&kvm->mmu_lock); + trace_kvm_mmu_prepare_zap_page(sp); + ++kvm->stat.mmu_shadow_zapped; + *nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list); +-- +2.31.1 + diff --git a/SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch b/SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch new file mode 100644 index 0000000..bd18a2e --- /dev/null +++ b/SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch @@ -0,0 +1,45 @@ +From c9e34f92dafffe1fd37ba7ef7fb198002576bea1 Mon Sep 17 00:00:00 2001 +From: Nagappan Ramasamy Palaniappan +Date: Wed, 2 Aug 2023 12:54:02 +0000 +Subject: [PATCH 2/5] prlimit: do_prlimit needs to have a speculation check + +CVE: CVE-2023-0458 + +commit 739790605705ddcf18f21782b9c99ad7d53a8c11 +Author: Greg Kroah-Hartman +Date: Fri Jan 20 11:03:20 2023 +0100 + + prlimit: do_prlimit needs to have a speculation check + + do_prlimit() adds the user-controlled resource value to a pointer that + will subsequently be dereferenced. In order to help prevent this + codepath from being used as a spectre "gadget" a barrier needs to be + added after checking the range. + + Reported-by: Jordy Zomer + Tested-by: Jordy Zomer + Suggested-by: Linus Torvalds + Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Nagappan Ramasamy Palaniappan +Reviewed-by: Laurence Rochfort +--- + kernel/sys.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/sys.c b/kernel/sys.c +index 75852f64d..45480f6f6 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1439,6 +1439,8 @@ static int do_prlimit(struct task_struct *tsk, unsigned int resource, + + if (resource >= RLIM_NLIMITS) + return -EINVAL; ++ resource = array_index_nospec(resource, RLIM_NLIMITS); ++ + if (new_rlim) { + if (new_rlim->rlim_cur > new_rlim->rlim_max) + return -EINVAL; +-- +2.31.1 + diff --git a/SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch b/SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch new file mode 100644 index 0000000..57846d2 --- /dev/null +++ b/SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch @@ -0,0 +1,95 @@ +From 4758c1f8ad5385e53ea85739ad9f6fa6dfc0abda Mon Sep 17 00:00:00 2001 +From: Nagappan Ramasamy Palaniappan +Date: Wed, 2 Aug 2023 12:55:46 +0000 +Subject: [PATCH 3/5] x86/speculation: Allow enabling STIBP with legacy IBRS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When plain IBRS is enabled (not enhanced IBRS), the logic in +spectre_v2_user_select_mitigation() determines that STIBP is not needed. + +The IBRS bit implicitly protects against cross-thread branch target +injection. However, with legacy IBRS, the IBRS bit is cleared on +returning to userspace for performance reasons which leaves userspace +threads vulnerable to cross-thread branch target injection against which +STIBP protects. + +Exclude IBRS from the spectre_v2_in_ibrs_mode() check to allow for +enabling STIBP (through seccomp/prctl() by default or always-on, if +selected by spectre_v2_user kernel cmdline parameter). + + [ bp: Massage. ] + +Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS") +Reported-by: José Oliveira +Reported-by: Rodrigo Branco +Signed-off-by: KP Singh +Signed-off-by: Borislav Petkov (AMD) +Signed-off-by: Nagappan Ramasamy Palaniappan +Reviewed-by: Laurence Rochfort +--- + arch/x86/kernel/cpu/bugs.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index da7c361f4..e13c4ecdc 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1095,14 +1095,18 @@ spectre_v2_parse_user_cmdline(void) + return SPECTRE_V2_USER_CMD_AUTO; + } + +-static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) ++static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode) + { +- return mode == SPECTRE_V2_IBRS || +- mode == SPECTRE_V2_EIBRS || ++ return mode == SPECTRE_V2_EIBRS || + mode == SPECTRE_V2_EIBRS_RETPOLINE || + mode == SPECTRE_V2_EIBRS_LFENCE; + } + ++static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) ++{ ++ return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS; ++} ++ + static void __init + spectre_v2_user_select_mitigation(void) + { +@@ -1165,12 +1169,19 @@ spectre_v2_user_select_mitigation(void) + } + + /* +- * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible, +- * STIBP is not required. ++ * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP ++ * is not required. ++ * ++ * Enhanced IBRS also protects against cross-thread branch target ++ * injection in user-mode as the IBRS bit remains always set which ++ * implicitly enables cross-thread protections. However, in legacy IBRS ++ * mode, the IBRS bit is set only on kernel entry and cleared on return ++ * to userspace. This disables the implicit cross-thread protection, ++ * so allow for STIBP to be selected in that case. + */ + if (!boot_cpu_has(X86_FEATURE_STIBP) || + !smt_possible || +- spectre_v2_in_ibrs_mode(spectre_v2_enabled)) ++ spectre_v2_in_eibrs_mode(spectre_v2_enabled)) + return; + + /* +@@ -2295,7 +2306,7 @@ static ssize_t mmio_stale_data_show_state(char *buf) + + static char *stibp_state(void) + { +- if (spectre_v2_in_ibrs_mode(spectre_v2_enabled)) ++ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled)) + return ""; + + switch (spectre_v2_user_stibp) { +-- +2.31.1 + diff --git a/SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch b/SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch new file mode 100644 index 0000000..008091d --- /dev/null +++ b/SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch @@ -0,0 +1,180 @@ +From 4308d0e03dfe439f30b356630beb8b941bf84bf7 Mon Sep 17 00:00:00 2001 +From: Nagappan Ramasamy Palaniappan +Date: Wed, 2 Aug 2023 13:05:59 +0000 +Subject: [PATCH 4/5] ipvlan:Fix out-of-bounds caused by unclear skb->cb + +CVE: CVE-2023-3090 + +commit 90cbed5247439a966b645b34eb0a2e037836ea8e +Author: t.feng +Date: Wed May 10 11:50:44 2023 +0800 + + ipvlan:Fix out-of-bounds caused by unclear skb->cb + + If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which + is actually skb->cb, and IPCB(skb_in)->opt will be used in + __ip_options_echo. It is possible that memcpy is out of bounds and lead + to stack overflow. + We should clear skb->cb before ip_local_out or ip6_local_out. + + v2: + 1. clean the stack info + 2. use IPCB/IP6CB instead of skb->cb + + crash on stable-5.10(reproduce in kasan kernel). + Stack info: + [ 2203.651571] BUG: KASAN: stack-out-of-bounds in + __ip_options_echo+0x589/0x800 + [ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task + swapper/3/0 + [ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted + 5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1 + [ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014 + [ 2203.655475] Call Trace: + [ 2203.655481] + [ 2203.655501] dump_stack+0x9c/0xd3 + [ 2203.655514] print_address_description.constprop.0+0x19/0x170 + [ 2203.655530] __kasan_report.cold+0x6c/0x84 + [ 2203.655586] kasan_report+0x3a/0x50 + [ 2203.655586] kasan_report+0x3a/0x50 + [ 2203.655594] check_memory_region+0xfd/0x1f0 + [ 2203.655594] check_memory_region+0xfd/0x1f0 + [ 2203.655601] memcpy+0x39/0x60 + [ 2203.655608] __ip_options_echo+0x589/0x800 + [ 2203.655654] __icmp_send+0x59a/0x960 + [ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4] + [ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT] + [ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables] + [ 2203.655821] nf_hook_slow+0x69/0x100 + [ 2203.655828] __ip_local_out+0x21e/0x2b0 + [ 2203.655857] ip_local_out+0x28/0x90 + [ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan] + [ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan] + [ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan] + [ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan] + [ 2203.655984] xmit_one.constprop.0+0xe1/0x280 + [ 2203.655992] dev_hard_start_xmit+0x62/0x100 + [ 2203.656000] sch_direct_xmit+0x215/0x640 + [ 2203.656028] __qdisc_run+0x153/0x1f0 + [ 2203.656069] __dev_queue_xmit+0x77f/0x1030 + [ 2203.656173] ip_finish_output2+0x59b/0xc20 + [ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0 + [ 2203.656312] ip_finish_output+0x168/0x190 + [ 2203.656320] ip_output+0x12d/0x220 + [ 2203.656357] __ip_queue_xmit+0x392/0x880 + [ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0 + [ 2203.656436] __tcp_retransmit_skb+0x475/0xa30 + [ 2203.656505] tcp_retransmit_skb+0x2d/0x190 + [ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0 + [ 2203.656519] tcp_write_timer_handler+0x3ba/0x510 + [ 2203.656529] tcp_write_timer+0x55/0x180 + [ 2203.656542] call_timer_fn+0x3f/0x1d0 + [ 2203.656555] expire_timers+0x160/0x200 + [ 2203.656562] run_timer_softirq+0x1f4/0x480 + [ 2203.656606] __do_softirq+0xfd/0x402 + [ 2203.656613] asm_call_irq_on_stack+0x12/0x20 + [ 2203.656617] + [ 2203.656623] do_softirq_own_stack+0x37/0x50 + [ 2203.656631] irq_exit_rcu+0x134/0x1a0 + [ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80 + [ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20 + [ 2203.656654] RIP: 0010:default_idle+0x13/0x20 + [ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc + cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb + f4 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08 + [ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256 + [ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX: + ffffffffaf290191 + [ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI: + ffff88811a3c4f60 + [ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09: + ffff88811a3c4f63 + [ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12: + 0000000000000003 + [ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15: + 0000000000000000 + [ 2203.656729] default_idle_call+0x5a/0x150 + [ 2203.656735] cpuidle_idle_call+0x1c6/0x220 + [ 2203.656780] do_idle+0xab/0x100 + [ 2203.656786] cpu_startup_entry+0x19/0x20 + [ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb + + [ 2203.657409] The buggy address belongs to the page: + [ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0 + mapping:0000000000000000 index:0x0 pfn:0x11a388 + [ 2203.658665] flags: + 0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff) + [ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208 + 0000000000000000 + [ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff + 0000000000000000 + [ 2203.658686] page dumped because: kasan: bad access detected + + To reproduce(ipvlan with IPVLAN_MODE_L3): + Env setting: + ======================================================= + modprobe ipvlan ipvlan_default_mode=1 + sysctl net.ipv4.conf.eth0.forwarding=1 + iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j + MASQUERADE + ip link add gw link eth0 type ipvlan + ip -4 addr add 20.0.0.254/24 dev gw + ip netns add net1 + ip link add ipv1 link eth0 type ipvlan + ip link set ipv1 netns net1 + ip netns exec net1 ip link set ipv1 up + ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1 + ip netns exec net1 route add default gw 20.0.0.254 + ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10% + ifconfig gw up + iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with + icmp-port-unreachable + ======================================================= + And then excute the shell(curl any address of eth0 can reach): + + for((i=1;i<=100000;i++)) + do + ip netns exec net1 curl x.x.x.x:8888 + done + ======================================================= + + Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") + Signed-off-by: "t.feng" + Suggested-by: Florian Westphal + Reviewed-by: Paolo Abeni + Signed-off-by: David S. Miller + +Signed-off-by: Nagappan Ramasamy Palaniappan +Reviewed-by: Laurence Rochfort +--- + drivers/net/ipvlan/ipvlan_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index fe584e8ac..ab14c06d1 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -437,6 +437,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, &rt->dst); ++ ++ memset(IPCB(skb), 0, sizeof(*IPCB(skb))); ++ + err = ip_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +@@ -475,6 +478,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, dst); ++ ++ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); ++ + err = ip6_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +-- +2.31.1 + diff --git a/SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch b/SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch new file mode 100644 index 0000000..ce8857d --- /dev/null +++ b/SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch @@ -0,0 +1,49 @@ +From 68e161867609dafcee1a20343990547a8da9be83 Mon Sep 17 00:00:00 2001 +From: Nagappan Ramasamy Palaniappan +Date: Wed, 2 Aug 2023 13:10:03 +0000 +Subject: [PATCH 5/5] net/sched: flower: fix possible OOB write + in-fl_set_geneve_opt() + +CVE: CVE-2023-35788 + +commit 4d56304e5827c8cc8cc18c75343d283af7c4825c +Author: Hangyu Hua +Date: Wed May 31 18:28:04 2023 +0800 + + net/sched: flower: fix possible OOB write in fl_set_geneve_opt() + + If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total + size is 252 bytes(key->enc_opts.len = 252) then + key->enc_opts.len = opt->length = data_len / 4 = 0 when the third + TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This + bypasses the next bounds check and results in an out-of-bounds. + + Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") + Signed-off-by: Hangyu Hua + Reviewed-by: Simon Horman + Reviewed-by: Pieter Jansen van Vuuren + Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com + +Signed-off-by: Nagappan Ramasamy Palaniappan +Reviewed-by: Laurence Rochfort +--- + net/sched/cls_flower.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c +index 041d63ff8..65b68bf36 100644 +--- a/net/sched/cls_flower.c ++++ b/net/sched/cls_flower.c +@@ -1145,6 +1145,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, + if (option_len > sizeof(struct geneve_opt)) + data_len = option_len - sizeof(struct geneve_opt); + ++ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) ++ return -ERANGE; ++ + opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; + memset(opt, 0xff, option_len); + opt->length = data_len / 4; +-- +2.31.1 + diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 8622201..4740b7b 100755 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -161,13 +161,13 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 284.18.1 +%define pkgrelease 284.25.1 %define kversion 5 %define tarfile_release 5.14.0-284.18.1.el9_2 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 284.18.1%{?buildid}%{?dist} +%define specrelease 284.25.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 5.14.0-284.18.1.el9_2 @@ -900,6 +900,13 @@ Source4002: gating.yaml Patch1: patch-%{patchversion}-redhat.patch %endif +# Patches from Oracle Linux kernel package +Patch1200: 1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch +Patch1201: 1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch +Patch1202: 1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch +Patch1203: 1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch +Patch1204: 1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch + # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch @@ -1553,6 +1560,11 @@ cp -a %{SOURCE1} . ApplyOptionalPatch patch-%{patchversion}-redhat.patch %endif +ApplyPatch 1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch +ApplyPatch 1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch +ApplyPatch 1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch +ApplyPatch 1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch +ApplyPatch 1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS @@ -3422,6 +3434,13 @@ fi # # %changelog +* Tue Aug 01 2023 Nagappan Ramasamy Palaniappan - [5.14.0-284.25.1.el9_2] +- KVM x86 mmuFix race condition in direct_page_fault +- prlimit do_prlimit needs to have a speculation check +- x86 speculation Allow enabling STIBP with legacy IBR +- ipvlan Fix out of bounds caused by unclear skb cb +- net sched flower fix possible OOB write in fl_set_geneve_opt + * Wed May 31 2023 Herton R. Krzesinski [5.14.0-284.18.1.el9_2] - x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (Baoquan He) [2210614 2116317] - bluetooth: Perform careful capability checks in hci_sock_ioctl() (Ricardo Robaina) [2196340 2196341] {CVE-2023-2002}