Update to 4.18.0-477.27.1.el8_8

SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch

@@ -0,0 +1,56 @@
+From 5bdcf7f9a8e44d61d724943167c381611b02a5ff Mon Sep 17 00:00:00 2001
+From: Ruihan Li <lrh2000@pku.edu.cn>
+Date: Sun, 16 Apr 2023 16:14:04 +0800
+Subject: [PATCH 1/6] bluetooth: Perform careful capability checks in
+ hci_sock_ioctl()
+
+Previously, capability was checked using capable(), which verified that the
+caller of the ioctl system call had the required capability. In addition,
+the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
+making it persistent for the socket.
+
+However, malicious programs can abuse this approach by deliberately sharing
+an HCI socket with a privileged task. The HCI socket will be marked as
+trusted when the privileged task occasionally makes an ioctl call.
+
+This problem can be solved by using sk_capable() to check capability, which
+ensures that not only the current task but also the socket opener has the
+specified capability, thus reducing the risk of privilege escalation
+through the previously identified vulnerability.
+
+Cc: stable@vger.kernel.org
+Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
+Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+(cherry picked from commit 25c150ac103a4ebeed0319994c742a90634ddf18)
+
+CVE: CVE-2023-2002
+Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
+Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+---
+ net/bluetooth/hci_sock.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index d7c9ead69554..3cb8a2879ebb 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -1000,7 +1000,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
+ 	if (hci_sock_gen_cookie(sk)) {
+ 		struct sk_buff *skb;
+ 
+-		if (capable(CAP_NET_ADMIN))
++		/* Perform careful checks before setting the HCI_SOCK_TRUSTED
++		 * flag. Make sure that not only the current task but also
++		 * the socket opener has the required capability, since
++		 * privileged programs can be tricked into making ioctl calls
++		 * on HCI sockets, and the socket should not be marked as
++		 * trusted simply because the ioctl caller is privileged.
++		 */
++		if (sk_capable(sk, CAP_NET_ADMIN))
+ 			hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
+ 
+ 		/* Send event to monitor */
+-- 
+2.39.3
+

SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch

@@ -0,0 +1,172 @@
+From e594c8e25c5f6a3432c324cf8df93d34578825bb Mon Sep 17 00:00:00 2001
+From: "t.feng" <fengtao40@huawei.com>
+Date: Wed, 10 May 2023 11:50:44 +0800
+Subject: [PATCH 2/6] ipvlan:Fix out-of-bounds caused by unclear skb->cb
+
+If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
+is actually skb->cb, and IPCB(skb_in)->opt will be used in
+__ip_options_echo. It is possible that memcpy is out of bounds and lead
+to stack overflow.
+We should clear skb->cb before ip_local_out or ip6_local_out.
+
+v2:
+1. clean the stack info
+2. use IPCB/IP6CB instead of skb->cb
+
+crash on stable-5.10(reproduce in kasan kernel).
+Stack info:
+[ 2203.651571] BUG: KASAN: stack-out-of-bounds in
+__ip_options_echo+0x589/0x800
+[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
+swapper/3/0
+[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
+5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
+[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
+[ 2203.655475] Call Trace:
+[ 2203.655481]  <IRQ>
+[ 2203.655501]  dump_stack+0x9c/0xd3
+[ 2203.655514]  print_address_description.constprop.0+0x19/0x170
+[ 2203.655530]  __kasan_report.cold+0x6c/0x84
+[ 2203.655586]  kasan_report+0x3a/0x50
+[ 2203.655594]  check_memory_region+0xfd/0x1f0
+[ 2203.655601]  memcpy+0x39/0x60
+[ 2203.655608]  __ip_options_echo+0x589/0x800
+[ 2203.655654]  __icmp_send+0x59a/0x960
+[ 2203.655755]  nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
+[ 2203.655763]  reject_tg+0x77/0x1bf [ipt_REJECT]
+[ 2203.655772]  ipt_do_table+0x691/0xa40 [ip_tables]
+[ 2203.655821]  nf_hook_slow+0x69/0x100
+[ 2203.655828]  __ip_local_out+0x21e/0x2b0
+[ 2203.655857]  ip_local_out+0x28/0x90
+[ 2203.655868]  ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
+[ 2203.655931]  ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
+[ 2203.655967]  ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
+[ 2203.655977]  ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
+[ 2203.655984]  xmit_one.constprop.0+0xe1/0x280
+[ 2203.655992]  dev_hard_start_xmit+0x62/0x100
+[ 2203.656000]  sch_direct_xmit+0x215/0x640
+[ 2203.656028]  __qdisc_run+0x153/0x1f0
+[ 2203.656069]  __dev_queue_xmit+0x77f/0x1030
+[ 2203.656173]  ip_finish_output2+0x59b/0xc20
+[ 2203.656244]  __ip_finish_output.part.0+0x318/0x3d0
+[ 2203.656312]  ip_finish_output+0x168/0x190
+[ 2203.656320]  ip_output+0x12d/0x220
+[ 2203.656357]  __ip_queue_xmit+0x392/0x880
+[ 2203.656380]  __tcp_transmit_skb+0x1088/0x11c0
+[ 2203.656436]  __tcp_retransmit_skb+0x475/0xa30
+[ 2203.656505]  tcp_retransmit_skb+0x2d/0x190
+[ 2203.656512]  tcp_retransmit_timer+0x3af/0x9a0
+[ 2203.656519]  tcp_write_timer_handler+0x3ba/0x510
+[ 2203.656529]  tcp_write_timer+0x55/0x180
+[ 2203.656542]  call_timer_fn+0x3f/0x1d0
+[ 2203.656555]  expire_timers+0x160/0x200
+[ 2203.656562]  run_timer_softirq+0x1f4/0x480
+[ 2203.656606]  __do_softirq+0xfd/0x402
+[ 2203.656613]  asm_call_irq_on_stack+0x12/0x20
+[ 2203.656617]  </IRQ>
+[ 2203.656623]  do_softirq_own_stack+0x37/0x50
+[ 2203.656631]  irq_exit_rcu+0x134/0x1a0
+[ 2203.656639]  sysvec_apic_timer_interrupt+0x36/0x80
+[ 2203.656646]  asm_sysvec_apic_timer_interrupt+0x12/0x20
+[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
+[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
+cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
+f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
+[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
+[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
+ffffffffaf290191
+[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
+ffff88811a3c4f60
+[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
+ffff88811a3c4f63
+[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
+0000000000000003
+[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
+0000000000000000
+[ 2203.656729]  default_idle_call+0x5a/0x150
+[ 2203.656735]  cpuidle_idle_call+0x1c6/0x220
+[ 2203.656780]  do_idle+0xab/0x100
+[ 2203.656786]  cpu_startup_entry+0x19/0x20
+[ 2203.656793]  secondary_startup_64_no_verify+0xc2/0xcb
+
+[ 2203.657409] The buggy address belongs to the page:
+[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
+mapping:0000000000000000 index:0x0 pfn:0x11a388
+[ 2203.658665] flags:
+0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
+[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
+0000000000000000
+[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
+0000000000000000
+[ 2203.658686] page dumped because: kasan: bad access detected
+
+To reproduce(ipvlan with IPVLAN_MODE_L3):
+Env setting:
+=======================================================
+modprobe ipvlan ipvlan_default_mode=1
+sysctl net.ipv4.conf.eth0.forwarding=1
+iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
+MASQUERADE
+ip link add gw link eth0 type ipvlan
+ip -4 addr add 20.0.0.254/24 dev gw
+ip netns add net1
+ip link add ipv1 link eth0 type ipvlan
+ip link set ipv1 netns net1
+ip netns exec net1 ip link set ipv1 up
+ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
+ip netns exec net1 route add default gw 20.0.0.254
+ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
+ifconfig gw up
+iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
+icmp-port-unreachable
+=======================================================
+And then excute the shell(curl any address of eth0 can reach):
+
+for((i=1;i<=100000;i++))
+do
+        ip netns exec net1 curl x.x.x.x:8888
+done
+=======================================================
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Signed-off-by: "t.feng" <fengtao40@huawei.com>
+Suggested-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit 90cbed5247439a966b645b34eb0a2e037836ea8e)
+
+CVE: CVE-2023-3090
+Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
+Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index 62c73a8ed0c3..f1ffe1800754 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -443,6 +443,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
+ 		goto err;
+ 	}
+ 	skb_dst_set(skb, &rt->dst);
++
++	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
++
+ 	err = ip_local_out(net, skb->sk, skb);
+ 	if (unlikely(net_xmit_eval(err)))
+ 		dev->stats.tx_errors++;
+@@ -481,6 +484,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
+ 		goto err;
+ 	}
+ 	skb_dst_set(skb, dst);
++
++	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
++
+ 	err = ip6_local_out(net, skb->sk, skb);
+ 	if (unlikely(net_xmit_eval(err)))
+ 		dev->stats.tx_errors++;
+-- 
+2.39.3
+

SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch

@@ -0,0 +1,62 @@
+From 0da574f21ad25aae92e8262b7636dc95cf12aacf Mon Sep 17 00:00:00 2001
+From: M A Ramdhan <ramdhan@starlabs.sg>
+Date: Wed, 5 Jul 2023 12:15:30 -0400
+Subject: [PATCH 3/6] net/sched: cls_fw: Fix improper refcount update leads to
+ use-after-free
+
+In the event of a failure in tcf_change_indev(), fw_set_parms() will
+immediately return an error after incrementing or decrementing
+reference counter in tcf_bind_filter().  If attacker can control
+reference counter to zero and make reference freed, leading to
+use after free.
+
+In order to prevent this, move the point of possible failure above the
+point where the TC_FW_CLASSID is handled.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
+Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
+Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f)
+
+CVE: CVE-2023-3776
+Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
+Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+---
+ net/sched/cls_fw.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
+index 6a0d3ee00758..4240ca68cbc4 100644
+--- a/net/sched/cls_fw.c
++++ b/net/sched/cls_fw.c
+@@ -214,11 +214,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+ 	if (err < 0)
+ 		return err;
+ 
+-	if (tb[TCA_FW_CLASSID]) {
+-		f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+-		tcf_bind_filter(tp, &f->res, base);
+-	}
+-
+ 	if (tb[TCA_FW_INDEV]) {
+ 		int ret;
+ 		ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
+@@ -235,6 +230,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+ 	} else if (head->mask != 0xFFFFFFFF)
+ 		return err;
+ 
++	if (tb[TCA_FW_CLASSID]) {
++		f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
++		tcf_bind_filter(tp, &f->res, base);
++	}
++
+ 	return 0;
+ }
+ 
+-- 
+2.39.3
+

SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch

@@ -0,0 +1,63 @@
+From 036bd76b11980194badfb3b281a0307b4f6be7df Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 19 Jul 2023 21:08:21 +0200
+Subject: [PATCH 4/6] netfilter: nft_set_pipapo: fix improper element removal
+
+end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
+
+Its possible to add elements that only have a start key
+("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.
+
+Insertion treats this via:
+
+if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
+   end = (const u8 *)nft_set_ext_key_end(ext)->data;
+else
+   end = start;
+
+but removal side always uses nft_set_ext_key_end().
+This is wrong and leads to garbage remaining in the set after removal
+next lookup/insert attempt will give:
+
+BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
+Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
+Call Trace:
+ kasan_report+0x105/0x140
+ pipapo_get+0x8eb/0xb90
+ nft_pipapo_insert+0x1dc/0x1710
+ nf_tables_newsetelem+0x31f5/0x4e00
+ ..
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reported-by: lonial con <kongln9170@gmail.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+(cherry picked from commit 87b5a5c209405cb6b57424cdfa226a6dbd349232)
+
+CVE: CVE-2023-4004
+Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
+Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+---
+ net/netfilter/nft_set_pipapo.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 1eab335fb14b..0181617f9628 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1797,7 +1797,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
+ 		int i, start, rules_fx;
+ 
+ 		match_start = data;
+-		match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
++
++		if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
++			match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
++		else
++			match_end = data;
+ 
+ 		start = first_rule;
+ 		rules_fx = rules_f0;
+-- 
+2.39.3
+

SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch

@@ -0,0 +1,217 @@
+From b8f43f1b9945bb063ef0eae3bcdc6e04d8728d8f Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Wed, 5 Jul 2023 18:05:35 -0300
+Subject: [PATCH 5/6] netfilter: nf_tables: prevent OOB access in
+ nft_byteorder_eval
+
+When evaluating byteorder expressions with size 2, a union with 32-bit and
+16-bit members is used. Since the 16-bit members are aligned to 32-bit,
+the array accesses will be out-of-bounds.
+
+It may lead to a stack-out-of-bounds access like the one below:
+
+[   23.095215] ==================================================================
+[   23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320
+[   23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115
+[   23.096358]
+[   23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413
+[   23.096770] Call Trace:
+[   23.096910]  <IRQ>
+[   23.097030]  dump_stack_lvl+0x60/0xc0
+[   23.097218]  print_report+0xcf/0x630
+[   23.097388]  ? nft_byteorder_eval+0x13c/0x320
+[   23.097577]  ? kasan_addr_to_slab+0xd/0xc0
+[   23.097760]  ? nft_byteorder_eval+0x13c/0x320
+[   23.097949]  kasan_report+0xc9/0x110
+[   23.098106]  ? nft_byteorder_eval+0x13c/0x320
+[   23.098298]  __asan_load2+0x83/0xd0
+[   23.098453]  nft_byteorder_eval+0x13c/0x320
+[   23.098659]  nft_do_chain+0x1c8/0xc50
+[   23.098852]  ? __pfx_nft_do_chain+0x10/0x10
+[   23.099078]  ? __kasan_check_read+0x11/0x20
+[   23.099295]  ? __pfx___lock_acquire+0x10/0x10
+[   23.099535]  ? __pfx___lock_acquire+0x10/0x10
+[   23.099745]  ? __kasan_check_read+0x11/0x20
+[   23.099929]  nft_do_chain_ipv4+0xfe/0x140
+[   23.100105]  ? __pfx_nft_do_chain_ipv4+0x10/0x10
+[   23.100327]  ? lock_release+0x204/0x400
+[   23.100515]  ? nf_hook.constprop.0+0x340/0x550
+[   23.100779]  nf_hook_slow+0x6c/0x100
+[   23.100977]  ? __pfx_nft_do_chain_ipv4+0x10/0x10
+[   23.101223]  nf_hook.constprop.0+0x334/0x550
+[   23.101443]  ? __pfx_ip_local_deliver_finish+0x10/0x10
+[   23.101677]  ? __pfx_nf_hook.constprop.0+0x10/0x10
+[   23.101882]  ? __pfx_ip_rcv_finish+0x10/0x10
+[   23.102071]  ? __pfx_ip_local_deliver_finish+0x10/0x10
+[   23.102291]  ? rcu_read_lock_held+0x4b/0x70
+[   23.102481]  ip_local_deliver+0xbb/0x110
+[   23.102665]  ? __pfx_ip_rcv+0x10/0x10
+[   23.102839]  ip_rcv+0x199/0x2a0
+[   23.102980]  ? __pfx_ip_rcv+0x10/0x10
+[   23.103140]  __netif_receive_skb_one_core+0x13e/0x150
+[   23.103362]  ? __pfx___netif_receive_skb_one_core+0x10/0x10
+[   23.103647]  ? mark_held_locks+0x48/0xa0
+[   23.103819]  ? process_backlog+0x36c/0x380
+[   23.103999]  __netif_receive_skb+0x23/0xc0
+[   23.104179]  process_backlog+0x91/0x380
+[   23.104350]  __napi_poll.constprop.0+0x66/0x360
+[   23.104589]  ? net_rx_action+0x1cb/0x610
+[   23.104811]  net_rx_action+0x33e/0x610
+[   23.105024]  ? _raw_spin_unlock+0x23/0x50
+[   23.105257]  ? __pfx_net_rx_action+0x10/0x10
+[   23.105485]  ? mark_held_locks+0x48/0xa0
+[   23.105741]  __do_softirq+0xfa/0x5ab
+[   23.105956]  ? __dev_queue_xmit+0x765/0x1c00
+[   23.106193]  do_softirq.part.0+0x49/0xc0
+[   23.106423]  </IRQ>
+[   23.106547]  <TASK>
+[   23.106670]  __local_bh_enable_ip+0xf5/0x120
+[   23.106903]  __dev_queue_xmit+0x789/0x1c00
+[   23.107131]  ? __pfx___dev_queue_xmit+0x10/0x10
+[   23.107381]  ? find_held_lock+0x8e/0xb0
+[   23.107585]  ? lock_release+0x204/0x400
+[   23.107798]  ? neigh_resolve_output+0x185/0x350
+[   23.108049]  ? mark_held_locks+0x48/0xa0
+[   23.108265]  ? neigh_resolve_output+0x185/0x350
+[   23.108514]  neigh_resolve_output+0x246/0x350
+[   23.108753]  ? neigh_resolve_output+0x246/0x350
+[   23.109003]  ip_finish_output2+0x3c3/0x10b0
+[   23.109250]  ? __pfx_ip_finish_output2+0x10/0x10
+[   23.109510]  ? __pfx_nf_hook+0x10/0x10
+[   23.109732]  __ip_finish_output+0x217/0x390
+[   23.109978]  ip_finish_output+0x2f/0x130
+[   23.110207]  ip_output+0xc9/0x170
+[   23.110404]  ip_push_pending_frames+0x1a0/0x240
+[   23.110652]  raw_sendmsg+0x102e/0x19e0
+[   23.110871]  ? __pfx_raw_sendmsg+0x10/0x10
+[   23.111093]  ? lock_release+0x204/0x400
+[   23.111304]  ? __mod_lruvec_page_state+0x148/0x330
+[   23.111567]  ? find_held_lock+0x8e/0xb0
+[   23.111777]  ? find_held_lock+0x8e/0xb0
+[   23.111993]  ? __rcu_read_unlock+0x7c/0x2f0
+[   23.112225]  ? aa_sk_perm+0x18a/0x550
+[   23.112431]  ? filemap_map_pages+0x4f1/0x900
+[   23.112665]  ? __pfx_aa_sk_perm+0x10/0x10
+[   23.112880]  ? find_held_lock+0x8e/0xb0
+[   23.113098]  inet_sendmsg+0xa0/0xb0
+[   23.113297]  ? inet_sendmsg+0xa0/0xb0
+[   23.113500]  ? __pfx_inet_sendmsg+0x10/0x10
+[   23.113727]  sock_sendmsg+0xf4/0x100
+[   23.113924]  ? move_addr_to_kernel.part.0+0x4f/0xa0
+[   23.114190]  __sys_sendto+0x1d4/0x290
+[   23.114391]  ? __pfx___sys_sendto+0x10/0x10
+[   23.114621]  ? __pfx_mark_lock.part.0+0x10/0x10
+[   23.114869]  ? lock_release+0x204/0x400
+[   23.115076]  ? find_held_lock+0x8e/0xb0
+[   23.115287]  ? rcu_is_watching+0x23/0x60
+[   23.115503]  ? __rseq_handle_notify_resume+0x6e2/0x860
+[   23.115778]  ? __kasan_check_write+0x14/0x30
+[   23.116008]  ? blkcg_maybe_throttle_current+0x8d/0x770
+[   23.116285]  ? mark_held_locks+0x28/0xa0
+[   23.116503]  ? do_syscall_64+0x37/0x90
+[   23.116713]  __x64_sys_sendto+0x7f/0xb0
+[   23.116924]  do_syscall_64+0x59/0x90
+[   23.117123]  ? irqentry_exit_to_user_mode+0x25/0x30
+[   23.117387]  ? irqentry_exit+0x77/0xb0
+[   23.117593]  ? exc_page_fault+0x92/0x140
+[   23.117806]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[   23.118081] RIP: 0033:0x7f744aee2bba
+[   23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
+[   23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[   23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba
+[   23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003
+[   23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010
+[   23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
+[   23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0
+[   23.121617]  </TASK>
+[   23.121749]
+[   23.121845] The buggy address belongs to the virtual mapping at
+[   23.121845]  [ffffc90000000000, ffffc90000009000) created by:
+[   23.121845]  irq_init_percpu_irqstack+0x1cf/0x270
+[   23.122707]
+[   23.122803] The buggy address belongs to the physical page:
+[   23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09
+[   23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
+[   23.123998] page_type: 0xffffffff()
+[   23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000
+[   23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
+[   23.125023] page dumped because: kasan: bad access detected
+[   23.125326]
+[   23.125421] Memory state around the buggy address:
+[   23.125682]  ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   23.126072]  ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00
+[   23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00
+[   23.126840]                                               ^
+[   23.127138]  ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3
+[   23.127522]  ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+[   23.127906] ==================================================================
+[   23.128324] Disabling lock debugging due to kernel taint
+
+Using simple s16 pointers for the 16-bit accesses fixes the problem. For
+the 32-bit accesses, src and dst can be used directly.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Cc: stable@vger.kernel.org
+Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd)
+
+CVE: CVE-2023-35001
+Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
+Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+---
+ net/netfilter/nft_byteorder.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
+index 6fc6f2f45b0a..a752c98e97fb 100644
+--- a/net/netfilter/nft_byteorder.c
++++ b/net/netfilter/nft_byteorder.c
+@@ -33,11 +33,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
+ 	const struct nft_byteorder *priv = nft_expr_priv(expr);
+ 	u32 *src = &regs->data[priv->sreg];
+ 	u32 *dst = &regs->data[priv->dreg];
+-	union { u32 u32; u16 u16; } *s, *d;
++	u16 *s16, *d16;
+ 	unsigned int i;
+ 
+-	s = (void *)src;
+-	d = (void *)dst;
++	s16 = (void *)src;
++	d16 = (void *)dst;
+ 
+ 	switch (priv->size) {
+ 	case 8: {
+@@ -64,11 +64,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
+ 		switch (priv->op) {
+ 		case NFT_BYTEORDER_NTOH:
+ 			for (i = 0; i < priv->len / 4; i++)
+-				d[i].u32 = ntohl((__force __be32)s[i].u32);
++				dst[i] = ntohl((__force __be32)src[i]);
+ 			break;
+ 		case NFT_BYTEORDER_HTON:
+ 			for (i = 0; i < priv->len / 4; i++)
+-				d[i].u32 = (__force __u32)htonl(s[i].u32);
++				dst[i] = (__force __u32)htonl(src[i]);
+ 			break;
+ 		}
+ 		break;
+@@ -76,11 +76,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
+ 		switch (priv->op) {
+ 		case NFT_BYTEORDER_NTOH:
+ 			for (i = 0; i < priv->len / 2; i++)
+-				d[i].u16 = ntohs((__force __be16)s[i].u16);
++				d16[i] = ntohs((__force __be16)s16[i]);
+ 			break;
+ 		case NFT_BYTEORDER_HTON:
+ 			for (i = 0; i < priv->len / 2; i++)
+-				d[i].u16 = (__force __u16)htons(s[i].u16);
++				d16[i] = (__force __u16)htons(s16[i]);
+ 			break;
+ 		}
+ 		break;
+-- 
+2.39.3
+

SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch

@@ -0,0 +1,44 @@
+From b07f2873225c6e16abd6ec352e9cd52a72fe7785 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Wed, 31 May 2023 18:28:04 +0800
+Subject: [PATCH 6/6] net/sched: flower: fix possible OOB write in
+ fl_set_geneve_opt()
+
+If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
+size is 252 bytes(key->enc_opts.len = 252) then
+key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
+TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
+bypasses the next bounds check and results in an out-of-bounds.
+
+Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Simon Horman <simon.horman@corigine.com>
+Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
+Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+(cherry picked from commit 4d56304e5827c8cc8cc18c75343d283af7c4825c)
+
+CVE: CVE-2023-35788
+Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
+Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
+---
+ net/sched/cls_flower.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index b81abfcd2a19..ca232483cfab 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -1151,6 +1151,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
+ 	if (option_len > sizeof(struct geneve_opt))
+ 		data_len = option_len - sizeof(struct geneve_opt);
+ 
++	if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
++		return -ERANGE;
++
+ 	opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
+ 	memset(opt, 0xff, option_len);
+ 	opt->length = data_len / 4;
+-- 
+2.39.3
+

SPECS/kernel.spec

@@ -38,11 +38,11 @@
 # define buildid .local
 
 %define rpmversion 4.18.0
-%define pkgrelease 477.21.3.el8_8
+%define pkgrelease 477.27.1.el8_8
 %define tarfile_release 477.13.1.el8_8
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 477.21.3%{?dist}
+%define specrelease 477.27.1%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -523,17 +523,23 @@ Source4001: rpminspect.yaml
 # empty final patch to facilitate testing of kernel patches
 Patch999999: linux-kernel-test.patch
 
-Patch1000: debrand-single-cpu.patch
+Patch0001: debrand-single-cpu.patch
-# Patch1001: debrand-rh_taint.patch
+# Patch0002: debrand-rh_taint.patch
-Patch1002: debrand-rh-i686-cpu.patch
+Patch0003: debrand-rh-i686-cpu.patch
-Patch1003: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
+Patch1001: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
-Patch1004: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
+Patch1002: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
-Patch1005: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
+Patch1003: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
-Patch1006: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch
+Patch1004: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch
-Patch1007: 1005-net-sched-Retire-tcindex-classifier.patch
+Patch1005: 1005-net-sched-Retire-tcindex-classifier.patch
-Patch1008: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
+Patch1006: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
-Patch1009: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
+Patch1007: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
-Patch1010: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
+Patch1008: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
+Patch1009: 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
+Patch1010: 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
+Patch1011: 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch
+Patch1012: 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
+Patch1013: 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
+Patch1014: 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
 
 Patch9001: 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
 Patch9002: 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
@@ -1108,6 +1114,12 @@ ApplyPatch 1005-net-sched-Retire-tcindex-classifier.patch
 ApplyPatch 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
 ApplyPatch 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
 ApplyPatch 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
+ApplyPatch 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
+ApplyPatch 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
+ApplyPatch 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch
+ApplyPatch 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
+ApplyPatch 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
+ApplyPatch 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
 
 ApplyPatch 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
 ApplyPatch 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
@@ -2715,6 +2727,14 @@ fi
 #
 #
 %changelog
+* Thu Sep 21 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.27.1.el8_8]
+- bluetooth: Perform careful capability checks in hci_sock_ioctl() {CVE-2023-2002}
+- ipvlan:Fix out-of-bounds caused by unclear skb->cb {CVE-2023-3090}
+- net/sched: cls_fw: Fix improper refcount update leads to use-after-free {CVE-2023-3776}
+- netfilter: nft_set_pipapo: fix improper element removal {CVE-2023-4004}
+- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval {CVE-2023-35001}
+- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() {CVE-2023-35788}
+
 * Fri Sep 08 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.21.3.el8_8]
 - x86/microcode/AMD: Load late on both threads too