rpms
/
kernel-rt
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 4.18.0-477.27.1.rt7.290.el8_8

This commit is contained in:
Andrew Lukoshko 2023-09-21 11:20:37 +00:00
parent effc079040
commit 57fb2819f5
12 changed files with 901 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch Normal file
View File

@ -0,0 +1,56 @@
From 5bdcf7f9a8e44d61d724943167c381611b02a5ff Mon Sep 17 00:00:00 2001
From: Ruihan Li <lrh2000@pku.edu.cn>
Date: Sun, 16 Apr 2023 16:14:04 +0800
Subject: [PATCH 1/6] bluetooth: Perform careful capability checks in
hci_sock_ioctl()
Previously, capability was checked using capable(), which verified that the
caller of the ioctl system call had the required capability. In addition,
the result of the check would be stored in the HCI_SOCK_TRUSTED flag,
making it persistent for the socket.
However, malicious programs can abuse this approach by deliberately sharing
an HCI socket with a privileged task. The HCI socket will be marked as
trusted when the privileged task occasionally makes an ioctl call.
This problem can be solved by using sk_capable() to check capability, which
ensures that not only the current task but also the socket opener has the
specified capability, thus reducing the risk of privilege escalation
through the previously identified vulnerability.
Cc: stable@vger.kernel.org
Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets")
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
(cherry picked from commit 25c150ac103a4ebeed0319994c742a90634ddf18)
CVE: CVE-2023-2002
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/bluetooth/hci_sock.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index d7c9ead69554..3cb8a2879ebb 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1000,7 +1000,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd,
if (hci_sock_gen_cookie(sk)) {
struct sk_buff *skb;
- if (capable(CAP_NET_ADMIN))
+ /* Perform careful checks before setting the HCI_SOCK_TRUSTED
+ * flag. Make sure that not only the current task but also
+ * the socket opener has the required capability, since
+ * privileged programs can be tricked into making ioctl calls
+ * on HCI sockets, and the socket should not be marked as
+ * trusted simply because the ioctl caller is privileged.
+ */
+ if (sk_capable(sk, CAP_NET_ADMIN))
hci_sock_set_flag(sk, HCI_SOCK_TRUSTED);
/* Send event to monitor */
--
2.39.3

172
SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch Normal file
View File

@ -0,0 +1,172 @@
From e594c8e25c5f6a3432c324cf8df93d34578825bb Mon Sep 17 00:00:00 2001
From: "t.feng" <fengtao40@huawei.com>
Date: Wed, 10 May 2023 11:50:44 +0800
Subject: [PATCH 2/6] ipvlan:Fix out-of-bounds caused by unclear skb->cb
If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
is actually skb->cb, and IPCB(skb_in)->opt will be used in
__ip_options_echo. It is possible that memcpy is out of bounds and lead
to stack overflow.
We should clear skb->cb before ip_local_out or ip6_local_out.
v2:
1. clean the stack info
2. use IPCB/IP6CB instead of skb->cb
crash on stable-5.10(reproduce in kasan kernel).
Stack info:
[ 2203.651571] BUG: KASAN: stack-out-of-bounds in
__ip_options_echo+0x589/0x800
[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
swapper/3/0
[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
[ 2203.655475] Call Trace:
[ 2203.655481] <IRQ>
[ 2203.655501] dump_stack+0x9c/0xd3
[ 2203.655514] print_address_description.constprop.0+0x19/0x170
[ 2203.655530] __kasan_report.cold+0x6c/0x84
[ 2203.655586] kasan_report+0x3a/0x50
[ 2203.655594] check_memory_region+0xfd/0x1f0
[ 2203.655601] memcpy+0x39/0x60
[ 2203.655608] __ip_options_echo+0x589/0x800
[ 2203.655654] __icmp_send+0x59a/0x960
[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT]
[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables]
[ 2203.655821] nf_hook_slow+0x69/0x100
[ 2203.655828] __ip_local_out+0x21e/0x2b0
[ 2203.655857] ip_local_out+0x28/0x90
[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
[ 2203.655984] xmit_one.constprop.0+0xe1/0x280
[ 2203.655992] dev_hard_start_xmit+0x62/0x100
[ 2203.656000] sch_direct_xmit+0x215/0x640
[ 2203.656028] __qdisc_run+0x153/0x1f0
[ 2203.656069] __dev_queue_xmit+0x77f/0x1030
[ 2203.656173] ip_finish_output2+0x59b/0xc20
[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0
[ 2203.656312] ip_finish_output+0x168/0x190
[ 2203.656320] ip_output+0x12d/0x220
[ 2203.656357] __ip_queue_xmit+0x392/0x880
[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0
[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30
[ 2203.656505] tcp_retransmit_skb+0x2d/0x190
[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0
[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510
[ 2203.656529] tcp_write_timer+0x55/0x180
[ 2203.656542] call_timer_fn+0x3f/0x1d0
[ 2203.656555] expire_timers+0x160/0x200
[ 2203.656562] run_timer_softirq+0x1f4/0x480
[ 2203.656606] __do_softirq+0xfd/0x402
[ 2203.656613] asm_call_irq_on_stack+0x12/0x20
[ 2203.656617] </IRQ>
[ 2203.656623] do_softirq_own_stack+0x37/0x50
[ 2203.656631] irq_exit_rcu+0x134/0x1a0
[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80
[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
ffffffffaf290191
[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
ffff88811a3c4f60
[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
ffff88811a3c4f63
[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
0000000000000003
[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
0000000000000000
[ 2203.656729] default_idle_call+0x5a/0x150
[ 2203.656735] cpuidle_idle_call+0x1c6/0x220
[ 2203.656780] do_idle+0xab/0x100
[ 2203.656786] cpu_startup_entry+0x19/0x20
[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb
[ 2203.657409] The buggy address belongs to the page:
[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x11a388
[ 2203.658665] flags:
0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
0000000000000000
[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
0000000000000000
[ 2203.658686] page dumped because: kasan: bad access detected
To reproduce(ipvlan with IPVLAN_MODE_L3):
Env setting:
=======================================================
modprobe ipvlan ipvlan_default_mode=1
sysctl net.ipv4.conf.eth0.forwarding=1
iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j
MASQUERADE
ip link add gw link eth0 type ipvlan
ip -4 addr add 20.0.0.254/24 dev gw
ip netns add net1
ip link add ipv1 link eth0 type ipvlan
ip link set ipv1 netns net1
ip netns exec net1 ip link set ipv1 up
ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
ip netns exec net1 route add default gw 20.0.0.254
ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
ifconfig gw up
iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with
icmp-port-unreachable
=======================================================
And then excute the shell(curl any address of eth0 can reach):
for((i=1;i<=100000;i++))
do
ip netns exec net1 curl x.x.x.x:8888
done
=======================================================
Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: "t.feng" <fengtao40@huawei.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 90cbed5247439a966b645b34eb0a2e037836ea8e)
CVE: CVE-2023-3090
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
drivers/net/ipvlan/ipvlan_core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index 62c73a8ed0c3..f1ffe1800754 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -443,6 +443,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
goto err;
}
skb_dst_set(skb, &rt->dst);
+
+ memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+
err = ip_local_out(net, skb->sk, skb);
if (unlikely(net_xmit_eval(err)))
dev->stats.tx_errors++;
@@ -481,6 +484,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
goto err;
}
skb_dst_set(skb, dst);
+
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+
err = ip6_local_out(net, skb->sk, skb);
if (unlikely(net_xmit_eval(err)))
dev->stats.tx_errors++;
--
2.39.3

62
SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch Normal file
View File

@ -0,0 +1,62 @@
From 0da574f21ad25aae92e8262b7636dc95cf12aacf Mon Sep 17 00:00:00 2001
From: M A Ramdhan <ramdhan@starlabs.sg>
Date: Wed, 5 Jul 2023 12:15:30 -0400
Subject: [PATCH 3/6] net/sched: cls_fw: Fix improper refcount update leads to
use-after-free
In the event of a failure in tcf_change_indev(), fw_set_parms() will
immediately return an error after incrementing or decrementing
reference counter in tcf_bind_filter(). If attacker can control
reference counter to zero and make reference freed, leading to
use after free.
In order to prevent this, move the point of possible failure above the
point where the TC_FW_CLASSID is handled.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: M A Ramdhan <ramdhan@starlabs.sg>
Signed-off-by: M A Ramdhan <ramdhan@starlabs.sg>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f)
CVE: CVE-2023-3776
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/sched/cls_fw.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 6a0d3ee00758..4240ca68cbc4 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -214,11 +214,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
if (err < 0)
return err;
- if (tb[TCA_FW_CLASSID]) {
- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
- tcf_bind_filter(tp, &f->res, base);
- }
-
if (tb[TCA_FW_INDEV]) {
int ret;
ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
@@ -235,6 +230,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
} else if (head->mask != 0xFFFFFFFF)
return err;
+ if (tb[TCA_FW_CLASSID]) {
+ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+ tcf_bind_filter(tp, &f->res, base);
+ }
+
return 0;
}
--
2.39.3

63
SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch Normal file
View File

@ -0,0 +1,63 @@
From 036bd76b11980194badfb3b281a0307b4f6be7df Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Wed, 19 Jul 2023 21:08:21 +0200
Subject: [PATCH 4/6] netfilter: nft_set_pipapo: fix improper element removal
end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
Its possible to add elements that only have a start key
("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.
Insertion treats this via:
if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
end = (const u8 *)nft_set_ext_key_end(ext)->data;
else
end = start;
but removal side always uses nft_set_ext_key_end().
This is wrong and leads to garbage remaining in the set after removal
next lookup/insert attempt will give:
BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
Call Trace:
kasan_report+0x105/0x140
pipapo_get+0x8eb/0xb90
nft_pipapo_insert+0x1dc/0x1710
nf_tables_newsetelem+0x31f5/0x4e00
..
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Reported-by: lonial con <kongln9170@gmail.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 87b5a5c209405cb6b57424cdfa226a6dbd349232)
CVE: CVE-2023-4004
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/netfilter/nft_set_pipapo.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 1eab335fb14b..0181617f9628 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1797,7 +1797,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
int i, start, rules_fx;
match_start = data;
- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
+
+ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
+ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
+ else
+ match_end = data;
start = first_rule;
rules_fx = rules_f0;
--
2.39.3

217
SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch Normal file
View File

@ -0,0 +1,217 @@
From b8f43f1b9945bb063ef0eae3bcdc6e04d8728d8f Mon Sep 17 00:00:00 2001
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Date: Wed, 5 Jul 2023 18:05:35 -0300
Subject: [PATCH 5/6] netfilter: nf_tables: prevent OOB access in
nft_byteorder_eval
When evaluating byteorder expressions with size 2, a union with 32-bit and
16-bit members is used. Since the 16-bit members are aligned to 32-bit,
the array accesses will be out-of-bounds.
It may lead to a stack-out-of-bounds access like the one below:
[ 23.095215] ==================================================================
[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320
[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115
[ 23.096358]
[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413
[ 23.096770] Call Trace:
[ 23.096910] <IRQ>
[ 23.097030] dump_stack_lvl+0x60/0xc0
[ 23.097218] print_report+0xcf/0x630
[ 23.097388] ? nft_byteorder_eval+0x13c/0x320
[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0
[ 23.097760] ? nft_byteorder_eval+0x13c/0x320
[ 23.097949] kasan_report+0xc9/0x110
[ 23.098106] ? nft_byteorder_eval+0x13c/0x320
[ 23.098298] __asan_load2+0x83/0xd0
[ 23.098453] nft_byteorder_eval+0x13c/0x320
[ 23.098659] nft_do_chain+0x1c8/0xc50
[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10
[ 23.099078] ? __kasan_check_read+0x11/0x20
[ 23.099295] ? __pfx___lock_acquire+0x10/0x10
[ 23.099535] ? __pfx___lock_acquire+0x10/0x10
[ 23.099745] ? __kasan_check_read+0x11/0x20
[ 23.099929] nft_do_chain_ipv4+0xfe/0x140
[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10
[ 23.100327] ? lock_release+0x204/0x400
[ 23.100515] ? nf_hook.constprop.0+0x340/0x550
[ 23.100779] nf_hook_slow+0x6c/0x100
[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10
[ 23.101223] nf_hook.constprop.0+0x334/0x550
[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10
[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10
[ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10
[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10
[ 23.102291] ? rcu_read_lock_held+0x4b/0x70
[ 23.102481] ip_local_deliver+0xbb/0x110
[ 23.102665] ? __pfx_ip_rcv+0x10/0x10
[ 23.102839] ip_rcv+0x199/0x2a0
[ 23.102980] ? __pfx_ip_rcv+0x10/0x10
[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150
[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10
[ 23.103647] ? mark_held_locks+0x48/0xa0
[ 23.103819] ? process_backlog+0x36c/0x380
[ 23.103999] __netif_receive_skb+0x23/0xc0
[ 23.104179] process_backlog+0x91/0x380
[ 23.104350] __napi_poll.constprop.0+0x66/0x360
[ 23.104589] ? net_rx_action+0x1cb/0x610
[ 23.104811] net_rx_action+0x33e/0x610
[ 23.105024] ? _raw_spin_unlock+0x23/0x50
[ 23.105257] ? __pfx_net_rx_action+0x10/0x10
[ 23.105485] ? mark_held_locks+0x48/0xa0
[ 23.105741] __do_softirq+0xfa/0x5ab
[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00
[ 23.106193] do_softirq.part.0+0x49/0xc0
[ 23.106423] </IRQ>
[ 23.106547] <TASK>
[ 23.106670] __local_bh_enable_ip+0xf5/0x120
[ 23.106903] __dev_queue_xmit+0x789/0x1c00
[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10
[ 23.107381] ? find_held_lock+0x8e/0xb0
[ 23.107585] ? lock_release+0x204/0x400
[ 23.107798] ? neigh_resolve_output+0x185/0x350
[ 23.108049] ? mark_held_locks+0x48/0xa0
[ 23.108265] ? neigh_resolve_output+0x185/0x350
[ 23.108514] neigh_resolve_output+0x246/0x350
[ 23.108753] ? neigh_resolve_output+0x246/0x350
[ 23.109003] ip_finish_output2+0x3c3/0x10b0
[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10
[ 23.109510] ? __pfx_nf_hook+0x10/0x10
[ 23.109732] __ip_finish_output+0x217/0x390
[ 23.109978] ip_finish_output+0x2f/0x130
[ 23.110207] ip_output+0xc9/0x170
[ 23.110404] ip_push_pending_frames+0x1a0/0x240
[ 23.110652] raw_sendmsg+0x102e/0x19e0
[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10
[ 23.111093] ? lock_release+0x204/0x400
[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330
[ 23.111567] ? find_held_lock+0x8e/0xb0
[ 23.111777] ? find_held_lock+0x8e/0xb0
[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0
[ 23.112225] ? aa_sk_perm+0x18a/0x550
[ 23.112431] ? filemap_map_pages+0x4f1/0x900
[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10
[ 23.112880] ? find_held_lock+0x8e/0xb0
[ 23.113098] inet_sendmsg+0xa0/0xb0
[ 23.113297] ? inet_sendmsg+0xa0/0xb0
[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10
[ 23.113727] sock_sendmsg+0xf4/0x100
[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0
[ 23.114190] __sys_sendto+0x1d4/0x290
[ 23.114391] ? __pfx___sys_sendto+0x10/0x10
[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10
[ 23.114869] ? lock_release+0x204/0x400
[ 23.115076] ? find_held_lock+0x8e/0xb0
[ 23.115287] ? rcu_is_watching+0x23/0x60
[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860
[ 23.115778] ? __kasan_check_write+0x14/0x30
[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770
[ 23.116285] ? mark_held_locks+0x28/0xa0
[ 23.116503] ? do_syscall_64+0x37/0x90
[ 23.116713] __x64_sys_sendto+0x7f/0xb0
[ 23.116924] do_syscall_64+0x59/0x90
[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30
[ 23.117387] ? irqentry_exit+0x77/0xb0
[ 23.117593] ? exc_page_fault+0x92/0x140
[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 23.118081] RIP: 0033:0x7f744aee2bba
[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba
[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003
[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010
[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0
[ 23.121617] </TASK>
[ 23.121749]
[ 23.121845] The buggy address belongs to the virtual mapping at
[ 23.121845] [ffffc90000000000, ffffc90000009000) created by:
[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270
[ 23.122707]
[ 23.122803] The buggy address belongs to the physical page:
[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09
[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff)
[ 23.123998] page_type: 0xffffffff()
[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000
[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 23.125023] page dumped because: kasan: bad access detected
[ 23.125326]
[ 23.125421] Memory state around the buggy address:
[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00
[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00
[ 23.126840] ^
[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3
[ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 23.127906] ==================================================================
[ 23.128324] Disabling lock debugging due to kernel taint
Using simple s16 pointers for the 16-bit accesses fixes the problem. For
the 32-bit accesses, src and dst can be used directly.
Fixes: 96518518cc41 ("netfilter: add nftables")
Cc: stable@vger.kernel.org
Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd)
CVE: CVE-2023-35001
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/netfilter/nft_byteorder.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
index 6fc6f2f45b0a..a752c98e97fb 100644
--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -33,11 +33,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
const struct nft_byteorder *priv = nft_expr_priv(expr);
u32 *src = &regs->data[priv->sreg];
u32 *dst = &regs->data[priv->dreg];
- union { u32 u32; u16 u16; } *s, *d;
+ u16 *s16, *d16;
unsigned int i;
- s = (void *)src;
- d = (void *)dst;
+ s16 = (void *)src;
+ d16 = (void *)dst;
switch (priv->size) {
case 8: {
@@ -64,11 +64,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
switch (priv->op) {
case NFT_BYTEORDER_NTOH:
for (i = 0; i < priv->len / 4; i++)
- d[i].u32 = ntohl((__force __be32)s[i].u32);
+ dst[i] = ntohl((__force __be32)src[i]);
break;
case NFT_BYTEORDER_HTON:
for (i = 0; i < priv->len / 4; i++)
- d[i].u32 = (__force __u32)htonl(s[i].u32);
+ dst[i] = (__force __u32)htonl(src[i]);
break;
}
break;
@@ -76,11 +76,11 @@ void nft_byteorder_eval(const struct nft_expr *expr,
switch (priv->op) {
case NFT_BYTEORDER_NTOH:
for (i = 0; i < priv->len / 2; i++)
- d[i].u16 = ntohs((__force __be16)s[i].u16);
+ d16[i] = ntohs((__force __be16)s16[i]);
break;
case NFT_BYTEORDER_HTON:
for (i = 0; i < priv->len / 2; i++)
- d[i].u16 = (__force __u16)htons(s[i].u16);
+ d16[i] = (__force __u16)htons(s16[i]);
break;
}
break;
--
2.39.3

44
SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch Normal file
View File

@ -0,0 +1,44 @@
From b07f2873225c6e16abd6ec352e9cd52a72fe7785 Mon Sep 17 00:00:00 2001
From: Hangyu Hua <hbh25y@gmail.com>
Date: Wed, 31 May 2023 18:28:04 +0800
Subject: [PATCH 6/6] net/sched: flower: fix possible OOB write in
fl_set_geneve_opt()
If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
size is 252 bytes(key->enc_opts.len = 252) then
key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
bypasses the next bounds check and results in an out-of-bounds.
Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 4d56304e5827c8cc8cc18c75343d283af7c4825c)
CVE: CVE-2023-35788
Signed-off-by: Mridula Shastry <mridula.c.shastry@oracle.com>
Reviewed-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
---
net/sched/cls_flower.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index b81abfcd2a19..ca232483cfab 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1151,6 +1151,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
if (option_len > sizeof(struct geneve_opt))
data_len = option_len - sizeof(struct geneve_opt);
+ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
+ return -ERANGE;
+
opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
memset(opt, 0xff, option_len);
opt->length = data_len / 4;
--
2.39.3

110
SOURCES/9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch Normal file
View File

@ -0,0 +1,110 @@
From a0bb51f2638e0810c347024679239fd10a8f7990 Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Tue, 28 Apr 2020 11:38:22 +0200
Subject: [PATCH] x86/xen: Split HVM vector callback setup and interrupt gate
allocation
As a preparatory change for making alloc_intr_gate() __init split
xen_callback_vector() into callback vector setup via hypercall
(xen_setup_callback_vector()) and interrupt gate allocation
(xen_alloc_callback_vector()).
xen_setup_callback_vector() is being called twice: on init and upon
system resume from xen_hvm_post_suspend(). alloc_intr_gate() only
needs to be called once.
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20200428093824.1451532-2-vkuznets@redhat.com
---
arch/x86/xen/suspend_hvm.c | 2 +-
arch/x86/xen/xen-ops.h | 2 +-
drivers/xen/events/events_base.c | 28 +++++++++++++++++-----------
3 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/arch/x86/xen/suspend_hvm.c b/arch/x86/xen/suspend_hvm.c
index e666b614cf6d..5152afe16876 100644
--- a/arch/x86/xen/suspend_hvm.c
+++ b/arch/x86/xen/suspend_hvm.c
@@ -13,6 +13,6 @@ void xen_hvm_post_suspend(int suspend_cancelled)
xen_hvm_init_shared_info();
xen_vcpu_restore();
}
- xen_callback_vector();
+ xen_setup_callback_vector();
xen_unplug_emulated_devices();
}
diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
index 45a441c33d6d..1cc1568bfe04 100644
--- a/arch/x86/xen/xen-ops.h
+++ b/arch/x86/xen/xen-ops.h
@@ -55,7 +55,7 @@ void xen_enable_sysenter(void);
void xen_enable_syscall(void);
void xen_vcpu_restore(void);
-void xen_callback_vector(void);
+void xen_setup_callback_vector(void);
void xen_hvm_init_shared_info(void);
void xen_unplug_emulated_devices(void);
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
index 3a791c8485d0..eb35c3cda9a6 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -1639,26 +1639,30 @@ EXPORT_SYMBOL_GPL(xen_set_callback_via);
/* Vector callbacks are better than PCI interrupts to receive event
* channel notifications because we can receive vector callbacks on any
* vcpu and we don't need PCI support or APIC interactions. */
-void xen_callback_vector(void)
+void xen_setup_callback_vector(void)
{
- int rc;
uint64_t callback_via;
if (xen_have_vector_callback) {
callback_via = HVM_CALLBACK_VECTOR(HYPERVISOR_CALLBACK_VECTOR);
- rc = xen_set_callback_via(callback_via);
- if (rc) {
+ if (xen_set_callback_via(callback_via)) {
pr_err("Request for Xen HVM callback vector failed\n");
xen_have_vector_callback = 0;
- return;
}
- pr_info("Xen HVM callback vector for event delivery is enabled\n");
- alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR,
- xen_hvm_callback_vector);
}
}
+
+static __init void xen_alloc_callback_vector(void)
+{
+ if (!xen_have_vector_callback)
+ return;
+
+ pr_info("Xen HVM callback vector for event delivery is enabled\n");
+ alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR, xen_hvm_callback_vector);
+}
#else
-void xen_callback_vector(void) {}
+void xen_setup_callback_vector(void) {}
+static inline void xen_alloc_callback_vector(void) {}
#endif
#undef MODULE_PARAM_PREFIX
@@ -1692,8 +1696,10 @@ void __init xen_init_IRQ(void)
if (xen_initial_domain())
pci_xen_initial_domain();
}
- if (xen_feature(XENFEAT_hvm_callback_vector))
- xen_callback_vector();
+ if (xen_feature(XENFEAT_hvm_callback_vector)) {
+ xen_setup_callback_vector();
+ xen_alloc_callback_vector();
+ }
if (xen_hvm_domain()) {
native_init_IRQ();
--
2.27.0

30
SOURCES/9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch Normal file
View File

@ -0,0 +1,30 @@
From a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d Mon Sep 17 00:00:00 2001
From: "Borislav Petkov (AMD)" <bp@alien8.de>
Date: Tue, 2 May 2023 19:53:50 +0200
Subject: [PATCH] x86/microcode/AMD: Load late on both threads too
Do the same as early loading - load on both threads.
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: <stable@kernel.org>
Link: https://lore.kernel.org/r/20230605141332.25948-1-bp@alien8.de
---
arch/x86/kernel/cpu/microcode/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
index f14f4ea0b537..87208e46f7ed 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -700,7 +700,7 @@ static enum ucode_state apply_microcode_amd(int cpu)
rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
/* need to apply patch? */
- if (rev >= mc_amd->hdr.patch_id) {
+ if (rev > mc_amd->hdr.patch_id) {
ret = UCODE_OK;
goto out;
}
--
2.27.0

11
SOURCES/debrand-rh-i686-cpu.patch Normal file
View File

@ -0,0 +1,11 @@
--- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700
+++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700
@@ -147,7 +147,7 @@ void main(void)
/* Make sure we have all the proper CPU support */
if (validate_cpu()) {
- puts("This processor is not supported in this version of RHEL.\n");
+ puts("This processor is not supported in this version of AlmaLinux.\n");
die();
}

81
SOURCES/debrand-rh_taint.patch Normal file
View File

@ -0,0 +1,81 @@
--- a/kernel/rh_taint.c 2020-10-16 10:41:51.000000000 -0500
+++ b/kernel/rh_taint.c 2020-11-19 10:50:24.853039167 -0600
@@ -2,12 +2,12 @@
#include <linux/module.h>
/*
- * The following functions are used by Red Hat to indicate to users that
- * hardware and drivers are unsupported, or have limited support in RHEL major
+ * The following functions are used by AlmaLinux to indicate to users that
+ * hardware and drivers are unsupported, or have limited support in AlmaLinux major
* and minor releases. These functions output loud warning messages to the end
* user and should be USED WITH CAUTION.
*
- * Any use of these functions _MUST_ be documented in the RHEL Release Notes,
+ * Any use of these functions _MUST_ be documented in the AlmaLinux Release Notes,
* and have approval of management.
*/
@@ -16,15 +16,15 @@
* @msg: Hardware name, class, or type
*
* Called to mark a device, class of devices, or types of devices as not having
- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat
- * will not fix bugs against this hardware in this minor release. Red Hat may
+ * support in any AlmaLinux minor release. This does not TAINT the kernel. AlmaLinux
+ * will not fix bugs against this hardware in this minor release. AlmaLinux may
* declare support in a future major or minor update release. This cannot be
* used to mark drivers unsupported.
*/
void mark_hardware_unsupported(const char *msg)
{
/* Print one single message */
- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified. Please consult https://catalog.redhat.com for certified hardware.\n", msg);
+ pr_crit("Warning: %s - this hardware has not undergone testing by AlmaLinux and might not be certified.\n", msg);
}
EXPORT_SYMBOL(mark_hardware_unsupported);
@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported)
* Called to minimize the support status of a previously supported device in
* a minor release. This does not TAINT the kernel. Marking hardware
* deprecated is usually done in conjunction with the hardware vendor. Future
- * RHEL major releases may not include this driver. Driver updates and fixes
+ * AlmaLinux major releases may not include this driver. Driver updates and fixes
* for this device will be limited to critical issues in future minor releases.
*/
void mark_hardware_deprecated(const char *msg)
{
- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg);
+ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this AlmaLinux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact AlmaLinux Support or your device's hardware vendor for additional information.\n", msg);
}
EXPORT_SYMBOL(mark_hardware_deprecated);
@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated);
*
* Called to minimize the support status of a new driver. This does TAINT the
* kernel. Calling this function indicates that the driver or subsystem has
- * had limited testing and is not marked for full support within this RHEL
- * minor release. The next RHEL minor release may contain full support for
- * this driver. Red Hat does not guarantee that bugs reported against this
+ * had limited testing and is not marked for full support within this AlmaLinux
+ * minor release. The next AlmaLinux minor release may contain full support for
+ * this driver. AlmaLinux does not guarantee that bugs reported against this
* driver or subsystem will be resolved.
*/
void mark_tech_preview(const char *msg, struct module *mod)
@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview);
* mark_driver_unsupported - drivers that we know we don't want to support
* @name: the name of the driver
*
- * In some cases Red Hat has chosen to build a driver for internal QE
+ * In some cases AlmaLinux has chosen to build a driver for internal QE
* use. Use this function to mark those drivers as unsupported for
* customers.
*/
void mark_driver_unsupported(const char *name)
{
- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n",
+ pr_crit("Warning: %s - This driver has not undergone sufficient testing by AlmaLinux for this release and therefore cannot be used in production systems.\n",
name ? name : "kernel");
}
EXPORT_SYMBOL(mark_driver_unsupported);

11
SOURCES/debrand-single-cpu.patch Normal file
View File

@ -0,0 +1,11 @@
--- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700
+++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700
@@ -900,7 +900,7 @@ static void rh_check_supported(void)
if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) &&
!guest && is_kdump_kernel()) {
pr_crit("Detected single cpu native boot.\n");
- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems.");
+ pr_crit("Important: In AlmaLinux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see https://www.almalinux.org for more information");
}
/*

55
SPECS/kernel.spec
View File

@ -38,11 +38,11 @@
# define buildid .local
%define rpmversion 4.18.0
%define pkgrelease 477.21.1.rt7.284.el8_8
%define pkgrelease 477.27.1.rt7.290.el8_8
%define tarfile_release 477.13.1.rt7.276.el8_8
# allow pkg_release to have configurable %%{?dist} tag
%define specrelease 477.21.1.rt7.284%{?dist}
%define specrelease 477.27.1.rt7.290%{?dist}
%define pkg_release %{specrelease}%{?buildid}
@ -149,7 +149,7 @@
# The preempt RT patch level
%global rttag .rt7
# realtimeN
%global rtbuild .276
%global rtbuild .290
%define with_doc 0
%define with_headers 0
%define with_cross_headers 0
@ -521,14 +521,26 @@ Source4000: gating.yaml
Source4001: rpminspect.yaml
## Patches needed for building this package
Patch1003: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
Patch1004: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
Patch1005: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
Patch1006: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch
Patch1007: 1005-net-sched-Retire-tcindex-classifier.patch
Patch1008: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
Patch1009: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
Patch1010: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
Patch0001: debrand-single-cpu.patch
# Patch0002: debrand-rh_taint.patch
Patch0003: debrand-rh-i686-cpu.patch
Patch1001: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
Patch1002: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
Patch1003: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
Patch1004: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch
Patch1005: 1005-net-sched-Retire-tcindex-classifier.patch
Patch1006: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
Patch1007: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
Patch1008: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
Patch1009: 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
Patch1010: 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
Patch1011: 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch
Patch1012: 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
Patch1013: 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
Patch1014: 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
Patch9001: 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
Patch9002: 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
# empty final patch to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch
@ -1090,6 +1102,9 @@ mv linux-%{rpmversion}-%{tarfile_release} linux-%{KVERREL}
cd linux-%{KVERREL}
ApplyPatch debrand-single-cpu.patch
# ApplyPatch debrand-rh_taint.patch
ApplyPatch debrand-rh-i686-cpu.patch
ApplyPatch 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch
ApplyPatch 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch
ApplyPatch 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch
@ -1098,6 +1113,16 @@ ApplyPatch 1005-net-sched-Retire-tcindex-classifier.patch
ApplyPatch 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch
ApplyPatch 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch
ApplyPatch 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch
ApplyPatch 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
ApplyPatch 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch
ApplyPatch 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch
ApplyPatch 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
ApplyPatch 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
ApplyPatch 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch
ApplyPatch 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
ApplyPatch 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
ApplyOptionalPatch linux-kernel-test.patch
# END OF PATCH APPLICATIONS
@ -2706,6 +2731,14 @@ fi
#
#
%changelog
* Thu Sep 21 2023 Andrew Lukoshko <alukoshko@almalinux.org> [4.18.0-477.27.1.rt7.290.el8_8]
- bluetooth: Perform careful capability checks in hci_sock_ioctl() {CVE-2023-2002}
- ipvlan:Fix out-of-bounds caused by unclear skb->cb {CVE-2023-3090}
- net/sched: cls_fw: Fix improper refcount update leads to use-after-free {CVE-2023-3776}
- netfilter: nft_set_pipapo: fix improper element removal {CVE-2023-4004}
- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval {CVE-2023-35001}
- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() {CVE-2023-35788}
* Tue Aug 8 2023 Nagappan Ramasamy Palaniappan <nagappan.ramasamy.palaniappan@oracle.com> [4.18.0-477.21.1.rt7.284.el8_8]
- Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM (Tamás Koczka) {CVE-2022-42896}
- net/sched: tcindex: update imperfect hash filters respecting rcu (Jamal Hadi Salim) {CVE-2023-1281}