diff --git a/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch b/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
new file mode 100644
index 0000000..f24e08e
--- /dev/null
+++ b/SOURCES/1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch
@@ -0,0 +1,56 @@ +From 5bdcf7f9a8e44d61d724943167c381611b02a5ff Mon Sep 17 00:00:00 2001 +From: Ruihan Li +Date: Sun, 16 Apr 2023 16:14:04 +0800 +Subject: [PATCH 1/6] bluetooth: Perform careful capability checks in + hci_sock_ioctl() + +Previously, capability was checked using capable(), which verified that the +caller of the ioctl system call had the required capability. In addition, +the result of the check would be stored in the HCI_SOCK_TRUSTED flag, +making it persistent for the socket. + +However, malicious programs can abuse this approach by deliberately sharing +an HCI socket with a privileged task. The HCI socket will be marked as +trusted when the privileged task occasionally makes an ioctl call. + +This problem can be solved by using sk_capable() to check capability, which +ensures that not only the current task but also the socket opener has the +specified capability, thus reducing the risk of privilege escalation +through the previously identified vulnerability. + +Cc: stable@vger.kernel.org +Fixes: f81f5b2db869 ("Bluetooth: Send control open and close messages for HCI raw sockets") +Signed-off-by: Ruihan Li +Signed-off-by: Luiz Augusto von Dentz +(cherry picked from commit 25c150ac103a4ebeed0319994c742a90634ddf18) + +CVE: CVE-2023-2002 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + net/bluetooth/hci_sock.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index d7c9ead69554..3cb8a2879ebb 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -1000,7 +1000,14 @@ static int hci_sock_ioctl(struct socket *sock, unsigned int cmd, + if (hci_sock_gen_cookie(sk)) { + struct sk_buff *skb; + +- if (capable(CAP_NET_ADMIN)) ++ /* Perform careful checks before setting the HCI_SOCK_TRUSTED ++ * flag. 
Make sure that not only the current task but also ++ * the socket opener has the required capability, since ++ * privileged programs can be tricked into making ioctl calls ++ * on HCI sockets, and the socket should not be marked as ++ * trusted simply because the ioctl caller is privileged. ++ */ ++ if (sk_capable(sk, CAP_NET_ADMIN)) + hci_sock_set_flag(sk, HCI_SOCK_TRUSTED); + + /* Send event to monitor */ +-- +2.39.3 + diff --git a/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch b/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch new file mode 100644 index 0000000..1b27d11 --- /dev/null +++ b/SOURCES/1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch 
@@ -0,0 +1,172 @@ +From e594c8e25c5f6a3432c324cf8df93d34578825bb Mon Sep 17 00:00:00 2001 +From: "t.feng" +Date: Wed, 10 May 2023 11:50:44 +0800 +Subject: [PATCH 2/6] ipvlan:Fix out-of-bounds caused by unclear skb->cb + +If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which +is actually skb->cb, and IPCB(skb_in)->opt will be used in +__ip_options_echo. It is possible that memcpy is out of bounds and lead +to stack overflow. +We should clear skb->cb before ip_local_out or ip6_local_out. + +v2: +1. clean the stack info +2. use IPCB/IP6CB instead of skb->cb + +crash on stable-5.10(reproduce in kasan kernel). +Stack info: +[ 2203.651571] BUG: KASAN: stack-out-of-bounds in +__ip_options_echo+0x589/0x800 +[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task +swapper/3/0 +[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted +5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1 +[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014 +[ 2203.655475] Call Trace: +[ 2203.655481] +[ 2203.655501] dump_stack+0x9c/0xd3 +[ 2203.655514] print_address_description.constprop.0+0x19/0x170 +[ 2203.655530] __kasan_report.cold+0x6c/0x84 +[ 2203.655586] kasan_report+0x3a/0x50 +[ 2203.655594] check_memory_region+0xfd/0x1f0 +[ 2203.655601] memcpy+0x39/0x60 +[ 2203.655608] __ip_options_echo+0x589/0x800 +[ 2203.655654] __icmp_send+0x59a/0x960 +[ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4] +[ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT] +[ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables] +[ 2203.655821] nf_hook_slow+0x69/0x100 +[ 2203.655828] __ip_local_out+0x21e/0x2b0 +[ 2203.655857] ip_local_out+0x28/0x90 +[ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan] +[ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan] +[ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan] +[ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan] +[ 2203.655984] 
xmit_one.constprop.0+0xe1/0x280 +[ 2203.655992] dev_hard_start_xmit+0x62/0x100 +[ 2203.656000] sch_direct_xmit+0x215/0x640 +[ 2203.656028] __qdisc_run+0x153/0x1f0 +[ 2203.656069] __dev_queue_xmit+0x77f/0x1030 +[ 2203.656173] ip_finish_output2+0x59b/0xc20 +[ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0 +[ 2203.656312] ip_finish_output+0x168/0x190 +[ 2203.656320] ip_output+0x12d/0x220 +[ 2203.656357] __ip_queue_xmit+0x392/0x880 +[ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0 +[ 2203.656436] __tcp_retransmit_skb+0x475/0xa30 +[ 2203.656505] tcp_retransmit_skb+0x2d/0x190 +[ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0 +[ 2203.656519] tcp_write_timer_handler+0x3ba/0x510 +[ 2203.656529] tcp_write_timer+0x55/0x180 +[ 2203.656542] call_timer_fn+0x3f/0x1d0 +[ 2203.656555] expire_timers+0x160/0x200 +[ 2203.656562] run_timer_softirq+0x1f4/0x480 +[ 2203.656606] __do_softirq+0xfd/0x402 +[ 2203.656613] asm_call_irq_on_stack+0x12/0x20 +[ 2203.656617] +[ 2203.656623] do_softirq_own_stack+0x37/0x50 +[ 2203.656631] irq_exit_rcu+0x134/0x1a0 +[ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80 +[ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20 +[ 2203.656654] RIP: 0010:default_idle+0x13/0x20 +[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc +cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb +f4 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08 +[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256 +[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX: +ffffffffaf290191 +[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI: +ffff88811a3c4f60 +[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09: +ffff88811a3c4f63 +[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12: +0000000000000003 +[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15: +0000000000000000 +[ 2203.656729] default_idle_call+0x5a/0x150 +[ 2203.656735] cpuidle_idle_call+0x1c6/0x220 +[ 
2203.656780] do_idle+0xab/0x100 +[ 2203.656786] cpu_startup_entry+0x19/0x20 +[ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb + +[ 2203.657409] The buggy address belongs to the page: +[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0 +mapping:0000000000000000 index:0x0 pfn:0x11a388 +[ 2203.658665] flags: +0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff) +[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208 +0000000000000000 +[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff +0000000000000000 +[ 2203.658686] page dumped because: kasan: bad access detected + +To reproduce(ipvlan with IPVLAN_MODE_L3): +Env setting: +======================================================= +modprobe ipvlan ipvlan_default_mode=1 +sysctl net.ipv4.conf.eth0.forwarding=1 +iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j +MASQUERADE +ip link add gw link eth0 type ipvlan +ip -4 addr add 20.0.0.254/24 dev gw +ip netns add net1 +ip link add ipv1 link eth0 type ipvlan +ip link set ipv1 netns net1 +ip netns exec net1 ip link set ipv1 up +ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1 +ip netns exec net1 route add default gw 20.0.0.254 +ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10% +ifconfig gw up +iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with +icmp-port-unreachable +======================================================= +And then excute the shell(curl any address of eth0 can reach): + +for((i=1;i<=100000;i++)) +do + ip netns exec net1 curl x.x.x.x:8888 +done +======================================================= + +Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: "t.feng" +Suggested-by: Florian Westphal +Reviewed-by: Paolo Abeni +Signed-off-by: David S. 
Miller +(cherry picked from commit 90cbed5247439a966b645b34eb0a2e037836ea8e) + +CVE: CVE-2023-3090 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + drivers/net/ipvlan/ipvlan_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c +index 62c73a8ed0c3..f1ffe1800754 100644 +--- a/drivers/net/ipvlan/ipvlan_core.c ++++ b/drivers/net/ipvlan/ipvlan_core.c +@@ -443,6 +443,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, &rt->dst); ++ ++ memset(IPCB(skb), 0, sizeof(*IPCB(skb))); ++ + err = ip_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +@@ -481,6 +484,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) + goto err; + } + skb_dst_set(skb, dst); ++ ++ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); ++ + err = ip6_local_out(net, skb->sk, skb); + if (unlikely(net_xmit_eval(err))) + dev->stats.tx_errors++; +-- +2.39.3 + diff --git a/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch b/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch new file mode 100644 index 0000000..2a4a108 --- /dev/null +++ b/SOURCES/1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch 
@@ -0,0 +1,62 @@
+From 0da574f21ad25aae92e8262b7636dc95cf12aacf Mon Sep 17 00:00:00 2001
+From: M A Ramdhan
+Date: Wed, 5 Jul 2023 12:15:30 -0400
+Subject: [PATCH 3/6] net/sched: cls_fw: Fix improper refcount update leads to
+ use-after-free
+
+In the event of a failure in tcf_change_indev(), fw_set_parms() will
+immediately return an error after incrementing or decrementing
+reference counter in tcf_bind_filter(). If attacker can control
+reference counter to zero and make reference freed, leading to
+use after free.
+
+In order to prevent this, move the point of possible failure above the
+point where the TC_FW_CLASSID is handled.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: M A Ramdhan
+Signed-off-by: M A Ramdhan
+Acked-by: Jamal Hadi Salim
+Reviewed-by: Pedro Tammela
+Message-ID: <20230705161530.52003-1-ramdhan@starlabs.sg>
+Signed-off-by: Jakub Kicinski
+(cherry picked from commit 0323bce598eea038714f941ce2b22541c46d488f)
+
+CVE: CVE-2023-3776
+Signed-off-by: Mridula Shastry
+Reviewed-by: Venkat Venkatsubra
+---
+ net/sched/cls_fw.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
+index 6a0d3ee00758..4240ca68cbc4 100644
+--- a/net/sched/cls_fw.c
++++ b/net/sched/cls_fw.c
+@@ -214,11 +214,6 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+ if (err < 0)
+ return err;
+ 
+- if (tb[TCA_FW_CLASSID]) {
+- f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
+- tcf_bind_filter(tp, &f->res, base);
+- }
+-
+ if (tb[TCA_FW_INDEV]) {
+ int ret;
+ ret = tcf_change_indev(net, tb[TCA_FW_INDEV], extack);
+@@ -235,6 +230,11 @@ static int fw_set_parms(struct net *net, struct tcf_proto *tp,
+ } else if (head->mask != 0xFFFFFFFF)
+ return err;
+ 
++ if (tb[TCA_FW_CLASSID]) {
++ f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
++ tcf_bind_filter(tp, &f->res, base);
++ }
++
+ return 0;
+ }
+ 
+--
+2.39.3
+
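Review bot: Moving the TCA_FW_CLASSID block below the tcf_change_indev() failure return closes the bind-then-fail path inside fw_set_parms(), but the caller fw_change(), which is outside this hunk, still copies the old filter's tcf_result into the replacement before fw_set_parms() runs, and upstream addressed that copy in a separate follow-up (commit id: [upstream follow-up, not on this page]) together with the sibling classifiers that share this bind-before-validate shape. Confirm the series also carries those follow-ups; otherwise a filter replace can still leave the class refcount unbalanced even with this reorder in place. The err assignment that the surviving `return err;` relies on sits between the two hunks and is not shown here, as is the rest of fw_set_parms().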
diff --git a/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch b/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
new file mode 100644
index 0000000..8aa2c93
--- /dev/null
+++ b/SOURCES/1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch
@@ -0,0 +1,63 @@
+From 036bd76b11980194badfb3b281a0307b4f6be7df Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 19 Jul 2023 21:08:21 +0200
+Subject: [PATCH 4/6] netfilter: nft_set_pipapo: fix improper element removal
+
+end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
+
+Its possible to add elements that only have a start key
+("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.
+
+Insertion treats this via:
+
+if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
+ end = (const u8 *)nft_set_ext_key_end(ext)->data;
+else
+ end = start;
+
+but removal side always uses nft_set_ext_key_end().
+This is wrong and leads to garbage remaining in the set after removal
+next lookup/insert attempt will give:
+
+BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
+Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
+Call Trace:
+ kasan_report+0x105/0x140
+ pipapo_get+0x8eb/0xb90
+ nft_pipapo_insert+0x1dc/0x1710
+ nf_tables_newsetelem+0x31f5/0x4e00
+ ..
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reported-by: lonial con
+Reviewed-by: Stefano Brivio
+Signed-off-by: Florian Westphal
+(cherry picked from commit 87b5a5c209405cb6b57424cdfa226a6dbd349232)
+
+CVE: CVE-2023-4004
+Signed-off-by: Mridula Shastry
+Reviewed-by: Venkat Venkatsubra
+---
+ net/netfilter/nft_set_pipapo.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 1eab335fb14b..0181617f9628 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1797,7 +1797,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
+ int i, start, rules_fx;
+ 
+ match_start = data;
+- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
++
++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
++ else
++ match_end = data;
+ 
+ start = first_rule;
+ rules_fx = rules_f0;
+--
+2.39.3
+
diff --git a/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch b/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
new file mode 100644
index 0000000..cdec0ec
--- /dev/null
+++ b/SOURCES/1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch
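Review bot: The end-key selection added to nft_pipapo_remove() is a verbatim second copy of the insertion-side branch quoted in the commit message, and the two sides diverging is exactly how this bug arose. A small static helper that takes the element's ext and the start pointer and returns `nft_set_ext_key_end(ext)->data` when NFT_SET_EXT_KEY_END is present and the start pointer otherwise would give insertion and removal one definition to stay in step with. This is a style point, not a correctness issue with the hunk; the rest of nft_pipapo_remove() lies outside it.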
@@ -0,0 +1,217 @@ +From b8f43f1b9945bb063ef0eae3bcdc6e04d8728d8f Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Wed, 5 Jul 2023 18:05:35 -0300 +Subject: [PATCH 5/6] netfilter: nf_tables: prevent OOB access in + nft_byteorder_eval + +When evaluating byteorder expressions with size 2, a union with 32-bit and +16-bit members is used. Since the 16-bit members are aligned to 32-bit, +the array accesses will be out-of-bounds. + +It may lead to a stack-out-of-bounds access like the one below: + +[ 23.095215] ================================================================== +[ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 +[ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 +[ 23.096358] +[ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 +[ 23.096770] Call Trace: +[ 23.096910] +[ 23.097030] dump_stack_lvl+0x60/0xc0 +[ 23.097218] print_report+0xcf/0x630 +[ 23.097388] ? nft_byteorder_eval+0x13c/0x320 +[ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 +[ 23.097760] ? nft_byteorder_eval+0x13c/0x320 +[ 23.097949] kasan_report+0xc9/0x110 +[ 23.098106] ? nft_byteorder_eval+0x13c/0x320 +[ 23.098298] __asan_load2+0x83/0xd0 +[ 23.098453] nft_byteorder_eval+0x13c/0x320 +[ 23.098659] nft_do_chain+0x1c8/0xc50 +[ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 +[ 23.099078] ? __kasan_check_read+0x11/0x20 +[ 23.099295] ? __pfx___lock_acquire+0x10/0x10 +[ 23.099535] ? __pfx___lock_acquire+0x10/0x10 +[ 23.099745] ? __kasan_check_read+0x11/0x20 +[ 23.099929] nft_do_chain_ipv4+0xfe/0x140 +[ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 +[ 23.100327] ? lock_release+0x204/0x400 +[ 23.100515] ? nf_hook.constprop.0+0x340/0x550 +[ 23.100779] nf_hook_slow+0x6c/0x100 +[ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 +[ 23.101223] nf_hook.constprop.0+0x334/0x550 +[ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 +[ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10 +[ 23.101882] ? 
__pfx_ip_rcv_finish+0x10/0x10 +[ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 +[ 23.102291] ? rcu_read_lock_held+0x4b/0x70 +[ 23.102481] ip_local_deliver+0xbb/0x110 +[ 23.102665] ? __pfx_ip_rcv+0x10/0x10 +[ 23.102839] ip_rcv+0x199/0x2a0 +[ 23.102980] ? __pfx_ip_rcv+0x10/0x10 +[ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 +[ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 +[ 23.103647] ? mark_held_locks+0x48/0xa0 +[ 23.103819] ? process_backlog+0x36c/0x380 +[ 23.103999] __netif_receive_skb+0x23/0xc0 +[ 23.104179] process_backlog+0x91/0x380 +[ 23.104350] __napi_poll.constprop.0+0x66/0x360 +[ 23.104589] ? net_rx_action+0x1cb/0x610 +[ 23.104811] net_rx_action+0x33e/0x610 +[ 23.105024] ? _raw_spin_unlock+0x23/0x50 +[ 23.105257] ? __pfx_net_rx_action+0x10/0x10 +[ 23.105485] ? mark_held_locks+0x48/0xa0 +[ 23.105741] __do_softirq+0xfa/0x5ab +[ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 +[ 23.106193] do_softirq.part.0+0x49/0xc0 +[ 23.106423] +[ 23.106547] +[ 23.106670] __local_bh_enable_ip+0xf5/0x120 +[ 23.106903] __dev_queue_xmit+0x789/0x1c00 +[ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 +[ 23.107381] ? find_held_lock+0x8e/0xb0 +[ 23.107585] ? lock_release+0x204/0x400 +[ 23.107798] ? neigh_resolve_output+0x185/0x350 +[ 23.108049] ? mark_held_locks+0x48/0xa0 +[ 23.108265] ? neigh_resolve_output+0x185/0x350 +[ 23.108514] neigh_resolve_output+0x246/0x350 +[ 23.108753] ? neigh_resolve_output+0x246/0x350 +[ 23.109003] ip_finish_output2+0x3c3/0x10b0 +[ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 +[ 23.109510] ? __pfx_nf_hook+0x10/0x10 +[ 23.109732] __ip_finish_output+0x217/0x390 +[ 23.109978] ip_finish_output+0x2f/0x130 +[ 23.110207] ip_output+0xc9/0x170 +[ 23.110404] ip_push_pending_frames+0x1a0/0x240 +[ 23.110652] raw_sendmsg+0x102e/0x19e0 +[ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 +[ 23.111093] ? lock_release+0x204/0x400 +[ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 +[ 23.111567] ? find_held_lock+0x8e/0xb0 +[ 23.111777] ? 
find_held_lock+0x8e/0xb0 +[ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 +[ 23.112225] ? aa_sk_perm+0x18a/0x550 +[ 23.112431] ? filemap_map_pages+0x4f1/0x900 +[ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 +[ 23.112880] ? find_held_lock+0x8e/0xb0 +[ 23.113098] inet_sendmsg+0xa0/0xb0 +[ 23.113297] ? inet_sendmsg+0xa0/0xb0 +[ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 +[ 23.113727] sock_sendmsg+0xf4/0x100 +[ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 +[ 23.114190] __sys_sendto+0x1d4/0x290 +[ 23.114391] ? __pfx___sys_sendto+0x10/0x10 +[ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 +[ 23.114869] ? lock_release+0x204/0x400 +[ 23.115076] ? find_held_lock+0x8e/0xb0 +[ 23.115287] ? rcu_is_watching+0x23/0x60 +[ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 +[ 23.115778] ? __kasan_check_write+0x14/0x30 +[ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 +[ 23.116285] ? mark_held_locks+0x28/0xa0 +[ 23.116503] ? do_syscall_64+0x37/0x90 +[ 23.116713] __x64_sys_sendto+0x7f/0xb0 +[ 23.116924] do_syscall_64+0x59/0x90 +[ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 +[ 23.117387] ? irqentry_exit+0x77/0xb0 +[ 23.117593] ? 
exc_page_fault+0x92/0x140 +[ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 +[ 23.118081] RIP: 0033:0x7f744aee2bba +[ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 +[ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba +[ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 +[ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 +[ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 +[ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 +[ 23.121617] +[ 23.121749] +[ 23.121845] The buggy address belongs to the virtual mapping at +[ 23.121845] [ffffc90000000000, ffffc90000009000) created by: +[ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 +[ 23.122707] +[ 23.122803] The buggy address belongs to the physical page: +[ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09 +[ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) +[ 23.123998] page_type: 0xffffffff() +[ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 +[ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 +[ 23.125023] page dumped because: kasan: bad access detected +[ 23.125326] +[ 23.125421] Memory state around the buggy address: +[ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 +[ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 +[ 23.126840] ^ +[ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 +[ 23.127522] ffffc90000007a00: 
f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 +[ 23.127906] ================================================================== +[ 23.128324] Disabling lock debugging due to kernel taint + +Using simple s16 pointers for the 16-bit accesses fixes the problem. For +the 32-bit accesses, src and dst can be used directly. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Cc: stable@vger.kernel.org +Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI +Signed-off-by: Thadeu Lima de Souza Cascardo +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd) + +CVE: CVE-2023-35001 +Signed-off-by: Mridula Shastry +Reviewed-by: Venkat Venkatsubra +--- + net/netfilter/nft_byteorder.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c +index 6fc6f2f45b0a..a752c98e97fb 100644 +--- a/net/netfilter/nft_byteorder.c ++++ b/net/netfilter/nft_byteorder.c +@@ -33,11 +33,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, + const struct nft_byteorder *priv = nft_expr_priv(expr); + u32 *src = ®s->data[priv->sreg]; + u32 *dst = ®s->data[priv->dreg]; +- union { u32 u32; u16 u16; } *s, *d; ++ u16 *s16, *d16; + unsigned int i; + +- s = (void *)src; +- d = (void *)dst; ++ s16 = (void *)src; ++ d16 = (void *)dst; + + switch (priv->size) { + case 8: { +@@ -64,11 +64,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = ntohl((__force __be32)s[i].u32); ++ dst[i] = ntohl((__force __be32)src[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 4; i++) +- d[i].u32 = (__force __u32)htonl(s[i].u32); ++ dst[i] = (__force __u32)htonl(src[i]); + break; + } + break; +@@ -76,11 +76,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, + switch (priv->op) { + case 
NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = ntohs((__force __be16)s[i].u16); ++ d16[i] = ntohs((__force __be16)s16[i]); + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 2; i++) +- d[i].u16 = (__force __u16)htons(s[i].u16); ++ d16[i] = (__force __u16)htons(s16[i]); + break; + } + break; +-- +2.39.3 + diff --git a/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch b/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch new file mode 100644 index 0000000..73bd680 --- /dev/null +++ b/SOURCES/1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch 
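Review bot: With the union gone, the 16-bit loops index `s16[i]`/`d16[i]` for `priv->len / 2` halfwords, so staying inside the register file now depends entirely on nft_byteorder_init() bounding priv->len against the register range at rule-load time; that check is outside this hunk and is the thing to confirm in the backport target, since the loop itself no longer has any slack. The 32-bit loops rewritten to use `src`/`dst` directly are equivalent to the old `.u32` accesses. nft_byteorder_eval() starts and ends outside the hunks shown.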
@@ -0,0 +1,44 @@
+From b07f2873225c6e16abd6ec352e9cd52a72fe7785 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua
+Date: Wed, 31 May 2023 18:28:04 +0800
+Subject: [PATCH 6/6] net/sched: flower: fix possible OOB write in
+ fl_set_geneve_opt()
+
+If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
+size is 252 bytes(key->enc_opts.len = 252) then
+key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
+TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
+bypasses the next bounds check and results in an out-of-bounds.
+
+Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
+Signed-off-by: Hangyu Hua
+Reviewed-by: Simon Horman
+Reviewed-by: Pieter Jansen van Vuuren
+Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com
+Signed-off-by: Paolo Abeni
+(cherry picked from commit 4d56304e5827c8cc8cc18c75343d283af7c4825c)
+
+CVE: CVE-2023-35788
+Signed-off-by: Mridula Shastry
+Reviewed-by: Venkat Venkatsubra
+---
+ net/sched/cls_flower.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index b81abfcd2a19..ca232483cfab 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -1151,6 +1151,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
+ if (option_len > sizeof(struct geneve_opt))
+ data_len = option_len - sizeof(struct geneve_opt);
+ 
++ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
++ return -ERANGE;
++
+ opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
+ memset(opt, 0xff, option_len);
+ opt->length = data_len / 4;
+--
+2.39.3
+
diff --git a/SOURCES/9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch b/SOURCES/9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
new file mode 100644
index 0000000..e1b1bf4
--- /dev/null
+++ b/SOURCES/9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch
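Review bot: The new guard spells the geneve header size as a bare `4` while the two lines just above it write the same quantity as `sizeof(struct geneve_opt)`; `if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - sizeof(struct geneve_opt))` says what the reserve is for and keeps the two in step if the header type changes. The value is the same today, so this is a readability point, not a behavioral one. The later length check the description refers to, and the rest of fl_set_geneve_opt(), are outside this hunk.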
@@ -0,0 +1,110 @@ +From a0bb51f2638e0810c347024679239fd10a8f7990 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Tue, 28 Apr 2020 11:38:22 +0200 +Subject: [PATCH] x86/xen: Split HVM vector callback setup and interrupt gate + allocation + +As a preparatory change for making alloc_intr_gate() __init split +xen_callback_vector() into callback vector setup via hypercall +(xen_setup_callback_vector()) and interrupt gate allocation +(xen_alloc_callback_vector()). + +xen_setup_callback_vector() is being called twice: on init and upon +system resume from xen_hvm_post_suspend(). alloc_intr_gate() only +needs to be called once. + +Suggested-by: Thomas Gleixner +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20200428093824.1451532-2-vkuznets@redhat.com +--- + arch/x86/xen/suspend_hvm.c | 2 +- + arch/x86/xen/xen-ops.h | 2 +- + drivers/xen/events/events_base.c | 28 +++++++++++++++++----------- + 3 files changed, 19 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/xen/suspend_hvm.c b/arch/x86/xen/suspend_hvm.c +index e666b614cf6d..5152afe16876 100644 +--- a/arch/x86/xen/suspend_hvm.c ++++ b/arch/x86/xen/suspend_hvm.c +@@ -13,6 +13,6 @@ void xen_hvm_post_suspend(int suspend_cancelled) + xen_hvm_init_shared_info(); + xen_vcpu_restore(); + } +- xen_callback_vector(); ++ xen_setup_callback_vector(); + xen_unplug_emulated_devices(); + } +diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h +index 45a441c33d6d..1cc1568bfe04 100644 +--- a/arch/x86/xen/xen-ops.h ++++ b/arch/x86/xen/xen-ops.h +@@ -55,7 +55,7 @@ void xen_enable_sysenter(void); + void xen_enable_syscall(void); + void xen_vcpu_restore(void); + +-void xen_callback_vector(void); ++void xen_setup_callback_vector(void); + void xen_hvm_init_shared_info(void); + void xen_unplug_emulated_devices(void); + +diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c +index 3a791c8485d0..eb35c3cda9a6 100644 +--- 
a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -1639,26 +1639,30 @@ EXPORT_SYMBOL_GPL(xen_set_callback_via); + /* Vector callbacks are better than PCI interrupts to receive event + * channel notifications because we can receive vector callbacks on any + * vcpu and we don't need PCI support or APIC interactions. */ +-void xen_callback_vector(void) ++void xen_setup_callback_vector(void) + { +- int rc; + uint64_t callback_via; + + if (xen_have_vector_callback) { + callback_via = HVM_CALLBACK_VECTOR(HYPERVISOR_CALLBACK_VECTOR); +- rc = xen_set_callback_via(callback_via); +- if (rc) { ++ if (xen_set_callback_via(callback_via)) { + pr_err("Request for Xen HVM callback vector failed\n"); + xen_have_vector_callback = 0; +- return; + } +- pr_info("Xen HVM callback vector for event delivery is enabled\n"); +- alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR, +- xen_hvm_callback_vector); + } + } ++ ++static __init void xen_alloc_callback_vector(void) ++{ ++ if (!xen_have_vector_callback) ++ return; ++ ++ pr_info("Xen HVM callback vector for event delivery is enabled\n"); ++ alloc_intr_gate(HYPERVISOR_CALLBACK_VECTOR, xen_hvm_callback_vector); ++} + #else +-void xen_callback_vector(void) {} ++void xen_setup_callback_vector(void) {} ++static inline void xen_alloc_callback_vector(void) {} + #endif + + #undef MODULE_PARAM_PREFIX +@@ -1692,8 +1696,10 @@ void __init xen_init_IRQ(void) + if (xen_initial_domain()) + pci_xen_initial_domain(); + } +- if (xen_feature(XENFEAT_hvm_callback_vector)) +- xen_callback_vector(); ++ if (xen_feature(XENFEAT_hvm_callback_vector)) { ++ xen_setup_callback_vector(); ++ xen_alloc_callback_vector(); ++ } + + if (xen_hvm_domain()) { + native_init_IRQ(); +-- +2.27.0 + diff --git a/SOURCES/9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch b/SOURCES/9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch new file mode 100644 index 0000000..e67ff57 --- /dev/null 
+++ b/SOURCES/9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch
@@ -0,0 +1,30 @@
+From a32b0f0db3f396f1c9be2fe621e77c09ec3d8e7d Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)"
+Date: Tue, 2 May 2023 19:53:50 +0200
+Subject: [PATCH] x86/microcode/AMD: Load late on both threads too
+
+Do the same as early loading - load on both threads.
+
+Signed-off-by: Borislav Petkov (AMD)
+Cc:
+Link: https://lore.kernel.org/r/20230605141332.25948-1-bp@alien8.de
+---
+ arch/x86/kernel/cpu/microcode/amd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c
+index f14f4ea0b537..87208e46f7ed 100644
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -700,7 +700,7 @@ static enum ucode_state apply_microcode_amd(int cpu)
+ rdmsr(MSR_AMD64_PATCH_LEVEL, rev, dummy);
+ 
+ /* need to apply patch? */
+- if (rev >= mc_amd->hdr.patch_id) {
++ if (rev > mc_amd->hdr.patch_id) {
+ ret = UCODE_OK;
+ goto out;
+ }
+--
+2.27.0
+
diff --git a/SOURCES/debrand-rh-i686-cpu.patch b/SOURCES/debrand-rh-i686-cpu.patch
new file mode 100644
index 0000000..8e2e5b8
--- /dev/null
+++ b/SOURCES/debrand-rh-i686-cpu.patch
@@ -0,0 +1,11 @@
+--- a/arch/x86/boot/main.c 2019-03-13 04:04:53.000000000 -0700
++++ b/arch/x86/boot/main.c 2019-05-25 14:31:21.043272496 -0700
+@@ -147,7 +147,7 @@ void main(void)
+ 
+ /* Make sure we have all the proper CPU support */
+ if (validate_cpu()) {
+- puts("This processor is not supported in this version of RHEL.\n");
++ puts("This processor is not supported in this version of AlmaLinux.\n");
+ die();
+ }
+ 
diff --git a/SOURCES/debrand-rh_taint.patch b/SOURCES/debrand-rh_taint.patch
new file mode 100644
index 0000000..d39bf1a
--- /dev/null
+++ b/SOURCES/debrand-rh_taint.patch
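Review bot: After relaxing `>=` to `>`, the comment `/* need to apply patch? */` directly above the changed line no longer explains why a CPU whose current revision already equals the patch's is deliberately not skipped, and a later reader is likely to "fix" it back. Extend it so the intent from the subject line survives in the code, e.g. `/* need to apply patch? An equal revision is re-applied on purpose so the patch is loaded on both threads. */`. The apply path this decision feeds, and the rest of apply_microcode_amd(), are outside this hunk.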
@@ -0,0 +1,81 @@
+--- a/kernel/rh_taint.c 2020-10-16 10:41:51.000000000 -0500
++++ b/kernel/rh_taint.c 2020-11-19 10:50:24.853039167 -0600
+@@ -2,12 +2,12 @@
+ #include
+
+ /*
+- * The following functions are used by Red Hat to indicate to users that
+- * hardware and drivers are unsupported, or have limited support in RHEL major
++ * The following functions are used by AlmaLinux to indicate to users that
++ * hardware and drivers are unsupported, or have limited support in AlmaLinux major
+ * and minor releases. These functions output loud warning messages to the end
+ * user and should be USED WITH CAUTION.
+ *
+- * Any use of these functions _MUST_ be documented in the RHEL Release Notes,
++ * Any use of these functions _MUST_ be documented in the AlmaLinux Release Notes,
+ * and have approval of management.
+ */
+
+@@ -16,15 +16,15 @@
+ * @msg: Hardware name, class, or type
+ *
+ * Called to mark a device, class of devices, or types of devices as not having
+- * support in any RHEL minor release. This does not TAINT the kernel. Red Hat
+- * will not fix bugs against this hardware in this minor release. Red Hat may
++ * support in any AlmaLinux minor release. This does not TAINT the kernel. AlmaLinux
++ * will not fix bugs against this hardware in this minor release. AlmaLinux may
+ * declare support in a future major or minor update release. This cannot be
+ * used to mark drivers unsupported.
+ */
+ void mark_hardware_unsupported(const char *msg)
+ {
+ /* Print one single message */
+- pr_crit("Warning: %s - this hardware has not undergone testing by Red Hat and might not be certified.
Please consult https://catalog.redhat.com for certified hardware.\n", msg);
++ pr_crit("Warning: %s - this hardware has not undergone testing by AlmaLinux and might not be certified.\n", msg);
+ }
+ EXPORT_SYMBOL(mark_hardware_unsupported);
+
+@@ -35,12 +35,12 @@ EXPORT_SYMBOL(mark_hardware_unsupported)
+ * Called to minimize the support status of a previously supported device in
+ * a minor release. This does not TAINT the kernel. Marking hardware
+ * deprecated is usually done in conjunction with the hardware vendor. Future
+- * RHEL major releases may not include this driver. Driver updates and fixes
++ * AlmaLinux major releases may not include this driver. Driver updates and fixes
+ * for this device will be limited to critical issues in future minor releases.
+ */
+ void mark_hardware_deprecated(const char *msg)
+ {
+- pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this RHEL release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact Red Hat Support or your device's hardware vendor for additional information.\n", msg);
++ pr_crit("Warning: %s - this hardware is not recommended for new deployments. It continues to be supported in this AlmaLinux release, but it is likely to be removed in the next major release. Driver updates and fixes for this device will be limited to critical issues. Please contact AlmaLinux Support or your device's hardware vendor for additional information.\n", msg);
+ }
+ EXPORT_SYMBOL(mark_hardware_deprecated);
+
+@@ -50,9 +50,9 @@ EXPORT_SYMBOL(mark_hardware_deprecated);
+ *
+ * Called to minimize the support status of a new driver. This does TAINT the
+ * kernel. Calling this function indicates that the driver or subsystem has
+- * had limited testing and is not marked for full support within this RHEL
+- * minor release.
The next RHEL minor release may contain full support for
+- * this driver. Red Hat does not guarantee that bugs reported against this
++ * had limited testing and is not marked for full support within this AlmaLinux
++ * minor release. The next AlmaLinux minor release may contain full support for
++ * this driver. AlmaLinux does not guarantee that bugs reported against this
+ * driver or subsystem will be resolved.
+ */
+ void mark_tech_preview(const char *msg, struct module *mod)
+@@ -81,13 +81,13 @@ EXPORT_SYMBOL(mark_tech_preview);
+ * mark_driver_unsupported - drivers that we know we don't want to support
+ * @name: the name of the driver
+ *
+- * In some cases Red Hat has chosen to build a driver for internal QE
++ * In some cases AlmaLinux has chosen to build a driver for internal QE
+ * use. Use this function to mark those drivers as unsupported for
+ * customers.
+ */
+ void mark_driver_unsupported(const char *name)
+ {
+- pr_crit("Warning: %s - This driver has not undergone sufficient testing by Red Hat for this release and therefore cannot be used in production systems.\n",
++ pr_crit("Warning: %s - This driver has not undergone sufficient testing by AlmaLinux for this release and therefore cannot be used in production systems.\n",
+ name ? name : "kernel");
+ }
+ EXPORT_SYMBOL(mark_driver_unsupported);
diff --git a/SOURCES/debrand-single-cpu.patch b/SOURCES/debrand-single-cpu.patch
new file mode 100644
index 0000000..32b00a5
--- /dev/null
+++ b/SOURCES/debrand-single-cpu.patch
@@ -0,0 +1,11 @@ +--- a/arch/x86/kernel/setup.c 2019-03-13 04:04:53.000000000 -0700 ++++ b/arch/x86/kernel/setup.c 2019-05-27 08:35:54.580595314 -0700 +@@ -900,7 +900,7 @@ static void rh_check_supported(void) + if (((boot_cpu_data.x86_max_cores * smp_num_siblings) == 1) && + !guest && is_kdump_kernel()) { + pr_crit("Detected single cpu native boot.\n"); +- pr_crit("Important: In Red Hat Enterprise Linux 8, single threaded, single CPU 64-bit physical systems are unsupported by Red Hat. Please contact your Red Hat support representative for a list of certified and supported systems."); ++ pr_crit("Important: In AlmaLinux 8, single threaded, single CPU 64-bit physical systems are unsupported. Please see https://www.almalinux.org for more information"); + } + + /* diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 7725654..15b3a26 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -38,11 +38,11 @@ # define buildid .local %define rpmversion 4.18.0 -%define pkgrelease 477.21.1.rt7.284.el8_8 +%define pkgrelease 477.27.1.rt7.290.el8_8 %define tarfile_release 477.13.1.rt7.276.el8_8 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 477.21.1.rt7.284%{?dist} +%define specrelease 477.27.1.rt7.290%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -149,7 +149,7 @@ # The preempt RT patch level %global rttag .rt7 # realtimeN -%global rtbuild .276 +%global rtbuild .290 %define with_doc 0 %define with_headers 0 %define with_cross_headers 0 
@@ -521,14 +521,26 @@ Source4000: gating.yaml Source4001: rpminspect.yaml ## Patches needed for building this package -Patch1003: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch -Patch1004: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch -Patch1005: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch -Patch1006: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch -Patch1007: 1005-net-sched-Retire-tcindex-classifier.patch -Patch1008: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch -Patch1009: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch -Patch1010: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch +Patch0001: debrand-single-cpu.patch +# Patch0002: debrand-rh_taint.patch +Patch0003: debrand-rh-i686-cpu.patch +Patch1001: 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch +Patch1002: 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch +Patch1003: 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch +Patch1004: 1004-net-sched-tcindex-search-key-must-be-16-bits.patch +Patch1005: 1005-net-sched-Retire-tcindex-classifier.patch +Patch1006: 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch +Patch1007: 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch +Patch1008: 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch +Patch1009: 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch +Patch1010: 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch +Patch1011: 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch +Patch1012: 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch +Patch1013: 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch +Patch1014: 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch + +Patch9001: 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch +Patch9002: 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch # empty final 
patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch @@ -1090,6 +1102,9 @@ mv linux-%{rpmversion}-%{tarfile_release} linux-%{KVERREL} cd linux-%{KVERREL} +ApplyPatch debrand-single-cpu.patch +# ApplyPatch debrand-rh_taint.patch +ApplyPatch debrand-rh-i686-cpu.patch ApplyPatch 1001-net-tls-fix-possible-race-condition-between-do_tls_g.patch ApplyPatch 1002-Bluetooth-L2CAP-Fix-accepting-connection-request.patch ApplyPatch 1003-net-sched-tcindex-update-imperfect-hash-filters-resp.patch @@ -1098,6 +1113,16 @@ ApplyPatch 1005-net-sched-Retire-tcindex-classifier.patch ApplyPatch 1006-xfs-verify-buffer-contents-when-we-skip-log-replay.patch ApplyPatch 1007-i2c-xgene-slimpro-Fix-out-of-bounds-bug-in-xgene_sli.patch ApplyPatch 1008-perf-Fix-check-before-add_event_to_groups-in-perf_gr.patch +ApplyPatch 1009-bluetooth-Perform-careful-capability-checks-in-hci_s.patch +ApplyPatch 1010-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch +ApplyPatch 1011-net-sched-cls_fw-Fix-improper-refcount-update-leads-.patch +ApplyPatch 1012-netfilter-nft_set_pipapo-fix-improper-element-remova.patch +ApplyPatch 1013-netfilter-nf_tables-prevent-OOB-access-in-nft_byteor.patch +ApplyPatch 1014-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch + +ApplyPatch 9001-x86-xen-Split-HVM-vector-callback-setup-and-interrup.patch +ApplyPatch 9002-x86-microcode-AMD-Load-late-on-both-threads-too.patch + ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS 
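Review bot: Patch0002 and its ApplyPatch line are added only as comments while SOURCES/debrand-rh_taint.patch is added in the same change, so the tree now ships a patch that is never applied and the rh_taint.c messages it rewrites keep their original wording; either apply it or drop the file, and in either case state on the commented line why it is disabled, e.g. `# Patch0002: debrand-rh_taint.patch   # disabled: <reason, e.g. no longer applies>`. Patch9001 and Patch9002 are wired in here as well, but the %changelog entry at the end of this diff lists only the six CVE patches, so the package metadata gives no reason for pulling a Xen callback-vector refactor and an AMD microcode late-load change into a security release; add entries such as `- x86/xen: Split HVM vector callback setup and interrupt gate allocation` and `- x86/microcode/AMD: Load late on both threads too`, ideally with the upstream commit ids, so the provenance of every applied patch is auditable. The renumbering of the existing CVE patches from Patch1003-1010 to Patch1001-1008 looks cosmetic and does not change what is applied.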
@@ -2706,6 +2731,14 @@ fi # # %changelog +* Thu Sep 21 2023 Andrew Lukoshko [4.18.0-477.27.1.rt7.290.el8_8] +- bluetooth: Perform careful capability checks in hci_sock_ioctl() {CVE-2023-2002} +- ipvlan:Fix out-of-bounds caused by unclear skb->cb {CVE-2023-3090} +- net/sched: cls_fw: Fix improper refcount update leads to use-after-free {CVE-2023-3776} +- netfilter: nft_set_pipapo: fix improper element removal {CVE-2023-4004} +- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval {CVE-2023-35001} +- net/sched: flower: fix possible OOB write in fl_set_geneve_opt() {CVE-2023-35788} + * Tue Aug 8 2023 Nagappan Ramasamy Palaniappan [4.18.0-477.21.1.rt7.284.el8_8] - Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM (Tamás Koczka) {CVE-2022-42896} - net/sched: tcindex: update imperfect hash filters respecting rcu (Jamal Hadi Salim) {CVE-2023-1281}