From 6092e2a74dc4cb6c6581b752ab2d6daceec1705d Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Tue, 12 Sep 2023 12:59:40 +0000 Subject: [PATCH] Revert "Update with 5.14.0-284.25.1.el9_2 security fixes" This reverts commit e7e939cd1cb94955eaf9a498c166badbfa10c79b. --- ...-race-condition-in-direct_page_fault.patch | 87 --------- ...it-needs-to-have-a-speculation-check.patch | 45 ----- ...Allow-enabling-STIBP-with-legacy-IBR.patch | 95 --------- ...t-of-bounds-caused-by-unclear-skb-cb.patch | 180 ------------------ ...-fix-possible-OOB-write-in-fl_set_ge.patch | 49 ----- SPECS/kernel.spec | 23 +-- 6 files changed, 2 insertions(+), 477 deletions(-) delete mode 100644 SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch delete mode 100644 SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch delete mode 100644 SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch delete mode 100644 SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch delete mode 100644 SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch diff --git a/SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch b/SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch deleted file mode 100644 index 57b9495..0000000 --- a/SOURCES/1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch +++ /dev/null @@ -1,87 +0,0 @@ -From 6f404ab35a9a684cb6ee146a39413698bba17fe4 Mon Sep 17 00:00:00 2001 -From: Nagappan Ramasamy Palaniappan -Date: Wed, 2 Aug 2023 12:50:36 +0000 -Subject: [PATCH 1/5] KVM: x86/mmu: Fix race condition in direct_page_fault - - make_mmu_pages_available() must be called with mmu_lock held for write. - However, if the TDP MMU is used, it will be called with mmu_lock held for - read. - This function does nothing unless shadow pages are used, so there is no - race unless nested TDP is used. - Since nested TDP uses shadow pages, old shadow pages may be zapped by this - function even when the TDP MMU is enabled. - Since shadow pages are never allocated by kvm_tdp_mmu_map(), a race - condition can be avoided by not calling make_mmu_pages_available() if the - TDP MMU is currently in use. - - I encountered this when repeatedly starting and stopping nested VM. - It can be artificially caused by allocating a large number of nested TDP - SPTEs. - - For example, the following BUG and general protection fault are caused in - the host kernel. - - pte_list_remove: 00000000cd54fc10 many->many - ------------[ cut here ]------------ - kernel BUG at arch/x86/kvm/mmu/mmu.c:963! - invalid opcode: 0000 [#1] PREEMPT SMP NOPTI - RIP: 0010:pte_list_remove.cold+0x16/0x48 [kvm] - Call Trace: - - drop_spte+0xe0/0x180 [kvm] - mmu_page_zap_pte+0x4f/0x140 [kvm] - __kvm_mmu_prepare_zap_page+0x62/0x3e0 [kvm] - kvm_mmu_zap_oldest_mmu_pages+0x7d/0xf0 [kvm] - direct_page_fault+0x3cb/0x9b0 [kvm] - kvm_tdp_page_fault+0x2c/0xa0 [kvm] - kvm_mmu_page_fault+0x207/0x930 [kvm] - npf_interception+0x47/0xb0 [kvm_amd] - svm_invoke_exit_handler+0x13c/0x1a0 [kvm_amd] - svm_handle_exit+0xfc/0x2c0 [kvm_amd] - kvm_arch_vcpu_ioctl_run+0xa79/0x1780 [kvm] - kvm_vcpu_ioctl+0x29b/0x6f0 [kvm] - __x64_sys_ioctl+0x95/0xd0 - do_syscall_64+0x5c/0x90 - - general protection fault, probably for non-canonical address - 0xdead000000000122: 0000 [#1] PREEMPT SMP NOPTI - RIP: 0010:kvm_mmu_commit_zap_page.part.0+0x4b/0xe0 [kvm] - Call Trace: - - kvm_mmu_zap_oldest_mmu_pages+0xae/0xf0 [kvm] - direct_page_fault+0x3cb/0x9b0 [kvm] - kvm_tdp_page_fault+0x2c/0xa0 [kvm] - kvm_mmu_page_fault+0x207/0x930 [kvm] - npf_interception+0x47/0xb0 [kvm_amd] - - CVE: CVE-2022-45869 - Fixes: a2855afc7ee8 ("KVM: x86/mmu: Allow parallel page faults for the TDP MMU") - Signed-off-by: Kazuki Takiguchi - Cc: stable@vger.kernel.org - Signed-off-by: Paolo Bonzini - -Conflicts: dropped hunk in direct_page_fault because the following backported commits do the same thing - a158127f55b98c ("KVM: x86/mmu: Split out TDP MMU page fault handling") - 1290f90e77186b ("KVM: x86/mmu: Stop needlessly making MMU pages available for TDP MMU faults") - -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - arch/x86/kvm/mmu/mmu.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c -index 05c137831..2968f8137 100644 ---- a/arch/x86/kvm/mmu/mmu.c -+++ b/arch/x86/kvm/mmu/mmu.c -@@ -2432,6 +2432,7 @@ static bool __kvm_mmu_prepare_zap_page(struct kvm *kvm, - { - bool list_unstable, zapped_root = false; - -+ lockdep_assert_held_write(&kvm->mmu_lock); - trace_kvm_mmu_prepare_zap_page(sp); - ++kvm->stat.mmu_shadow_zapped; - *nr_zapped = mmu_zap_unsync_children(kvm, sp, invalid_list); --- -2.31.1 - diff --git a/SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch b/SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch deleted file mode 100644 index bd18a2e..0000000 --- a/SOURCES/1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch +++ /dev/null @@ -1,45 +0,0 @@ -From c9e34f92dafffe1fd37ba7ef7fb198002576bea1 Mon Sep 17 00:00:00 2001 -From: Nagappan Ramasamy Palaniappan -Date: Wed, 2 Aug 2023 12:54:02 +0000 -Subject: [PATCH 2/5] prlimit: do_prlimit needs to have a speculation check - -CVE: CVE-2023-0458 - -commit 739790605705ddcf18f21782b9c99ad7d53a8c11 -Author: Greg Kroah-Hartman -Date: Fri Jan 20 11:03:20 2023 +0100 - - prlimit: do_prlimit needs to have a speculation check - - do_prlimit() adds the user-controlled resource value to a pointer that - will subsequently be dereferenced. In order to help prevent this - codepath from being used as a spectre "gadget" a barrier needs to be - added after checking the range. - - Reported-by: Jordy Zomer - Tested-by: Jordy Zomer - Suggested-by: Linus Torvalds - Signed-off-by: Greg Kroah-Hartman - -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - kernel/sys.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/kernel/sys.c b/kernel/sys.c -index 75852f64d..45480f6f6 100644 ---- a/kernel/sys.c -+++ b/kernel/sys.c -@@ -1439,6 +1439,8 @@ static int do_prlimit(struct task_struct *tsk, unsigned int resource, - - if (resource >= RLIM_NLIMITS) - return -EINVAL; -+ resource = array_index_nospec(resource, RLIM_NLIMITS); -+ - if (new_rlim) { - if (new_rlim->rlim_cur > new_rlim->rlim_max) - return -EINVAL; --- -2.31.1 - diff --git a/SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch b/SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch deleted file mode 100644 index 57846d2..0000000 --- a/SOURCES/1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 4758c1f8ad5385e53ea85739ad9f6fa6dfc0abda Mon Sep 17 00:00:00 2001 -From: Nagappan Ramasamy Palaniappan -Date: Wed, 2 Aug 2023 12:55:46 +0000 -Subject: [PATCH 3/5] x86/speculation: Allow enabling STIBP with legacy IBRS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When plain IBRS is enabled (not enhanced IBRS), the logic in -spectre_v2_user_select_mitigation() determines that STIBP is not needed. - -The IBRS bit implicitly protects against cross-thread branch target -injection. However, with legacy IBRS, the IBRS bit is cleared on -returning to userspace for performance reasons which leaves userspace -threads vulnerable to cross-thread branch target injection against which -STIBP protects. - -Exclude IBRS from the spectre_v2_in_ibrs_mode() check to allow for -enabling STIBP (through seccomp/prctl() by default or always-on, if -selected by spectre_v2_user kernel cmdline parameter). - - [ bp: Massage. ] - -Fixes: 7c693f54c873 ("x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS") -Reported-by: José Oliveira -Reported-by: Rodrigo Branco -Signed-off-by: KP Singh -Signed-off-by: Borislav Petkov (AMD) -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - arch/x86/kernel/cpu/bugs.c | 25 ++++++++++++++++++------- - 1 file changed, 18 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c -index da7c361f4..e13c4ecdc 100644 ---- a/arch/x86/kernel/cpu/bugs.c -+++ b/arch/x86/kernel/cpu/bugs.c -@@ -1095,14 +1095,18 @@ spectre_v2_parse_user_cmdline(void) - return SPECTRE_V2_USER_CMD_AUTO; - } - --static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) -+static inline bool spectre_v2_in_eibrs_mode(enum spectre_v2_mitigation mode) - { -- return mode == SPECTRE_V2_IBRS || -- mode == SPECTRE_V2_EIBRS || -+ return mode == SPECTRE_V2_EIBRS || - mode == SPECTRE_V2_EIBRS_RETPOLINE || - mode == SPECTRE_V2_EIBRS_LFENCE; - } - -+static inline bool spectre_v2_in_ibrs_mode(enum spectre_v2_mitigation mode) -+{ -+ return spectre_v2_in_eibrs_mode(mode) || mode == SPECTRE_V2_IBRS; -+} -+ - static void __init - spectre_v2_user_select_mitigation(void) - { -@@ -1165,12 +1169,19 @@ spectre_v2_user_select_mitigation(void) - } - - /* -- * If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible, -- * STIBP is not required. -+ * If no STIBP, enhanced IBRS is enabled, or SMT impossible, STIBP -+ * is not required. -+ * -+ * Enhanced IBRS also protects against cross-thread branch target -+ * injection in user-mode as the IBRS bit remains always set which -+ * implicitly enables cross-thread protections. However, in legacy IBRS -+ * mode, the IBRS bit is set only on kernel entry and cleared on return -+ * to userspace. This disables the implicit cross-thread protection, -+ * so allow for STIBP to be selected in that case. - */ - if (!boot_cpu_has(X86_FEATURE_STIBP) || - !smt_possible || -- spectre_v2_in_ibrs_mode(spectre_v2_enabled)) -+ spectre_v2_in_eibrs_mode(spectre_v2_enabled)) - return; - - /* -@@ -2295,7 +2306,7 @@ static ssize_t mmio_stale_data_show_state(char *buf) - - static char *stibp_state(void) - { -- if (spectre_v2_in_ibrs_mode(spectre_v2_enabled)) -+ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled)) - return ""; - - switch (spectre_v2_user_stibp) { --- -2.31.1 - diff --git a/SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch b/SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch deleted file mode 100644 index 008091d..0000000 --- a/SOURCES/1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch +++ /dev/null @@ -1,180 +0,0 @@ -From 4308d0e03dfe439f30b356630beb8b941bf84bf7 Mon Sep 17 00:00:00 2001 -From: Nagappan Ramasamy Palaniappan -Date: Wed, 2 Aug 2023 13:05:59 +0000 -Subject: [PATCH 4/5] ipvlan:Fix out-of-bounds caused by unclear skb->cb - -CVE: CVE-2023-3090 - -commit 90cbed5247439a966b645b34eb0a2e037836ea8e -Author: t.feng -Date: Wed May 10 11:50:44 2023 +0800 - - ipvlan:Fix out-of-bounds caused by unclear skb->cb - - If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which - is actually skb->cb, and IPCB(skb_in)->opt will be used in - __ip_options_echo. It is possible that memcpy is out of bounds and lead - to stack overflow. - We should clear skb->cb before ip_local_out or ip6_local_out. - - v2: - 1. clean the stack info - 2. use IPCB/IP6CB instead of skb->cb - - crash on stable-5.10(reproduce in kasan kernel). - Stack info: - [ 2203.651571] BUG: KASAN: stack-out-of-bounds in - __ip_options_echo+0x589/0x800 - [ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task - swapper/3/0 - [ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted - 5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1 - [ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), - BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014 - [ 2203.655475] Call Trace: - [ 2203.655481] - [ 2203.655501] dump_stack+0x9c/0xd3 - [ 2203.655514] print_address_description.constprop.0+0x19/0x170 - [ 2203.655530] __kasan_report.cold+0x6c/0x84 - [ 2203.655586] kasan_report+0x3a/0x50 - [ 2203.655586] kasan_report+0x3a/0x50 - [ 2203.655594] check_memory_region+0xfd/0x1f0 - [ 2203.655594] check_memory_region+0xfd/0x1f0 - [ 2203.655601] memcpy+0x39/0x60 - [ 2203.655608] __ip_options_echo+0x589/0x800 - [ 2203.655654] __icmp_send+0x59a/0x960 - [ 2203.655755] nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4] - [ 2203.655763] reject_tg+0x77/0x1bf [ipt_REJECT] - [ 2203.655772] ipt_do_table+0x691/0xa40 [ip_tables] - [ 2203.655821] nf_hook_slow+0x69/0x100 - [ 2203.655828] __ip_local_out+0x21e/0x2b0 - [ 2203.655857] ip_local_out+0x28/0x90 - [ 2203.655868] ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan] - [ 2203.655931] ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan] - [ 2203.655967] ipvlan_queue_xmit+0xb3/0x190 [ipvlan] - [ 2203.655977] ipvlan_start_xmit+0x2e/0xb0 [ipvlan] - [ 2203.655984] xmit_one.constprop.0+0xe1/0x280 - [ 2203.655992] dev_hard_start_xmit+0x62/0x100 - [ 2203.656000] sch_direct_xmit+0x215/0x640 - [ 2203.656028] __qdisc_run+0x153/0x1f0 - [ 2203.656069] __dev_queue_xmit+0x77f/0x1030 - [ 2203.656173] ip_finish_output2+0x59b/0xc20 - [ 2203.656244] __ip_finish_output.part.0+0x318/0x3d0 - [ 2203.656312] ip_finish_output+0x168/0x190 - [ 2203.656320] ip_output+0x12d/0x220 - [ 2203.656357] __ip_queue_xmit+0x392/0x880 - [ 2203.656380] __tcp_transmit_skb+0x1088/0x11c0 - [ 2203.656436] __tcp_retransmit_skb+0x475/0xa30 - [ 2203.656505] tcp_retransmit_skb+0x2d/0x190 - [ 2203.656512] tcp_retransmit_timer+0x3af/0x9a0 - [ 2203.656519] tcp_write_timer_handler+0x3ba/0x510 - [ 2203.656529] tcp_write_timer+0x55/0x180 - [ 2203.656542] call_timer_fn+0x3f/0x1d0 - [ 2203.656555] expire_timers+0x160/0x200 - [ 2203.656562] run_timer_softirq+0x1f4/0x480 - [ 2203.656606] __do_softirq+0xfd/0x402 - [ 2203.656613] asm_call_irq_on_stack+0x12/0x20 - [ 2203.656617] - [ 2203.656623] do_softirq_own_stack+0x37/0x50 - [ 2203.656631] irq_exit_rcu+0x134/0x1a0 - [ 2203.656639] sysvec_apic_timer_interrupt+0x36/0x80 - [ 2203.656646] asm_sysvec_apic_timer_interrupt+0x12/0x20 - [ 2203.656654] RIP: 0010:default_idle+0x13/0x20 - [ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc - cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb - f4 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08 - [ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256 - [ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX: - ffffffffaf290191 - [ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI: - ffff88811a3c4f60 - [ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09: - ffff88811a3c4f63 - [ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12: - 0000000000000003 - [ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15: - 0000000000000000 - [ 2203.656729] default_idle_call+0x5a/0x150 - [ 2203.656735] cpuidle_idle_call+0x1c6/0x220 - [ 2203.656780] do_idle+0xab/0x100 - [ 2203.656786] cpu_startup_entry+0x19/0x20 - [ 2203.656793] secondary_startup_64_no_verify+0xc2/0xcb - - [ 2203.657409] The buggy address belongs to the page: - [ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0 - mapping:0000000000000000 index:0x0 pfn:0x11a388 - [ 2203.658665] flags: - 0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff) - [ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208 - 0000000000000000 - [ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff - 0000000000000000 - [ 2203.658686] page dumped because: kasan: bad access detected - - To reproduce(ipvlan with IPVLAN_MODE_L3): - Env setting: - ======================================================= - modprobe ipvlan ipvlan_default_mode=1 - sysctl net.ipv4.conf.eth0.forwarding=1 - iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j - MASQUERADE - ip link add gw link eth0 type ipvlan - ip -4 addr add 20.0.0.254/24 dev gw - ip netns add net1 - ip link add ipv1 link eth0 type ipvlan - ip link set ipv1 netns net1 - ip netns exec net1 ip link set ipv1 up - ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1 - ip netns exec net1 route add default gw 20.0.0.254 - ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10% - ifconfig gw up - iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with - icmp-port-unreachable - ======================================================= - And then excute the shell(curl any address of eth0 can reach): - - for((i=1;i<=100000;i++)) - do - ip netns exec net1 curl x.x.x.x:8888 - done - ======================================================= - - Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.") - Signed-off-by: "t.feng" - Suggested-by: Florian Westphal - Reviewed-by: Paolo Abeni - Signed-off-by: David S. Miller - -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - drivers/net/ipvlan/ipvlan_core.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c -index fe584e8ac..ab14c06d1 100644 ---- a/drivers/net/ipvlan/ipvlan_core.c -+++ b/drivers/net/ipvlan/ipvlan_core.c -@@ -437,6 +437,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb) - goto err; - } - skb_dst_set(skb, &rt->dst); -+ -+ memset(IPCB(skb), 0, sizeof(*IPCB(skb))); -+ - err = ip_local_out(net, skb->sk, skb); - if (unlikely(net_xmit_eval(err))) - dev->stats.tx_errors++; -@@ -475,6 +478,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb) - goto err; - } - skb_dst_set(skb, dst); -+ -+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb))); -+ - err = ip6_local_out(net, skb->sk, skb); - if (unlikely(net_xmit_eval(err))) - dev->stats.tx_errors++; --- -2.31.1 - diff --git a/SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch b/SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch deleted file mode 100644 index ce8857d..0000000 --- a/SOURCES/1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 68e161867609dafcee1a20343990547a8da9be83 Mon Sep 17 00:00:00 2001 -From: Nagappan Ramasamy Palaniappan -Date: Wed, 2 Aug 2023 13:10:03 +0000 -Subject: [PATCH 5/5] net/sched: flower: fix possible OOB write - in-fl_set_geneve_opt() - -CVE: CVE-2023-35788 - -commit 4d56304e5827c8cc8cc18c75343d283af7c4825c -Author: Hangyu Hua -Date: Wed May 31 18:28:04 2023 +0800 - - net/sched: flower: fix possible OOB write in fl_set_geneve_opt() - - If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total - size is 252 bytes(key->enc_opts.len = 252) then - key->enc_opts.len = opt->length = data_len / 4 = 0 when the third - TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This - bypasses the next bounds check and results in an out-of-bounds. - - Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") - Signed-off-by: Hangyu Hua - Reviewed-by: Simon Horman - Reviewed-by: Pieter Jansen van Vuuren - Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com - -Signed-off-by: Nagappan Ramasamy Palaniappan -Reviewed-by: Laurence Rochfort ---- - net/sched/cls_flower.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c -index 041d63ff8..65b68bf36 100644 ---- a/net/sched/cls_flower.c -+++ b/net/sched/cls_flower.c -@@ -1145,6 +1145,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, - if (option_len > sizeof(struct geneve_opt)) - data_len = option_len - sizeof(struct geneve_opt); - -+ if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) -+ return -ERANGE; -+ - opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; - memset(opt, 0xff, option_len); - opt->length = data_len / 4; --- -2.31.1 - diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 29e0107..b7dcf22 100755 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -161,13 +161,13 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 284.25.1 +%define pkgrelease 284.18.1 %define kversion 5 %define tarfile_release 5.14.0-284.18.1.el9_2 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 284.25.1%{?buildid}%{?dist} +%define specrelease 284.18.1%{?buildid}%{?dist} # This defines the kabi tarball version %define kabiversion 5.14.0-284.18.1.el9_2 @@ -900,13 +900,6 @@ Source4002: gating.yaml Patch1: patch-%{patchversion}-redhat.patch %endif -# Patches from Oracle Linux kernel package -Patch1200: 1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch -Patch1201: 1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch -Patch1202: 1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch -Patch1203: 1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch -Patch1204: 1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch - # empty final patch to facilitate testing of kernel patches Patch999999: linux-kernel-test.patch @@ -1560,11 +1553,6 @@ cp -a %{SOURCE1} . ApplyOptionalPatch patch-%{patchversion}-redhat.patch %endif -ApplyPatch 1200-KVM-x86-mmu-Fix-race-condition-in-direct_page_fault.patch -ApplyPatch 1201-prlimit-do_prlimit-needs-to-have-a-speculation-check.patch -ApplyPatch 1202-x86-speculation-Allow-enabling-STIBP-with-legacy-IBR.patch -ApplyPatch 1203-ipvlan-Fix-out-of-bounds-caused-by-unclear-skb-cb.patch -ApplyPatch 1204-net-sched-flower-fix-possible-OOB-write-in-fl_set_ge.patch ApplyOptionalPatch linux-kernel-test.patch # END OF PATCH APPLICATIONS @@ -3430,13 +3418,6 @@ fi # # %changelog -* Tue Aug 01 2023 Nagappan Ramasamy Palaniappan - [5.14.0-284.25.1.el9_2] -- KVM x86 mmuFix race condition in direct_page_fault -- prlimit do_prlimit needs to have a speculation check -- x86 speculation Allow enabling STIBP with legacy IBR -- ipvlan Fix out of bounds caused by unclear skb cb -- net sched flower fix possible OOB write in fl_set_geneve_opt - * Wed May 31 2023 Herton R. Krzesinski [5.14.0-284.18.1.el9_2] - x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (Baoquan He) [2210614 2116317] - bluetooth: Perform careful capability checks in hci_sock_ioctl() (Ricardo Robaina) [2196340 2196341] {CVE-2023-2002}