From 93691ed0e3701b0cf79ac1ea84f11004761ee43d Mon Sep 17 00:00:00 2001 From: Jonathan Wright Date: Fri, 29 Mar 2024 20:02:17 -0500 Subject: [PATCH] update to 4.18.0-513.18.2, fixes CVE-2024-1086 --- SOURCES/CVE-2024-1086.patch | 34 ++++++++++++++++++++++++++++++++++ SPECS/kernel.spec | 11 +++++++++-- 2 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 SOURCES/CVE-2024-1086.patch diff --git a/SOURCES/CVE-2024-1086.patch b/SOURCES/CVE-2024-1086.patch new file mode 100644 index 000000000..cb0bbed21 --- /dev/null +++ b/SOURCES/CVE-2024-1086.patch @@ -0,0 +1,34 @@ +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c52a1dd1b..3ff44747e 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -8583,16 +8583,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); + + switch (data->verdict.code) { +- default: +- switch (data->verdict.code & NF_VERDICT_MASK) { +- case NF_ACCEPT: +- case NF_DROP: +- case NF_QUEUE: +- break; +- default: +- return -EINVAL; +- } +- /* fall through */ ++ case NF_ACCEPT: ++ case NF_DROP: ++ case NF_QUEUE: ++ break; + case NFT_CONTINUE: + case NFT_BREAK: + case NFT_RETURN: +@@ -8611,6 +8605,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + chain->use++; + data->verdict.chain = chain; + break; ++ default: ++ return -EINVAL; + } + + desc->len = sizeof(data->verdict); diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index c31b0c2be..4d2de4607 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -38,10 +38,11 @@ # define buildid .local %define specversion 4.18.0 -%define pkgrelease 513.18.1.el8_9 +%define pkgrelease 513.18.2.el8_9 # allow pkg_release to have configurable %%{?dist} tag -%define specrelease 513.18.1%{?dist} +# alma patched to 513.18.2 but still using 513.18.1 sources plus patch file +%define specrelease 513.18.2%{?dist} %define pkg_release %{specrelease}%{?buildid} @@ -526,6 +527,7 @@ Patch999999: linux-kernel-test.patch Patch1000: debrand-single-cpu.patch Patch1002: debrand-rh-i686-cpu.patch +Patch1003: CVE-2024-1086.patch Patch1100: 1100-KVM-x86-mmu-Fix-an-sign-extension-bug-with-mmu_seq-t.patch @@ -1092,6 +1094,8 @@ mv linux-%{specversion}-%{pkgrelease} linux-%{KVERREL} cd linux-%{KVERREL} +ApplyPatch CVE-2024-1086.patch + ApplyOptionalPatch debrand-single-cpu.patch ApplyOptionalPatch debrand-rh-i686-cpu.patch # Already applied in the source tarball @@ -2692,6 +2696,9 @@ fi # # %changelog +* Fri Mar 29 2024 Jonathan Wright [4.18.0-513.18.2.el8_9] +- netfilter: nf_tables: reject QUEUE/DROP verdict parameters {CVE-2024-1086} + * Thu Feb 01 2024 Patrick Talbert [4.18.0-513.18.1.el8_9] - net: tls, update curr on splice as well (Sabrina Dubroca) [RHEL-22091 RHEL-19065] {CVE-2024-0646} - smb: client: fix potential OOB in smb2_dump_detail() (Scott Mayhew) [RHEL-21672 RHEL-19144] {CVE-2023-6610}