ykohut/kernel
1
0
Fork 0
forked from rpms/kernel
Code Pull Requests Activity

update to 5.14.0-362.24.2, fixes CVE-2024-1086

Browse Source
This commit is contained in:
Jonathan Wright 2024-03-29 17:34:54 -05:00
parent 8e295c6175
commit 91636725be
2 changed files with 42 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
SOURCES/CVE-2024-1086.patch Normal file
View File

@ -0,0 +1,34 @@
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 38ff119ab..11f4b1aab 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10442,16 +10442,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
switch (data->verdict.code) {
- default:
- switch (data->verdict.code & NF_VERDICT_MASK) {
- case NF_ACCEPT:
- case NF_DROP:
- case NF_QUEUE:
- break;
- default:
- return -EINVAL;
- }
- fallthrough;
+ case NF_ACCEPT:
+ case NF_DROP:
+ case NF_QUEUE:
+ break;
case NFT_CONTINUE:
case NFT_BREAK:
case NFT_RETURN:
@@ -10486,6 +10480,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
data->verdict.chain = chain;
break;
+ default:
+ return -EINVAL;
}
desc->len = sizeof(data->verdict);

10
SPECS/kernel.spec
View File

@ -161,13 +161,14 @@ Summary: The Linux kernel
# define buildid .local # define buildid .local
%define specversion 5.14.0 %define specversion 5.14.0
%define patchversion 5.14 %define patchversion 5.14
%define pkgrelease 362.24.1 %define pkgrelease 362.24.2
%define kversion 5 %define kversion 5
%define tarfile_release 5.14.0-362.24.1.el9_3 %define tarfile_release 5.14.0-362.24.1.el9_3
# This is needed to do merge window version magic # This is needed to do merge window version magic
%define patchlevel 14 %define patchlevel 14
# This allows pkg_release to have configurable %%{?dist} tag # This allows pkg_release to have configurable %%{?dist} tag
%define specrelease 362.24.1%{?buildid}%{?dist} # alma patched to 362.24.2 but still using 362.24.1 sources plus patch file
%define specrelease 362.24.2%{?buildid}%{?dist}
# This defines the kabi tarball version # This defines the kabi tarball version
%define kabiversion 5.14.0-362.24.1.el9_3 %define kabiversion 5.14.0-362.24.1.el9_3
@ -949,6 +950,7 @@ Patch1: patch-%{patchversion}-redhat.patch
# AlmaLinux patches # AlmaLinux patches
Patch1001: 0001-nvme-pci-add-BOGUS_NID-for-Intel-0a54-device.patch Patch1001: 0001-nvme-pci-add-BOGUS_NID-for-Intel-0a54-device.patch
Patch1002: CVE-2024-1086.patch
# empty final patch to facilitate testing of kernel patches # empty final patch to facilitate testing of kernel patches
Patch999999: linux-kernel-test.patch Patch999999: linux-kernel-test.patch
@ -1695,6 +1697,7 @@ ApplyOptionalPatch patch-%{patchversion}-redhat.patch
%endif %endif
ApplyPatch 0001-nvme-pci-add-BOGUS_NID-for-Intel-0a54-device.patch ApplyPatch 0001-nvme-pci-add-BOGUS_NID-for-Intel-0a54-device.patch
ApplyPatch CVE-2024-1086.patch
ApplyOptionalPatch linux-kernel-test.patch ApplyOptionalPatch linux-kernel-test.patch
@ -3741,6 +3744,9 @@ fi
# #
# #
%changelog %changelog
* Fri Mar 29 2024 Jonathan Wright <jonathan@almalinux.org> [5.14.0-362.24.2.el9_3]
- netfilter: nf_tables: reject QUEUE/DROP verdict parameters {CVE-2024-1086}
* Thu Feb 15 2024 Jan Stancek <jstancek@redhat.com> [5.14.0-362.24.1.el9_3] * Thu Feb 15 2024 Jan Stancek <jstancek@redhat.com> [5.14.0-362.24.1.el9_3]
- RDMA/mlx5: Fix assigning access flags to cache mkeys (Mohammad Kabat) [RHEL-25242 RHEL-882] - RDMA/mlx5: Fix assigning access flags to cache mkeys (Mohammad Kabat) [RHEL-25242 RHEL-882]
- drm/amdgpu: Fix potential fence use-after-free v2 (Jan Stancek) [RHEL-24501 RHEL-24504 RHEL-22506 RHEL-22507] {CVE-2023-51042} - drm/amdgpu: Fix potential fence use-after-free v2 (Jan Stancek) [RHEL-24501 RHEL-24504 RHEL-22506 RHEL-22507] {CVE-2023-51042}