From 773c19bc20126843dca53a49bd0c2d90d1eaabac Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 25 2024 00:12:28 +0000 Subject: import kpatch-patch-3_10_0-1160_108_1-1-3.el7 --- diff --git a/SOURCES/CVE-2024-1086.patch b/SOURCES/CVE-2024-1086.patch new file mode 100644 index 0000000..788da63 --- /dev/null +++ b/SOURCES/CVE-2024-1086.patch @@ -0,0 +1,110 @@ +From 0b95e025ee195fd549a77916c14af38e9b25ac16 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Tue, 16 Apr 2024 13:57:40 -0400 +Subject: [KPATCH CVE-2024-1086] kpatch fixes for CVE-2024-1086 + +Kernels: +3.10.0-1160.102.1.el7 +3.10.0-1160.105.1.el7 +3.10.0-1160.108.1.el7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/70 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +[x86_64]: +nf_tables_api.o: changed function: nft_data_init + +[ppc64le]: +nf_tables_api.o: changed function: nft_data_init +nf_tables_api.o: changed function: nft_del_setelem + +--------------------------- + +Modifications: none + +commit 03d2627c7d53c06b8b28f5a57eb48ddbc1829c12 +Author: Florian Westphal +Date: Fri Feb 2 15:28:35 2024 +0100 + + netfilter: nf_tables: reject QUEUE/DROP verdict parameters + + JIRA: https://issues.redhat.com/browse/RHEL-23500 + Upstream Status: commit f342de4e2f33 + CVE: CVE-2024-1086 + + commit f342de4e2f33e0e39165d8639387aa6c19dff660 + Author: Florian Westphal + Date: Sat Jan 20 22:50:04 2024 +0100 + + netfilter: nf_tables: reject QUEUE/DROP verdict parameters + + This reverts commit e0abdadcc6e1. + + core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP + verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar, + or 0. + + Due to the reverted commit, its possible to provide a positive + value, e.g. NF_ACCEPT (1), which results in use-after-free. + + Its not clear to me why this commit was made. + + NF_QUEUE is not used by nftables; "queue" rules in nftables + will result in use of "nft_queue" expression. + + If we later need to allow specifiying errno values from userspace + (do not know why), this has to call NF_DROP_GETERR and check that + "err <= 0" holds true. + + Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters") + Cc: stable@vger.kernel.org + Reported-by: Notselwyn + Signed-off-by: Florian Westphal + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + +Signed-off-by: Ryan Sullivan +--- + net/netfilter/nf_tables_api.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index ed8a787ac400..940f947b5fe7 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -4629,16 +4629,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); + + switch (data->verdict.code) { +- default: +- switch (data->verdict.code & NF_VERDICT_MASK) { +- case NF_ACCEPT: +- case NF_DROP: +- case NF_QUEUE: +- break; +- default: +- return -EINVAL; +- } +- /* fall through */ ++ case NF_ACCEPT: ++ case NF_DROP: ++ case NF_QUEUE: ++ break; + case NFT_CONTINUE: + case NFT_BREAK: + case NFT_RETURN: +@@ -4657,6 +4651,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + chain->use++; + data->verdict.chain = chain; + break; ++ default: ++ return -EINVAL; + } + + desc->len = sizeof(data->verdict); +-- +2.45.1 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 02f3dbb..c83a1cd 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.108.1.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 2 +%define rpm_rel 3 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -25,6 +25,9 @@ Source103: CVE-2023-4622.patch # # https://issues.redhat.com/browse/RHEL-16619 Source104: CVE-2023-4623.patch +# +# https://issues.redhat.com/browse/RHEL-32280 +Source105: CVE-2024-1086.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -159,6 +162,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Wed Jun 12 2024 Yannick Cote [1-3.el7] +- kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function [RHEL-32280] {CVE-2024-1086} + * Tue Apr 16 2024 Yannick Cote [1-2.el7] - kernel: net/sched: sch_hfsc UAF [RHEL-16619] {CVE-2023-4623} - kernel: use after free in unix_stream_sendpage [RHEL-17942] {CVE-2023-4622}