diff --git a/SOURCES/CVE-2021-22555.patch b/SOURCES/CVE-2021-22555.patch new file mode 100644 index 0000000..0a85d0e --- /dev/null +++ b/SOURCES/CVE-2021-22555.patch @@ -0,0 +1,170 @@ +From: Joel Savitz +Subject: [KPATCH 7.9] netfilter: x_tables: kpatch fixes for CVE-2021-22555 +Date: Wed, 28 Jul 2021 12:03:15 -0400 + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 + +Changes since last build: +arches: x86_64 ppc64le +arp_tables.o: changed function: translate_compat_table +ip6_tables.o: changed function: translate_compat_table +ip_tables.o: changed function: translate_compat_table +x_tables.o: changed function: xt_compat_match_from_user +x_tables.o: changed function: xt_compat_target_from_user +--------------------------- + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 + +Modifications: none + +Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/201 +KT0 test PASS: https://beaker.engineering.redhat.com/jobs/5642298 +for scratch build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=38448253 + +commit 06215319786b979bed0f5eb3138de0506db9d39f +Author: Florian Westphal +Date: Fri Jul 9 11:42:55 2021 +0200 + + netfilter: x_tables: fix compat match/target pad out-of-bound write + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1980489 + Upstream Status: commit b29c457a65114 + CVE: CVE-2021-22555 + + commit b29c457a6511435960115c0f548c4360d5f4801d + Author: Florian Westphal + Date: Wed Apr 7 21:38:57 2021 +0200 + + netfilter: x_tables: fix compat match/target pad out-of-bound write + + xt_compat_match/target_from_user doesn't check that zeroing the area + to start of next rule won't write past end of allocated ruleset blob. + + Remove this code and zero the entire blob beforehand. + + Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com + Reported-by: Andy Nguyen + Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") + Signed-off-by: Florian Westphal + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + +Signed-off-by: Joel Savitz +Acked-by: Joe Lawrence +Acked-by: Artem Savkov +Acked-by: Yannick Cote +--- + net/ipv4/netfilter/arp_tables.c | 2 ++ + net/ipv4/netfilter/ip_tables.c | 2 ++ + net/ipv6/netfilter/ip6_tables.c | 2 ++ + net/netfilter/x_tables.c | 10 ++-------- + 4 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index 602d92697038..66ad3b4e194c 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -1364,6 +1364,8 @@ static int translate_compat_table(struct xt_table_info **pinfo, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_ARP_NUMHOOKS; i++) { + newinfo->hook_entry[i] = info->hook_entry[i]; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index 3559f7ffa430..d9de653be67e 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1622,6 +1622,8 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 1772a1797e79..d112bfc86aac 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1626,6 +1626,8 @@ translate_compat_table(struct net *net, + if (!newinfo) + goto out_unlock; + ++ memset(newinfo->entries, 0, size); ++ + newinfo->number = compatr->num_entries; + for (i = 0; i < NF_INET_NUMHOOKS; i++) { + newinfo->hook_entry[i] = compatr->hook_entry[i]; +diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c +index 76e40ff48b10..affd08ce7df8 100644 +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -564,7 +564,7 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + { + const struct xt_match *match = m->u.kernel.match; + struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; +- int pad, off = xt_compat_match_offset(match); ++ int off = xt_compat_match_offset(match); + u_int16_t msize = cm->u.user.match_size; + char name[sizeof(m->u.user.name)]; + +@@ -574,9 +574,6 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, + match->compat_from_user(m->data, cm->data); + else + memcpy(m->data, cm->data, msize - sizeof(*cm)); +- pad = XT_ALIGN(match->matchsize) - match->matchsize; +- if (pad > 0) +- memset(m->data + match->matchsize, 0, pad); + + msize += off; + m->u.user.match_size = msize; +@@ -913,7 +910,7 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + { + const struct xt_target *target = t->u.kernel.target; + struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; +- int pad, off = xt_compat_target_offset(target); ++ int off = xt_compat_target_offset(target); + u_int16_t tsize = ct->u.user.target_size; + char name[sizeof(t->u.user.name)]; + +@@ -923,9 +920,6 @@ void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, + target->compat_from_user(t->data, ct->data); + else + memcpy(t->data, ct->data, tsize - sizeof(*ct)); +- pad = XT_ALIGN(target->targetsize) - target->targetsize; +- if (pad > 0) +- memset(t->data + target->targetsize, 0, pad); + + tsize += off; + t->u.user.target_size = tsize; +-- +2.27.0 + + diff --git a/SOURCES/CVE-2021-32399.patch b/SOURCES/CVE-2021-32399.patch new file mode 100644 index 0000000..37c9586 --- /dev/null +++ b/SOURCES/CVE-2021-32399.patch @@ -0,0 +1,123 @@ +From: Artem Savkov +Subject: [RHEL-7.9 CVE-2021-32399 KPATCH] bluetooth: eliminate the potential race condition when removing the HCI controller +Date: Wed, 7 Jul 2021 17:13:32 +0200 + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 + +Changes since last build: +[x86_64]: +hci_request.o: changed function: hci_req_sync + +[ppc64le]: +hci_request.o: changed function: bg_scan_update +hci_request.o: changed function: connectable_update_work +hci_request.o: changed function: discov_off +hci_request.o: changed function: discov_update +hci_request.o: changed function: discoverable_update_work +hci_request.o: changed function: hci_req_sync +hci_request.o: changed function: le_scan_disable_work +hci_request.o: changed function: le_scan_restart_work +hci_request.o: changed function: scan_update_work + +--------------------------- + +Kernels: +3.10.0-1160.el7 +3.10.0-1160.2.1.el7 +3.10.0-1160.2.2.el7 +3.10.0-1160.6.1.el7 +3.10.0-1160.11.1.el7 +3.10.0-1160.15.2.el7 +3.10.0-1160.21.1.el7 +3.10.0-1160.24.1.el7 +3.10.0-1160.25.1.el7 +3.10.0-1160.31.1.el7 +3.10.0-1160.36.2.el7 + +Modifications: none +Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/171 + +commit 168b363c94eac82c2e3531bd2ae9dfa2f369d4be +Author: Gopal Tiwari +Date: Mon Jun 14 13:04:00 2021 +0530 + + bluetooth: eliminate the potential race condition when removing the HCI controller + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1971457 + + Upstream: merged. + + Testing: Sanity_only. + + commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 + Author: Lin Ma + Date: Mon Apr 12 19:17:57 2021 +0800 + + bluetooth: eliminate the potential race condition when removing the HCI controller + + There is a possible race condition vulnerability between issuing a HCI + command and removing the cont. Specifically, functions hci_req_sync() + and hci_dev_do_close() can race each other like below: + + thread-A in hci_req_sync() | thread-B in hci_dev_do_close() + | hci_req_sync_lock(hdev); + test_bit(HCI_UP, &hdev->flags); | + ... | test_and_clear_bit(HCI_UP, &hdev->flags) + hci_req_sync_lock(hdev); | + | + In this commit we alter the sequence in function hci_req_sync(). Hence, + the thread-A cannot issue th. + + Signed-off-by: Lin Ma + Cc: Marcel Holtmann + Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy") + Signed-off-by: Greg Kroah-Hartman + + Signed-off-by: Gopal Tiwari + +Signed-off-by: Artem Savkov +Acked-by: Joe Lawrence +Acked-by: Yannick Cote +--- + net/bluetooth/hci_request.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c +index 1015d9c8d97dd..9e25e77042503 100644 +--- a/net/bluetooth/hci_request.c ++++ b/net/bluetooth/hci_request.c +@@ -275,12 +275,16 @@ int hci_req_sync(struct hci_dev *hdev, int (*req)(struct hci_request *req, + { + int ret; + +- if (!test_bit(HCI_UP, &hdev->flags)) +- return -ENETDOWN; +- + /* Serialize all requests */ + hci_req_sync_lock(hdev); +- ret = __hci_req_sync(hdev, req, opt, timeout, hci_status); ++ /* check the state after obtaing the lock to protect the HCI_UP ++ * against any races from hci_dev_do_close when the controller ++ * gets removed. ++ */ ++ if (test_bit(HCI_UP, &hdev->flags)) ++ ret = __hci_req_sync(hdev, req, opt, timeout, hci_status); ++ else ++ ret = -ENETDOWN; + hci_req_sync_unlock(hdev); + + return ret; +-- +2.26.3 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 840edcd..9ceb68b 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 3.10.0-1160.31.1.el7 %define kpatch_ver 0.9.2 %define rpm_ver 1 -%define rpm_rel 1 +%define rpm_rel 2 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -16,6 +16,12 @@ Source100: CVE-2021-33034.patch # # https://bugzilla.redhat.com/1975256 Source101: CVE-2021-33909.patch +# +# https://bugzilla.redhat.com/1971474 +Source102: CVE-2021-32399.patch +# +# https://bugzilla.redhat.com/1980516 +Source103: CVE-2021-22555.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -148,6 +154,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Mon Aug 16 2021 Joe Lawrence [1-2.el7] +- kernel: out-of-bounds write in xt_compat_target_from_user() in net/netfilter/x_tables.c [1980516] {CVE-2021-22555} +- kpatch: kernel: race condition for removal of the HCI controller [1971474] {CVE-2021-32399} + * Fri Jul 09 2021 Joe Lawrence [1-1.el7] - kernel: size_t-to-int conversion vulnerability in the filesystem layer [1975256] {CVE-2021-33909} - kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan [1962518] {CVE-2021-33034}