diff --git a/.gitignore b/.gitignore
index e69de29..70f1008 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/kernel-3.10.0-1160.41.1.el7.src.rpm
+SOURCES/v0.9.2.tar.gz
diff --git a/.kpatch-patch-3_10_0-1160_41_1.metadata b/.kpatch-patch-3_10_0-1160_41_1.metadata
index e69de29..04ad05b 100644
--- a/.kpatch-patch-3_10_0-1160_41_1.metadata
+++ b/.kpatch-patch-3_10_0-1160_41_1.metadata
@@ -0,0 +1,2 @@
+edb473dbf54ab00079218194e6da90e77349fc23 SOURCES/kernel-3.10.0-1160.41.1.el7.src.rpm
+c0878679129add77d6fff57093640892ad941155 SOURCES/v0.9.2.tar.gz
diff --git a/SOURCES/CVE-2021-3715.patch b/SOURCES/CVE-2021-3715.patch
new file mode 100644
index 0000000..2c5f2c8
--- /dev/null
+++ b/SOURCES/CVE-2021-3715.patch
@@ -0,0 +1,89 @@
+From: Artem Savkov
+Subject: [RHEL-7.9 CVE-2021-3715 KPATCH] net_sched: cls_route: remove the right filter from hashtable
+Date: Mon, 30 Aug 2021 17:33:51 +0200
+
+Kernels:
+3.10.0-1160.el7
+3.10.0-1160.2.1.el7
+3.10.0-1160.2.2.el7
+3.10.0-1160.6.1.el7
+3.10.0-1160.11.1.el7
+3.10.0-1160.15.2.el7
+3.10.0-1160.21.1.el7
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+cls_route.o: changed function: route4_change
+---------------------------
+
+Kernels:
+3.10.0-1160.41.1.el7
+
+Modifications: none
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-7/-/merge_requests/251
+
+commit f4e1814eb56167451ddd819fccb951178f97660b
+Author: Ivan Vecera
+Date: Tue Aug 17 12:21:33 2021 +0200
+
+ net_sched: cls_route: remove the right filter from hashtable
+
+ Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1992926
+
+ commit ef299cc3fa1a9e1288665a9fdc8bff55629fd359
+ Author: Cong Wang
+ Date: Fri Mar 13 22:29:54 2020 -0700
+
+ net_sched: cls_route: remove the right filter from hashtable
+
+ route4_change() allocates a new filter and copies values from
+ the old one. After the new filter is inserted into the hash
+ table, the old filter should be removed and freed, as the final
+ step of the update.
+
+ However, the current code mistakenly removes the new one. This
+ looks apparently wrong to me, and it causes double "free" and
+ use-after-free too, as reported by syzbot.
+
+ Reported-and-tested-by: syzbot+f9b32aaacd60305d9687@syzkaller.appspotmail.com
+ Reported-and-tested-by: syzbot+2f8c233f131943d6056d@syzkaller.appspotmail.com
+ Reported-and-tested-by: syzbot+9c2df9fd5e9445b74e01@syzkaller.appspotmail.com
+ Fixes: 1109c00547fc ("net: sched: RCU cls_route")
+ Cc: Jamal Hadi Salim
+ Cc: Jiri Pirko
+ Cc: John Fastabend
+ Signed-off-by: Cong Wang
+ Signed-off-by: David S. Miller
+
+ Signed-off-by: Ivan Vecera
+
+Signed-off-by: Artem Savkov
+Acked-by: Joe Lawrence
+---
+ net/sched/cls_route.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
+index 7bd464e8d084..2fed29fa504e 100644
+--- a/net/sched/cls_route.c
++++ b/net/sched/cls_route.c
+@@ -534,8 +534,8 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
+ fp = &b->ht[h];
+ for (pfp = rtnl_dereference(*fp); pfp;
+ fp = &pfp->next, pfp = rtnl_dereference(*fp)) {
+- if (pfp == f) {
+- *fp = f->next;
++ if (pfp == fold) {
++ rcu_assign_pointer(*fp, fold->next);
+ break;
+ }
+ }
+--
+2.31.1
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 388caf3..40ce19f 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -1,17 +1,18 @@
 # Set to 1 if building an empty subscription-only package.
-%define empty_package 1
+%define empty_package 0
 
 #######################################################
 # Only need to update these variables and the changelog
 %define kernel_ver 3.10.0-1160.41.1.el7
 %define kpatch_ver 0.9.2
-%define rpm_ver 0
-%define rpm_rel 0
+%define rpm_ver 1
+%define rpm_rel 1
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
-Source100: XXX.patch
-#Source101: YYY.patch
+
+ # https://bugzilla.redhat.com/1997195
+Source100: CVE-2021-3715.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -144,5 +145,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Wed Sep 01 2021 Joe Lawrence [1-1.el7]
+- kernel: use-after-free in route4_change() in net/sched/cls_route.c [1997195] {CVE-2021-3715}
+
 * Mon Aug 16 2021 Joel Savitz [0-0.el7]
 - An empty patch to subscribe to kpatch stream for kernel-3.10.0-1160.41.1.el7 [1994152]
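Review bot: The kpatch header records `Modifications: none` but gives no rationale for why the upstream fix is safe to apply as a live patch, which is what the next rebase of this package will want to know. The embedded hunk touches only two statements inside route4_change() — the pointer compared in the unlink loop and the unlink assignment itself — with no change to any data structure or exported symbol, and the `cls_route.o: changed function: route4_change` line shows the build scope is that one function; that is worth stating explicitly, e.g. `Rationale: fix is confined to route4_change(); no struct layout or symbol changes, so no kpatch shadow variables or callbacks are required.` The body of route4_change(), including whatever NULL check on `fold` the new `fold->next` dereference relies on, lies outside the hunk, so that guard cannot be confirmed from this patch alone.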
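Review bot: The comment added above `Source100:` in the first hunk cites only `https://bugzilla.redhat.com/1997195`, while the patch it names carries `Bugzilla: ...1992926` in its body and the CVE id appears only in the changelog, so a reader of the spec alone cannot tell which bug tracks the kpatch build and which tracks the kernel fix. Suggest making the comment self-describing, e.g. `# CVE-2021-3715 - kpatch BZ https://bugzilla.redhat.com/1997195 (kernel fix: BZ 1992926)`. As rendered here that comment line also appears to start with a space before `#`; if that is not an artifact of the rendering, the leading space should be dropped to match the surrounding comment lines.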