diff --git a/SOURCES/CVE-2022-0492.patch b/SOURCES/CVE-2022-0492.patch
new file mode 100644
index 0000000..3f32890
--- /dev/null
+++ b/SOURCES/CVE-2022-0492.patch
@@ -0,0 +1,107 @@
+From d6dc1581c25221b17e1447f5eea0ee156a69e986 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence
+Date: Fri, 25 Mar 2022 14:49:39 -0400
+Subject: [KPATCH CVE-2022-0492] cgroup-v1: kpatch fixes for CVE-2022-0492
+Content-type: text/plain
+
+Kernels:
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+3.10.0-1160.42.2.el7
+3.10.0-1160.45.1.el7
+3.10.0-1160.49.1.el7
+3.10.0-1160.53.1.el7
+3.10.0-1160.59.1.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+cgroup.o: changed function: cgroup_release_agent_write
+cgroup.o: changed function: parse_cgroupfs_options
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/36
+Approved-by: Yannick Cote (@ycote1)
+Modifications: none
+
+commit a1d7f90e939b5ca2fddb1e295c6cf8bfb97a69f0
+Author: Waiman Long
+Date: Wed Feb 9 09:23:49 2022 -0500
+
+ cgroup-v1: Require capabilities to set release_agent
+
+ Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2052162
+ CVE: CVE-2022-0492
+ Conflicts:
+ 1) For RHEL7, the right file to be modified is kernel/cgroup.c.
+ 2) The cgroup filesystem files in RHEL7 are created via direct
+ manipulation of dentries and inode and credential at the time of
+ creation are not stored. So the init_user_ns comparison check in
+ the upstream commit isn't applicable. It is also less important
+ and so the checks are dropped.
+ 3) The cgroup mount parameter parsing is done in
+ parse_cgroupfs_options() instead.
+
+ commit 24f6008564183aa120d07c03d9289519c2fe02af
+ Author: Eric W. Biederman
+ Date: Thu, 20 Jan 2022 11:04:01 -0600
+
+ cgroup-v1: Require capabilities to set release_agent
+
+ The cgroup release_agent is called with call_usermodehelper. The function
+ call_usermodehelper starts the release_agent with a full set fo capabilities.
+ Therefore require capabilities when setting the release_agaent.
+
+ Reported-by: Tabitha Sable
+ Tested-by: Tabitha Sable
+ Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
+ Cc: stable@vger.kernel.org # v2.6.24+
+ Signed-off-by: "Eric W. Biederman"
+ Signed-off-by: Tejun Heo
+
+ Signed-off-by: Waiman Long
+
+Signed-off-by: Joe Lawrence
+---
+ kernel/cgroup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/kernel/cgroup.c b/kernel/cgroup.c
+index 4777d5bc3142..e4138e5a7879 100644
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -1149,6 +1149,13 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
+ /* Specifying two release agents is forbidden */
+ if (opts->release_agent)
+ return -EINVAL;
++ /*
++ * Release agent gets called with all capabilities,
++ * require capabilities to set release agent.
++ */
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
+ opts->release_agent =
+ kstrndup(token + 14, PATH_MAX - 1, GFP_KERNEL);
+ if (!opts->release_agent)
+@@ -2196,6 +2203,14 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
+ BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ if (strlen(buffer) >= PATH_MAX)
+ return -EINVAL;
++
++ /*
++ * Release agent gets called with all capabilities,
++ * require capabilities to set release agent.
++ */
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
+ if (!cgroup_lock_live_group(cgrp))
+ return -ENODEV;
+ mutex_lock(&cgroup_root_mutex);
+--
+2.26.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 3bf2295..6b7dfdd 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,7 +6,7 @@
 %define kernel_ver 3.10.0-1160.49.1.el7
 %define kpatch_ver 0.9.2
 %define rpm_ver 1
-%define rpm_rel 2
+%define rpm_rel 3
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
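Review bot: The comment added at both kernel sites (`+ * Release agent gets called with all capabilities,` / `+ * require capabilities to set release agent.`) does not record the deliberate deviation from upstream that the commit message explains, namely that the init_user_ns comparison was dropped for RHEL7 because the creating credentials are not stored, so a reader of kernel/cgroup.c alone cannot tell whether the bare `capable(CAP_SYS_ADMIN)` test is intentional or an incomplete backport. I would extend the comment at both sites with a line such as ` * RHEL7: the upstream init_user_ns comparison is intentionally omitted here (see the CVE-2022-0492 backport notes).` The placement itself looks right: in parse_cgroupfs_options the check sits before kstrndup(), so nothing is allocated on the rejected path, and in cgroup_release_agent_write the -EPERM return precedes cgroup_lock_live_group(), so an unprivileged writer never reaches cgroup_root_mutex. Both enclosing functions, parse_cgroupfs_options and cgroup_release_agent_write, begin and end outside the quoted hunks.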
@@ -31,6 +31,9 @@ Source105: CVE-2021-4028.patch
 #
 # https://bugzilla.redhat.com/2032491
 Source106: CVE-2021-4083.patch
+#
+# https://bugzilla.redhat.com/2052183
+Source107: CVE-2022-0492.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -163,6 +166,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Thu May 12 2022 Joe Lawrence [1-3.el7]
+- kernel: cgroups v1 release_agent feature may allow privilege escalation [2052183] {CVE-2022-0492}
+
 * Thu Mar 24 2022 Joe Lawrence [1-2.el7]
 - kernel: fget: check that the fd still exists after getting a ref to it [2032491] {CVE-2021-4083}
 - kernel: use-after-free in RDMA listen() [2033360] {CVE-2021-4028}