|
 |
bb7f30 |
From 9729284acf8441ad27c2c87d2d91e5faef742d98 Mon Sep 17 00:00:00 2001
|
|
|
bb7f30 |
From: Julia Denham <jdenham@redhat.com>
|
|
|
bb7f30 |
Date: Wed, 5 Oct 2022 09:14:27 -0400
|
|
|
bb7f30 |
Subject: [KPATCH CVE-2022-2588] kpatch fixes for CVE-2022-2588
|
|
|
bb7f30 |
|
|
|
bb7f30 |
Kernels:
|
|
|
bb7f30 |
3.10.0-1160.45.1.el7
|
|
|
bb7f30 |
3.10.0-1160.62.1.el7
|
|
|
bb7f30 |
3.10.0-1160.66.1.el7
|
|
|
bb7f30 |
3.10.0-1160.71.1.el7
|
|
|
bb7f30 |
3.10.0-1160.76.1.el7
|
|
|
bb7f30 |
|
|
|
bb7f30 |
|
|
|
bb7f30 |
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/45
|
|
|
bb7f30 |
Approved-by: Joe Lawrence (@joe.lawrence)
|
|
|
bb7f30 |
Approved-by: Yannick Cote (@ycote1)
|
|
|
bb7f30 |
Changes since last build:
|
|
|
bb7f30 |
arches: x86_64 ppc64le
|
|
|
bb7f30 |
cls_route.o: changed function: route4_change
|
|
|
bb7f30 |
---------------------------
|
|
|
bb7f30 |
|
|
|
bb7f30 |
Modifications: none
|
|
|
bb7f30 |
|
|
|
bb7f30 |
commit 74eb26c74da4446e9b826103e61361531c6ca716
|
|
|
bb7f30 |
Author: Davide Caratti <dcaratti@redhat.com>
|
|
|
bb7f30 |
Date: Mon Aug 29 15:47:31 2022 +0200
|
|
|
bb7f30 |
|
|
|
bb7f30 |
net_sched: cls_route: remove from list when handle is 0
|
|
|
bb7f30 |
|
|
|
bb7f30 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2121809
|
|
|
bb7f30 |
Upstream Status: net.git commit 9ad36309e271
|
|
|
bb7f30 |
CVE: CVE-2022-2588
|
|
|
bb7f30 |
Conflicts: None
|
|
|
bb7f30 |
|
|
|
bb7f30 |
commit 9ad36309e2719a884f946678e0296be10f0bb4c1
|
|
|
bb7f30 |
Author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
|
|
bb7f30 |
Date: Tue Aug 9 14:05:18 2022 -0300
|
|
|
bb7f30 |
|
|
|
bb7f30 |
net_sched: cls_route: remove from list when handle is 0
|
|
|
bb7f30 |
|
|
|
bb7f30 |
When a route filter is replaced and the old filter has a 0 handle, the old
|
|
|
bb7f30 |
one won't be removed from the hashtable, while it will still be freed.
|
|
|
bb7f30 |
|
|
|
bb7f30 |
The test was there since before commit 1109c00547fc ("net: sched: RCU
|
|
|
bb7f30 |
cls_route"), when a new filter was not allocated when there was an old one.
|
|
|
bb7f30 |
The old filter was reused and the reinserting would only be necessary if an
|
|
|
bb7f30 |
old filter was replaced. That was still wrong for the same case where the
|
|
|
bb7f30 |
old handle was 0.
|
|
|
bb7f30 |
|
|
|
bb7f30 |
Remove the old filter from the list independently from its handle value.
|
|
|
bb7f30 |
|
|
|
bb7f30 |
This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.
|
|
|
bb7f30 |
|
|
|
bb7f30 |
Reported-by: Zhenpeng Lin <zplin@u.northwestern.edu>
|
|
|
bb7f30 |
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
|
|
|
bb7f30 |
Reviewed-by: Kamal Mostafa <kamal@canonical.com>
|
|
|
bb7f30 |
Cc: <stable@vger.kernel.org>
|
|
|
bb7f30 |
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
|
|
|
bb7f30 |
Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com
|
|
|
bb7f30 |
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
|
|
bb7f30 |
|
|
|
bb7f30 |
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
|
|
|
bb7f30 |
|
|
|
bb7f30 |
Signed-off-by: Julia Denham <jdenham@redhat.com>
|
|
|
bb7f30 |
---
|
|
|
bb7f30 |
net/sched/cls_route.c | 2 +-
|
|
|
bb7f30 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
bb7f30 |
|
|
|
bb7f30 |
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
|
|
|
bb7f30 |
index 2fed29fa504e..d97c5bcdfa43 100644
|
|
|
bb7f30 |
--- a/net/sched/cls_route.c
|
|
|
bb7f30 |
+++ b/net/sched/cls_route.c
|
|
|
bb7f30 |
@@ -526,7 +526,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
|
|
|
bb7f30 |
rcu_assign_pointer(f->next, f1);
|
|
|
bb7f30 |
rcu_assign_pointer(*fp, f);
|
|
|
bb7f30 |
|
|
|
bb7f30 |
- if (fold && fold->handle && f->handle != fold->handle) {
|
|
|
bb7f30 |
+ if (fold) {
|
|
|
bb7f30 |
th = to_hash(fold->handle);
|
|
|
bb7f30 |
h = from_hash(fold->handle >> 16);
|
|
|
bb7f30 |
b = rtnl_dereference(head->table[th]);
|
|
|
bb7f30 |
--
|
|
|
bb7f30 |
2.37.3
|
|
|
bb7f30 |
|
|
|
bb7f30 |
|