From 2ec76e1dc3b670f9283d2af0020562db26279c30 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 18 2022 12:36:46 +0000
Subject: import kpatch-patch-3_10_0-1160_62_1-1-1.el7
---
diff --git a/.gitignore b/.gitignore
index e69de29..94c7a52 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/kernel-3.10.0-1160.62.1.el7.src.rpm
+SOURCES/v0.9.2.tar.gz
diff --git a/.kpatch-patch-3_10_0-1160_62_1.metadata b/.kpatch-patch-3_10_0-1160_62_1.metadata
index e69de29..e0a0052 100644
--- a/.kpatch-patch-3_10_0-1160_62_1.metadata
+++ b/.kpatch-patch-3_10_0-1160_62_1.metadata
@@ -0,0 +1,2 @@
+8a44987a4f64dcde23fda1b4c09e0a260a6e0c56 SOURCES/kernel-3.10.0-1160.62.1.el7.src.rpm
+c0878679129add77d6fff57093640892ad941155 SOURCES/v0.9.2.tar.gz
diff --git a/SOURCES/CVE-2022-0492.patch b/SOURCES/CVE-2022-0492.patch
new file mode 100644
index 0000000..3f32890
--- /dev/null
+++ b/SOURCES/CVE-2022-0492.patch
@@ -0,0 +1,107 @@
+From d6dc1581c25221b17e1447f5eea0ee156a69e986 Mon Sep 17 00:00:00 2001
+From: Joe Lawrence
+Date: Fri, 25 Mar 2022 14:49:39 -0400
+Subject: [KPATCH CVE-2022-0492] cgroup-v1: kpatch fixes for CVE-2022-0492
+Content-type: text/plain
+
+Kernels:
+3.10.0-1160.24.1.el7
+3.10.0-1160.25.1.el7
+3.10.0-1160.31.1.el7
+3.10.0-1160.36.2.el7
+3.10.0-1160.41.1.el7
+3.10.0-1160.42.2.el7
+3.10.0-1160.45.1.el7
+3.10.0-1160.49.1.el7
+3.10.0-1160.53.1.el7
+3.10.0-1160.59.1.el7
+
+Changes since last build:
+arches: x86_64 ppc64le
+cgroup.o: changed function: cgroup_release_agent_write
+cgroup.o: changed function: parse_cgroupfs_options
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/36
+Approved-by: Yannick Cote (@ycote1)
+Modifications: none
+
+commit a1d7f90e939b5ca2fddb1e295c6cf8bfb97a69f0
+Author: Waiman Long
+Date: Wed Feb 9 09:23:49 2022 -0500
+
+ cgroup-v1: Require capabilities to set release_agent
+
+ Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2052162
+ CVE: CVE-2022-0492
+ Conflicts:
+ 1) For RHEL7, the right file to be modified is kernel/cgroup.c.
+ 2) The cgroup filesystem files in RHEL7 are created via direct
+ manipulation of dentries and inode and credential at the time of
+ creation are not stored. So the init_user_ns comparison check in
+ the upstream commit isn't applicable. It is also less important
+ and so the checks are dropped.
+ 3) The cgroup mount parameter parsing is done in
+ parse_cgroupfs_options() instead.
+
+ commit 24f6008564183aa120d07c03d9289519c2fe02af
+ Author: Eric W. Biederman
+ Date: Thu, 20 Jan 2022 11:04:01 -0600
+
+ cgroup-v1: Require capabilities to set release_agent
+
+ The cgroup release_agent is called with call_usermodehelper. The function
+ call_usermodehelper starts the release_agent with a full set fo capabilities.
+ Therefore require capabilities when setting the release_agaent.
+
+ Reported-by: Tabitha Sable
+ Tested-by: Tabitha Sable
+ Fixes: 81a6a5cdd2c5 ("Task Control Groups: automatic userspace notification of idle cgroups")
+ Cc: stable@vger.kernel.org # v2.6.24+
+ Signed-off-by: "Eric W. Biederman"
+ Signed-off-by: Tejun Heo
+
+ Signed-off-by: Waiman Long
+
+Signed-off-by: Joe Lawrence
+---
+ kernel/cgroup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/kernel/cgroup.c b/kernel/cgroup.c
+index 4777d5bc3142..e4138e5a7879 100644
+--- a/kernel/cgroup.c
++++ b/kernel/cgroup.c
+@@ -1149,6 +1149,13 @@ static int parse_cgroupfs_options(char *data, struct cgroup_sb_opts *opts)
+ /* Specifying two release agents is forbidden */
+ if (opts->release_agent)
+ return -EINVAL;
++ /*
++ * Release agent gets called with all capabilities,
++ * require capabilities to set release agent.
++ */
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
+ opts->release_agent =
+ kstrndup(token + 14, PATH_MAX - 1, GFP_KERNEL);
+ if (!opts->release_agent)
+@@ -2196,6 +2203,14 @@ static int cgroup_release_agent_write(struct cgroup *cgrp, struct cftype *cft,
+ BUILD_BUG_ON(sizeof(cgrp->root->release_agent_path) < PATH_MAX);
+ if (strlen(buffer) >= PATH_MAX)
+ return -EINVAL;
++
++ /*
++ * Release agent gets called with all capabilities,
++ * require capabilities to set release agent.
++ */
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
+ if (!cgroup_lock_live_group(cgrp))
+ return -ENODEV;
+ mutex_lock(&cgroup_root_mutex);
+--
+2.26.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index ad66add..317d599 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
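Review bot: The new `capable(CAP_SYS_ADMIN)` checks in parse_cgroupfs_options and cgroup_release_agent_write carry the whole fix on their own, because this backport drops upstream's explicit `init_user_ns` comparison (per the Conflicts note), yet nothing at either site says so — a later maintainer could "relax" them to `ns_capable(current_user_ns(), CAP_SYS_ADMIN)` and reopen the hole, since the agent is spawned by call_usermodehelper as init-namespace root. I would extend the comment at both sites to read `* require capabilities to set release agent; deliberately capable() (init_user_ns), not ns_capable(): a userns-local CAP_SYS_ADMIN must not suffice.` The parser-side check presumably also gates remount on this kernel if cgroup_remount reuses parse_cgroupfs_options, which is worth confirming since release_agent is otherwise settable that way. Separately, the `Kernels:` list in the patch header stops at 3.10.0-1160.59.1.el7 while this package targets 3.10.0-1160.62.1.el7 (see the spec's kernel_ver), so that list is stale for this import. Both changed functions start and end outside the hunks shown.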
@@ -1,17 +1,18 @@
 # Set to 1 if building an empty subscription-only package.
-%define empty_package 1
+%define empty_package 0
 #######################################################
 # Only need to update these variables and the changelog
 %define kernel_ver 3.10.0-1160.62.1.el7
 %define kpatch_ver 0.9.2
-%define rpm_ver 0
-%define rpm_rel 0
+%define rpm_ver 1
+%define rpm_rel 1
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
-Source100: XXX.patch
-#Source101: YYY.patch
+#
+# https://bugzilla.redhat.com/2052183
+Source100: CVE-2022-0492.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
@@ -144,5 +145,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 %changelog
+* Thu May 12 2022 Joe Lawrence [1-1.el7]
+- kernel: cgroups v1 release_agent feature may allow privilege escalation [2052183] {CVE-2022-0492}
+
 * Thu Mar 24 2022 Joe Lawrence [0-0.el7]
 - An empty patch to subscribe to kpatch stream for kernel-3.10.0-1160.62.1.el7 [2068101]