From 82094dcabae9f3fb6c08663adcc762124c9bd629 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 07 2023 09:25:53 +0000 Subject: import kpatch-patch-3_10_0-1160_83_1-1-1.el7 --- diff --git a/.gitignore b/.gitignore index e69de29..1ac0cc8 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-3.10.0-1160.83.1.el7.src.rpm +SOURCES/v0.9.2.tar.gz diff --git a/.kpatch-patch-3_10_0-1160_83_1.metadata b/.kpatch-patch-3_10_0-1160_83_1.metadata index e69de29..3ee1afd 100644 --- a/.kpatch-patch-3_10_0-1160_83_1.metadata +++ b/.kpatch-patch-3_10_0-1160_83_1.metadata @@ -0,0 +1,2 @@ +8e97a09204cfd6994c2e7ee68df086f16492f006 SOURCES/kernel-3.10.0-1160.83.1.el7.src.rpm +c0878679129add77d6fff57093640892ad941155 SOURCES/v0.9.2.tar.gz diff --git a/SOURCES/CVE-2022-4378.patch b/SOURCES/CVE-2022-4378.patch new file mode 100644 index 0000000..d328f3a --- /dev/null +++ b/SOURCES/CVE-2022-4378.patch @@ -0,0 +1,264 @@ +From 794229b5711a96a488d85dd719511a278b4a4956 Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Fri, 27 Jan 2023 11:25:43 -0500 +Subject: [KPATCH CVE-2022-4378] kpatch fixes for CVE-2022-4378 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/51 +Approved-by: Yannick Cote (@ycote1) +Approved-by: Joe Lawrence (@joe.lawrence) +Kernels: +3.10.0-1160.76.1.el7 +3.10.0-1160.80.1.el7 +3.10.0-1160.81.1.el7 +3.10.0-1160.83.1.el7 + +Changes since last build: +[x86_64]: +sysctl.o: changed function: __do_proc_dointvec +sysctl.o: changed function: __do_proc_douintvec +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_dostring +sysctl.o: changed function: proc_get_long.constprop.13 + +[ppc64le]: +sysctl.o: changed function: __do_proc_doulongvec_minmax +sysctl.o: changed function: proc_do_cad_pid +sysctl.o: changed function: proc_dointvec +sysctl.o: changed function: proc_dointvec_jiffies +sysctl.o: changed function: proc_dointvec_minmax +sysctl.o: changed function: proc_dointvec_minmax_coredump +sysctl.o: changed function: proc_dointvec_minmax_sysadmin +sysctl.o: changed function: proc_dointvec_ms_jiffies +sysctl.o: changed function: proc_dointvec_userhz_jiffies +sysctl.o: changed function: proc_dopipe_max_size +sysctl.o: changed function: proc_dostring +sysctl.o: changed function: proc_dostring_coredump +sysctl.o: changed function: proc_douintvec +sysctl.o: changed function: proc_douintvec_minmax +sysctl.o: changed function: proc_doulongvec_minmax +sysctl.o: changed function: proc_doulongvec_ms_jiffies_minmax +sysctl.o: changed function: proc_get_long.constprop.13 +sysctl.o: changed function: sysrq_sysctl_handler +sysctl.o: new function: __do_proc_dointvec + +--------------------------- + +Modifications: +added '__attribute__((optimize("-fno-optimize-sibling-calls")))' to +proc_dointvec_jiffies(), proc_dointvec_ms_jiffies(), proc_doulongvec_ms_jiffies_minmax(), +proc_doulongvec_minmax(), proc_dointvec_userhz_jiffies(), and proc_dointvec() definitions. + +commit f4f6d6bf0cd6fc3d1b88341f784b2f7e8589ff61 +Author: Wander Lairson Costa +Date: Tue Dec 13 08:13:31 2022 -0300 + + proc: avoid integer type confusion in get_proc_long + + Bugzilla: https://bugzilla.redhat.com/2152565 + CVE: CVE-2022-4378 + + commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c + Author: Linus Torvalds + Date: Mon Dec 5 11:33:40 2022 -0800 + + proc: avoid integer type confusion in get_proc_long + + proc_get_long() is passed a size_t, but then assigns it to an 'int' + variable for the length. Let's not do that, even if our IO paths are + limited to MAX_RW_COUNT (exactly because of these kinds of type errors). + + So do the proper test in the rigth type. + + Reported-by: Kyle Zeng + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + +commit c727ac3f665ed51c096edeedf039552cea6053f6 +Author: Wander Lairson Costa +Date: Tue Dec 13 08:12:23 2022 -0300 + + proc: proc_skip_spaces() shouldn't think it is working on C strings + + Bugzilla: https://bugzilla.redhat.com/2152565 + CVE: CVE-2022-4378 + + Conflicts: some context hunks because we are way behind upstream. + + commit bce9332220bd677d83b19d21502776ad555a0e73 + Author: Linus Torvalds + Date: Mon Dec 5 12:09:06 2022 -0800 + + proc: proc_skip_spaces() shouldn't think it is working on C strings + + proc_skip_spaces() seems to think it is working on C strings, and ends + up being just a wrapper around skip_spaces() with a really odd calling + convention. + + Instead of basing it on skip_spaces(), it should have looked more like + proc_skip_char(), which really is the exact same function (except it + skips a particular character, rather than whitespace). So use that as + inspiration, odd coding and all. + + Now the calling convention actually makes sense and works for the + intended purpose. + + Reported-and-tested-by: Kyle Zeng + Acked-by: Eric Dumazet + Signed-off-by: Linus Torvalds + + Signed-off-by: Wander Lairson Costa + +Signed-off-by: Ryan Sullivan +--- + kernel/sysctl.c | 36 +++++++++++++++++++++--------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 62e2788cf09a..6f7d80afda89 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -1999,13 +1999,14 @@ int proc_dostring(struct ctl_table *table, int write, + (char __user *)buffer, lenp, ppos); + } + +-static size_t proc_skip_spaces(char **buf) ++static void proc_skip_spaces(char **buf, size_t *size) + { +- size_t ret; +- char *tmp = skip_spaces(*buf); +- ret = tmp - *buf; +- *buf = tmp; +- return ret; ++ while (*size) { ++ if (!isspace(**buf)) ++ break; ++ (*size)--; ++ (*buf)++; ++ } + } + + static void proc_skip_char(char **buf, size_t *size, const char v) +@@ -2074,13 +2075,12 @@ static int proc_get_long(char **buf, size_t *size, + unsigned long *val, bool *neg, + const char *perm_tr, unsigned perm_tr_len, char *tr) + { +- int len; + char *p, tmp[TMPBUFLEN]; ++ ssize_t len = *size; + +- if (!*size) ++ if (len <= 0) + return -EINVAL; + +- len = *size; + if (len > TMPBUFLEN - 1) + len = TMPBUFLEN - 1; + +@@ -2250,7 +2250,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, + bool neg; + + if (write) { +- left -= proc_skip_spaces(&kbuf); ++ proc_skip_spaces(&kbuf, &left); + + if (!left) + break; +@@ -2281,7 +2281,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, + if (!write && !first && left && !err) + err = proc_put_char(&buffer, &left, '\n'); + if (write && !err && left) +- left -= proc_skip_spaces(&kbuf); ++ proc_skip_spaces(&kbuf, &left); + free: + if (write) { + free_page(page); +@@ -2331,7 +2331,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, + if (IS_ERR(kbuf)) + return -EINVAL; + +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + if (!left) { + err = -EINVAL; + goto out_free; +@@ -2351,7 +2351,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, + } + + if (!err && left) +- left -= proc_skip_spaces(&p); ++ proc_skip_spaces(&p, &left); + + out_free: + kfree(kbuf); +@@ -2457,6 +2457,7 @@ static int do_proc_douintvec(struct ctl_table *table, int write, + * + * Returns 0 on success. + */ ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + int proc_dointvec(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +@@ -2775,7 +2776,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int + if (write) { + bool neg; + +- left -= proc_skip_spaces(&kbuf); ++ proc_skip_spaces(&kbuf, &left); + + err = proc_get_long(&kbuf, &left, &val, &neg, + proc_wspace_sep, +@@ -2800,7 +2801,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int + if (!write && !first && left && !err) + err = proc_put_char(&buffer, &left, '\n'); + if (write && !err) +- left -= proc_skip_spaces(&kbuf); ++ proc_skip_spaces(&kbuf, &left); + free: + if (write) { + free_page(page); +@@ -2839,6 +2840,7 @@ static int do_proc_doulongvec_minmax(struct ctl_table *table, int write, + * + * Returns 0 on success. + */ ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + int proc_doulongvec_minmax(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +@@ -2862,6 +2864,7 @@ int proc_doulongvec_minmax(struct ctl_table *table, int write, + * + * Returns 0 on success. + */ ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + int proc_doulongvec_ms_jiffies_minmax(struct ctl_table *table, int write, + void __user *buffer, + size_t *lenp, loff_t *ppos) +@@ -2957,6 +2960,7 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp, + * + * Returns 0 on success. + */ ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + int proc_dointvec_jiffies(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +@@ -2979,6 +2983,7 @@ int proc_dointvec_jiffies(struct ctl_table *table, int write, + * + * Returns 0 on success. + */ ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + int proc_dointvec_userhz_jiffies(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +@@ -3002,6 +3007,7 @@ int proc_dointvec_userhz_jiffies(struct ctl_table *table, int write, + * + * Returns 0 on success. + */ ++__attribute__((optimize("-fno-optimize-sibling-calls"))) + int proc_dointvec_ms_jiffies(struct ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { +-- +2.39.1 + + diff --git a/SOURCES/v0.9.2-backport-MR-1200-Make-sure-section-symbols-ex.patch b/SOURCES/v0.9.2-backport-MR-1200-Make-sure-section-symbols-ex.patch new file mode 100644 index 0000000..2aec990 --- /dev/null +++ b/SOURCES/v0.9.2-backport-MR-1200-Make-sure-section-symbols-ex.patch @@ -0,0 +1,83 @@ +From c1a07a5329c0b7db0ec54eea093e5d2d77735c06 Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Fri, 9 Dec 2022 15:37:49 -0500 +Subject: [PATCH] v0.9.2 backport: MR!1200 ("Make sure section symbols exist") +Content-type: text/plain + +commit 5622e3cc3d393fd77866b9838d16cd064de6fba5 +Author: Artem Savkov +Date: Fri Jun 18 10:59:26 2021 +0200 + + Make sure section symbols exist + + Binutils recently became much more aggressive about removing unused + section symbols. Since we can not rely on those being available anymore + add additional checks before using them. + + Fixes: #1193 + + Signed-off-by: Artem Savkov + +Fixes: KLP-216 ("Backport kpatch-build section symbol check") +Signed-off-by: Joe Lawrence +--- + kpatch-build/create-diff-object.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/kpatch-build/create-diff-object.c b/kpatch-build/create-diff-object.c +index c9afe33bbdae..94879b5fce6a 100644 +--- a/kpatch-build/create-diff-object.c ++++ b/kpatch-build/create-diff-object.c +@@ -1241,7 +1241,8 @@ static void kpatch_correlate_static_local_variables(struct kpatch_elf *base, + if (bundled && sym->sec->twin) { + UNCORRELATE_ELEMENT(sym->sec); + +- UNCORRELATE_ELEMENT(sym->sec->secsym); ++ if (sym->sec->secsym) ++ UNCORRELATE_ELEMENT(sym->sec->secsym); + + if (sym->sec->rela) + UNCORRELATE_ELEMENT(sym->sec->rela); +@@ -1744,7 +1745,7 @@ static int kpatch_include_callback_elements(struct kpatch_elf *kelf) + sym = rela->sym; + log_normal("found callback: %s\n",sym->name); + kpatch_include_symbol(sym); +- } else { ++ } else if (sec->secsym) { + sec->secsym->include = 1; + } + } +@@ -1772,7 +1773,8 @@ static void kpatch_include_force_elements(struct kpatch_elf *kelf) + sec->include = 1; + if (!is_rela_section(sec)) { + /* .kpatch.force */ +- sec->secsym->include = 1; ++ if (sec->secsym) ++ sec->secsym->include = 1; + continue; + } + /* .rela.kpatch.force */ +@@ -2381,7 +2383,8 @@ static void kpatch_regenerate_special_section(struct kpatch_elf *kelf, + sec->include = 1; + sec->base->include = 1; + /* include secsym so .kpatch.arch relas can point to section symbols */ +- sec->base->secsym->include = 1; ++ if (sec->base->secsym) ++ sec->base->secsym->include = 1; + + /* + * Update text section data buf and size. +@@ -2564,7 +2567,9 @@ static void kpatch_mark_ignored_sections(struct kpatch_elf *kelf) + * from the section data comparison, but this is a simpler way. + */ + strsec->include = 1; +- strsec->secsym->include = 1; ++ if (strsec->secsym) ++ strsec->secsym->include = 1; ++ + name = strsec->data->d_buf + rela->addend; + ignoresec = find_section_by_name(&kelf->sections, name); + if (!ignoresec) +-- +2.38.1 + diff --git a/SOURCES/v0.9.2-backport-MR-1281-create-diff-object-add-suppo.patch b/SOURCES/v0.9.2-backport-MR-1281-create-diff-object-add-suppo.patch new file mode 100644 index 0000000..38ef70c --- /dev/null +++ b/SOURCES/v0.9.2-backport-MR-1281-create-diff-object-add-suppo.patch @@ -0,0 +1,54 @@ +From d98f100dc979f87296ec88b63a0d506aaf4cd2bd Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Thu, 8 Dec 2022 12:31:17 -0500 +Subject: [PATCH] v0.9.2 backport: MR!1281 ("create-diff-object: add support + for .return_sites section (x86)") +Content-type: text/plain + +commit 33368a88cdf875b0edd02b0dfd3356a7e93b24db +Author: Jonathan Dobson +Date: Sat Jul 16 15:46:54 2022 -0600 + + create-diff-object: add support for .return_sites section (x86) + + Conflicts: + kpatch-build/create-diff-object.c + - Manually apply patch to avoid diff context, v0.9.2 structure + special_section structure doesn't have .arch + +Signed-off-by: Joe Lawrence +--- + kpatch-build/create-diff-object.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/kpatch-build/create-diff-object.c b/kpatch-build/create-diff-object.c +index cee8adf333dc..c9afe33bbdae 100644 +--- a/kpatch-build/create-diff-object.c ++++ b/kpatch-build/create-diff-object.c +@@ -1991,6 +1991,11 @@ static int altinstructions_group_size(struct kpatch_elf *kelf, int offset) + return size; + } + ++static int return_sites_group_size(struct kpatch_elf *kelf, int offset) ++{ ++ return 4; ++} ++ + static int smp_locks_group_size(struct kpatch_elf *kelf, int offset) + { + return 4; +@@ -2103,6 +2108,11 @@ static struct special_section special_sections[] = { + .name = ".altinstructions", + .group_size = altinstructions_group_size, + }, ++ { ++ .name = ".return_sites", ++ .group_size = return_sites_group_size, ++ }, ++ + #endif + #ifdef __powerpc64__ + { +-- +2.38.1 + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 2a471e1..2bb6cd0 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,18 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 3.10.0-1160.83.1.el7 %define kpatch_ver 0.9.2 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2152592 +Source100: CVE-2022-4378.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -146,5 +147,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Feb 21 2023 Yannick Cote [1-1.el7] +- kernel: stack overflow in do_proc_dointvec and proc_skip_spaces [2152592] {CVE-2022-4378} + * Tue Jan 10 2023 Yannick Cote [0-0.el7] - An empty patch to subscribe to kpatch stream for kernel-3.10.0-1160.83.1.el7 [2159730]