From db14cb5581bccf33cae27b6d8f3285023fc4e744 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 20 2021 20:07:44 +0000
Subject: import kpatch-patch-4_18_0-305_3_1-1-2.el8_4
---
diff --git a/SOURCES/CVE-2021-32399.patch b/SOURCES/CVE-2021-32399.patch
new file mode 100644
index 0000000..3eb2cdf
--- /dev/null
+++ b/SOURCES/CVE-2021-32399.patch
@@ -0,0 +1,114 @@
+From d50512e6312824861ce342eb68bb1eb7dea984e2 Mon Sep 17 00:00:00 2001
+From: Artem Savkov
+Date: Mon, 21 Jun 2021 12:09:28 +0200
+Subject: [PATCH] bluetooth: eliminate the potential race condition when
+ removing the HCI controller
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+
+Changes since last build:
+[x86_64]:
+hci_request.o: changed function: hci_req_sync
+
+[ppc64le]:
+hci_request.o: changed function: bg_scan_update
+hci_request.o: changed function: connectable_update_work
+hci_request.o: changed function: discov_off
+hci_request.o: changed function: discov_update
+hci_request.o: changed function: discoverable_update_work
+hci_request.o: changed function: hci_req_sync
+hci_request.o: changed function: le_scan_disable_work
+hci_request.o: changed function: le_scan_restart_work
+hci_request.o: changed function: scan_update_work
+
+---------------------------
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+
+Modifications: none
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/804
+
+commit 84466ca3bdf0d5d77d4c8a851336406627de2628
+Author: Gopal Tiwari
+Date: Mon Jun 14 13:47:30 2021 +0530
+
+ bluetooth: eliminate the potential race condition when removing the HCI controller
+
+ Bugzilla: https://bugzilla.redhat.com/1971464
+ CVE: CVE-2021-32399
+ Y-Commit: 54c81477df19422cbc3c8cf3b555159ff642f15b
+
+ O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1971488
+
+ Upstream: Merged
+
+ Testing: Sanity_only.
+
+ commit e2cb6b891ad2b8caa9131e3be70f45243df82a80
+ Author: Lin Ma
+ Date: Mon Apr 12 19:17:57 2021 +0800
+
+ bluetooth: eliminate the potential race condition when removing the HCI controller
+
+ There is a possible race condition vulnerability between issuing a HCI
+ command and removing the cont. Specifically, functions hci_req_sync()
+ and hci_dev_do_close() can race each other like below:
+
+ thread-A in hci_req_sync() | thread-B in hci_dev_do_close()
+ | hci_req_sync_lock(hdev);
+ test_bit(HCI_UP, &hdev->flags); |
+ ... | test_and_clear_bit(HCI_UP, &hdev->flags)
+ hci_req_sync_lock(hdev); |
+ |
+ In this commit we alter the sequence in function hci_req_sync(). Hence,
+ the thread-A cannot issue th.
+
+ Signed-off-by: Lin Ma
+ Cc: Marcel Holtmann
+ Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
+ Signed-off-by: Greg Kroah-Hartman
+ (cherry picked from commit e2cb6b891ad2b8caa9131e3be70f45243df82a80)
+ Signed-off-by: Gopal Tiwari
+ Signed-off-by: Jan Stancek
+
+Signed-off-by: Artem Savkov
+Acked-by: Yannick Cote
+Acked-by: Joe Lawrence
+---
+ net/bluetooth/hci_request.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
+index cf1b42ec40af97..ca9088d439460e 100644
+--- a/net/bluetooth/hci_request.c
++++ b/net/bluetooth/hci_request.c
+@@ -274,12 +274,16 @@ int hci_req_sync(struct hci_dev *hdev, int (*req)(struct hci_request *req,
+ {
+ int ret;
+
+- if (!test_bit(HCI_UP, &hdev->flags))
+- return -ENETDOWN;
+-
+ /* Serialize all requests */
+ hci_req_sync_lock(hdev);
+- ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++ /* check the state after obtaing the lock to protect the HCI_UP
++ * against any races from hci_dev_do_close when the controller
++ * gets removed.
++ */
++ if (test_bit(HCI_UP, &hdev->flags))
++ ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++ else
++ ret = -ENETDOWN;
+ hci_req_sync_unlock(hdev);
+
+ return ret;
+--
+2.26.3
+
diff --git a/SOURCES/CVE-2021-33034.patch b/SOURCES/CVE-2021-33034.patch
index 90984f8..548fbf7 100644
--- a/SOURCES/CVE-2021-33034.patch
+++ b/SOURCES/CVE-2021-33034.patch
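Review bot: Moving the HCI_UP test under hci_req_sync_lock() in hci_req_sync() only closes the race if hci_dev_do_close() clears HCI_UP while holding that same lock, which the thread table in the commit message asserts but the nested hunk cannot show; for a 4.18.0-305 backport that ordering in hci_dev_do_close() is worth confirming explicitly, since the cover note records only `Testing: Sanity_only.` and no race-specific test. The new comment keeps the upstream typo (`obtaing`); as the patch is marked `Modifications: none` it should stay verbatim rather than be corrected locally. The ppc64le list names nine work functions next to hci_req_sync, which looks like hci_req_sync being inlined into its callers on that arch — a one-line remark in the cover text would spare reviewers of later rebuilds from re-deriving why the x86_64 and ppc64le lists differ. The body of hci_req_sync() is fully contained in the nested hunk.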
@@ -1,3 +1,7 @@ +From: Joe Lawrence +Subject: [RHEL8.4 KPATCH v2] bluetooth: kpatch fixes for CVE-2021-33034 +Date: Thu, 10 Jun 2021 09:06:37 -0400 + Changes since last build: [x86_64]: hci_event.o: changed function: hci_event_packet @@ -140,6 +144,9 @@ Date: Thu May 20 11:27:10 2021 +0530 Signed-off-by: Joel Savitz for v1 Signed-off-by: Joe Lawrence +Acked-by: Artem Savkov +Acked-by: Yannick Cote + --- v2: diff --git a/SOURCES/CVE-2021-33909.patch b/SOURCES/CVE-2021-33909.patch new file mode 100644 index 0000000..c4aa06d --- /dev/null +++ b/SOURCES/CVE-2021-33909.patch 
@@ -0,0 +1,83 @@
+From 867b652db42ff8fa41b3c25e7ef9df48003ea4eb Mon Sep 17 00:00:00 2001
+From: Joe Lawrence
+Date: Tue, 6 Jul 2021 13:18:41 -0400
+Subject: [PATCH] seq_files: kpatch fix for CVE-2021-33909
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+
+Changes since last build:
+[x86_64]:
+seq_file.o: changed function: seq_read
+seq_file.o: changed function: single_open_size
+seq_file.o: changed function: traverse
+
+[ppc64le]:
+seq_file.o: changed function: seq_read
+seq_file.o: changed function: single_open_size
+seq_file.o: changed function: traverse.part.4
+
+---------------------------
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+
+Modifications: none
+
+commit 217fcaff73c6916b817280df9310852192026615
+Author: Ian Kent
+Date: Thu Jul 1 08:10:39 2021 +0800
+
+ seq_file: Disallow extremely large seq buffer allocations
+
+ Bugzilla: https://bugzilla.redhat.com/1975181
+ CVE: CVE-2021-33909
+ Y-Commit: 61d17175cddbac1f305c2704b336c9119b71bbfe
+
+ O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975182
+ Brew build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37831839
+ Testing: The patch has been tested by Qualys and it has been
+ confirmed the patch fixes the problem.
+ Upstream status: RHEL only (CVE-2021-33909)
+
+ Author: Eric Sandeen
+
+ seq_file: Disallow extremely large seq buffer allocations
+
+ There is no reasonable need for a buffer larger than this,
+ and it avoids int overflow pitfalls.
+
+ Suggested-by: Al Viro
+ Signed-off-by: Eric Sandeen
+
+ Signed-off-by: Ian Kent
+ Signed-off-by: Frantisek Hrbata
+
+Signed-off-by: Joe Lawrence
+Acked-by: Yannick Cote
+Acked-by: Artem Savkov
+---
+ fs/seq_file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/seq_file.c b/fs/seq_file.c
+index 1600034a929bb1..c19ecc1f2d5023 100644
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -29,6 +29,9 @@ static void seq_set_overflow(struct seq_file *m)
+
+ static void *seq_buf_alloc(unsigned long size)
+ {
++ if (unlikely(size > MAX_RW_COUNT))
++ return NULL;
++
+ return kvmalloc(size, GFP_KERNEL_ACCOUNT);
+ }
+
+--
+2.26.3
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index f1cbfd0..94f2cad 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -6,13 +6,19 @@
 %define kernel_ver 4.18.0-305.3.1.el8_4
 %define kpatch_ver 0.9.3
 %define rpm_ver 1
-%define rpm_rel 1
+%define rpm_rel 2
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
 #
 # https://bugzilla.redhat.com/1962521
 Source100: CVE-2021-33034.patch
+#
+# https://bugzilla.redhat.com/1971478
+Source101: CVE-2021-32399.patch
+#
+# https://bugzilla.redhat.com/1975190
+Source102: CVE-2021-33909.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
@@ -151,6 +157,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 %changelog
+* Mon Jul 12 2021 Artem Savkov [1-2.el8_4]
+- kernel: size_t-to-int conversion vulnerability in the filesystem layer [1975190] {CVE-2021-33909}
+- kernel: race condition for removal of the HCI controller [1971478] {CVE-2021-32399}
+
 * Thu Jun 17 2021 Yannick Cote [1-1.el8_4]
 - kernel: use-after-free in net/bluetooth/hci_event.c when destroying an hci_chan [1962521] {CVE-2021-33034}
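Review bot: The new guard in seq_buf_alloc() rejects any size above MAX_RW_COUNT by returning NULL, so callers presumably surface it as an allocation failure (-ENOMEM) rather than a distinct invalid-size error; that is fine for a kpatch, but the cap itself is undocumented in the code even though the commit message explains it. A short comment above the check would help the next reader, e.g. `/* No caller needs a buffer larger than MAX_RW_COUNT; capping here also avoids the int overflow pitfalls noted in CVE-2021-33909 */`, keeping in mind that the conversion sites the CVE title refers to are in the callers, not in this hunk. The changed-function lists (seq_read, single_open_size, traverse) are consistent with seq_buf_alloc() being inlined into its callers, which is why a three-line helper change touches three symbols; worth noting in the cover text. seq_buf_alloc() is fully contained in the nested hunk.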