From 0403904d1a096a8bec1a9aac8c82db1e0b8d2bc7 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 20 2021 20:02:18 +0000
Subject: import kpatch-patch-4_18_0-305_7_1-1-1.el8_4
---
diff --git a/.gitignore b/.gitignore
index e69de29..bfb8e96 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/kernel-4.18.0-305.7.1.el8_4.src.rpm
+SOURCES/v0.9.3.tar.gz
diff --git a/.kpatch-patch-4_18_0-305_7_1.metadata b/.kpatch-patch-4_18_0-305_7_1.metadata
index e69de29..f9e3046 100644
--- a/.kpatch-patch-4_18_0-305_7_1.metadata
+++ b/.kpatch-patch-4_18_0-305_7_1.metadata
@@ -0,0 +1,2 @@
+08bfd4c72e40f90106ccc2d4598b94f731bd70ed SOURCES/kernel-4.18.0-305.7.1.el8_4.src.rpm
+2b781cf5acd4869510950696e610b747ed508913 SOURCES/v0.9.3.tar.gz
diff --git a/SOURCES/CVE-2021-32399.patch b/SOURCES/CVE-2021-32399.patch
new file mode 100644
index 0000000..3eb2cdf
--- /dev/null
+++ b/SOURCES/CVE-2021-32399.patch
@@ -0,0 +1,114 @@
+From d50512e6312824861ce342eb68bb1eb7dea984e2 Mon Sep 17 00:00:00 2001
+From: Artem Savkov
+Date: Mon, 21 Jun 2021 12:09:28 +0200
+Subject: [PATCH] bluetooth: eliminate the potential race condition when
+ removing the HCI controller
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+
+Changes since last build:
+[x86_64]:
+hci_request.o: changed function: hci_req_sync
+
+[ppc64le]:
+hci_request.o: changed function: bg_scan_update
+hci_request.o: changed function: connectable_update_work
+hci_request.o: changed function: discov_off
+hci_request.o: changed function: discov_update
+hci_request.o: changed function: discoverable_update_work
+hci_request.o: changed function: hci_req_sync
+hci_request.o: changed function: le_scan_disable_work
+hci_request.o: changed function: le_scan_restart_work
+hci_request.o: changed function: scan_update_work
+
+---------------------------
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+
+Modifications: none
+Z-MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-8/-/merge_requests/804
+
+commit 84466ca3bdf0d5d77d4c8a851336406627de2628
+Author: Gopal Tiwari
+Date: Mon Jun 14 13:47:30 2021 +0530
+
+ bluetooth: eliminate the potential race condition when removing the HCI controller
+
+ Bugzilla: https://bugzilla.redhat.com/1971464
+ CVE: CVE-2021-32399
+ Y-Commit: 54c81477df19422cbc3c8cf3b555159ff642f15b
+
+ O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1971488
+
+ Upstream: Merged
+
+ Testing: Sanity_only.
+
+ commit e2cb6b891ad2b8caa9131e3be70f45243df82a80
+ Author: Lin Ma
+ Date: Mon Apr 12 19:17:57 2021 +0800
+
+ bluetooth: eliminate the potential race condition when removing the HCI controller
+
+ There is a possible race condition vulnerability between issuing a HCI
+ command and removing the cont.
Specifically, functions hci_req_sync()
+ and hci_dev_do_close() can race each other like below:
+
+ thread-A in hci_req_sync() | thread-B in hci_dev_do_close()
+ | hci_req_sync_lock(hdev);
+ test_bit(HCI_UP, &hdev->flags); |
+ ... | test_and_clear_bit(HCI_UP, &hdev->flags)
+ hci_req_sync_lock(hdev); |
+ |
+ In this commit we alter the sequence in function hci_req_sync(). Hence,
+ the thread-A cannot issue th.
+
+ Signed-off-by: Lin Ma
+ Cc: Marcel Holtmann
+ Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
+ Signed-off-by: Greg Kroah-Hartman
+ (cherry picked from commit e2cb6b891ad2b8caa9131e3be70f45243df82a80)
+ Signed-off-by: Gopal Tiwari
+ Signed-off-by: Jan Stancek
+
+Signed-off-by: Artem Savkov
+Acked-by: Yannick Cote
+Acked-by: Joe Lawrence
+---
+ net/bluetooth/hci_request.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
+index cf1b42ec40af97..ca9088d439460e 100644
+--- a/net/bluetooth/hci_request.c
++++ b/net/bluetooth/hci_request.c
+@@ -274,12 +274,16 @@ int hci_req_sync(struct hci_dev *hdev, int (*req)(struct hci_request *req,
+ {
+ int ret;
+
+- if (!test_bit(HCI_UP, &hdev->flags))
+- return -ENETDOWN;
+-
+ /* Serialize all requests */
+ hci_req_sync_lock(hdev);
+- ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++ /* check the state after obtaing the lock to protect the HCI_UP
++ * against any races from hci_dev_do_close when the controller
++ * gets removed.
++ */
++ if (test_bit(HCI_UP, &hdev->flags))
++ ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++ else
++ ret = -ENETDOWN;
+ hci_req_sync_unlock(hdev);
+
+ return ret;
+--
+2.26.3
+
diff --git a/SOURCES/CVE-2021-33909.patch b/SOURCES/CVE-2021-33909.patch
new file mode 100644
index 0000000..c4aa06d
--- /dev/null
+++ b/SOURCES/CVE-2021-33909.patch
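Review bot: The new comment above the relocated check misspells "obtaining" (`obtaing`); since that comment is the one line explaining why the HCI_UP test moved under the lock, I would correct it in the patch before it is carried as a kpatch source: `/* check the state after obtaining the lock to protect the HCI_UP`. The relocation itself reads correctly: hci_req_sync() no longer tests HCI_UP before hci_req_sync_lock(hdev), so the test now sits under the same lock the diagram shows hci_dev_do_close() taking before test_and_clear_bit(), and `ret` is assigned on both branches. One behavioural side effect worth a sentence in the kpatch header is that callers on a down controller now block on hci_req_sync_lock() before receiving -ENETDOWN instead of returning immediately. The "Changes since last build" list names only hci_req_sync on x86_64 but nine functions on ppc64le, which presumably reflects inlining on that target; the patched-function set of the built module should be confirmed per architecture rather than assumed from x86_64.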
@@ -0,0 +1,83 @@
+From 867b652db42ff8fa41b3c25e7ef9df48003ea4eb Mon Sep 17 00:00:00 2001
+From: Joe Lawrence
+Date: Tue, 6 Jul 2021 13:18:41 -0400
+Subject: [PATCH] seq_files: kpatch fix for CVE-2021-33909
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+
+Changes since last build:
+[x86_64]:
+seq_file.o: changed function: seq_read
+seq_file.o: changed function: single_open_size
+seq_file.o: changed function: traverse
+
+[ppc64le]:
+seq_file.o: changed function: seq_read
+seq_file.o: changed function: single_open_size
+seq_file.o: changed function: traverse.part.4
+
+---------------------------
+
+Kernels:
+4.18.0-305.el8
+4.18.0-305.3.1.el8_4
+4.18.0-305.7.1.el8_4
+
+Modifications: none
+
+commit 217fcaff73c6916b817280df9310852192026615
+Author: Ian Kent
+Date: Thu Jul 1 08:10:39 2021 +0800
+
+ seq_file: Disallow extremely large seq buffer allocations
+
+ Bugzilla: https://bugzilla.redhat.com/1975181
+ CVE: CVE-2021-33909
+ Y-Commit: 61d17175cddbac1f305c2704b336c9119b71bbfe
+
+ O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1975182
+ Brew build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37831839
+ Testing: The patch has been tested by Qualys and it has been
+ confirmed the patch fixes the problem.
+ Upstream status: RHEL only (CVE-2021-33909)
+
+ Author: Eric Sandeen
+
+ seq_file: Disallow extremely large seq buffer allocations
+
+ There is no reasonable need for a buffer larger than this,
+ and it avoids int overflow pitfalls.
+
+ Suggested-by: Al Viro
+ Signed-off-by: Eric Sandeen
+
+ Signed-off-by: Ian Kent
+
Signed-off-by: Frantisek Hrbata
+
+Signed-off-by: Joe Lawrence
+Acked-by: Yannick Cote
+Acked-by: Artem Savkov
+---
+ fs/seq_file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/seq_file.c b/fs/seq_file.c
+index 1600034a929bb1..c19ecc1f2d5023 100644
+--- a/fs/seq_file.c
++++ b/fs/seq_file.c
+@@ -29,6 +29,9 @@ static void seq_set_overflow(struct seq_file *m)
+
+ static void *seq_buf_alloc(unsigned long size)
+ {
++ if (unlikely(size > MAX_RW_COUNT))
++ return NULL;
++
+ return kvmalloc(size, GFP_KERNEL_ACCOUNT);
+ }
+
+--
+2.26.3
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 0da3f2b..257d088 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -1,17 +1,21 @@
 # Set to 1 if building an empty subscription-only package.
-%define empty_package 1
+%define empty_package 0
 #######################################################
 # Only need to update these variables and the changelog
 %define kernel_ver 4.18.0-305.7.1.el8_4
 %define kpatch_ver 0.9.3
-%define rpm_ver 0
-%define rpm_rel 0
+%define rpm_ver 1
+%define rpm_rel 1
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
-Source100: XXX.patch
-#Source101: YYY.patch
+#
+# https://bugzilla.redhat.com/1971478
+Source100: CVE-2021-32399.patch
+#
+# https://bugzilla.redhat.com/1975190
+Source101: CVE-2021-33909.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
@@ -150,5 +154,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 %changelog
+* Mon Jul 12 2021 Artem Savkov [1-1.el8_4]
+- kernel: size_t-to-int conversion vulnerability in the filesystem layer [1975190] {CVE-2021-33909}
+- kernel: race condition for removal of the HCI controller [1971478] {CVE-2021-32399}
+
 * Wed Jun 16 2021 Yannick Cote [0-0.el8_4]
 - An empty patch to subscribe to kpatch stream for kernel-4.18.0-305.7.1.el8_4 [1972823]
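Review bot: The new guard `if (unlikely(size > MAX_RW_COUNT)) return NULL;` in seq_buf_alloc() makes an oversized request indistinguishable from an allocation failure, so the callers the header lists as changed (seq_read, single_open_size, traverse) will presumably surface it as -ENOMEM; that is acceptable for a live patch, but the line carries no comment, and I would add one so a later reader does not treat the cap as arbitrary: `/* Cap the buffer so the size_t->int conversions in seq_read()/traverse() cannot go negative (CVE-2021-33909). */`. The description's claim that this "avoids int overflow pitfalls" depends on MAX_RW_COUNT being below INT_MAX, which is defined outside this hunk and should be confirmed for this kernel. Because seq_buf_alloc() is a static helper, the kpatch changed-function list showing its callers rather than the helper is expected, and `traverse.part.4` on ppc64le indicates a compiler-split function; both architectures should be checked for the expected patched set. The callers that consume the NULL are outside this hunk.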