diff --git a/.gitignore b/.gitignore index e69de29..10825b2 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-4.18.0-348.el8.src.rpm +SOURCES/v0.9.5.tar.gz diff --git a/.kpatch-patch-4_18_0-348.metadata b/.kpatch-patch-4_18_0-348.metadata index e69de29..7511d65 100644 --- a/.kpatch-patch-4_18_0-348.metadata +++ b/.kpatch-patch-4_18_0-348.metadata @@ -0,0 +1,2 @@ +58661bf09a08f466d28d40666f505cb148d0f581 SOURCES/kernel-4.18.0-348.el8.src.rpm +c0e52391403352e83c08e778c34bf4b8b196a621 SOURCES/v0.9.5.tar.gz diff --git a/SOURCES/CVE-2021-43267.patch b/SOURCES/CVE-2021-43267.patch new file mode 100644 index 0000000..2054e70 --- /dev/null +++ b/SOURCES/CVE-2021-43267.patch @@ -0,0 +1,128 @@ +From e414978bb06091697e96008f8500db4e86dc8b23 Mon Sep 17 00:00:00 2001 +From: Artem Savkov +Date: Fri, 5 Nov 2021 15:13:50 +0100 +Subject: [KPATCH CVE-2021-43267] tipc: fix size validations for the MSG_CRYPTO + type + +Kernels: +4.18.0-348.el8 +4.18.0-348.1.1.el8_5 + +Changes since last build: +arches: x86_64 ppc64le +crypto.o: changed function: tipc_crypto_msg_rcv +--------------------------- + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/7 +Approved-by: Joe Lawrence (@joe.lawrence) +Kernels: +4.18.0-348.el8 + +Modifications: none + +commit ff06de0480d0fdbdd6a3a9db663ffcd0297025c0 +Author: Bruno Meneguele +Date: Fri Nov 5 10:38:28 2021 -0300 + + tipc: fix size validations for the MSG_CRYPTO type + + Bugzilla: https://bugzilla.redhat.com/2020506 + CVE: CVE-2021-43267 + Y-Commit: fa40d9734a57bcbfa79a280189799f76c88f7bb0 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2020506 + O-CVE: CVE-2021-43267 + + The function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages + to receive keys from other nodes in the cluster in order to decrypt any + further messages from them. + This patch verifies that any supplied sizes in the message body are + valid for the received message. + + Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange") + Signed-off-by: Max VA + Acked-by: Ying Xue + Signed-off-by: Greg Kroah-Hartman + Acked-by: Jon Maloy + Signed-off-by: David S. Miller + (cherry picked from commit fa40d9734a57bcbfa79a280189799f76c88f7bb0) + Signed-off-by: Bruno Meneguele + +Signed-off-by: Artem Savkov +--- + net/tipc/crypto.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c +index 40ff244f2499..b4f8c0a234a0 100644 +--- a/net/tipc/crypto.c ++++ b/net/tipc/crypto.c +@@ -2279,43 +2279,53 @@ static bool tipc_crypto_key_rcv(struct tipc_crypto *rx, struct tipc_msg *hdr) + u16 key_gen = msg_key_gen(hdr); + u16 size = msg_data_sz(hdr); + u8 *data = msg_data(hdr); ++ unsigned int keylen; ++ ++ /* Verify whether the size can exist in the packet */ ++ if (unlikely(size < sizeof(struct tipc_aead_key) + TIPC_AEAD_KEYLEN_MIN)) { ++ pr_debug("%s: message data size is too small\n", rx->name); ++ goto exit; ++ } ++ ++ keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME))); ++ ++ /* Verify the supplied size values */ ++ if (unlikely(size != keylen + sizeof(struct tipc_aead_key) || ++ keylen > TIPC_AEAD_KEY_SIZE_MAX)) { ++ pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name); ++ goto exit; ++ } + + spin_lock(&rx->lock); + if (unlikely(rx->skey || (key_gen == rx->key_gen && rx->key.keys))) { + pr_err("%s: key existed <%p>, gen %d vs %d\n", rx->name, + rx->skey, key_gen, rx->key_gen); +- goto exit; ++ goto exit_unlock; + } + + /* Allocate memory for the key */ + skey = kmalloc(size, GFP_ATOMIC); + if (unlikely(!skey)) { + pr_err("%s: unable to allocate memory for skey\n", rx->name); +- goto exit; ++ goto exit_unlock; + } + + /* Copy key from msg data */ +- skey->keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME))); ++ skey->keylen = keylen; + memcpy(skey->alg_name, data, TIPC_AEAD_ALG_NAME); + memcpy(skey->key, data + TIPC_AEAD_ALG_NAME + sizeof(__be32), + skey->keylen); + +- /* Sanity check */ +- if (unlikely(size != tipc_aead_key_size(skey))) { +- kfree(skey); +- skey = NULL; +- goto exit; +- } +- + rx->key_gen = key_gen; + rx->skey_mode = msg_key_mode(hdr); + rx->skey = skey; + rx->nokey = 0; + mb(); /* for nokey flag */ + +-exit: ++exit_unlock: + spin_unlock(&rx->lock); + ++exit: + /* Schedule the key attaching on this crypto */ + if (likely(skey && queue_delayed_work(tx->wq, &rx->work, 0))) + return true; +-- +2.31.1 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 6bce793..fd9a20d 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,18 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 4.18.0-348.el8 %define kpatch_ver 0.9.5 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2020562 +Source100: CVE-2021-43267.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -150,5 +151,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Tue Nov 09 2021 Artem Savkov [1-1.el8] +- Insufficient validation of user-supplied sizes for the MSG_CRYPTO message type [2020562] {CVE-2021-43267} + * Thu Oct 21 2021 Joe Lawrence [0-0.el8] - An empty patch to subscribe to kpatch stream for kernel-4.18.0-348.el8 [2016072]