rpms / kpatch-patch-4_18_0-348_12_2

Clone
Source Code
GIT

Blame SOURCES/CVE-2022-0435.patch

c8
  1.   ec4dc69402e4e402ecc7e24d4c40169fe87659d0
  2.   SOURCES
  3.   CVE-2022-0435.patch
Blob History Raw
23221e 
From 8db2609e76912d088d19ba0938e80c5628e58e9e Mon Sep 17 00:00:00 2001
23221e 
From: Joe Lawrence <joe.lawrence@redhat.com>
23221e 
Date: Thu, 3 Mar 2022 11:44:42 -0500
23221e 
Subject: [KPATCH CVE-2022-0435] tipc: kpatch fixes for CVE-2022-0435
23221e
23221e 
Kernels:
23221e 
4.18.0-348.el8
23221e 
4.18.0-348.2.1.el8_5
23221e 
4.18.0-348.7.1.el8_5
23221e 
4.18.0-348.12.2.el8_5
23221e
23221e 
Changes since last build:
23221e 
[x86_64]:
23221e 
link.o: changed function: tipc_link_rcv
23221e 
monitor.o: changed function: tipc_mon_rcv
23221e
23221e 
[ppc64le]:
23221e 
link.o: changed function: tipc_link_proto_rcv
23221e 
monitor.o: changed function: tipc_mon_rcv
23221e
23221e 
---------------------------
23221e
23221e 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/36
23221e 
Approved-by: Yannick Cote (@ycote1)
23221e 
Kernels:
23221e 
4.18.0-348.el8
23221e 
4.18.0-348.2.1.el8_5
23221e 
4.18.0-348.7.1.el8_5
23221e 
4.18.0-348.12.2.el8_5
23221e
23221e 
Modifications: none
23221e
23221e 
commit 8b2b73e6cb7bd6d9d5af8d21f15d002a373d0a2e
23221e 
Author: Xin Long <lxin@redhat.com>
23221e 
Date:   Thu Feb 10 21:43:20 2022 -0500
23221e
23221e 
    tipc: improve size validations for received domain records
23221e
23221e 
    Bugzilla: https://bugzilla.redhat.com/2048970
23221e 
    CVE: CVE-2022-0435
23221e 
    Y-Commit: 0e080c279fd19325b263617515835d6ce45e88f4
23221e
23221e 
    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2048971
23221e 
    O-CVE: CVE-2022-0435
23221e 
    Tested: compile only
23221e
23221e 
    commit 9aa422ad326634b76309e8ff342c246800621216
23221e 
    Author: Jon Maloy <jmaloy@redhat.com>
23221e 
    Date:   Sat Feb 5 14:11:18 2022 -0500
23221e
23221e 
        tipc: improve size validations for received domain records
23221e
23221e 
        The function tipc_mon_rcv() allows a node to receive and process
23221e 
        domain_record structs from peer nodes to track their views of the
23221e 
        network topology.
23221e
23221e 
        This patch verifies that the number of members in a received domain
23221e 
        record does not exceed the limit defined by MAX_MON_DOMAIN, something
23221e 
        that may otherwise lead to a stack overflow.
23221e
23221e 
        tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
23221e 
        we are reading a 32 bit message data length field into a uint16.  To
23221e 
        avert any risk of bit overflow, we add an extra sanity check for this in
23221e 
        that function.  We cannot see that happen with the current code, but
23221e 
        future designers being unaware of this risk, may introduce it by
23221e 
        allowing delivery of very large (> 64k) sk buffers from the bearer
23221e 
        layer.  This potential problem was identified by Eric Dumazet.
23221e
23221e 
        This fixes CVE-2022-0435
23221e
23221e 
        Reported-by: Samuel Page <samuel.page@appgate.com>
23221e 
        Reported-by: Eric Dumazet <edumazet@google.com>
23221e 
        Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
23221e 
        Signed-off-by: Jon Maloy <jmaloy@redhat.com>
23221e 
        Reviewed-by: Xin Long <lucien.xin@gmail.com>
23221e 
        Reviewed-by: Samuel Page <samuel.page@appgate.com>
23221e 
        Reviewed-by: Eric Dumazet <edumazet@google.com>
23221e 
        Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
23221e
23221e 
    Signed-off-by: Xin Long <lxin@redhat.com>
23221e 
    Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
23221e
23221e 
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
23221e 
---
23221e 
 net/tipc/link.c    | 9 +++++++--
23221e 
 net/tipc/monitor.c | 2 ++
23221e 
 2 files changed, 9 insertions(+), 2 deletions(-)
23221e
23221e 
diff --git a/net/tipc/link.c b/net/tipc/link.c
23221e 
index b5ed87dded2c..062ec1989c41 100644
23221e 
--- a/net/tipc/link.c
23221e 
+++ b/net/tipc/link.c
23221e 
@@ -2165,7 +2165,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
23221e 
 	struct tipc_msg *hdr = buf_msg(skb);
23221e 
 	struct tipc_gap_ack_blks *ga = NULL;
23221e 
 	bool reply = msg_probe(hdr), retransmitted = false;
23221e 
-	u16 dlen = msg_data_sz(hdr), glen = 0;
23221e 
+	u32 dlen = msg_data_sz(hdr), glen = 0;
23221e 
 	u16 peers_snd_nxt =  msg_next_sent(hdr);
23221e 
 	u16 peers_tol = msg_link_tolerance(hdr);
23221e 
 	u16 peers_prio = msg_linkprio(hdr);
23221e 
@@ -2179,6 +2179,10 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
23221e 
 	void *data;
23221e
23221e 
 	trace_tipc_proto_rcv(skb, false, l->name);
23221e 
+
23221e 
+	if (dlen > U16_MAX)
23221e 
+		goto exit;
23221e 
+
23221e 
 	if (tipc_link_is_blocked(l) || !xmitq)
23221e 
 		goto exit;
23221e
23221e 
@@ -2275,7 +2279,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
23221e
23221e 
 		/* Receive Gap ACK blocks from peer if any */
23221e 
 		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
23221e 
-
23221e 
+		if(glen > dlen)
23221e 
+			break;
23221e 
 		tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
23221e 
 			     &l->mon_state, l->bearer_id);
23221e
23221e 
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
23221e 
index 6dce2abf436e..a37190da5a50 100644
23221e 
--- a/net/tipc/monitor.c
23221e 
+++ b/net/tipc/monitor.c
23221e 
@@ -465,6 +465,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
23221e 
 	state->probing = false;
23221e
23221e 
 	/* Sanity check received domain record */
23221e 
+	if (new_member_cnt > MAX_MON_DOMAIN)
23221e 
+		return;
23221e 
 	if (dlen < dom_rec_len(arrv_dom, 0))
23221e 
 		return;
23221e 
 	if (dlen != dom_rec_len(arrv_dom, new_member_cnt))
23221e 
--
23221e 
2.34.1
23221e
23221e

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation