rpms / kpatch-patch-4_18_0-348_2_1

Clone
Source Code
GIT

Blame SOURCES/CVE-2022-0435.patch

c8
  1.   ec80f5258216992e72ae462cf8d3a10ffb1f2f5f
  2.   SOURCES
  3.   CVE-2022-0435.patch
Blob History Raw
ec80f5 
From 8db2609e76912d088d19ba0938e80c5628e58e9e Mon Sep 17 00:00:00 2001
ec80f5 
From: Joe Lawrence <joe.lawrence@redhat.com>
ec80f5 
Date: Thu, 3 Mar 2022 11:44:42 -0500
ec80f5 
Subject: [KPATCH CVE-2022-0435] tipc: kpatch fixes for CVE-2022-0435
ec80f5
ec80f5 
Kernels:
ec80f5 
4.18.0-348.el8
ec80f5 
4.18.0-348.2.1.el8_5
ec80f5 
4.18.0-348.7.1.el8_5
ec80f5 
4.18.0-348.12.2.el8_5
ec80f5
ec80f5 
Changes since last build:
ec80f5 
[x86_64]:
ec80f5 
link.o: changed function: tipc_link_rcv
ec80f5 
monitor.o: changed function: tipc_mon_rcv
ec80f5
ec80f5 
[ppc64le]:
ec80f5 
link.o: changed function: tipc_link_proto_rcv
ec80f5 
monitor.o: changed function: tipc_mon_rcv
ec80f5
ec80f5 
---------------------------
ec80f5
ec80f5 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/36
ec80f5 
Approved-by: Yannick Cote (@ycote1)
ec80f5 
Kernels:
ec80f5 
4.18.0-348.el8
ec80f5 
4.18.0-348.2.1.el8_5
ec80f5 
4.18.0-348.7.1.el8_5
ec80f5 
4.18.0-348.12.2.el8_5
ec80f5
ec80f5 
Modifications: none
ec80f5
ec80f5 
commit 8b2b73e6cb7bd6d9d5af8d21f15d002a373d0a2e
ec80f5 
Author: Xin Long <lxin@redhat.com>
ec80f5 
Date:   Thu Feb 10 21:43:20 2022 -0500
ec80f5
ec80f5 
    tipc: improve size validations for received domain records
ec80f5
ec80f5 
    Bugzilla: https://bugzilla.redhat.com/2048970
ec80f5 
    CVE: CVE-2022-0435
ec80f5 
    Y-Commit: 0e080c279fd19325b263617515835d6ce45e88f4
ec80f5
ec80f5 
    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2048971
ec80f5 
    O-CVE: CVE-2022-0435
ec80f5 
    Tested: compile only
ec80f5
ec80f5 
    commit 9aa422ad326634b76309e8ff342c246800621216
ec80f5 
    Author: Jon Maloy <jmaloy@redhat.com>
ec80f5 
    Date:   Sat Feb 5 14:11:18 2022 -0500
ec80f5
ec80f5 
        tipc: improve size validations for received domain records
ec80f5
ec80f5 
        The function tipc_mon_rcv() allows a node to receive and process
ec80f5 
        domain_record structs from peer nodes to track their views of the
ec80f5 
        network topology.
ec80f5
ec80f5 
        This patch verifies that the number of members in a received domain
ec80f5 
        record does not exceed the limit defined by MAX_MON_DOMAIN, something
ec80f5 
        that may otherwise lead to a stack overflow.
ec80f5
ec80f5 
        tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
ec80f5 
        we are reading a 32 bit message data length field into a uint16.  To
ec80f5 
        avert any risk of bit overflow, we add an extra sanity check for this in
ec80f5 
        that function.  We cannot see that happen with the current code, but
ec80f5 
        future designers being unaware of this risk, may introduce it by
ec80f5 
        allowing delivery of very large (> 64k) sk buffers from the bearer
ec80f5 
        layer.  This potential problem was identified by Eric Dumazet.
ec80f5
ec80f5 
        This fixes CVE-2022-0435
ec80f5
ec80f5 
        Reported-by: Samuel Page <samuel.page@appgate.com>
ec80f5 
        Reported-by: Eric Dumazet <edumazet@google.com>
ec80f5 
        Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
ec80f5 
        Signed-off-by: Jon Maloy <jmaloy@redhat.com>
ec80f5 
        Reviewed-by: Xin Long <lucien.xin@gmail.com>
ec80f5 
        Reviewed-by: Samuel Page <samuel.page@appgate.com>
ec80f5 
        Reviewed-by: Eric Dumazet <edumazet@google.com>
ec80f5 
        Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
ec80f5
ec80f5 
    Signed-off-by: Xin Long <lxin@redhat.com>
ec80f5 
    Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
ec80f5
ec80f5 
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
ec80f5 
---
ec80f5 
 net/tipc/link.c    | 9 +++++++--
ec80f5 
 net/tipc/monitor.c | 2 ++
ec80f5 
 2 files changed, 9 insertions(+), 2 deletions(-)
ec80f5
ec80f5 
diff --git a/net/tipc/link.c b/net/tipc/link.c
ec80f5 
index b5ed87dded2c..062ec1989c41 100644
ec80f5 
--- a/net/tipc/link.c
ec80f5 
+++ b/net/tipc/link.c
ec80f5 
@@ -2165,7 +2165,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
ec80f5 
 	struct tipc_msg *hdr = buf_msg(skb);
ec80f5 
 	struct tipc_gap_ack_blks *ga = NULL;
ec80f5 
 	bool reply = msg_probe(hdr), retransmitted = false;
ec80f5 
-	u16 dlen = msg_data_sz(hdr), glen = 0;
ec80f5 
+	u32 dlen = msg_data_sz(hdr), glen = 0;
ec80f5 
 	u16 peers_snd_nxt =  msg_next_sent(hdr);
ec80f5 
 	u16 peers_tol = msg_link_tolerance(hdr);
ec80f5 
 	u16 peers_prio = msg_linkprio(hdr);
ec80f5 
@@ -2179,6 +2179,10 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
ec80f5 
 	void *data;
ec80f5
ec80f5 
 	trace_tipc_proto_rcv(skb, false, l->name);
ec80f5 
+
ec80f5 
+	if (dlen > U16_MAX)
ec80f5 
+		goto exit;
ec80f5 
+
ec80f5 
 	if (tipc_link_is_blocked(l) || !xmitq)
ec80f5 
 		goto exit;
ec80f5
ec80f5 
@@ -2275,7 +2279,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
ec80f5
ec80f5 
 		/* Receive Gap ACK blocks from peer if any */
ec80f5 
 		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
ec80f5 
-
ec80f5 
+		if(glen > dlen)
ec80f5 
+			break;
ec80f5 
 		tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
ec80f5 
 			     &l->mon_state, l->bearer_id);
ec80f5
ec80f5 
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
ec80f5 
index 6dce2abf436e..a37190da5a50 100644
ec80f5 
--- a/net/tipc/monitor.c
ec80f5 
+++ b/net/tipc/monitor.c
ec80f5 
@@ -465,6 +465,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
ec80f5 
 	state->probing = false;
ec80f5
ec80f5 
 	/* Sanity check received domain record */
ec80f5 
+	if (new_member_cnt > MAX_MON_DOMAIN)
ec80f5 
+		return;
ec80f5 
 	if (dlen < dom_rec_len(arrv_dom, 0))
ec80f5 
 		return;
ec80f5 
 	if (dlen != dom_rec_len(arrv_dom, new_member_cnt))
ec80f5 
--
ec80f5 
2.34.1
ec80f5
ec80f5

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation