rpms / kpatch-patch-4_18_0-348_7_1

Clone
Source Code
GIT

Blame SOURCES/CVE-2022-0435.patch

c8
  1.   df284a2fbe30875d59c0afd796eb968eda6c415c
  2.   SOURCES
  3.   CVE-2022-0435.patch
Blob History Raw
df284a 
From 8db2609e76912d088d19ba0938e80c5628e58e9e Mon Sep 17 00:00:00 2001
df284a 
From: Joe Lawrence <joe.lawrence@redhat.com>
df284a 
Date: Thu, 3 Mar 2022 11:44:42 -0500
df284a 
Subject: [KPATCH CVE-2022-0435] tipc: kpatch fixes for CVE-2022-0435
df284a
df284a 
Kernels:
df284a 
4.18.0-348.el8
df284a 
4.18.0-348.2.1.el8_5
df284a 
4.18.0-348.7.1.el8_5
df284a 
4.18.0-348.12.2.el8_5
df284a
df284a 
Changes since last build:
df284a 
[x86_64]:
df284a 
link.o: changed function: tipc_link_rcv
df284a 
monitor.o: changed function: tipc_mon_rcv
df284a
df284a 
[ppc64le]:
df284a 
link.o: changed function: tipc_link_proto_rcv
df284a 
monitor.o: changed function: tipc_mon_rcv
df284a
df284a 
---------------------------
df284a
df284a 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/36
df284a 
Approved-by: Yannick Cote (@ycote1)
df284a 
Kernels:
df284a 
4.18.0-348.el8
df284a 
4.18.0-348.2.1.el8_5
df284a 
4.18.0-348.7.1.el8_5
df284a 
4.18.0-348.12.2.el8_5
df284a
df284a 
Modifications: none
df284a
df284a 
commit 8b2b73e6cb7bd6d9d5af8d21f15d002a373d0a2e
df284a 
Author: Xin Long <lxin@redhat.com>
df284a 
Date:   Thu Feb 10 21:43:20 2022 -0500
df284a
df284a 
    tipc: improve size validations for received domain records
df284a
df284a 
    Bugzilla: https://bugzilla.redhat.com/2048970
df284a 
    CVE: CVE-2022-0435
df284a 
    Y-Commit: 0e080c279fd19325b263617515835d6ce45e88f4
df284a
df284a 
    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2048971
df284a 
    O-CVE: CVE-2022-0435
df284a 
    Tested: compile only
df284a
df284a 
    commit 9aa422ad326634b76309e8ff342c246800621216
df284a 
    Author: Jon Maloy <jmaloy@redhat.com>
df284a 
    Date:   Sat Feb 5 14:11:18 2022 -0500
df284a
df284a 
        tipc: improve size validations for received domain records
df284a
df284a 
        The function tipc_mon_rcv() allows a node to receive and process
df284a 
        domain_record structs from peer nodes to track their views of the
df284a 
        network topology.
df284a
df284a 
        This patch verifies that the number of members in a received domain
df284a 
        record does not exceed the limit defined by MAX_MON_DOMAIN, something
df284a 
        that may otherwise lead to a stack overflow.
df284a
df284a 
        tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
df284a 
        we are reading a 32 bit message data length field into a uint16.  To
df284a 
        avert any risk of bit overflow, we add an extra sanity check for this in
df284a 
        that function.  We cannot see that happen with the current code, but
df284a 
        future designers being unaware of this risk, may introduce it by
df284a 
        allowing delivery of very large (> 64k) sk buffers from the bearer
df284a 
        layer.  This potential problem was identified by Eric Dumazet.
df284a
df284a 
        This fixes CVE-2022-0435
df284a
df284a 
        Reported-by: Samuel Page <samuel.page@appgate.com>
df284a 
        Reported-by: Eric Dumazet <edumazet@google.com>
df284a 
        Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework")
df284a 
        Signed-off-by: Jon Maloy <jmaloy@redhat.com>
df284a 
        Reviewed-by: Xin Long <lucien.xin@gmail.com>
df284a 
        Reviewed-by: Samuel Page <samuel.page@appgate.com>
df284a 
        Reviewed-by: Eric Dumazet <edumazet@google.com>
df284a 
        Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
df284a
df284a 
    Signed-off-by: Xin Long <lxin@redhat.com>
df284a 
    Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
df284a
df284a 
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
df284a 
---
df284a 
 net/tipc/link.c    | 9 +++++++--
df284a 
 net/tipc/monitor.c | 2 ++
df284a 
 2 files changed, 9 insertions(+), 2 deletions(-)
df284a
df284a 
diff --git a/net/tipc/link.c b/net/tipc/link.c
df284a 
index b5ed87dded2c..062ec1989c41 100644
df284a 
--- a/net/tipc/link.c
df284a 
+++ b/net/tipc/link.c
df284a 
@@ -2165,7 +2165,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
df284a 
 	struct tipc_msg *hdr = buf_msg(skb);
df284a 
 	struct tipc_gap_ack_blks *ga = NULL;
df284a 
 	bool reply = msg_probe(hdr), retransmitted = false;
df284a 
-	u16 dlen = msg_data_sz(hdr), glen = 0;
df284a 
+	u32 dlen = msg_data_sz(hdr), glen = 0;
df284a 
 	u16 peers_snd_nxt =  msg_next_sent(hdr);
df284a 
 	u16 peers_tol = msg_link_tolerance(hdr);
df284a 
 	u16 peers_prio = msg_linkprio(hdr);
df284a 
@@ -2179,6 +2179,10 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
df284a 
 	void *data;
df284a
df284a 
 	trace_tipc_proto_rcv(skb, false, l->name);
df284a 
+
df284a 
+	if (dlen > U16_MAX)
df284a 
+		goto exit;
df284a 
+
df284a 
 	if (tipc_link_is_blocked(l) || !xmitq)
df284a 
 		goto exit;
df284a
df284a 
@@ -2275,7 +2279,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
df284a
df284a 
 		/* Receive Gap ACK blocks from peer if any */
df284a 
 		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
df284a 
-
df284a 
+		if(glen > dlen)
df284a 
+			break;
df284a 
 		tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
df284a 
 			     &l->mon_state, l->bearer_id);
df284a
df284a 
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
df284a 
index 6dce2abf436e..a37190da5a50 100644
df284a 
--- a/net/tipc/monitor.c
df284a 
+++ b/net/tipc/monitor.c
df284a 
@@ -465,6 +465,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
df284a 
 	state->probing = false;
df284a
df284a 
 	/* Sanity check received domain record */
df284a 
+	if (new_member_cnt > MAX_MON_DOMAIN)
df284a 
+		return;
df284a 
 	if (dlen < dom_rec_len(arrv_dom, 0))
df284a 
 		return;
df284a 
 	if (dlen != dom_rec_len(arrv_dom, new_member_cnt))
df284a 
--
df284a 
2.34.1
df284a
df284a

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation