Blame SOURCES/CVE-2022-2588.patch

From 40fea653c0535b0963a20f3768475a21745966a1 Mon Sep 17 00:00:00 2001
From: Julia Denham <jdenham@redhat.com>
Date: Wed, 5 Oct 2022 10:46:32 -0400
Subject: [KPATCH CVE-2022-2588] kpatch fixes for CVE-2022-2588

Kernels:
4.18.0-372.9.1.el8
4.18.0-372.13.1.el8_6
4.18.0-372.16.1.el8_6
4.18.0-372.19.1.el8_6
4.18.0-372.26.1.el8_6


Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/57
Approved-by: Joe Lawrence (@joe.lawrence)
Approved-by: Yannick Cote (@ycote1)
Changes since last build:
arches: x86_64 ppc64le
cls_route.o: changed function: route4_change
---------------------------

Modifications: none

commit da65135ce599844336767732fe9f4adc731ddf03
Author: Felix Maurer <fmaurer@redhat.com>
Date:   Fri Aug 19 15:28:46 2022 +0200

    net_sched: cls_route: remove from list when handle is 0

    Bugzilla: https://bugzilla.redhat.com/2121817
    CVE: CVE-2022-2588
    Y-Commit: 30cff48f9bf8efc15d8a7294c6bf88f013eed546

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2116328
    O-CVE: CVE-2022-2588

    commit 9ad36309e2719a884f946678e0296be10f0bb4c1
    Author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    Date:   Tue Aug 9 14:05:18 2022 -0300

        net_sched: cls_route: remove from list when handle is 0

        When a route filter is replaced and the old filter has a 0 handle, the old
        one won't be removed from the hashtable, while it will still be freed.

        The test was there since before commit 1109c00547fc ("net: sched: RCU
        cls_route"), when a new filter was not allocated when there was an old one.
        The old filter was reused and the reinserting would only be necessary if an
        old filter was replaced. That was still wrong for the same case where the
        old handle was 0.

        Remove the old filter from the list independently from its handle value.

        This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.

        Reported-by: Zhenpeng Lin <zplin@u.northwestern.edu>
        Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
        Reviewed-by: Kamal Mostafa <kamal@canonical.com>
        Cc: <stable@vger.kernel.org>
        Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
        Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com
        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Felix Maurer <fmaurer@redhat.com>
    Signed-off-by: Augusto Caringi <acaringi@redhat.com>

Signed-off-by: Julia Denham <jdenham@redhat.com>
---
 net/sched/cls_route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 94dbc05e40f7..882a0ad65af5 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -530,7 +530,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 	rcu_assign_pointer(f->next, f1);
 	rcu_assign_pointer(*fp, f);
 
-	if (fold && fold->handle && f->handle != fold->handle) {
+	if (fold) {
 		th = to_hash(fold->handle);
 		h = from_hash(fold->handle >> 16);
 		b = rtnl_dereference(head->table[th]);
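Review bot: In the new `if (fold)` branch, dropping `f->handle != fold->handle` means the unlink block now also runs when the replacement carries the same handle as the old filter, immediately after `rcu_assign_pointer(*fp, f)` has linked `f` into a chain. The lines shown here stop at `b = rtnl_dereference(head->table[th]);` and do not include the walk that follows, so please confirm that walk matches on the `fold` pointer rather than on the handle, so that the freshly inserted `f` can never be the entry that gets unlinked. It would also help to put a short comment above `if (fold)` saying that the old filter is always freed and therefore must always be removed from the hashtable, handle 0 included, so the condition is not narrowed again later.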
-- 
2.37.3