Blame SOURCES/CVE-2022-2588.patch

From 40fea653c0535b0963a20f3768475a21745966a1 Mon Sep 17 00:00:00 2001
From: Julia Denham <jdenham@redhat.com>
Date: Wed, 5 Oct 2022 10:46:32 -0400
Subject: [KPATCH CVE-2022-2588] kpatch fixes for CVE-2022-2588

Kernels:
4.18.0-372.9.1.el8
4.18.0-372.13.1.el8_6
4.18.0-372.16.1.el8_6
4.18.0-372.19.1.el8_6
4.18.0-372.26.1.el8_6


Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/57
Approved-by: Joe Lawrence (@joe.lawrence)
Approved-by: Yannick Cote (@ycote1)
Changes since last build:
arches: x86_64 ppc64le
cls_route.o: changed function: route4_change
---------------------------

Modifications: none

commit da65135ce599844336767732fe9f4adc731ddf03
Author: Felix Maurer <fmaurer@redhat.com>
Date:   Fri Aug 19 15:28:46 2022 +0200

    net_sched: cls_route: remove from list when handle is 0

    Bugzilla: https://bugzilla.redhat.com/2121817
    CVE: CVE-2022-2588
    Y-Commit: 30cff48f9bf8efc15d8a7294c6bf88f013eed546

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2116328
    O-CVE: CVE-2022-2588

    commit 9ad36309e2719a884f946678e0296be10f0bb4c1
    Author: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    Date:   Tue Aug 9 14:05:18 2022 -0300

        net_sched: cls_route: remove from list when handle is 0

        When a route filter is replaced and the old filter has a 0 handle, the old
        one won't be removed from the hashtable, while it will still be freed.

        The test was there since before commit 1109c00547fc ("net: sched: RCU
        cls_route"), when a new filter was not allocated when there was an old one.
        The old filter was reused and the reinserting would only be necessary if an
        old filter was replaced. That was still wrong for the same case where the
        old handle was 0.

        Remove the old filter from the list independently from its handle value.

        This fixes CVE-2022-2588, also reported as ZDI-CAN-17440.

        Reported-by: Zhenpeng Lin <zplin@u.northwestern.edu>
        Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
        Reviewed-by: Kamal Mostafa <kamal@canonical.com>
        Cc: <stable@vger.kernel.org>
        Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
        Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com
        Signed-off-by: Jakub Kicinski <kuba@kernel.org>

    Signed-off-by: Felix Maurer <fmaurer@redhat.com>
    Signed-off-by: Augusto Caringi <acaringi@redhat.com>

Signed-off-by: Julia Denham <jdenham@redhat.com>
---
 net/sched/cls_route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 94dbc05e40f7..882a0ad65af5 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -530,7 +530,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
 	rcu_assign_pointer(f->next, f1);
 	rcu_assign_pointer(*fp, f);
 
-	if (fold && fold->handle && f->handle != fold->handle) {
+	if (fold) {
 		th = to_hash(fold->handle);
 		h = from_hash(fold->handle >> 16);
 		b = rtnl_dereference(head->table[th]);
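Review bot: the new `if (fold)` test drops `f->handle != fold->handle` as well as `fold->handle`, but the commit message only motivates the handle-0 case. A replacement that keeps the same handle now also enters this block, right after `rcu_assign_pointer(*fp, f)` has linked the new filter, so a short comment above `if (fold)` saying that the old filter is always unlinked because it is always freed would make the intent clear. Please also confirm that the walk following `b = rtnl_dereference(head->table[th]);`, which lies outside the hunk context, matches on the `fold` pointer rather than on the handle value, so that it cannot unlink `f`.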
-- 
2.37.3