Blame SOURCES/CVE-2022-27666.patch

From 106df426732fc582d1a1bcd6b823b5f16a08b933 Mon Sep 17 00:00:00 2001
From: "C. Erastus Toe" <ctoe@redhat.com>
Date: Tue, 24 May 2022 09:59:53 -0400
Subject: [KPATCH CVE-2022-27666] kpatch fixes for CVE-2022-27666
Content-type: text/plain

Kernels:
4.18.0-372.9.1.el8

Changes since last build:
arches: x86_64 ppc64le
esp4.o: changed function: esp_output_head
esp6.o: changed function: esp6_output_head
---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/49
Approved-by: Joe Lawrence (@joe.lawrence)
Modifications: none

commit 3217bc60aaf7f21f0704da5989de7bdd01a69742
Author: Sabrina Dubroca <sdubroca@redhat.com>
Date:   Wed May 11 11:44:45 2022 +0200

    esp: Fix possible buffer overflow in ESP transformation

    Bugzilla: https://bugzilla.redhat.com/2062114
    CVE: CVE-2022-27666
    Y-Commit: 72c973454384f9f432ca5ba5ebaa778e471050bd

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062115
    Tested: reproducer + basic ipsec tests
    O-CVE: CVE-2022-27666

    commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645
    Author: Steffen Klassert <steffen.klassert@secunet.com>
    Date:   Mon Mar 7 13:11:39 2022 +0100

        esp: Fix possible buffer overflow in ESP transformation

        The maximum message size that can be sent is bigger than
        the maximum size that skb_page_frag_refill can allocate.
        So it is possible to write beyond the allocated buffer.

        Fix this by doing a fallback to COW in that case.

        v2:

        Avoid get_order() costs as suggested by Linus Torvalds.

        Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
        Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
        Reported-by: valis <sec@valis.email>
        Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

    Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
    Signed-off-by: Augusto Caringi <acaringi@redhat.com>

commit 3525e8a7ea460ac64682bce8889212830dfe371a
Author: Sabrina Dubroca <sdubroca@redhat.com>
Date:   Wed May 11 11:44:56 2022 +0200

    esp: limit skb_page_frag_refill use to a single page

    Bugzilla: https://bugzilla.redhat.com/2062114
    CVE: CVE-2022-27666
    Y-Commit: a1efd3ffe608ccbe9be08a691a939360f2c7c362

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062115
    Tested: reproducer + basic ipsec tests
    O-CVE: CVE-2022-27666

    commit 5bd8baab087dff657e05387aee802e70304cc813
    Author: Sabrina Dubroca <sd@queasysnail.net>
    Date:   Wed Apr 13 10:10:50 2022 +0200

        esp: limit skb_page_frag_refill use to a single page

        Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP
        transformation") tried to fix skb_page_frag_refill usage in ESP by
        capping allocsize to 32k, but that doesn't completely solve the issue,
        as skb_page_frag_refill may return a single page. If that happens, we
        will write out of bounds, despite the check introduced in the previous
        patch.

        This patch forces COW in cases where we would end up calling
        skb_page_frag_refill with a size larger than a page (first in
        esp_output_head with tailen, then in esp_output_tail with
        skb->data_len).

        Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
        Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
        Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
        Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

    Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
    Signed-off-by: Augusto Caringi <acaringi@redhat.com>

Signed-off-by: C. Erastus Toe <ctoe@redhat.com>
---
 net/ipv4/esp4.c | 4 ++++
 net/ipv6/esp6.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index e86d59f9a6ea..af0eaa4e6c2b 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -453,6 +453,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 			return err;
 	}
 
+	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
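Review bot: the skb->data_len half of the new condition guards the later skb_page_frag_refill(ALIGN(skb->data_len, L1_CACHE_BYTES)) call in esp_output_tail, not anything in esp_output_head, and nothing at the call site says so; a one-line comment above the `if` noting that skb_page_frag_refill may hand back a single page and that the data_len bound is there for esp_output_tail would spare the next reader a trip through the commit message. Since the check sits ahead of the `if (!skb_cloned(skb)) { if (tailen <= skb_tailroom(skb))` fast path, an skb whose trailer would have fit in existing tailroom now takes the COW path whenever data_len exceeds a page; that is the safe choice, but the comment should say it is deliberate.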
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 5e19455e14f3..2ff1a109f464 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -500,6 +500,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 			return err;
 	}
 
+	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
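Review bot: this condition is a byte-for-byte copy of the esp4 hunk, and the two functions already have to move in lockstep (both Fixes: tags, both changed-function entries in the kpatch header); carrying the upstream commits unmodified is the right call for a kpatch, but the upstream code would be easier to keep consistent with the PAGE_SIZE test in one shared helper, so that a later change to the bound cannot land in esp4.c without esp6.c. The `goto cow` also jumps over the `nfrags = 1` assignment visible below it and relies on the `cow:` label added by 03e2a30f6a27; worth confirming in review that the cow path computes nfrags itself rather than inheriting an uninitialised value.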
-- 
2.26.3
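The two commit messages describe the failure mode in prose: skb_page_frag_refill may hand back a single page, so a trailer larger than a page (or, before the 32k cap, larger than the high-order fragment) is written past the buffer. The user-space model below is added here and is not part of the patch or of the kernel; it reproduces the decision logic with the patch's own constants (PAGE_SIZE, L1_CACHE_BYTES, ALIGN) and a stand-in for skb_page_frag_refill, and assumes an uncloned skb whose trailer does not fit in existing tailroom, which is the branch the new check sits in front of.

```c
/* User-space model of the ESP trailer fast path; not kernel code. */
#include <stdbool.h>
#define PAGE_SIZE            4096u
#define L1_CACHE_BYTES       64u
#define SKB_FRAG_PAGE_ORDER  3
#define ALIGN(x, a)          (((x) + (a) - 1) & ~((a) - 1))

struct page_frag { unsigned int size; unsigned int offset; };

/* Stand-in for skb_page_frag_refill: the high-order (32k) allocation is
 * best effort; when it fails the kernel falls back to a single page and
 * still reports success, without comparing sz against what it got. */
static bool page_frag_refill(unsigned int sz, struct page_frag *pf, bool high_order_ok)
{
	(void)sz;
	pf->offset = 0;
	pf->size = high_order_ok ? (PAGE_SIZE << SKB_FRAG_PAGE_ORDER) : PAGE_SIZE;
	return true;
}

enum esp_path { ESP_FRAG, ESP_COW, ESP_OVERFLOW };

/* A trailer of allocsize bytes is written at pf.offset; if it does not fit
 * in the refilled fragment, the write lands past the allocation. */
static enum esp_path frag_path(unsigned int allocsize, bool high_order_ok)
{
	struct page_frag pf;

	if (!page_frag_refill(allocsize, &pf, high_order_ok))
		return ESP_COW;
	return pf.offset + allocsize <= pf.size ? ESP_FRAG : ESP_OVERFLOW;
}

/* Before the fix: no bound at all on what is handed to the refill. */
static enum esp_path esp_head_before(unsigned int tailen, bool high_order_ok)
{
	return frag_path(ALIGN(tailen, L1_CACHE_BYTES), high_order_ok);
}

/* After the fix (the two hunks above): anything that would not fit in a
 * single page, for the trailer here or for data_len in esp_output_tail,
 * is diverted to skb_cow_data before the refill is attempted. */
static enum esp_path esp_head_after(unsigned int tailen, unsigned int data_len, bool high_order_ok)
{
	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
	    ALIGN(data_len, L1_CACHE_BYTES) > PAGE_SIZE)
		return ESP_COW;
	return frag_path(ALIGN(tailen, L1_CACHE_BYTES), high_order_ok);
}
```

The high_order_ok flag models whether the order-3 allocation succeeded; the ESP_OVERFLOW results for esp_head_before are exactly the two cases the two upstream commits close.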