From 26c3fa4f1b01ad2ec149453c4a64ff71fe0dd1f0 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jun 28 2022 06:45:22 +0000
Subject: import kpatch-patch-4_18_0-372_9_1-1-1.el8


---

diff --git a/.gitignore b/.gitignore
index e69de29..7970654 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/kernel-4.18.0-372.9.1.el8.src.rpm
+SOURCES/v0.9.6.tar.gz
diff --git a/.kpatch-patch-4_18_0-372_9_1.metadata b/.kpatch-patch-4_18_0-372_9_1.metadata
index e69de29..13c42c3 100644
--- a/.kpatch-patch-4_18_0-372_9_1.metadata
+++ b/.kpatch-patch-4_18_0-372_9_1.metadata
@@ -0,0 +1,2 @@
+6aca389e10a1bf94fb1f8a9a8e69cd8393e4990e SOURCES/kernel-4.18.0-372.9.1.el8.src.rpm
+223c224ddd6896c467b9347ab297e3f7f013f5d7 SOURCES/v0.9.6.tar.gz
diff --git a/SOURCES/CVE-2022-27666.patch b/SOURCES/CVE-2022-27666.patch
new file mode 100644
index 0000000..6d5f886
--- /dev/null
+++ b/SOURCES/CVE-2022-27666.patch
@@ -0,0 +1,137 @@
+From 106df426732fc582d1a1bcd6b823b5f16a08b933 Mon Sep 17 00:00:00 2001
+From: "C. Erastus Toe" <ctoe@redhat.com>
+Date: Tue, 24 May 2022 09:59:53 -0400
+Subject: [KPATCH CVE-2022-27666] kpatch fixes for CVE-2022-27666
+Content-type: text/plain
+
+Kernels:
+4.18.0-372.9.1.el8
+
+Changes since last build:
+arches: x86_64 ppc64le
+esp4.o: changed function: esp_output_head
+esp6.o: changed function: esp6_output_head
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/49
+Approved-by: Joe Lawrence (@joe.lawrence)
+Modifications: none
+
+commit 3217bc60aaf7f21f0704da5989de7bdd01a69742
+Author: Sabrina Dubroca <sdubroca@redhat.com>
+Date:   Wed May 11 11:44:45 2022 +0200
+
+    esp: Fix possible buffer overflow in ESP transformation
+
+    Bugzilla: https://bugzilla.redhat.com/2062114
+    CVE: CVE-2022-27666
+    Y-Commit: 72c973454384f9f432ca5ba5ebaa778e471050bd
+
+    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062115
+    Tested: reproducer + basic ipsec tests
+    O-CVE: CVE-2022-27666
+
+    commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645
+    Author: Steffen Klassert <steffen.klassert@secunet.com>
+    Date:   Mon Mar 7 13:11:39 2022 +0100
+
+        esp: Fix possible buffer overflow in ESP transformation
+
+        The maximum message size that can be send is bigger than
+        the  maximum site that skb_page_frag_refill can allocate.
+        So it is possible to write beyond the allocated buffer.
+
+        Fix this by doing a fallback to COW in that case.
+
+        v2:
+
+        Avoid get get_order() costs as suggested by Linus Torvalds.
+
+        Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+        Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+        Reported-by: valis <sec@valis.email>
+        Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+    Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
+    Signed-off-by: Augusto Caringi <acaringi@redhat.com>
+
+commit 3525e8a7ea460ac64682bce8889212830dfe371a
+Author: Sabrina Dubroca <sdubroca@redhat.com>
+Date:   Wed May 11 11:44:56 2022 +0200
+
+    esp: limit skb_page_frag_refill use to a single page
+
+    Bugzilla: https://bugzilla.redhat.com/2062114
+    CVE: CVE-2022-27666
+    Y-Commit: a1efd3ffe608ccbe9be08a691a939360f2c7c362
+
+    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062115
+    Tested: reproducer + basic ipsec tests
+    O-CVE: CVE-2022-27666
+
+    commit 5bd8baab087dff657e05387aee802e70304cc813
+    Author: Sabrina Dubroca <sd@queasysnail.net>
+    Date:   Wed Apr 13 10:10:50 2022 +0200
+
+        esp: limit skb_page_frag_refill use to a single page
+
+        Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP
+        transformation") tried to fix skb_page_frag_refill usage in ESP by
+        capping allocsize to 32k, but that doesn't completely solve the issue,
+        as skb_page_frag_refill may return a single page. If that happens, we
+        will write out of bounds, despite the check introduced in the previous
+        patch.
+
+        This patch forces COW in cases where we would end up calling
+        skb_page_frag_refill with a size larger than a page (first in
+        esp_output_head with tailen, then in esp_output_tail with
+        skb->data_len).
+
+        Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+        Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+        Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+        Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+    Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
+    Signed-off-by: Augusto Caringi <acaringi@redhat.com>
+
+Signed-off-by: C. Erastus Toe <ctoe@redhat.com>
+---
+ net/ipv4/esp4.c | 4 ++++
+ net/ipv6/esp6.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index e86d59f9a6ea..af0eaa4e6c2b 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -453,6 +453,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
+ 			return err;
+ 	}
+ 
++	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
++	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
++		goto cow;
++
+ 	if (!skb_cloned(skb)) {
+ 		if (tailen <= skb_tailroom(skb)) {
+ 			nfrags = 1;
+diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
+index 5e19455e14f3..2ff1a109f464 100644
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -500,6 +500,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
+ 			return err;
+ 	}
+ 
++	if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
++	    ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
++		goto cow;
++
+ 	if (!skb_cloned(skb)) {
+ 		if (tailen <= skb_tailroom(skb)) {
+ 			nfrags = 1;
+-- 
+2.26.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 52a48cc..4b09af7 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -1,17 +1,18 @@
 # Set to 1 if building an empty subscription-only package.
-%define empty_package		1
+%define empty_package		0
 
 #######################################################
 # Only need to update these variables and the changelog
 %define kernel_ver	4.18.0-372.9.1.el8
 %define kpatch_ver	0.9.6
-%define rpm_ver		0
-%define rpm_rel		0
+%define rpm_ver		1
+%define rpm_rel		1
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
-Source100:		XXX.patch
-#Source101:		YYY.patch
+#
+# https://bugzilla.redhat.com/2087136
+Source100: CVE-2022-27666.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -150,5 +151,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Thu Jun 09 2022 Joe Lawrence <joe.lawrence@redhat.com> [1-1.el8]
+- kernel: buffer overflow in IPsec ESP transformation code [2087136] {CVE-2022-27666}
+
 * Thu Apr 28 2022 Joe Lawrence <joe.lawrence@redhat.com> [0-0.el8]
 - An empty patch to subscribe to kpatch stream for kernel-4.18.0-372.9.1.el8 [2080030]