diff --git a/.gitignore b/.gitignore index e69de29..7970654 100644 --- a/.gitignore +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/kernel-4.18.0-372.9.1.el8.src.rpm +SOURCES/v0.9.6.tar.gz diff --git a/.kpatch-patch-4_18_0-372_9_1.metadata b/.kpatch-patch-4_18_0-372_9_1.metadata index e69de29..13c42c3 100644 --- a/.kpatch-patch-4_18_0-372_9_1.metadata +++ b/.kpatch-patch-4_18_0-372_9_1.metadata @@ -0,0 +1,2 @@ +6aca389e10a1bf94fb1f8a9a8e69cd8393e4990e SOURCES/kernel-4.18.0-372.9.1.el8.src.rpm +223c224ddd6896c467b9347ab297e3f7f013f5d7 SOURCES/v0.9.6.tar.gz diff --git a/SOURCES/CVE-2022-27666.patch b/SOURCES/CVE-2022-27666.patch new file mode 100644 index 0000000..6d5f886 --- /dev/null +++ b/SOURCES/CVE-2022-27666.patch @@ -0,0 +1,137 @@ +From 106df426732fc582d1a1bcd6b823b5f16a08b933 Mon Sep 17 00:00:00 2001 +From: "C. Erastus Toe" +Date: Tue, 24 May 2022 09:59:53 -0400 +Subject: [KPATCH CVE-2022-27666] kpatch fixes for CVE-2022-27666 +Content-type: text/plain + +Kernels: +4.18.0-372.9.1.el8 + +Changes since last build: +arches: x86_64 ppc64le +esp4.o: changed function: esp_output_head +esp6.o: changed function: esp6_output_head +--------------------------- + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/49 +Approved-by: Joe Lawrence (@joe.lawrence) +Modifications: none + +commit 3217bc60aaf7f21f0704da5989de7bdd01a69742 +Author: Sabrina Dubroca +Date: Wed May 11 11:44:45 2022 +0200 + + esp: Fix possible buffer overflow in ESP transformation + + Bugzilla: https://bugzilla.redhat.com/2062114 + CVE: CVE-2022-27666 + Y-Commit: 72c973454384f9f432ca5ba5ebaa778e471050bd + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062115 + Tested: reproducer + basic ipsec tests + O-CVE: CVE-2022-27666 + + commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 + Author: Steffen Klassert + Date: Mon Mar 7 13:11:39 2022 +0100 + + esp: Fix possible buffer overflow in ESP transformation + + The maximum message size that can be send is bigger than + the maximum site that skb_page_frag_refill can allocate. + So it is possible to write beyond the allocated buffer. + + Fix this by doing a fallback to COW in that case. + + v2: + + Avoid get get_order() costs as suggested by Linus Torvalds. + + Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") + Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") + Reported-by: valis + Signed-off-by: Steffen Klassert + + Signed-off-by: Sabrina Dubroca + Signed-off-by: Augusto Caringi + +commit 3525e8a7ea460ac64682bce8889212830dfe371a +Author: Sabrina Dubroca +Date: Wed May 11 11:44:56 2022 +0200 + + esp: limit skb_page_frag_refill use to a single page + + Bugzilla: https://bugzilla.redhat.com/2062114 + CVE: CVE-2022-27666 + Y-Commit: a1efd3ffe608ccbe9be08a691a939360f2c7c362 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062115 + Tested: reproducer + basic ipsec tests + O-CVE: CVE-2022-27666 + + commit 5bd8baab087dff657e05387aee802e70304cc813 + Author: Sabrina Dubroca + Date: Wed Apr 13 10:10:50 2022 +0200 + + esp: limit skb_page_frag_refill use to a single page + + Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP + transformation") tried to fix skb_page_frag_refill usage in ESP by + capping allocsize to 32k, but that doesn't completely solve the issue, + as skb_page_frag_refill may return a single page. If that happens, we + will write out of bounds, despite the check introduced in the previous + patch. + + This patch forces COW in cases where we would end up calling + skb_page_frag_refill with a size larger than a page (first in + esp_output_head with tailen, then in esp_output_tail with + skb->data_len). + + Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") + Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") + Signed-off-by: Sabrina Dubroca + Signed-off-by: Steffen Klassert + + Signed-off-by: Sabrina Dubroca + Signed-off-by: Augusto Caringi + +Signed-off-by: C. Erastus Toe +--- + net/ipv4/esp4.c | 4 ++++ + net/ipv6/esp6.c | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index e86d59f9a6ea..af0eaa4e6c2b 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -453,6 +453,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * + return err; + } + ++ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE || ++ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) ++ goto cow; ++ + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { + nfrags = 1; +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index 5e19455e14f3..2ff1a109f464 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -500,6 +500,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info + return err; + } + ++ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE || ++ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) ++ goto cow; ++ + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { + nfrags = 1; +-- +2.26.3 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 52a48cc..4b09af7 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -1,17 +1,18 @@ # Set to 1 if building an empty subscription-only package. -%define empty_package 1 +%define empty_package 0 ####################################################### # Only need to update these variables and the changelog %define kernel_ver 4.18.0-372.9.1.el8 %define kpatch_ver 0.9.6 -%define rpm_ver 0 -%define rpm_rel 0 +%define rpm_ver 1 +%define rpm_rel 1 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. -Source100: XXX.patch -#Source101: YYY.patch +# +# https://bugzilla.redhat.com/2087136 +Source100: CVE-2022-27666.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -150,5 +151,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Thu Jun 09 2022 Joe Lawrence [1-1.el8] +- kernel: buffer overflow in IPsec ESP transformation code [2087136] {CVE-2022-27666} + * Thu Apr 28 2022 Joe Lawrence [0-0.el8] - An empty patch to subscribe to kpatch stream for kernel-4.18.0-372.9.1.el8 [2080030]