diff --git a/SOURCES/CVE-2022-32250.patch b/SOURCES/CVE-2022-32250.patch
new file mode 100644
index 0000000..e2e27f7
--- /dev/null
+++ b/SOURCES/CVE-2022-32250.patch
@@ -0,0 +1,140 @@
+From 2f9874af7248b917772c8673054118267b3be415 Mon Sep 17 00:00:00 2001
+From: Julia Denham
+Date: Mon, 11 Jul 2022 08:10:32 -0400
+Subject: [KPATCH CVE-2022-32250] kpatch fixes for CVE-2022-1966
+Content-type: text/plain
+
+Kernels:
+4.18.0-372.9.1.el8
+
+Changes since last build:
+arches: x86_64 ppc64le
+nf_tables_api.o: changed function: nft_expr_init
+nf_tables_api.o: changed function: nft_set_elem_expr_alloc
+---------------------------
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/53
+Approved-by: Joe Lawrence (@joe.lawrence)
+Approved-by: Yannick Cote (@ycote1)
+Modifications: none
+
+commit afeaad78f78f7593e89f540a87b8796e8d705d57
+Author: Phil Sutter
+Date: Thu Jun 2 20:58:22 2022 +0200
+
+ netfilter: nf_tables: disallow non-stateful expression in sets earlier
+
+ Bugzilla: https://bugzilla.redhat.com/2092986
+ CVE: CVE-2022-32250
+ Y-Commit: cfb0d599ec74a88a5f02455616f96946defb849e
+
+ O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2092987
+ Upstream Status: net.git commit 520778042ccca
+ O-CVE: CVE-2022-32250
+ Conflicts: Upstream renamed info -> expr_info.
+
+ commit 520778042ccca019f3ffa136dd0ca565c486cedd
+ Author: Pablo Neira Ayuso
+ Date: Wed May 25 10:36:38 2022 +0200
+
+ netfilter: nf_tables: disallow non-stateful expression in sets earlier
+
+ Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
+ instantiation"), it is possible to attach stateful expressions to set
+ elements.
+
+ cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
+ and destroy phase") introduces conditional destruction on the object to
+ accomodate transaction semantics.
+
+ nft_expr_init() calls expr->ops->init() first, then check for
+ NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful
+ lookup expressions which points to a set, which might lead to UAF since
+ the set is not properly detached from the set->binding for this case.
+ Anyway, this combination is non-sense from nf_tables perspective.
+
+ This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
+ expr->ops->init() is called.
+
+ The reporter provides a KASAN splat and a poc reproducer (similar to
+ those autogenerated by syzbot to report use-after-free errors). It is
+ unknown to me if they are using syzbot or if they use similar automated
+ tool to locate the bug that they are reporting.
+
+ For the record, this is the KASAN splat.
+
+ [ 85.431824] ==================================================================
+ [ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
+ [ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
+ [ 85.434756]
+ [ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
+ [ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+
+ Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
+ Reported-and-tested-by: Aaron Adams
+ Signed-off-by: Pablo Neira Ayuso
+
+ Signed-off-by: Phil Sutter
+ Signed-off-by: Augusto Caringi
+
+Signed-off-by: Julia Denham
+---
+ net/netfilter/nf_tables_api.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index aa095db8d0ca..097680c5f914 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2576,27 +2576,31 @@ static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
+ 
+ err = nf_tables_expr_parse(ctx, nla, &info);
+ if (err < 0)
+- goto err1;
++ goto err_expr_parse;
++
++ err = -EOPNOTSUPP;
++ if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
++ goto err_expr_stateful;
+ 
+ err = -ENOMEM;
+ expr = kzalloc(info.ops->size, GFP_KERNEL);
+ if (expr == NULL)
+- goto err2;
++ goto err_expr_stateful;
+ 
+ err = nf_tables_newexpr(ctx, &info, expr);
+ if (err < 0)
+- goto err3;
++ goto err_expr_new;
+ 
+ return expr;
+-err3:
++err_expr_new:
+ kfree(expr);
+-err2:
++err_expr_stateful:
+ owner = info.ops->type->owner;
+ if (info.ops->type->release_ops)
+ info.ops->type->release_ops(info.ops);
+ 
+ module_put(owner);
+-err1:
++err_expr_parse:
+ return ERR_PTR(err);
+ }
+ 
+@@ -4983,9 +4987,6 @@ struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
+ return expr;
+ 
+ err = -EOPNOTSUPP;
+- if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
+- goto err_set_elem_expr;
+-
+ if (expr->ops->type->flags & NFT_EXPR_GC) {
+ if (set->flags & NFT_SET_TIMEOUT)
+ goto err_set_elem_expr;
+-- 
+2.26.3
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index 4b09af7..56e9742 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
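Review bot: The Subject line of the new patch file, `Subject: [KPATCH CVE-2022-32250] kpatch fixes for CVE-2022-1966`, names a different CVE than the file name, the `CVE:` and `O-CVE:` trailers of the embedded commit, and the spec changelog, which all say CVE-2022-32250. A reader of the kpatch header cannot tell whether CVE-2022-1966 is a second identifier tracking the same flaw or a slip carried over from an earlier draft. If both identifiers apply, say so explicitly, e.g. `Subject: [KPATCH CVE-2022-32250] kpatch fixes for CVE-2022-32250 (also tracked as CVE-2022-1966)`; otherwise align the Subject with the rest of the file. The embedded kernel hunks are the backported upstream change (the header states `Modifications: none`), so this note concerns the patch metadata only.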
@@ -6,13 +6,16 @@
 %define kernel_ver 4.18.0-372.9.1.el8
 %define kpatch_ver 0.9.6
 %define rpm_ver 1
-%define rpm_rel 1
+%define rpm_rel 2
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
 #
 # https://bugzilla.redhat.com/2087136
 Source100: CVE-2022-27666.patch
+#
+# https://bugzilla.redhat.com/2093006
+Source101: CVE-2022-32250.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
@@ -151,6 +154,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 %changelog
+* Thu Jul 21 2022 Joe Lawrence [1-2.el8]
+- kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root [2093006] {CVE-2022-32250}
+
 * Thu Jun 09 2022 Joe Lawrence [1-1.el8]
 - kernel: buffer overflow in IPsec ESP transformation code [2087136] {CVE-2022-27666}