diff --git a/SOURCES/CVE-2022-2588.patch b/SOURCES/CVE-2022-2588.patch new file mode 100644 index 0000000..1a9683f --- /dev/null +++ b/SOURCES/CVE-2022-2588.patch @@ -0,0 +1,88 @@ +From 40fea653c0535b0963a20f3768475a21745966a1 Mon Sep 17 00:00:00 2001 +From: Julia Denham +Date: Wed, 5 Oct 2022 10:46:32 -0400 +Subject: [KPATCH CVE-2022-2588] kpatch fixes for CVE-2022-2588 + +Kernels: +4.18.0-372.9.1.el8 +4.18.0-372.13.1.el8_6 +4.18.0-372.16.1.el8_6 +4.18.0-372.19.1.el8_6 +4.18.0-372.26.1.el8_6 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/57 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +cls_route.o: changed function: route4_change +--------------------------- + +Modifications: none + +commit da65135ce599844336767732fe9f4adc731ddf03 +Author: Felix Maurer +Date: Fri Aug 19 15:28:46 2022 +0200 + + net_sched: cls_route: remove from list when handle is 0 + + Bugzilla: https://bugzilla.redhat.com/2121817 + CVE: CVE-2022-2588 + Y-Commit: 30cff48f9bf8efc15d8a7294c6bf88f013eed546 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2116328 + O-CVE: CVE-2022-2588 + + commit 9ad36309e2719a884f946678e0296be10f0bb4c1 + Author: Thadeu Lima de Souza Cascardo + Date: Tue Aug 9 14:05:18 2022 -0300 + + net_sched: cls_route: remove from list when handle is 0 + + When a route filter is replaced and the old filter has a 0 handle, the old + one won't be removed from the hashtable, while it will still be freed. + + The test was there since before commit 1109c00547fc ("net: sched: RCU + cls_route"), when a new filter was not allocated when there was an old one. + The old filter was reused and the reinserting would only be necessary if an + old filter was replaced. That was still wrong for the same case where the + old handle was 0. + + Remove the old filter from the list independently from its handle value. + + This fixes CVE-2022-2588, also reported as ZDI-CAN-17440. + + Reported-by: Zhenpeng Lin + Signed-off-by: Thadeu Lima de Souza Cascardo + Reviewed-by: Kamal Mostafa + Cc: + Acked-by: Jamal Hadi Salim + Link: https://lore.kernel.org/r/20220809170518.164662-1-cascardo@canonical.com + Signed-off-by: Jakub Kicinski + + Signed-off-by: Felix Maurer + Signed-off-by: Augusto Caringi + +Signed-off-by: Julia Denham +--- + net/sched/cls_route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c +index 94dbc05e40f7..882a0ad65af5 100644 +--- a/net/sched/cls_route.c ++++ b/net/sched/cls_route.c +@@ -530,7 +530,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, + rcu_assign_pointer(f->next, f1); + rcu_assign_pointer(*fp, f); + +- if (fold && fold->handle && f->handle != fold->handle) { ++ if (fold) { + th = to_hash(fold->handle); + h = from_hash(fold->handle >> 16); + b = rtnl_dereference(head->table[th]); +-- +2.37.3 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 56e9742..219144d 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 4.18.0-372.9.1.el8 %define kpatch_ver 0.9.6 %define rpm_ver 1 -%define rpm_rel 2 +%define rpm_rel 3 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -16,6 +16,9 @@ Source100: CVE-2022-27666.patch # # https://bugzilla.redhat.com/2093006 Source101: CVE-2022-32250.patch +# +# https://bugzilla.redhat.com/2122584 +Source102: CVE-2022-2588.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -154,6 +157,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Mon Oct 10 2022 Yannick Cote [1-3.el8] +- kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation [2122584] {CVE-2022-2588} + * Thu Jul 21 2022 Joe Lawrence [1-2.el8] - kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root [2093006] {CVE-2022-32250}