From b58b33b23f6f93d19fe83d2cc555f7c6baf5ca31 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 21 2023 08:47:26 +0000 Subject: import kpatch-patch-4_18_0-425_3_1-1-3.el8 --- diff --git a/SOURCES/CVE-2022-41222.patch b/SOURCES/CVE-2022-41222.patch new file mode 100644 index 0000000..1438823 --- /dev/null +++ b/SOURCES/CVE-2022-41222.patch @@ -0,0 +1,58 @@ +From 17f7e33c1a0008537d53add1f8e70df8e760486f Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Fri, 6 Jan 2023 10:45:27 -0500 +Subject: [KPATCH CVE-2022-41222] kpatch fixes for CVE-2022-41222 + +If a race condition happens between rmap walk and mremap, this can +result in stale TLB entries. Waiman suggested a simple RHEL-only fix +for kpatch (always taking the rmap_locks) while z-stream opted to +backport about dozen related commits. + +Kernels: +4.18.0-425.3.1.el8 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/68 +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +callback_xdr.o: changed function: nfs_callback_dispatch +mremap.o: changed function: move_page_tables +nfs3proc.o: changed function: nfsd3_init_dirlist_pages +nfs3proc.o: changed function: nfsd3_proc_read +nfsproc.o: changed function: nfsd_proc_read +nfsproc.o: changed function: nfsd_proc_readdir +nfssvc.o: changed function: nfsd_dispatch +svc.o: changed function: nlmsvc_dispatch +--------------------------- + +Modifications: RHEL-only +Suggested-by: Waiman Long +Signed-off-by: Joe Lawrence +--- + mm/mremap.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/mm/mremap.c b/mm/mremap.c +index 3c8a797d5693..d837de27011b 100644 +--- a/mm/mremap.c ++++ b/mm/mremap.c +@@ -289,12 +289,10 @@ unsigned long move_page_tables(struct vm_area_struct *vma, + if (extent == HPAGE_PMD_SIZE) { + bool moved; + /* See comment in move_ptes() */ +- if (need_rmap_locks) +- take_rmap_locks(vma); ++ take_rmap_locks(vma); + moved = move_huge_pmd(vma, old_addr, new_addr, + old_end, old_pmd, new_pmd); +- if (need_rmap_locks) +- drop_rmap_locks(vma); ++ drop_rmap_locks(vma); + if (moved) + continue; + } +-- +2.39.1 + + diff --git a/SOURCES/CVE-2022-43945.patch b/SOURCES/CVE-2022-43945.patch new file mode 100644 index 0000000..d736081 --- /dev/null +++ b/SOURCES/CVE-2022-43945.patch @@ -0,0 +1,497 @@ +From 9b4bc5423447796134efeabaf76fbd669428a028 Mon Sep 17 00:00:00 2001 +From: Yannick Cote +Date: Fri, 2 Dec 2022 12:58:38 -0500 +Subject: [KPATCH CVE-2022-43945] kpatch fixes for CVE-2022-43945 + +Kernels: +4.18.0-425.3.1.el8 +4.18.0-425.10.1.el8_7 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/76 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +arches: x86_64 ppc64le +callback_xdr.o: changed function: nfs_callback_dispatch +mremap.o: changed function: move_page_tables +nfs3proc.o: changed function: nfsd3_init_dirlist_pages +nfs3proc.o: changed function: nfsd3_proc_read +nfsproc.o: changed function: nfsd_proc_read +nfsproc.o: changed function: nfsd_proc_readdir +nfssvc.o: changed function: nfsd_dispatch +svc.o: changed function: nlmsvc_dispatch +--------------------------- + +Modifications: +- Take out modifications to header routines and roll new kpatch versions + of them to be included at all call sites. +- Wrapped new routines: svcxdr_init_decode(), svcxdr_init_encode() + +commit e608b2dbbb132ebed6b63967b0915159cdf52ce4 +Author: Scott Mayhew +Date: Thu Nov 10 13:46:47 2022 -0500 + + SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation + + Bugzilla: https://bugzilla.redhat.com/2143172 + CVE: CVE-2022-43945 + Y-Commit: 804daece339d51a00b7b466cc648139009b1c0fb + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774 + O-CVE: CVE-2022-43945 + + commit 90bfc37b5ab91c1a6165e3e5cfc49bf04571b762 + Author: Chuck Lever + Date: Thu Sep 1 15:09:53 2022 -0400 + + SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation + + Ensure that stream-based argument decoding can't go past the actual + end of the receive buffer. xdr_init_decode's calculation of the + value of xdr->end over-estimates the end of the buffer because the + Linux kernel RPC server code does not remove the size of the RPC + header from rqstp->rq_arg before calling the upper layer's + dispatcher. + + The server-side still uses the svc_getnl() macros to decode the + RPC call header. These macros reduce the length of the head iov + but do not update the total length of the message in the buffer + (buf->len). + + A proper fix for this would be to replace the use of svc_getnl() and + friends in the RPC header decoder, but that would be a large and + invasive change that would be difficult to backport. + + Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side") + Reviewed-by: Jeff Layton + Signed-off-by: Chuck Lever + + Signed-off-by: Scott Mayhew + Signed-off-by: Jarod Wilson + +commit c43d2ebcf1b3893e044ee76490cbc225212dcd09 +Author: Scott Mayhew +Date: Thu Nov 10 13:46:47 2022 -0500 + + SUNRPC: Fix svcxdr_init_encode's buflen calculation + + Bugzilla: https://bugzilla.redhat.com/2143172 + CVE: CVE-2022-43945 + Y-Commit: 0dfe425436b4e11f1cd68ed8cbf4a8c4276d47c6 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774 + O-CVE: CVE-2022-43945 + + commit 1242a87da0d8cd2a428e96ca68e7ea899b0f4624 + Author: Chuck Lever + Date: Thu Sep 1 15:09:59 2022 -0400 + + SUNRPC: Fix svcxdr_init_encode's buflen calculation + + Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries") + added an explicit computation of the remaining length in the rq_res + XDR buffer. + + The computation appears to suffer from an "off-by-one" bug. Because + buflen is too large by one page, XDR encoding can run off the end of + the send buffer by eventually trying to use the struct page address + in rq_page_end, which always contains NULL. + + Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper") + Reviewed-by: Jeff Layton + Signed-off-by: Chuck Lever + + Signed-off-by: Scott Mayhew + Signed-off-by: Jarod Wilson + +commit 2c36509ef08d24a538bca8369ec0e88420813c3b +Author: Scott Mayhew +Date: Thu Nov 10 13:46:47 2022 -0500 + + NFSD: Protect against send buffer overflow in NFSv2 READDIR + + Bugzilla: https://bugzilla.redhat.com/2143172 + CVE: CVE-2022-43945 + Y-Commit: f4e8bb36f1ddd7d2111db324154793c7c6d3cad1 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774 + O-CVE: CVE-2022-43945 + + commit 00b4492686e0497fdb924a9d4c8f6f99377e176c + Author: Chuck Lever + Date: Thu Sep 1 15:10:05 2022 -0400 + + NFSD: Protect against send buffer overflow in NFSv2 READDIR + + Restore the previous limit on the @count argument to prevent a + buffer overflow attack. + + Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow") + Signed-off-by: Chuck Lever + Reviewed-by: Jeff Layton + Signed-off-by: Chuck Lever + + Signed-off-by: Scott Mayhew + Signed-off-by: Jarod Wilson + +commit e7f5ff9960dd6667538bf642a42168473e1d987d +Author: Scott Mayhew +Date: Thu Nov 10 13:46:47 2022 -0500 + + NFSD: Protect against send buffer overflow in NFSv3 READDIR + + Bugzilla: https://bugzilla.redhat.com/2143172 + CVE: CVE-2022-43945 + Y-Commit: c33579e1e26c423888888482a0e1ca9a0980f292 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774 + O-CVE: CVE-2022-43945 + + commit 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991 + Author: Chuck Lever + Date: Thu Sep 1 15:10:12 2022 -0400 + + NFSD: Protect against send buffer overflow in NFSv3 READDIR + + Since before the git era, NFSD has conserved the number of pages + held by each nfsd thread by combining the RPC receive and send + buffers into a single array of pages. This works because there are + no cases where an operation needs a large RPC Call message and a + large RPC Reply message at the same time. + + Once an RPC Call has been received, svc_process() updates + svc_rqst::rq_res to describe the part of rq_pages that can be + used for constructing the Reply. This means that the send buffer + (rq_res) shrinks when the received RPC record containing the RPC + Call is large. + + A client can force this shrinkage on TCP by sending a correctly- + formed RPC Call header contained in an RPC record that is + excessively large. The full maximum payload size cannot be + constructed in that case. + + Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this + issue. + + Reported-by: Ben Ronallo + Cc: + Signed-off-by: Chuck Lever + Reviewed-by: Jeff Layton + Signed-off-by: Chuck Lever + + Signed-off-by: Scott Mayhew + Signed-off-by: Jarod Wilson + +commit be58a0f8fe047e3cbc9891133b34cd323d01f8e3 +Author: Scott Mayhew +Date: Thu Nov 10 13:46:47 2022 -0500 + + NFSD: Protect against send buffer overflow in NFSv2 READ + + Bugzilla: https://bugzilla.redhat.com/2143172 + CVE: CVE-2022-43945 + Y-Commit: 436325d0734d253f50a547b842a95ed4bb752ae3 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774 + O-CVE: CVE-2022-43945 + + commit 401bc1f90874280a80b93f23be33a0e7e2d1f912 + Author: Chuck Lever + Date: Thu Sep 1 15:10:18 2022 -0400 + + NFSD: Protect against send buffer overflow in NFSv2 READ + + Since before the git era, NFSD has conserved the number of pages + held by each nfsd thread by combining the RPC receive and send + buffers into a single array of pages. This works because there are + no cases where an operation needs a large RPC Call message and a + large RPC Reply at the same time. + + Once an RPC Call has been received, svc_process() updates + svc_rqst::rq_res to describe the part of rq_pages that can be + used for constructing the Reply. This means that the send buffer + (rq_res) shrinks when the received RPC record containing the RPC + Call is large. + + A client can force this shrinkage on TCP by sending a correctly- + formed RPC Call header contained in an RPC record that is + excessively large. The full maximum payload size cannot be + constructed in that case. + + Cc: + Signed-off-by: Chuck Lever + Reviewed-by: Jeff Layton + Signed-off-by: Chuck Lever + + Signed-off-by: Scott Mayhew + Signed-off-by: Jarod Wilson + +commit b0be04c547fb3f2c98bda81f9f93e68dfdcad398 +Author: Scott Mayhew +Date: Thu Nov 10 13:46:46 2022 -0500 + + NFSD: Protect against send buffer overflow in NFSv3 READ + + Bugzilla: https://bugzilla.redhat.com/2143172 + CVE: CVE-2022-43945 + Y-Commit: cc970cde839098c5dd3d1dd013620ca972d4c9db + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2141774 + O-CVE: CVE-2022-43945 + + commit fa6be9cc6e80ec79892ddf08a8c10cabab9baf38 + Author: Chuck Lever + Date: Thu Sep 1 15:10:24 2022 -0400 + + NFSD: Protect against send buffer overflow in NFSv3 READ + + Since before the git era, NFSD has conserved the number of pages + held by each nfsd thread by combining the RPC receive and send + buffers into a single array of pages. This works because there are + no cases where an operation needs a large RPC Call message and a + large RPC Reply at the same time. + + Once an RPC Call has been received, svc_process() updates + svc_rqst::rq_res to describe the part of rq_pages that can be + used for constructing the Reply. This means that the send buffer + (rq_res) shrinks when the received RPC record containing the RPC + Call is large. + + A client can force this shrinkage on TCP by sending a correctly- + formed RPC Call header contained in an RPC record that is + excessively large. The full maximum payload size cannot be + constructed in that case. + + Cc: + Signed-off-by: Chuck Lever + Reviewed-by: Jeff Layton + Signed-off-by: Chuck Lever + + Signed-off-by: Scott Mayhew + Signed-off-by: Jarod Wilson + +Signed-off-by: Yannick Cote +--- + fs/lockd/svc.c | 6 ++- + fs/nfs/callback_xdr.c | 6 ++- + fs/nfsd/nfs3proc.c | 11 +++--- + fs/nfsd/nfsproc.c | 6 +-- + fs/nfsd/nfssvc.c | 6 ++- + include/linux/kpatch_cve_2022_43945.h | 53 +++++++++++++++++++++++++++ + 6 files changed, 74 insertions(+), 14 deletions(-) + create mode 100644 include/linux/kpatch_cve_2022_43945.h + +diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c +index 31fd841010c2..13f3813b38a8 100644 +--- a/fs/lockd/svc.c ++++ b/fs/lockd/svc.c +@@ -767,6 +767,8 @@ static void __exit exit_nlm(void) + module_init(init_nlm); + module_exit(exit_nlm); + ++#include ++ + /** + * nlmsvc_dispatch - Process an NLM Request + * @rqstp: incoming request +@@ -780,7 +782,7 @@ static int nlmsvc_dispatch(struct svc_rqst *rqstp, __be32 *statp) + { + const struct svc_procedure *procp = rqstp->rq_procinfo; + +- svcxdr_init_decode(rqstp); ++ kpatch_cve_2022_43945_svcxdr_init_decode(rqstp); + if (!procp->pc_decode(rqstp, &rqstp->rq_arg_stream)) + goto out_decode_err; + +@@ -790,7 +792,7 @@ static int nlmsvc_dispatch(struct svc_rqst *rqstp, __be32 *statp) + if (*statp != rpc_success) + return 1; + +- svcxdr_init_encode(rqstp); ++ kpatch_cve_2022_43945_svcxdr_init_encode(rqstp); + if (!procp->pc_encode(rqstp, &rqstp->rq_res_stream)) + goto out_encode_err; + +diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c +index a67c41ec545f..9438f91b9c2d 100644 +--- a/fs/nfs/callback_xdr.c ++++ b/fs/nfs/callback_xdr.c +@@ -983,13 +983,15 @@ static __be32 nfs4_callback_compound(struct svc_rqst *rqstp) + return rpc_success; + } + ++#include ++ + static int + nfs_callback_dispatch(struct svc_rqst *rqstp, __be32 *statp) + { + const struct svc_procedure *procp = rqstp->rq_procinfo; + +- svcxdr_init_decode(rqstp); +- svcxdr_init_encode(rqstp); ++ kpatch_cve_2022_43945_svcxdr_init_decode(rqstp); ++ kpatch_cve_2022_43945_svcxdr_init_encode(rqstp); + + *statp = procp->pc_func(rqstp); + return 1; +diff --git a/fs/nfsd/nfs3proc.c b/fs/nfsd/nfs3proc.c +index f1d81704d5bd..233f07958b09 100644 +--- a/fs/nfsd/nfs3proc.c ++++ b/fs/nfsd/nfs3proc.c +@@ -146,7 +146,6 @@ nfsd3_proc_read(struct svc_rqst *rqstp) + { + struct nfsd3_readargs *argp = rqstp->rq_argp; + struct nfsd3_readres *resp = rqstp->rq_resp; +- u32 max_blocksize = svc_max_payload(rqstp); + unsigned int len; + int v; + +@@ -155,7 +154,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp) + (unsigned long) argp->count, + (unsigned long long) argp->offset); + +- argp->count = min_t(u32, argp->count, max_blocksize); ++ argp->count = min_t(u32, argp->count, svc_max_payload(rqstp)); ++ argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen); + if (argp->offset > (u64)OFFSET_MAX) + argp->offset = (u64)OFFSET_MAX; + if (argp->offset + argp->count > (u64)OFFSET_MAX) +@@ -451,13 +451,14 @@ static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp, + { + struct xdr_buf *buf = &resp->dirlist; + struct xdr_stream *xdr = &resp->xdr; +- +- count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp)); ++ unsigned int sendbuf = min_t(unsigned int, rqstp->rq_res.buflen, ++ svc_max_payload(rqstp)); + + memset(buf, 0, sizeof(*buf)); + + /* Reserve room for the NULL ptr & eof flag (-2 words) */ +- buf->buflen = count - XDR_UNIT * 2; ++ buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf); ++ buf->buflen -= XDR_UNIT * 2; + buf->pages = rqstp->rq_next_page; + rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT; + +diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c +index e4b0e0e6d1bc..87d0c443767c 100644 +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -182,6 +182,7 @@ nfsd_proc_read(struct svc_rqst *rqstp) + argp->count, argp->offset); + + argp->count = min_t(u32, argp->count, NFSSVC_MAXBLKSIZE_V2); ++ argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen); + + v = 0; + len = argp->count; +@@ -561,12 +562,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp, + struct xdr_buf *buf = &resp->dirlist; + struct xdr_stream *xdr = &resp->xdr; + +- count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp)); +- + memset(buf, 0, sizeof(*buf)); + + /* Reserve room for the NULL ptr & eof flag (-2 words) */ +- buf->buflen = count - XDR_UNIT * 2; ++ buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE); ++ buf->buflen -= XDR_UNIT * 2; + buf->pages = rqstp->rq_next_page; + rqstp->rq_next_page++; + +diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c +index c3c5613c29a8..b9aaf205ec0f 100644 +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -985,6 +985,8 @@ nfsd(void *vrqstp) + return 0; + } + ++#include ++ + /** + * nfsd_dispatch - Process an NFS or NFSACL Request + * @rqstp: incoming request +@@ -1006,7 +1008,7 @@ int nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) + */ + rqstp->rq_cachetype = proc->pc_cachetype; + +- svcxdr_init_decode(rqstp); ++ kpatch_cve_2022_43945_svcxdr_init_decode(rqstp); + if (!proc->pc_decode(rqstp, &rqstp->rq_arg_stream)) + goto out_decode_err; + +@@ -1023,7 +1025,7 @@ int nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp) + * Need to grab the location to store the status, as + * NFSv4 does some encoding while processing + */ +- svcxdr_init_encode(rqstp); ++ kpatch_cve_2022_43945_svcxdr_init_encode(rqstp); + + *statp = proc->pc_func(rqstp); + if (*statp == rpc_drop_reply || test_bit(RQ_DROPME, &rqstp->rq_flags)) +diff --git a/include/linux/kpatch_cve_2022_43945.h b/include/linux/kpatch_cve_2022_43945.h +new file mode 100644 +index 000000000000..d52392485a57 +--- /dev/null ++++ b/include/linux/kpatch_cve_2022_43945.h +@@ -0,0 +1,53 @@ ++#ifndef _KPATCH_CVE_2022_43945_H ++#define _KPATCH_CVE_2022_43945_H ++ ++/* ++ * svcxdr_init_decode - Prepare an xdr_stream for Call decoding ++ * @rqstp: controlling server RPC transaction context ++ * ++ * This function currently assumes the RPC header in rq_arg has ++ * already been decoded. Upon return, xdr->p points to the ++ * location of the upper layer header. ++ */ ++static inline void kpatch_cve_2022_43945_svcxdr_init_decode(struct svc_rqst *rqstp) ++{ ++ struct xdr_stream *xdr = &rqstp->rq_arg_stream; ++ struct xdr_buf *buf = &rqstp->rq_arg; ++ struct kvec *argv = buf->head; ++ ++ /* ++ * svc_getnl() and friends do not keep the xdr_buf's ::len ++ * field up to date. Refresh that field before initializing ++ * the argument decoding stream. ++ */ ++ buf->len = buf->head->iov_len + buf->page_len + buf->tail->iov_len; ++ ++ xdr_init_decode(xdr, buf, argv->iov_base, NULL); ++ xdr_set_scratch_page(xdr, rqstp->rq_scratch_page); ++} ++ ++/* ++ * svcxdr_init_encode - Prepare an xdr_stream for svc Reply encoding ++ * @rqstp: controlling server RPC transaction context ++ * ++ */ ++static inline void kpatch_cve_2022_43945_svcxdr_init_encode(struct svc_rqst *rqstp) ++{ ++ struct xdr_stream *xdr = &rqstp->rq_res_stream; ++ struct xdr_buf *buf = &rqstp->rq_res; ++ struct kvec *resv = buf->head; ++ ++ xdr_reset_scratch_buffer(xdr); ++ ++ xdr->buf = buf; ++ xdr->iov = resv; ++ xdr->p = resv->iov_base + resv->iov_len; ++ xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack; ++ buf->len = resv->iov_len; ++ xdr->page_ptr = buf->pages - 1; ++ buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages); ++ buf->buflen -= rqstp->rq_auth_slack; ++ xdr->rqst = NULL; ++} ++ ++#endif /* _KPATCH_CVE_2022_43945_H */ +-- +2.39.1 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index 39a2129..b4ed019 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 4.18.0-425.3.1.el8 %define kpatch_ver 0.9.6 %define rpm_ver 1 -%define rpm_rel 2 +%define rpm_rel 3 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -16,6 +16,12 @@ Source100: CVE-2022-2964.patch # # https://bugzilla.redhat.com/2147587 Source101: CVE-2022-4139.patch +# +# https://bugzilla.redhat.com/2141242 +Source102: CVE-2022-41222.patch +# +# https://bugzilla.redhat.com/2143184 +Source103: CVE-2022-43945.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -155,6 +161,10 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Mon Feb 06 2023 Yannick Cote [1-3.el8] +- kernel: nfsd buffer overflow by RPC message over TCP with garbage data [2143184] {CVE-2022-43945} +- kernel: mm/mremap.c use-after-free vulnerability [2141242] {CVE-2022-41222} + * Fri Jan 06 2023 Joe Lawrence [1-2.el8] - kernel: i915: Incorrect GPU TLB flush can lead to random memory access [2147587] {CVE-2022-4139}