rpms / kpatch-patch-5_14_0-162_12_1

Clone
Source Code
GIT

Blame SOURCES/CVE-2022-4378.patch

c9
  1.   c9
  2.   SOURCES
  3.   CVE-2022-4378.patch
Blob History Raw
734205 
From 5b91e65d83213b25cc9529884a2106eee80c6c04 Mon Sep 17 00:00:00 2001
734205 
From: Ryan Sullivan <rysulliv@redhat.com>
734205 
Date: Thu, 26 Jan 2023 09:44:30 -0500
734205 
Subject: [KPATCH CVE-2022-4378] kpatch fixes for CVE-2022-4378
734205
734205 
Kernels:
734205 
5.14.0-162.6.1.el9_1
734205 
5.14.0-162.12.1.el9_1
734205
734205
734205 
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/19
734205 
Approved-by: Joe Lawrence (@joe.lawrence)
734205 
Approved-by: Yannick Cote (@ycote1)
734205 
Changes since last build:
734205 
arches: x86_64 ppc64le
734205 
l2cap_core.o: changed function: l2cap_rx_state_recv
734205 
l2cap_core.o: changed function: l2cap_stream_rx
734205 
nfs4proc.o: changed function: nfsd4_copy
734205 
nfs4proc.o: changed function: nfsd4_do_async_copy
734205 
nft_payload.o: changed function: nft_payload_copy_vlan
734205 
sysctl.o: changed function: __do_proc_dointvec
734205 
sysctl.o: changed function: __do_proc_douintvec
734205 
sysctl.o: changed function: __do_proc_doulongvec_minmax
734205 
sysctl.o: changed function: proc_get_long.constprop.0
734205 
---------------------------
734205
734205 
Modifications: none
734205
734205 
commit d4c4d465e31fae6c3729b9c52a6bc3610494ead4
734205 
Author: Wander Lairson Costa <wander@redhat.com>
734205 
Date:   Mon Dec 12 15:30:46 2022 -0300
734205
734205 
    proc: avoid integer type confusion in get_proc_long
734205
734205 
    Bugzilla: https://bugzilla.redhat.com/2152580
734205 
    CVE: CVE-2022-4378
734205 
    Y-Commit: ab93541c2e72e570f9b6cf79ff943400961a30e1
734205
734205 
    O-Bugzilla: https://bugzilla.redhat.com/2152581
734205 
    O-CVE: CVE-2022-4378
734205
734205 
    commit e6cfaf34be9fcd1a8285a294e18986bfc41a409c
734205 
    Author: Linus Torvalds <torvalds@linux-foundation.org>
734205 
    Date:   Mon Dec 5 11:33:40 2022 -0800
734205
734205 
        proc: avoid integer type confusion in get_proc_long
734205
734205 
        proc_get_long() is passed a size_t, but then assigns it to an 'int'
734205 
        variable for the length.  Let's not do that, even if our IO paths are
734205 
        limited to MAX_RW_COUNT (exactly because of these kinds of type errors).
734205
734205 
        So do the proper test in the rigth type.
734205
734205 
        Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
734205 
        Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
734205
734205 
    Signed-off-by: Wander Lairson Costa <wander@redhat.com>
734205 
    Signed-off-by: Patrick Talbert <ptalbert@redhat.com>
734205
734205 
commit 250391dd6ddc268d65901a1eaeb966a7256ef1cb
734205 
Author: Wander Lairson Costa <wander@redhat.com>
734205 
Date:   Mon Dec 12 15:30:50 2022 -0300
734205
734205 
    proc: proc_skip_spaces() shouldn't think it is working on C strings
734205
734205 
    Bugzilla: https://bugzilla.redhat.com/2152580
734205 
    CVE: CVE-2022-4378
734205 
    Y-Commit: a664fa0ecf20645f630e278b6da6aaabb3192954
734205
734205 
    O-Bugzilla: https://bugzilla.redhat.com/2152581
734205 
    O-CVE: CVE-2022-4378
734205
734205 
    commit bce9332220bd677d83b19d21502776ad555a0e73
734205 
    Author: Linus Torvalds <torvalds@linux-foundation.org>
734205 
    Date:   Mon Dec 5 12:09:06 2022 -0800
734205
734205 
        proc: proc_skip_spaces() shouldn't think it is working on C strings
734205
734205 
        proc_skip_spaces() seems to think it is working on C strings, and ends
734205 
        up being just a wrapper around skip_spaces() with a really odd calling
734205 
        convention.
734205
734205 
        Instead of basing it on skip_spaces(), it should have looked more like
734205 
        proc_skip_char(), which really is the exact same function (except it
734205 
        skips a particular character, rather than whitespace).  So use that as
734205 
        inspiration, odd coding and all.
734205
734205 
        Now the calling convention actually makes sense and works for the
734205 
        intended purpose.
734205
734205 
        Reported-and-tested-by: Kyle Zeng <zengyhkyle@gmail.com>
734205 
        Acked-by: Eric Dumazet <edumazet@google.com>
734205 
        Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
734205
734205 
    Signed-off-by: Wander Lairson Costa <wander@redhat.com>
734205 
    Signed-off-by: Patrick Talbert <ptalbert@redhat.com>
734205
734205 
Signed-off-by: Ryan Sullivan <rysulliv@redhat.com>
734205 
---
734205 
 kernel/sysctl.c | 30 +++++++++++++++---------------
734205 
 1 file changed, 15 insertions(+), 15 deletions(-)
734205
734205 
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
734205 
index 0dd902ee206e..e72cf05ca07b 100644
734205 
--- a/kernel/sysctl.c
734205 
+++ b/kernel/sysctl.c
734205 
@@ -391,13 +391,14 @@ int proc_dostring(struct ctl_table *table, int write,
734205 
 			ppos);
734205 
 }
734205
734205 
-static size_t proc_skip_spaces(char **buf)
734205 
+static void proc_skip_spaces(char **buf, size_t *size)
734205 
 {
734205 
-	size_t ret;
734205 
-	char *tmp = skip_spaces(*buf);
734205 
-	ret = tmp - *buf;
734205 
-	*buf = tmp;
734205 
-	return ret;
734205 
+	while (*size) {
734205 
+		if (!isspace(**buf))
734205 
+			break;
734205 
+		(*size)--;
734205 
+		(*buf)++;
734205 
+	}
734205 
 }
734205
734205 
 static void proc_skip_char(char **buf, size_t *size, const char v)
734205 
@@ -466,13 +467,12 @@ static int proc_get_long(char **buf, size_t *size,
734205 
 			  unsigned long *val, bool *neg,
734205 
 			  const char *perm_tr, unsigned perm_tr_len, char *tr)
734205 
 {
734205 
-	int len;
734205 
 	char *p, tmp[TMPBUFLEN];
734205 
+	ssize_t len = *size;
734205
734205 
-	if (!*size)
734205 
+	if (len <= 0)
734205 
 		return -EINVAL;
734205
734205 
-	len = *size;
734205 
 	if (len > TMPBUFLEN - 1)
734205 
 		len = TMPBUFLEN - 1;
734205
734205 
@@ -645,7 +645,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
734205 
 		bool neg;
734205
734205 
 		if (write) {
734205 
-			left -= proc_skip_spaces(&p);
734205 
+			proc_skip_spaces(&p, &left);
734205
734205 
 			if (!left)
734205 
 				break;
734205 
@@ -672,7 +672,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
734205 
 	if (!write && !first && left && !err)
734205 
 		proc_put_char(&buffer, &left, '\n');
734205 
 	if (write && !err && left)
734205 
-		left -= proc_skip_spaces(&p);
734205 
+		proc_skip_spaces(&p, &left);
734205 
 	if (write && first)
734205 
 		return err ? : -EINVAL;
734205 
 	*lenp -= left;
734205 
@@ -714,7 +714,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data,
734205 
 	if (left > PAGE_SIZE - 1)
734205 
 		left = PAGE_SIZE - 1;
734205
734205 
-	left -= proc_skip_spaces(&p);
734205 
+	proc_skip_spaces(&p, &left);
734205 
 	if (!left) {
734205 
 		err = -EINVAL;
734205 
 		goto out_free;
734205 
@@ -734,7 +734,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data,
734205 
 	}
734205
734205 
 	if (!err && left)
734205 
-		left -= proc_skip_spaces(&p);
734205 
+		proc_skip_spaces(&p, &left);
734205
734205 
 out_free:
734205 
 	if (err)
734205 
@@ -1271,7 +1271,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table,
734205 
 		if (write) {
734205 
 			bool neg;
734205
734205 
-			left -= proc_skip_spaces(&p);
734205 
+			proc_skip_spaces(&p, &left);
734205 
 			if (!left)
734205 
 				break;
734205
734205 
@@ -1299,7 +1299,7 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table,
734205 
 	if (!write && !first && left && !err)
734205 
 		proc_put_char(&buffer, &left, '\n');
734205 
 	if (write && !err)
734205 
-		left -= proc_skip_spaces(&p);
734205 
+		proc_skip_spaces(&p, &left);
734205 
 	if (write && first)
734205 
 		return err ? : -EINVAL;
734205 
 	*lenp -= left;
734205 
--
734205 
2.39.1
734205
734205

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation