Blame SPECS/kpatch-patch.spec

d59fc8
# Set to 1 if building an empty subscription-only package.
734205
%define empty_package		0
d59fc8
d59fc8
#######################################################
d59fc8
# Only need to update these variables and the changelog
d59fc8
%define kernel_ver	5.14.0-162.12.1.el9_1
d59fc8
%define kpatch_ver	0.9.7
734205
%define rpm_ver		1
734205
%define rpm_rel		1
d59fc8
d59fc8
%if !%{empty_package}
d59fc8
# Patch sources below. DO NOT REMOVE THIS LINE.
734205
#
734205
# https://bugzilla.redhat.com/2153007
734205
Source100: CVE-2022-3564.patch
734205
#
734205
# https://bugzilla.redhat.com/2152599
734205
Source101: CVE-2022-4378.patch
734205
#
734205
# https://bugzilla.redhat.com/2153157
734205
Source102: CVE-2022-4379.patch
734205
#
734205
# https://bugzilla.redhat.com/2161747
734205
Source103: CVE-2023-0179.patch
d59fc8
# End of patch sources. DO NOT REMOVE THIS LINE.
d59fc8
%endif
d59fc8
d59fc8
%define sanitized_rpm_rel	%{lua: print((string.gsub(rpm.expand("%rpm_rel"), "%.", "_")))}
d59fc8
%define sanitized_kernel_ver   %{lua: print((string.gsub(string.gsub(rpm.expand("%kernel_ver"), '.el9_?\%d?', ""), "%.", "_")))}
d59fc8
%define kernel_ver_arch        %{kernel_ver}.%{_arch}
d59fc8
d59fc8
Name:		kpatch-patch-%{sanitized_kernel_ver}
d59fc8
Version:	%{rpm_ver}
d59fc8
Release:	%{rpm_rel}%{?dist}
d59fc8
d59fc8
%if %{empty_package}
d59fc8
Summary:	Initial empty kpatch-patch for kernel-%{kernel_ver_arch}
d59fc8
%else
d59fc8
Summary:	Live kernel patching module for kernel-%{kernel_ver_arch}
d59fc8
%endif
d59fc8
d59fc8
Group:		System Environment/Kernel
d59fc8
License:	GPLv2
d59fc8
ExclusiveArch:	x86_64 ppc64le
d59fc8
d59fc8
Conflicts:	%{name} < %{version}-%{release}
d59fc8
d59fc8
Provides:	kpatch-patch = %{kernel_ver_arch}
d59fc8
Provides:	kpatch-patch = %{kernel_ver}
d59fc8
d59fc8
%if !%{empty_package}
d59fc8
Requires:	systemd
d59fc8
%endif
d59fc8
Requires:	kpatch >= 0.6.1-1
d59fc8
Requires:	kernel-uname-r = %{kernel_ver_arch}
d59fc8
d59fc8
%if !%{empty_package}
d59fc8
BuildRequires:	patchutils
d59fc8
BuildRequires:	kernel-devel = %{kernel_ver}
d59fc8
BuildRequires:	kernel-debuginfo = %{kernel_ver}
d59fc8
d59fc8
# kernel build requirements, generated from:
d59fc8
#   % rpmspec -q --buildrequires kernel.spec | sort | awk '{print "BuildRequires:\t" $0}'
d59fc8
# with arch-specific packages moved into conditional block
d59fc8
BuildRequires:	bash
d59fc8
BuildRequires:	bc
d59fc8
BuildRequires:	binutils
d59fc8
BuildRequires:	bison
d59fc8
BuildRequires:	bpftool
d59fc8
BuildRequires:	bzip2
d59fc8
BuildRequires:	coreutils
d59fc8
BuildRequires:	diffutils
d59fc8
BuildRequires:	dwarves
d59fc8
BuildRequires:	elfutils
d59fc8
BuildRequires:	elfutils-devel
d59fc8
BuildRequires:	findutils
d59fc8
BuildRequires:	flex
d59fc8
BuildRequires:	gawk
d59fc8
BuildRequires:	gcc
d59fc8
BuildRequires:	gcc-c++
d59fc8
BuildRequires:	gcc-plugin-devel
d59fc8
BuildRequires:	git-core
d59fc8
BuildRequires:	glibc-static
d59fc8
BuildRequires:	gzip
d59fc8
BuildRequires:	hmaccalc
d59fc8
BuildRequires:	hostname
d59fc8
BuildRequires:	kernel-rpm-macros >= 185-9
d59fc8
BuildRequires:	kmod
d59fc8
BuildRequires:	m4
d59fc8
BuildRequires:	make
d59fc8
BuildRequires:	net-tools
d59fc8
BuildRequires:	nss-tools
d59fc8
BuildRequires:	openssl
d59fc8
BuildRequires:	openssl-devel
d59fc8
BuildRequires:	patch
d59fc8
BuildRequires:	perl-Carp
d59fc8
BuildRequires:	perl-devel
d59fc8
BuildRequires:	perl-generators
d59fc8
BuildRequires:	perl-interpreter
d59fc8
BuildRequires:	python3-devel
d59fc8
BuildRequires:	redhat-rpm-config
d59fc8
BuildRequires:	rpm-build
d59fc8
BuildRequires:	system-sb-certs
d59fc8
BuildRequires:	tar
d59fc8
BuildRequires:	which
d59fc8
BuildRequires:	xz
d59fc8
d59fc8
%ifarch x86_64
d59fc8
BuildRequires:	pesign >= 0.10-4
d59fc8
%endif
d59fc8
d59fc8
Source0:	https://github.com/dynup/kpatch/archive/v%{kpatch_ver}.tar.gz
d59fc8
d59fc8
Source10:	kernel-%{kernel_ver}.src.rpm
d59fc8
d59fc8
# kpatch-build patches
d59fc8
Patch1: v0.9.7-backport-MR-1314-create-diff-object-fix-__UNI.patch
d59fc8
Patch2: v0.9.7-backport-MR-1315-Static-call-fixes.patch
d59fc8
d59fc8
%global _dupsign_opts --keyname=rhelkpatch1
d59fc8
d59fc8
%define builddir	%{_builddir}/kpatch-%{kpatch_ver}
d59fc8
%define kpatch		%{_sbindir}/kpatch
d59fc8
%define kmoddir 	%{_usr}/lib/kpatch/%{kernel_ver_arch}
d59fc8
%define kinstdir	%{_sharedstatedir}/kpatch/%{kernel_ver_arch}
d59fc8
%define patchmodname	kpatch-%{sanitized_kernel_ver}-%{version}-%{sanitized_rpm_rel}
d59fc8
%define patchmod	%{patchmodname}.ko
d59fc8
d59fc8
%define _missing_build_ids_terminate_build 1
d59fc8
%define _find_debuginfo_opts -r
d59fc8
%undefine _include_minidebuginfo
d59fc8
%undefine _find_debuginfo_dwz_opts
d59fc8
d59fc8
%description
d59fc8
This is a kernel live patch module which can be loaded by the kpatch
d59fc8
command line utility to modify the code of a running kernel.  This patch
d59fc8
module is targeted for kernel-%{kernel_ver}.
d59fc8
d59fc8
%prep
d59fc8
%autosetup -n kpatch-%{kpatch_ver} -p1
d59fc8
d59fc8
%build
d59fc8
kdevdir=/usr/src/kernels/%{kernel_ver_arch}
d59fc8
vmlinux=/usr/lib/debug/lib/modules/%{kernel_ver_arch}/vmlinux
d59fc8
d59fc8
# kpatch-build
d59fc8
make -C kpatch-build
d59fc8
d59fc8
# patch module
d59fc8
for i in %{sources}; do
d59fc8
	[[ $i == *.patch ]] && patch_sources="$patch_sources $i"
d59fc8
done
d59fc8
export CACHEDIR="%{builddir}/.kpatch"
d59fc8
kpatch-build/kpatch-build -n %{patchmodname} -r %{SOURCE10} -v $vmlinux --skip-cleanup $patch_sources || { cat "${CACHEDIR}/build.log"; exit 1; }
d59fc8
d59fc8
d59fc8
%install
d59fc8
installdir=%{buildroot}/%{kmoddir}
d59fc8
install -d $installdir
d59fc8
install -m 755 %{builddir}/%{patchmod} $installdir
d59fc8
d59fc8
d59fc8
%files
d59fc8
%{_usr}/lib/kpatch
d59fc8
d59fc8
d59fc8
%post
d59fc8
%{kpatch} install -k %{kernel_ver_arch} %{kmoddir}/%{patchmod}
d59fc8
chcon -t modules_object_t %{kinstdir}/%{patchmod}
d59fc8
sync
d59fc8
if [[ %{kernel_ver_arch} = $(uname -r) && "${LEAPP_IPU_IN_PROGRESS}" != "8to9" ]]; then
d59fc8
	cver="%{rpm_ver}_%{rpm_rel}"
d59fc8
	pname=$(echo "kpatch_%{sanitized_kernel_ver}" | sed 's/-/_/')
d59fc8
d59fc8
	lver=$({ %{kpatch} list | sed -nr "s/^${pname}_([0-9_]+)\ \[enabled\]$/\1/p"; echo "${cver}"; } | sort -V | tail -1)
d59fc8
d59fc8
	if [ "${lver}" != "${cver}" ]; then
d59fc8
		echo "WARNING: at least one loaded kpatch-patch (${pname}_${lver}) has a newer version than the one being installed."
d59fc8
		echo "WARNING: You will have to reboot to load a downgraded kpatch-patch"
d59fc8
	else
d59fc8
		%{kpatch} load %{patchmod}
d59fc8
	fi
d59fc8
fi
d59fc8
exit 0
d59fc8
d59fc8
d59fc8
%postun
d59fc8
%{kpatch} uninstall -k %{kernel_ver_arch} %{patchmod}
d59fc8
sync
d59fc8
exit 0
d59fc8
d59fc8
%else
d59fc8
%description
d59fc8
This is an empty kpatch-patch package which does not contain any real patches.
d59fc8
It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
d59fc8
d59fc8
%files
d59fc8
%doc
d59fc8
%endif
d59fc8
d59fc8
%changelog
734205
* Tue Feb 14 2023 Yannick Cote <ycote@redhat.com> [1-1.el9_1]
734205
- kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan [2161747] {CVE-2023-0179}
734205
- kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading to remote Denial of Service attack [2153157] {CVE-2022-4379}
734205
- kernel: a stack overflow in do_proc_dointvec and proc_skip_spaces [2152599] {CVE-2022-4378}
734205
- kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c [2153007] {CVE-2022-3564}
734205
d59fc8
* Thu Dec 22 2022 Linqing Lu <lilu@redhat.com> [0-0.el9]
d59fc8
- An empty patch to subscribe to kpatch stream for kernel-5.14.0-162.12.1.el9_1 [2155884]