diff --git a/SOURCES/CVE-2023-0386.patch b/SOURCES/CVE-2023-0386.patch new file mode 100644 index 0000000..4cf956d --- /dev/null +++ b/SOURCES/CVE-2023-0386.patch @@ -0,0 +1,79 @@ +From 3bf90da39cf14660a11e3980451c757398bcf84e Mon Sep 17 00:00:00 2001 +From: Ryan Sullivan +Date: Wed, 15 Mar 2023 10:24:04 -0400 +Subject: [KPATCH CVE-2023-0386] kpatch fixes for CVE-2023-0386 + +Kernels: +5.14.0-162.6.1.el9_1 +5.14.0-162.12.1.el9_1 +5.14.0-162.18.1.el9_1 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/26 +Approved-by: Joe Lawrence (@joe.lawrence) +Approved-by: Yannick Cote (@ycote1) +Changes since last build: +arches: x86_64 ppc64le +copy_up.o: changed function: ovl_copy_up_one +--------------------------- + +Modifications: none + +commit 977edea04b2c1dd1dc51ae7a1dbf5b484c048045 +Author: Miklos Szeredi +Date: Tue Jan 24 16:41:18 2023 +0100 + + ovl: fail on invalid uid/gid mapping at copy up + + Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2165344 + CVE: CVE-2023-0386 + + If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then + copy-up should fail, just like it would fail if the mounter task was doing + the copy using "cp -a". + + There's a corner case where the "cp -a" would succeed but copy up fail: if + there's a mapping of the invalid uid/gid (65534 by default) in the user + namespace. This is because stat(2) will return this value if the mapping + doesn't exist in the current user_ns and "cp -a" will in turn be able to + create a file with this uid/gid. + + This behavior would be inconsistent with POSIX ACL's, which return -1 for + invalid uid/gid which result in a failed copy. + + For consistency and simplicity fail the copy of the st_uid/st_gid are + invalid. + + Fixes: 459c7c565ac3 ("ovl: unprivieged mounts") + Cc: # v5.11 + Signed-off-by: Miklos Szeredi + Reviewed-by: Christian Brauner + Reviewed-by: Seth Forshee + (cherry picked from commit 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3) + + Signed-off-by: Miklos Szeredi + +Signed-off-by: Ryan Sullivan +--- + fs/overlayfs/copy_up.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c +index 2846b943e80c..95b2173ab9bc 100644 +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -886,6 +886,10 @@ static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry, + if (err) + return err; + ++ if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) || ++ !kgid_has_mapping(current_user_ns(), ctx.stat.gid)) ++ return -EOVERFLOW; ++ + ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags); + + if (parent) { +-- +2.39.2 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index e2f0ff3..ab4f9ed 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 5.14.0-162.12.1.el9_1 %define kpatch_ver 0.9.7 %define rpm_ver 1 -%define rpm_rel 2 +%define rpm_rel 3 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -28,6 +28,9 @@ Source104: CVE-2022-4744.patch # # https://bugzilla.redhat.com/2163415 Source105: CVE-2023-0266.patch +# +# https://bugzilla.redhat.com/2165362 +Source106: CVE-2023-0386.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -205,6 +208,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Mon Mar 27 2023 Yannick Cote [1-3.el9_1] +- kernel: FUSE filesystem low-privileged user privileges escalation [2165362] {CVE-2023-0386} + * Sat Mar 18 2023 Yannick Cote [1-2.el9_1] - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF [2163415] {CVE-2023-0266} - EMBARGOED CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev [2156383] {CVE-2022-4744}