Blame SPECS/kpatch-patch.spec

451e8b
# Set to 1 if building an empty subscription-only package.
cf3d8e
%define empty_package		0
451e8b
451e8b
#######################################################
451e8b
# Only need to update these variables and the changelog
451e8b
%define kernel_ver	5.14.0-162.6.1.el9_1
451e8b
%define kpatch_ver	0.9.7
cf3d8e
%define rpm_ver		1
4be359
%define rpm_rel		3
451e8b
451e8b
%if !%{empty_package}
451e8b
# Patch sources below. DO NOT REMOVE THIS LINE.
cf3d8e
#
cf3d8e
# https://bugzilla.redhat.com/2141637
cf3d8e
Source100: CVE-2022-2959.patch
cf3d8e
#
cf3d8e
# https://bugzilla.redhat.com/2142785
cf3d8e
Source101: CVE-2022-2964.patch
cf3d8e
#
cf3d8e
# https://bugzilla.redhat.com/2147591
cf3d8e
Source102: CVE-2022-4139.patch
cf3d8e
#
cf3d8e
# https://bugzilla.redhat.com/2143187
cf3d8e
Source103: CVE-2022-43945.patch
81ae6d
#
81ae6d
# https://bugzilla.redhat.com/2153007
81ae6d
Source104: CVE-2022-3564.patch
81ae6d
#
81ae6d
# https://bugzilla.redhat.com/2152599
81ae6d
Source105: CVE-2022-4378.patch
81ae6d
#
81ae6d
# https://bugzilla.redhat.com/2153157
81ae6d
Source106: CVE-2022-4379.patch
81ae6d
#
81ae6d
# https://bugzilla.redhat.com/2161747
81ae6d
Source107: CVE-2023-0179.patch
4be359
#
4be359
# https://bugzilla.redhat.com/2156383
4be359
Source108: CVE-2022-4744.patch
4be359
#
4be359
# https://bugzilla.redhat.com/2163415
4be359
Source109: CVE-2023-0266.patch
451e8b
# End of patch sources. DO NOT REMOVE THIS LINE.
451e8b
%endif
451e8b
451e8b
%define sanitized_rpm_rel	%{lua: print((string.gsub(rpm.expand("%rpm_rel"), "%.", "_")))}
451e8b
%define sanitized_kernel_ver   %{lua: print((string.gsub(string.gsub(rpm.expand("%kernel_ver"), '.el9_?\%d?', ""), "%.", "_")))}
451e8b
%define kernel_ver_arch        %{kernel_ver}.%{_arch}
451e8b
451e8b
Name:		kpatch-patch-%{sanitized_kernel_ver}
451e8b
Version:	%{rpm_ver}
451e8b
Release:	%{rpm_rel}%{?dist}
451e8b
451e8b
%if %{empty_package}
451e8b
Summary:	Initial empty kpatch-patch for kernel-%{kernel_ver_arch}
451e8b
%else
451e8b
Summary:	Live kernel patching module for kernel-%{kernel_ver_arch}
451e8b
%endif
451e8b
451e8b
Group:		System Environment/Kernel
451e8b
License:	GPLv2
451e8b
ExclusiveArch:	x86_64 ppc64le
451e8b
451e8b
Conflicts:	%{name} < %{version}-%{release}
451e8b
451e8b
Provides:	kpatch-patch = %{kernel_ver_arch}
451e8b
Provides:	kpatch-patch = %{kernel_ver}
451e8b
451e8b
%if !%{empty_package}
451e8b
Requires:	systemd
451e8b
%endif
451e8b
Requires:	kpatch >= 0.6.1-1
451e8b
Requires:	kernel-uname-r = %{kernel_ver_arch}
451e8b
451e8b
%if !%{empty_package}
451e8b
BuildRequires:	patchutils
451e8b
BuildRequires:	kernel-devel = %{kernel_ver}
451e8b
BuildRequires:	kernel-debuginfo = %{kernel_ver}
451e8b
451e8b
# kernel build requirements, generated from:
451e8b
#   % rpmspec -q --buildrequires kernel.spec | sort | awk '{print "BuildRequires:\t" $0}'
451e8b
# with arch-specific packages moved into conditional block
451e8b
BuildRequires:	bash
451e8b
BuildRequires:	bc
451e8b
BuildRequires:	binutils
451e8b
BuildRequires:	bison
451e8b
BuildRequires:	bpftool
451e8b
BuildRequires:	bzip2
451e8b
BuildRequires:	coreutils
451e8b
BuildRequires:	diffutils
451e8b
BuildRequires:	dwarves
451e8b
BuildRequires:	elfutils
451e8b
BuildRequires:	elfutils-devel
451e8b
BuildRequires:	findutils
451e8b
BuildRequires:	flex
451e8b
BuildRequires:	gawk
451e8b
BuildRequires:	gcc
451e8b
BuildRequires:	gcc-c++
451e8b
BuildRequires:	gcc-plugin-devel
451e8b
BuildRequires:	git-core
451e8b
BuildRequires:	glibc-static
451e8b
BuildRequires:	gzip
451e8b
BuildRequires:	hmaccalc
451e8b
BuildRequires:	hostname
451e8b
BuildRequires:	kernel-rpm-macros >= 185-9
451e8b
BuildRequires:	kmod
451e8b
BuildRequires:	m4
451e8b
BuildRequires:	make
451e8b
BuildRequires:	net-tools
451e8b
BuildRequires:	nss-tools
451e8b
BuildRequires:	openssl
451e8b
BuildRequires:	openssl-devel
451e8b
BuildRequires:	patch
451e8b
BuildRequires:	perl-Carp
451e8b
BuildRequires:	perl-devel
451e8b
BuildRequires:	perl-generators
451e8b
BuildRequires:	perl-interpreter
451e8b
BuildRequires:	python3-devel
451e8b
BuildRequires:	redhat-rpm-config
451e8b
BuildRequires:	rpm-build
451e8b
BuildRequires:	system-sb-certs
451e8b
BuildRequires:	tar
451e8b
BuildRequires:	which
451e8b
BuildRequires:	xz
451e8b
451e8b
%ifarch x86_64
451e8b
BuildRequires:	pesign >= 0.10-4
451e8b
%endif
451e8b
451e8b
Source0:	https://github.com/dynup/kpatch/archive/v%{kpatch_ver}.tar.gz
451e8b
451e8b
Source10:	kernel-%{kernel_ver}.src.rpm
451e8b
451e8b
# kpatch-build patches
cf3d8e
Patch1: v0.9.7-backport-MR-1314-create-diff-object-fix-__UNI.patch
cf3d8e
Patch2: v0.9.7-backport-MR-1315-Static-call-fixes.patch
451e8b
451e8b
%global _dupsign_opts --keyname=rhelkpatch1
451e8b
451e8b
%define builddir	%{_builddir}/kpatch-%{kpatch_ver}
451e8b
%define kpatch		%{_sbindir}/kpatch
451e8b
%define kmoddir 	%{_usr}/lib/kpatch/%{kernel_ver_arch}
451e8b
%define kinstdir	%{_sharedstatedir}/kpatch/%{kernel_ver_arch}
451e8b
%define patchmodname	kpatch-%{sanitized_kernel_ver}-%{version}-%{sanitized_rpm_rel}
451e8b
%define patchmod	%{patchmodname}.ko
451e8b
451e8b
%define _missing_build_ids_terminate_build 1
451e8b
%define _find_debuginfo_opts -r
451e8b
%undefine _include_minidebuginfo
451e8b
%undefine _find_debuginfo_dwz_opts
451e8b
451e8b
%description
451e8b
This is a kernel live patch module which can be loaded by the kpatch
451e8b
command line utility to modify the code of a running kernel.  This patch
451e8b
module is targeted for kernel-%{kernel_ver}.
451e8b
451e8b
%prep
451e8b
%autosetup -n kpatch-%{kpatch_ver} -p1
451e8b
451e8b
%build
451e8b
kdevdir=/usr/src/kernels/%{kernel_ver_arch}
451e8b
vmlinux=/usr/lib/debug/lib/modules/%{kernel_ver_arch}/vmlinux
451e8b
451e8b
# kpatch-build
451e8b
make -C kpatch-build
451e8b
451e8b
# patch module
451e8b
for i in %{sources}; do
451e8b
	[[ $i == *.patch ]] && patch_sources="$patch_sources $i"
451e8b
done
451e8b
export CACHEDIR="%{builddir}/.kpatch"
451e8b
kpatch-build/kpatch-build -n %{patchmodname} -r %{SOURCE10} -v $vmlinux --skip-cleanup $patch_sources || { cat "${CACHEDIR}/build.log"; exit 1; }
451e8b
451e8b
451e8b
%install
451e8b
installdir=%{buildroot}/%{kmoddir}
451e8b
install -d $installdir
451e8b
install -m 755 %{builddir}/%{patchmod} $installdir
451e8b
451e8b
451e8b
%files
451e8b
%{_usr}/lib/kpatch
451e8b
451e8b
451e8b
%post
451e8b
%{kpatch} install -k %{kernel_ver_arch} %{kmoddir}/%{patchmod}
451e8b
chcon -t modules_object_t %{kinstdir}/%{patchmod}
451e8b
sync
451e8b
if [[ %{kernel_ver_arch} = $(uname -r) && "${LEAPP_IPU_IN_PROGRESS}" != "8to9" ]]; then
451e8b
	cver="%{rpm_ver}_%{rpm_rel}"
451e8b
	pname=$(echo "kpatch_%{sanitized_kernel_ver}" | sed 's/-/_/')
451e8b
451e8b
	lver=$({ %{kpatch} list | sed -nr "s/^${pname}_([0-9_]+)\ \[enabled\]$/\1/p"; echo "${cver}"; } | sort -V | tail -1)
451e8b
451e8b
	if [ "${lver}" != "${cver}" ]; then
451e8b
		echo "WARNING: at least one loaded kpatch-patch (${pname}_${lver}) has a newer version than the one being installed."
451e8b
		echo "WARNING: You will have to reboot to load a downgraded kpatch-patch"
451e8b
	else
451e8b
		%{kpatch} load %{patchmod}
451e8b
	fi
451e8b
fi
451e8b
exit 0
451e8b
451e8b
451e8b
%postun
451e8b
%{kpatch} uninstall -k %{kernel_ver_arch} %{patchmod}
451e8b
sync
451e8b
exit 0
451e8b
451e8b
%else
451e8b
%description
451e8b
This is an empty kpatch-patch package which does not contain any real patches.
451e8b
It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
451e8b
451e8b
%files
451e8b
%doc
451e8b
%endif
451e8b
451e8b
%changelog
4be359
* Sat Mar 18 2023 Yannick Cote <ycote@redhat.com> [1-3.el9_1]
4be359
- ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF [2163415] {CVE-2023-0266}
4be359
- EMBARGOED CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev [2156383] {CVE-2022-4744}
4be359
81ae6d
* Tue Feb 14 2023 Yannick Cote <ycote@redhat.com> [1-2.el9_1]
81ae6d
- kernel: Netfilter integer overflow vulnerability in nft_payload_copy_vlan [2161747] {CVE-2023-0179}
81ae6d
- kernel: use-after-free in __nfs42_ssc_open() in fs/nfs/nfs4file.c leading to remote Denial of Service attack [2153157] {CVE-2022-4379}
81ae6d
- kernel: a stack overflow in do_proc_dointvec and proc_skip_spaces [2152599] {CVE-2022-4378}
81ae6d
- kernel: use-after-free caused by l2cap_reassemble_sdu() in net/bluetooth/l2cap_core.c [2153007] {CVE-2022-3564}
81ae6d
cf3d8e
* Wed Jan 04 2023 Yannick Cote <ycote@redhat.com> [1-1.el9_1]
cf3d8e
- kernel: nfsd buffer overflow by RPC message over TCP with garbage data [2143187] {CVE-2022-43945}
cf3d8e
- kernel: i915: Incorrect GPU TLB flush can lead to random memory access [2147591] {CVE-2022-4139}
cf3d8e
- kernel: memory corruption in AX88179_178A based USB ethernet device. [2142785] {CVE-2022-2964}
cf3d8e
- kernel: watch queue race condition can lead to privilege escalation [2141637] {CVE-2022-2959}
cf3d8e
451e8b
* Mon Oct 24 2022 Yannick Cote <ycote@redhat.com> [0-0.el9]
451e8b
- An empty patch to subscribe to kpatch stream for kernel-5.14.0-162.6.1.el9_1 [2137424]