From 92c3b6c8877712c364a633749f937e2902e621f1 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Mon, 16 May 2022 16:40:57 -0400
Subject: [KPATCH CVE-2022-27666] kpatch fixes for CVE-2022-27666
Content-type: text/plain
|
Kernels:
5.14.0-70.13.1.el9_0
|
Changes since last build:
arches: x86_64 ppc64le
esp4.o: changed function: esp_output_head
esp6.o: changed function: esp6_output_head
---------------------------
|
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/1
Approved-by: Yannick Cote (@ycote1)
Approved-by: C. Erastus Toe (@ctoe)
Modifications: none
|
commit 817a9ce752e72d1633d4fed9e5fcdeed50765a01
Author: Sabrina Dubroca <sdubroca@redhat.com>
Date: Wed Apr 13 15:56:45 2022 +0200
|
esp: Fix possible buffer overflow in ESP transformation
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062108
Tested: reproducer + basic ipsec tests
CVE: CVE-2022-27666
|
commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon Mar 7 13:11:39 2022 +0100
|
esp: Fix possible buffer overflow in ESP transformation
|
The maximum message size that can be send is bigger than
the maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.
|
Fix this by doing a fallback to COW in that case.
|
v2:
|
Avoid get get_order() costs as suggested by Linus Torvalds.
|
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
|
commit 70414a083333d52297d1915374d78a200d7dcd4d
Author: Sabrina Dubroca <sdubroca@redhat.com>
Date: Wed Apr 13 15:56:58 2022 +0200
|
esp: limit skb_page_frag_refill use to a single page
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062108
Upstream Status: 5bd8baab087d in ipsec/master
Tested: reproducer + basic ipsec tests
CVE: CVE-2022-27666
|
commit 5bd8baab087dff657e05387aee802e70304cc813
Author: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed Apr 13 10:10:50 2022 +0200
|
esp: limit skb_page_frag_refill use to a single page
|
Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP
transformation") tried to fix skb_page_frag_refill usage in ESP by
capping allocsize to 32k, but that doesn't completely solve the issue,
as skb_page_frag_refill may return a single page. If that happens, we
will write out of bounds, despite the check introduced in the previous
patch.
|
This patch forces COW in cases where we would end up calling
skb_page_frag_refill with a size larger than a page (first in
esp_output_head with tailen, then in esp_output_tail with
skb->data_len).
|
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
|
Signed-off-by: Sabrina Dubroca <sdubroca@redhat.com>
|
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
net/ipv4/esp4.c | 4 ++++
net/ipv6/esp6.c | 4 ++++
2 files changed, 8 insertions(+)
|
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
|
|
|
098754 |
index a09e36c4a413..2b52b40fde27 100644
|
|
|
098754 |
--- a/net/ipv4/esp4.c
|
|
|
098754 |
+++ b/net/ipv4/esp4.c
|
|
|
098754 |
@@ -457,6 +457,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
|
|
|
098754 |
return err;
|
|
|
098754 |
}
|
|
|
098754 |
|
|
|
098754 |
+ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
|
|
|
098754 |
+ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
|
|
|
098754 |
+ goto cow;
|
|
|
098754 |
+
|
|
|
098754 |
if (!skb_cloned(skb)) {
|
|
|
098754 |
if (tailen <= skb_tailroom(skb)) {
|
|
|
098754 |
nfrags = 1;
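Review bot: The added guard bounds `tailen` and `skb->data_len` separately, but the commit message says the second skb_page_frag_refill happens later in esp_output_tail with `skb->data_len`, and in upstream esp_output_head the page-frag branch (outside this hunk) grows `skb->data_len` by `tailen` before that call — if this kernel does the same, the later refill is asked for roughly `tailen + data_len`, which can exceed PAGE_SIZE while each term alone passes the check. Since skb_page_frag_refill can, as far as I recall, fall back to a single order-0 page when a larger allocation fails, a combined test `if (ALIGN(tailen + skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) goto cow;` is at least as strict as the pair and would close that window; as this kpatch mirrors upstream 5bd8baab with "Modifications: none", such a tightening belongs upstream first rather than as a local divergence. The guard also deserves a why-comment so the intent survives, e.g. `/* skb_page_frag_refill() may hand back a single page even when asked for more, so anything needing more than PAGE_SIZE must take the skb_cow_data() path */`. esp_output_head's `cow:` label and the page-frag branch are outside the hunk.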
|
|
|
098754 |
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
|
|
|
098754 |
index ed2f061b8768..7f7b2e27109e 100644
|
|
|
098754 |
--- a/net/ipv6/esp6.c
|
|
|
098754 |
+++ b/net/ipv6/esp6.c
|
|
|
098754 |
@@ -491,6 +491,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
|
|
|
098754 |
return err;
|
|
|
098754 |
}
|
|
|
098754 |
|
|
|
098754 |
+ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
|
|
|
098754 |
+ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
|
|
|
098754 |
+ goto cow;
|
|
|
098754 |
+
|
|
|
098754 |
if (!skb_cloned(skb)) {
|
|
|
098754 |
if (tailen <= skb_tailroom(skb)) {
|
|
|
098754 |
nfrags = 1;
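Review bot: The new check sits before the `tailen <= skb_tailroom(skb)` fast path, so a large `skb->data_len` now forces skb_cow_data even when the trailer would fit in the existing tailroom and no page-frag refill would be attempted; that is the conservative choice upstream made and esp4.c gets the identical lines, so it should stay, but it is easy to "optimize" away later. A short comment would protect it, e.g. `/* Never ask skb_page_frag_refill() for more than PAGE_SIZE (here with tailen, later in esp6_output_tail with data_len): it may return a single page and we would write past it. */`. The same question as for esp4.c applies here: if esp6_output_head's page-frag branch adds `tailen` to `skb->data_len` before esp6_output_tail's refill, the two independent bounds do not cap their sum, whereas `ALIGN(tailen + skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE` would; confirm against the full function, which continues outside the hunk.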
|
|
|
098754 |
--
2.26.3