From 92c3b6c8877712c364a633749f937e2902e621f1 Mon Sep 17 00:00:00 2001 From: Joe Lawrence Date: Mon, 16 May 2022 16:40:57 -0400 Subject: [KPATCH CVE-2022-27666] kpatch fixes for CVE-2022-27666 Content-type: text/plain Kernels: 5.14.0-70.13.1.el9_0 Changes since last build: arches: x86_64 ppc64le esp4.o: changed function: esp_output_head esp6.o: changed function: esp6_output_head --------------------------- Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/1 Approved-by: Yannick Cote (@ycote1) Approved-by: C. Erastus Toe (@ctoe) Modifications: none commit 817a9ce752e72d1633d4fed9e5fcdeed50765a01 Author: Sabrina Dubroca Date: Wed Apr 13 15:56:45 2022 +0200 esp: Fix possible buffer overflow in ESP transformation Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062108 Tested: reproducer + basic ipsec tests CVE: CVE-2022-27666 commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 Author: Steffen Klassert Date: Mon Mar 7 13:11:39 2022 +0100 esp: Fix possible buffer overflow in ESP transformation The maximum message size that can be send is bigger than the maximum site that skb_page_frag_refill can allocate. So it is possible to write beyond the allocated buffer. Fix this by doing a fallback to COW in that case. v2: Avoid get get_order() costs as suggested by Linus Torvalds. Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Reported-by: valis Signed-off-by: Steffen Klassert Signed-off-by: Sabrina Dubroca commit 70414a083333d52297d1915374d78a200d7dcd4d Author: Sabrina Dubroca Date: Wed Apr 13 15:56:58 2022 +0200 esp: limit skb_page_frag_refill use to a single page Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062108 Upstream Status: 5bd8baab087d in ipsec/master Tested: reproducer + basic ipsec tests CVE: CVE-2022-27666 commit 5bd8baab087dff657e05387aee802e70304cc813 Author: Sabrina Dubroca Date: Wed Apr 13 10:10:50 2022 +0200 esp: limit skb_page_frag_refill use to a single page Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP transformation") tried to fix skb_page_frag_refill usage in ESP by capping allocsize to 32k, but that doesn't completely solve the issue, as skb_page_frag_refill may return a single page. If that happens, we will write out of bounds, despite the check introduced in the previous patch. This patch forces COW in cases where we would end up calling skb_page_frag_refill with a size larger than a page (first in esp_output_head with tailen, then in esp_output_tail with skb->data_len). Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") Signed-off-by: Sabrina Dubroca Signed-off-by: Steffen Klassert Signed-off-by: Sabrina Dubroca Signed-off-by: Joe Lawrence --- net/ipv4/esp4.c | 4 ++++ net/ipv6/esp6.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index a09e36c4a413..2b52b40fde27 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -457,6 +457,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * return err; } + if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE || + ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) + goto cow; + if (!skb_cloned(skb)) { if (tailen <= skb_tailroom(skb)) { nfrags = 1; diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index ed2f061b8768..7f7b2e27109e 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -491,6 +491,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info return err; } + if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE || + ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) + goto cow; + if (!skb_cloned(skb)) { if (tailen <= skb_tailroom(skb)) { nfrags = 1; -- 2.26.3