diff --git a/SOURCES/CVE-2022-34918.patch b/SOURCES/CVE-2022-34918.patch new file mode 100644 index 0000000..c1ef116 --- /dev/null +++ b/SOURCES/CVE-2022-34918.patch @@ -0,0 +1,84 @@ +From 4dbabad13fa5c506138d15506f220006cde28d30 Mon Sep 17 00:00:00 2001 +From: Linqing Lu +Date: Thu, 4 Aug 2022 16:36:13 -0400 +Subject: [KPATCH CVE-2022-34918] kpatch fixes for CVE-2022-34918 + +Kernels: +5.14.0-70.13.1.el9_0 +5.14.0-70.17.1.el9_0 + + +Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/4 +Approved-by: Joe Lawrence (@joe.lawrence) +Changes since last build: +arches: x86_64 ppc64le +nf_tables_api.o: changed function: nft_add_set_elem +--------------------------- + +Modifications: none + +commit 6fd61750c2355e23d4cb1b1d9de297b884076a06 +Author: Florian Westphal +Date: Mon Jul 4 08:12:40 2022 +0200 + + netfilter: nf_tables: stricter validation of element data + + Bugzilla: https://bugzilla.redhat.com/2104591 + CVE: CVE-2022-34918 + Y-Commit: 42087f51a09378ae5fa93d3bea82b4883f983e57 + + O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2104592 + Upstream Status: commit 7e6bc1f6cabc + O-CVE: CVE-2022-34918 + + commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 + Author: Pablo Neira Ayuso + Date: Sat Jul 2 04:16:30 2022 +0200 + + netfilter: nf_tables: stricter validation of element data + + Make sure element data type and length do not mismatch the one specified + by the set declaration. + + Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data") + Reported-by: Hugues ANGUELKOV + Signed-off-by: Pablo Neira Ayuso + + Signed-off-by: Florian Westphal + Signed-off-by: Herton R. Krzesinski + +Signed-off-by: Linqing Lu +--- + net/netfilter/nf_tables_api.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index d495e10044dc..741a4e937e6f 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5094,13 +5094,20 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, + struct nft_data *data, + struct nlattr *attr) + { ++ u32 dtype; + int err; + + err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); + if (err < 0) + return err; + +- if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { ++ if (set->dtype == NFT_DATA_VERDICT) ++ dtype = NFT_DATA_VERDICT; ++ else ++ dtype = NFT_DATA_VALUE; ++ ++ if (dtype != desc->type || ++ set->dlen != desc->len) { + nft_data_release(data, desc->type); + return -EINVAL; + } +-- +2.37.2 + + diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec index f5b3c5d..fabf1a8 100644 --- a/SPECS/kpatch-patch.spec +++ b/SPECS/kpatch-patch.spec @@ -6,7 +6,7 @@ %define kernel_ver 5.14.0-70.13.1.el9_0 %define kpatch_ver 0.9.6 %define rpm_ver 1 -%define rpm_rel 1 +%define rpm_rel 2 %if !%{empty_package} # Patch sources below. DO NOT REMOVE THIS LINE. @@ -19,6 +19,9 @@ Source101: CVE-2022-1966.patch # # https://bugzilla.redhat.com/2087132 Source102: CVE-2022-1012.patch +# +# https://bugzilla.redhat.com/2106306 +Source103: CVE-2022-34918.patch # End of patch sources. DO NOT REMOVE THIS LINE. %endif @@ -194,6 +197,9 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}. %endif %changelog +* Wed Sep 07 2022 Yannick Cote [1-2.el9_0] +- kernel: heap overflow in nft_set_elem_init() [2106306] {CVE-2022-34918} + * Wed Jun 22 2022 Joe Lawrence [1-1.el9_0] - kernel: Small table perturb size in the TCP source port generation algorithm can lead to information leak [2087132] {CVE-2022-1012} - kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root [2093170] {CVE-2022-1966}