From aa804e48dc6bfb73eb24b61b8955a34673aa3280 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 20 2022 11:39:56 +0000
Subject: import kpatch-patch-5_14_0-70_17_1-1-1.el9_0


---

diff --git a/.gitignore b/.gitignore
index e69de29..2958436 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/kernel-5.14.0-70.17.1.el9_0.src.rpm
+SOURCES/v0.9.6.tar.gz
diff --git a/.kpatch-patch-5_14_0-70_17_1.metadata b/.kpatch-patch-5_14_0-70_17_1.metadata
index e69de29..c48f26a 100644
--- a/.kpatch-patch-5_14_0-70_17_1.metadata
+++ b/.kpatch-patch-5_14_0-70_17_1.metadata
@@ -0,0 +1,2 @@
+7e816c04a9be958e20935eb9809d41856ce43cd0 SOURCES/kernel-5.14.0-70.17.1.el9_0.src.rpm
+223c224ddd6896c467b9347ab297e3f7f013f5d7 SOURCES/v0.9.6.tar.gz
diff --git a/SOURCES/CVE-2022-34918.patch b/SOURCES/CVE-2022-34918.patch
new file mode 100644
index 0000000..c1ef116
--- /dev/null
+++ b/SOURCES/CVE-2022-34918.patch
@@ -0,0 +1,84 @@
+From 4dbabad13fa5c506138d15506f220006cde28d30 Mon Sep 17 00:00:00 2001
+From: Linqing Lu <lilu@redhat.com>
+Date: Thu, 4 Aug 2022 16:36:13 -0400
+Subject: [KPATCH CVE-2022-34918] kpatch fixes for CVE-2022-34918
+
+Kernels:
+5.14.0-70.13.1.el9_0
+5.14.0-70.17.1.el9_0
+
+
+Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/4
+Approved-by: Joe Lawrence (@joe.lawrence)
+Changes since last build:
+arches: x86_64 ppc64le
+nf_tables_api.o: changed function: nft_add_set_elem
+---------------------------
+
+Modifications: none
+
+commit 6fd61750c2355e23d4cb1b1d9de297b884076a06
+Author: Florian Westphal <fwestpha@redhat.com>
+Date:   Mon Jul 4 08:12:40 2022 +0200
+
+    netfilter: nf_tables: stricter validation of element data
+
+    Bugzilla: https://bugzilla.redhat.com/2104591
+    CVE: CVE-2022-34918
+    Y-Commit: 42087f51a09378ae5fa93d3bea82b4883f983e57
+
+    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2104592
+    Upstream Status: commit 7e6bc1f6cabc
+    O-CVE: CVE-2022-34918
+
+    commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6
+    Author: Pablo Neira Ayuso <pablo@netfilter.org>
+    Date:   Sat Jul 2 04:16:30 2022 +0200
+
+        netfilter: nf_tables: stricter validation of element data
+
+        Make sure element data type and length do not mismatch the one specified
+        by the set declaration.
+
+        Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data")
+        Reported-by: Hugues ANGUELKOV <hanguelkov@randorisec.fr>
+        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+    Signed-off-by: Florian Westphal <fwestpha@redhat.com>
+    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>
+
+Signed-off-by: Linqing Lu <lilu@redhat.com>
+---
+ net/netfilter/nf_tables_api.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index d495e10044dc..741a4e937e6f 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5094,13 +5094,20 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
+ 				  struct nft_data *data,
+ 				  struct nlattr *attr)
+ {
++	u32 dtype;
+ 	int err;
+ 
+ 	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
+ 	if (err < 0)
+ 		return err;
+ 
+-	if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
++	if (set->dtype == NFT_DATA_VERDICT)
++		dtype = NFT_DATA_VERDICT;
++	else
++		dtype = NFT_DATA_VALUE;
++
++	if (dtype != desc->type ||
++	    set->dlen != desc->len) {
+ 		nft_data_release(data, desc->type);
+ 		return -EINVAL;
+ 	}
+-- 
+2.37.2
+
+
diff --git a/SPECS/kpatch-patch.spec b/SPECS/kpatch-patch.spec
index eb6c4d2..56ae90c 100644
--- a/SPECS/kpatch-patch.spec
+++ b/SPECS/kpatch-patch.spec
@@ -1,17 +1,18 @@
 # Set to 1 if building an empty subscription-only package.
-%define empty_package		1
+%define empty_package		0
 
 #######################################################
 # Only need to update these variables and the changelog
 %define kernel_ver	5.14.0-70.17.1.el9_0
 %define kpatch_ver	0.9.6
-%define rpm_ver		0
-%define rpm_rel		0
+%define rpm_ver		1
+%define rpm_rel		1
 
 %if !%{empty_package}
 # Patch sources below. DO NOT REMOVE THIS LINE.
-Source100:		XXX.patch
-#Source101:		YYY.patch
+#
+# https://bugzilla.redhat.com/2106306
+Source100: CVE-2022-34918.patch
 # End of patch sources. DO NOT REMOVE THIS LINE.
 %endif
 
@@ -187,5 +188,8 @@ It is only a method to subscribe to the kpatch stream for kernel-%{kernel_ver}.
 %endif
 
 %changelog
+* Wed Sep 07 2022 Yannick Cote <ycote@redhat.com> [1-1.el9_0]
+- kernel: heap overflow in nft_set_elem_init() [2106306] {CVE-2022-34918}
+
 * Wed Jun 29 2022 Yannick Cote <ycote@redhat.com> [0-0.el9]
 - An empty patch to subscribe to kpatch stream for kernel-5.14.0-70.17.1.el9_0 [2100132]