From e3d1b985a1b9ba34c99fb54b17b836044e0676d5 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 11 Aug 2022 08:44:46 -0500 Subject: kernel-5.18.17-200 * Thu Aug 11 2022 Justin M. Forbes [5.18.17-0] - netfilter: nf_tables: do not allow RULE_ID to refer to another chain (Thadeu Lima de Souza Cascardo) - netfilter: nf_tables: do not allow CHAIN_ID to refer to another table (Thadeu Lima de Souza Cascardo) - netfilter: nf_tables: do not allow SET_ID to refer to another table (Thadeu Lima de Souza Cascardo) - net_sched: cls_route: remove from list when handle is 0 (Thadeu Lima de Souza Cascardo) - posix-cpu-timers: Cleanup CPU timers before freeing them during exec (Thadeu Lima de Souza Cascardo) - Linux v5.18.16 (Justin M. Forbes) Resolves: Signed-off-by: Justin M. Forbes --- Patchlist.changelog | 15 ++++++ kernel.spec | 11 ++-- patch-5.18-redhat.patch | 139 +++++++++++++++++++++++++++++++++++++++++++++++- sources | 6 +-- 4 files changed, 163 insertions(+), 8 deletions(-) diff --git a/Patchlist.changelog b/Patchlist.changelog index 7e374847f..78dcd535a 100644 --- a/Patchlist.changelog +++ b/Patchlist.changelog 
@@ -1,3 +1,18 @@ +"https://gitlab.com/cki-project/kernel-ark/-/commit"/9602f79ee66be0de1e67917bfc95252c6e596a9c + 9602f79ee66be0de1e67917bfc95252c6e596a9c netfilter: nf_tables: do not allow RULE_ID to refer to another chain + +"https://gitlab.com/cki-project/kernel-ark/-/commit"/659e3d168cadf504f65adc830287592f0397f8d4 + 659e3d168cadf504f65adc830287592f0397f8d4 netfilter: nf_tables: do not allow CHAIN_ID to refer to another table + +"https://gitlab.com/cki-project/kernel-ark/-/commit"/29e6901364bcdd9d664b3a5bb142063710f66745 + 29e6901364bcdd9d664b3a5bb142063710f66745 netfilter: nf_tables: do not allow SET_ID to refer to another table + +"https://gitlab.com/cki-project/kernel-ark/-/commit"/2aff526ed9ac346017df36be2ee8cf3cb08a85f0 + 2aff526ed9ac346017df36be2ee8cf3cb08a85f0 net_sched: cls_route: remove from list when handle is 0 + +"https://gitlab.com/cki-project/kernel-ark/-/commit"/5bd3fa9e52be0ddcacde0c305a19e500f9572606 + 5bd3fa9e52be0ddcacde0c305a19e500f9572606 posix-cpu-timers: Cleanup CPU timers before freeing them during exec + "https://gitlab.com/cki-project/kernel-ark/-/commit"/f014b0b869404c24a955539ae044dae72f639cce f014b0b869404c24a955539ae044dae72f639cce um: Add missing apply_returns() diff --git a/kernel.spec b/kernel.spec index 0bc5747c2..97f117884 100755 --- a/kernel.spec +++ b/kernel.spec @@ -122,11 +122,11 @@ Summary: The Linux kernel # the --with-release option overrides this setting.) %define debugbuildsenabled 1 # define buildid .local -%define specversion 5.18.16 +%define specversion 5.18.17 %define patchversion 5.18 %define pkgrelease 200 %define kversion 5 -%define tarfile_release 5.18.16 +%define tarfile_release 5.18.17 # This is needed to do merge window version magic %define patchlevel 18 # allow pkg_release to have configurable %%{?dist} tag 
@@ -3034,7 +3034,12 @@ fi # # %changelog -* Wed Aug 03 2022 Justin M. Forbes [5.18.16-200] +* Thu Aug 11 2022 Justin M. Forbes [5.18.17-0] +- netfilter: nf_tables: do not allow RULE_ID to refer to another chain (Thadeu Lima de Souza Cascardo) +- netfilter: nf_tables: do not allow CHAIN_ID to refer to another table (Thadeu Lima de Souza Cascardo) +- netfilter: nf_tables: do not allow SET_ID to refer to another table (Thadeu Lima de Souza Cascardo) +- net_sched: cls_route: remove from list when handle is 0 (Thadeu Lima de Souza Cascardo) +- posix-cpu-timers: Cleanup CPU timers before freeing them during exec (Thadeu Lima de Souza Cascardo) - Linux v5.18.16 (Justin M. Forbes) * Wed Aug 03 2022 Justin M. Forbes [5.18.16-0] diff --git a/patch-5.18-redhat.patch b/patch-5.18-redhat.patch index 2dd9176fe..c9afbe732 100644 --- a/patch-5.18-redhat.patch +++ b/patch-5.18-redhat.patch @@ -30,6 +30,7 @@ drivers/nvme/host/nvme.h | 4 + drivers/pci/quirks.c | 24 ++++ drivers/usb/core/hub.c | 7 ++ + fs/exec.c | 3 + include/linux/efi.h | 24 ++-- include/linux/lsm_hook_defs.h | 2 + include/linux/lsm_hooks.h | 6 + @@ -37,15 +38,17 @@ include/linux/security.h | 5 + init/Kconfig | 2 +- kernel/module_signing.c | 9 +- + net/netfilter/nf_tables_api.c | 17 ++- + net/sched/cls_route.c | 2 +- scripts/tags.sh | 2 + security/integrity/platform_certs/load_uefi.c | 6 +- security/lockdown/Kconfig | 13 +++ security/lockdown/lockdown.c | 1 + security/security.c | 6 + - 44 files changed, 721 insertions(+), 191 deletions(-) + 47 files changed, 737 insertions(+), 197 deletions(-) diff --git a/Makefile b/Makefile -index 18bcbcd037f0..0d3bf7d650c0 100644 +index ef8c18e5c161..81900a28f77b 100644 --- a/Makefile +++ b/Makefile @@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \ 
@@ -1516,6 +1519,20 @@ index 1460857026e0..7e1964891089 100644 /* Lock the device, then check to see if we were * disconnected while waiting for the lock to succeed. */ usb_lock_device(hdev); +diff --git a/fs/exec.c b/fs/exec.c +index 5a75e92b1a0a..a9f5acf8f0ec 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1297,6 +1297,9 @@ int begin_new_exec(struct linux_binprm * bprm) + bprm->mm = NULL; + + #ifdef CONFIG_POSIX_TIMERS ++ spin_lock_irq(&me->sighand->siglock); ++ posix_cpu_timers_exit(me); ++ spin_unlock_irq(&me->sighand->siglock); + exit_itimers(me); + flush_itimer_signals(); + #endif diff --git a/include/linux/efi.h b/include/linux/efi.h index cc6d2be2ffd5..418d814d2eb7 100644 --- a/include/linux/efi.h 
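Review bot: The three lines added to begin_new_exec() (`spin_lock_irq(&me->sighand->siglock); posix_cpu_timers_exit(me); spin_unlock_irq(&me->sighand->siglock);`) carry no comment saying why the CPU timers have to be detached here, ahead of exit_itimers(), so nothing warns the next person who reorders this block. A one-line why-comment above the lock, e.g. `/* Detach per-task CPU timers under siglock before the old timers are freed, so none remain reachable after exec. */`, would pin the intent; that wording is inferred from the changelog entry "Cleanup CPU timers before freeing them during exec", so confirm it against the upstream commit message. begin_new_exec() starts and ends outside the hunk, so where `me` is defined and whether `me->sighand` is still the pre-exec handler struct at this point cannot be checked from here.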
@@ -1699,6 +1716,124 @@ index 8723ae70ea1f..fb2d773498c2 100644 + } + return ret; } +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index de3dc35ce609..30dd77d58f20 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -2472,6 +2472,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, + } + + static struct nft_chain *nft_chain_lookup_byid(const struct net *net, ++ const struct nft_table *table, + const struct nlattr *nla) + { + struct nftables_pernet *nft_net = nft_pernet(net); +@@ -2482,6 +2483,7 @@ static struct nft_chain *nft_chain_lookup_byid(const struct net *net, + struct nft_chain *chain = trans->ctx.chain; + + if (trans->msg_type == NFT_MSG_NEWCHAIN && ++ chain->table == table && + id == nft_trans_chain_id(trans)) + return chain; + } +@@ -3369,6 +3371,7 @@ static int nft_table_validate(struct net *net, const struct nft_table *table) + } + + static struct nft_rule *nft_rule_lookup_byid(const struct net *net, ++ const struct nft_chain *chain, + const struct nlattr *nla); + + #define NFT_RULE_MAXEXPRS 128 +@@ -3415,7 +3418,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + return -EOPNOTSUPP; + + } else if (nla[NFTA_RULE_CHAIN_ID]) { +- chain = nft_chain_lookup_byid(net, nla[NFTA_RULE_CHAIN_ID]); ++ chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]); + if (IS_ERR(chain)) { + NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); + return PTR_ERR(chain); +@@ -3457,7 +3460,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + return PTR_ERR(old_rule); + } + } else if (nla[NFTA_RULE_POSITION_ID]) { +- old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); ++ old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]); + if (IS_ERR(old_rule)) { + NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); + return PTR_ERR(old_rule); +@@ -3602,6 +3605,7 @@ static int 
nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, + } + + static struct nft_rule *nft_rule_lookup_byid(const struct net *net, ++ const struct nft_chain *chain, + const struct nlattr *nla) + { + struct nftables_pernet *nft_net = nft_pernet(net); +@@ -3612,6 +3616,7 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net, + struct nft_rule *rule = nft_trans_rule(trans); + + if (trans->msg_type == NFT_MSG_NEWRULE && ++ trans->ctx.chain == chain && + id == nft_trans_rule_id(trans)) + return rule; + } +@@ -3661,7 +3666,7 @@ static int nf_tables_delrule(struct sk_buff *skb, const struct nfnl_info *info, + + err = nft_delrule(&ctx, rule); + } else if (nla[NFTA_RULE_ID]) { +- rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); ++ rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); + if (IS_ERR(rule)) { + NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); + return PTR_ERR(rule); +@@ -3840,6 +3845,7 @@ static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, + } + + static struct nft_set *nft_set_lookup_byid(const struct net *net, ++ const struct nft_table *table, + const struct nlattr *nla, u8 genmask) + { + struct nftables_pernet *nft_net = nft_pernet(net); +@@ -3851,6 +3857,7 @@ static struct nft_set *nft_set_lookup_byid(const struct net *net, + struct nft_set *set = nft_trans_set(trans); + + if (id == nft_trans_set_id(trans) && ++ set->table == table && + nft_active_genmask(set, genmask)) + return set; + } +@@ -3871,7 +3878,7 @@ struct nft_set *nft_set_lookup_global(const struct net *net, + if (!nla_set_id) + return set; + +- set = nft_set_lookup_byid(net, nla_set_id, genmask); ++ set = nft_set_lookup_byid(net, table, nla_set_id, genmask); + } + return set; + } +@@ -9595,7 +9602,7 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, + tb[NFTA_VERDICT_CHAIN], + genmask); + } else if (tb[NFTA_VERDICT_CHAIN_ID]) { +- chain = nft_chain_lookup_byid(ctx->net, ++ chain = 
nft_chain_lookup_byid(ctx->net, ctx->table, + tb[NFTA_VERDICT_CHAIN_ID]); + if (IS_ERR(chain)) + return PTR_ERR(chain); +diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c +index a35ab8c27866..3f935cbbaff6 100644 +--- a/net/sched/cls_route.c ++++ b/net/sched/cls_route.c +@@ -526,7 +526,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb, + rcu_assign_pointer(f->next, f1); + rcu_assign_pointer(*fp, f); + +- if (fold && fold->handle && f->handle != fold->handle) { ++ if (fold) { + th = to_hash(fold->handle); + h = from_hash(fold->handle >> 16); + b = rtnl_dereference(head->table[th]); diff --git a/scripts/tags.sh b/scripts/tags.sh index 16d475b3e203..4e333f14b84e 100755 --- a/scripts/tags.sh diff --git a/sources b/sources index 826fc1829..ca4db52f7 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (linux-5.18.16.tar.xz) = 57f6ccbbc3dfe08ae171737b389b3e25577c893d32ff73e97eae36ce44f97aae254862c0234f3e5f84f8512c2ed20f5fd45f57a06a4ea5e76cdeda7ba421782e -SHA512 (kernel-abi-stablelists-5.18.16-200.tar.bz2) = d7e2b5a7bf24edff408232d5682384925386183312f9ae2730a1da727b11c37baa619f286332341a97e209f786987ac60b7c1fba2d396bcc5026788a35769425 -SHA512 (kernel-kabi-dw-5.18.16-200.tar.bz2) = f018d6d055f1683900bf23135e8ebebebb511494136b807c29a939f591d3f864bd8f6843724c08f9427247a157487edfd2951fc0500f178041a3a9468ae0d98b +SHA512 (linux-5.18.17.tar.xz) = fb838f8f93faf83a41d9f42178c1ccd296d2a9e10fd1508f868e3e6d0bae4ebe2fb6ec2537cc3a6c955aec4520f402f53066e769c5be9244410fd3ae47b49faa +SHA512 (kernel-abi-stablelists-5.18.17-200.tar.bz2) = 1bb833a38b5ac70988e69645bc18045f2df011652f48afb8f073ae393694fec024aaae0999cb606888d99bb010b135c415907c8068649c616a8d939e2b3a3206 +SHA512 (kernel-kabi-dw-5.18.17-200.tar.bz2) = a7bae8b6c6e312475257435f33510d725374b213998d439aaa786c68255871715c4d300738dd72d7eb943989f690e1c0fc73108c0ee329dd5c7f3da8d5239920 -- cgit
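Review bot: The new ownership checks in nft_chain_lookup_byid(), nft_rule_lookup_byid() and nft_set_lookup_byid() (`chain->table == table`, `trans->ctx.chain == chain`, `set->table == table`) are added without a comment stating the invariant they enforce, so a future caller could again treat a transaction ID as global without anything in the helper objecting. A short comment on each helper, e.g. `/* Batch-local IDs must resolve to an object owned by the caller's table (resp. chain); never match across tables or chains. */`, documents the rule at the definition instead of leaving it implied by the call sites. The cls_route change in the same hunk would likewise read better if the bare `if (fold)` carried `/* Always unlink the old filter, including one with handle 0, so it is not left on the list after being freed. */`; that reading is inferred from the changelog title "remove from list when handle is 0", so confirm it against the upstream commit. Every touched function (nf_tables_newrule, nf_tables_delrule, nft_set_lookup_global, nft_verdict_init, route4_change) extends beyond the hunk, so the non-NULL-ness of the `chain` and `table` arguments at each new call site cannot be verified from here.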