Patched CVE-2022-34918 with livepatch-5.15.48.1-4.cm2. (#3963)

SPECS-SIGNED/livepatch-5.15.48.1-4.cm2-signed/livepatch-5.15.48.1-4.cm2-signed.spec

@@ -0,0 +1,123 @@
+# The default %%__os_install_post macro ends up stripping the signatures off of the kernel module.
+%define __os_install_post %{__os_install_post_leave_signatures} %{nil}
+
+%global debug_package %{nil}
+
+%define kernel_version_release 5.15.48.1-4.cm2
+%define kernel_version %(echo %{kernel_version_release} | grep -oP "^[^-]+")
+%define kernel_release %(echo %{kernel_version_release} | grep -oP "(?<=-).+")
+
+%define livepatch_unsigned_name livepatch-%{kernel_version_release}
+
+# Kpatch module names allow only alphanumeric characters and '_'.
+%define livepatch_name %(value="%{livepatch_unsigned_name}-%{version}-%{release}"; echo "${value//[^a-zA-Z0-9_]/_}")
+%define livepatch_install_dir %{_libdir}/livepatching/%{kernel_version_release}
+%define livepatch_module_name %{livepatch_name}.ko
+%define livepatch_module_path %{livepatch_install_dir}/%{livepatch_module_name}
+
+%define patch_applicable_for_kernel [[ -f "%{livepatch_module_path}" && "$(uname -r)" == "%{kernel_version_release}" ]]
+%define patch_installed kpatch list | grep -qP "%{livepatch_name}.*%{kernel_version_release}"
+%define patch_loaded    kpatch list | grep -qP "%{livepatch_name}.*enabled"
+
+# Install patch if the RUNNING kernel matches.
+# No-op for initial (empty) livepatch.
+%define install_if_should \
+if %{patch_applicable_for_kernel} && ! %{patch_installed} \
+then \
+    kpatch install %{livepatch_module_path} \
+fi
+
+# Load patch, if the RUNNING kernel matches.
+# No-op for initial (empty) livepatch.
+%define load_if_should \
+if %{patch_applicable_for_kernel} && ! %{patch_loaded} \
+then \
+    kpatch load %{livepatch_module_path} \
+fi
+
+%define uninstall_if_should \
+if %{patch_installed} \
+then \
+    kpatch uninstall %{livepatch_name} \
+fi
+
+%define unload_if_should \
+if %{patch_loaded} \
+then \
+    kpatch unload %{livepatch_name} \
+fi
+
+Summary:        Set of livepatches for kernel %{kernel_version_release}
+Name:           %{livepatch_unsigned_name}-signed
+Version:        1.0.0
+Release:        2%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System Environment/Base
+URL:            https://github.com/microsoft/CBL-Mariner
+Source0:        https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{kernel_version}.tar.gz#/%{livepatch_module_name}
+
+ExclusiveArch:  x86_64
+
+%description
+A set of kernel livepatches addressing CVEs present in Mariner's
+5.15.48.1-4.cm2 kernel.
+
+Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):
+*CVE-2022-34918
+
+%package -n     %{livepatch_unsigned_name}
+Summary:        %{summary}
+
+Requires:       coreutils
+Requires:       livepatching-filesystem
+
+Requires(post): coreutils
+Requires(post): kpatch
+
+Requires(preun): kpatch
+
+Provides:       livepatch = %{kernel_version_release}
+
+%description -n %{livepatch_unsigned_name}
+A set of kernel livepatches addressing CVEs present in Mariner's
+5.15.48.1-4.cm2 kernel.
+
+Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):
+*CVE-2022-34918
+
+%install
+install -dm 755 %{buildroot}%{livepatch_install_dir}
+install -m 744 %{SOURCE0} %{buildroot}%{livepatch_module_path}
+
+%post -n %{livepatch_unsigned_name}
+%load_if_should
+%install_if_should
+
+%preun -n %{livepatch_unsigned_name}
+%uninstall_if_should
+%unload_if_should
+
+# Re-enable patch on rollbacks to supported kernel.
+%triggerin -n %{livepatch_unsigned_name} -- kernel = %{kernel_version_release}
+%load_if_should
+%install_if_should
+
+# Prevent the patch from being loaded after a reboot to a different kernel.
+# Previous kernel is still running, do NOT unload the livepatch.
+%triggerin -n %{livepatch_unsigned_name} -- kernel > %{kernel_version_release}, kernel < %{kernel_version_release}
+%uninstall_if_should
+
+%files -n %{livepatch_unsigned_name}
+%defattr(-,root,root)
+%dir %{livepatch_install_dir}
+%{livepatch_module_path}
+
+%changelog
+* Sat Oct 01 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-2
+- Patching CVE-2022-34918.
+
+* Sat Oct 01 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-1
+- Original version for CBL-Mariner.
+- License verified.

SPECS/LICENSES-AND-NOTICES/data/licenses.json

@@ -2023,6 +2023,8 @@
                 "libsafec",
                 "libuv",
                 "libxml++",
+                "livepatch-5.15.48.1-4.cm2",
+                "livepatch-5.15.48.1-4.cm2-signed",
                 "livepatch-5.15.72.1-1.cm2",
                 "livepatching",
                 "lld",

SPECS/livepatch-5.15.48.1-4.cm2/CVE-2022-34918.patch

@@ -0,0 +1,47 @@
+From c1784d2075138992b00c17ab4ffc6d855171fe6d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 2 Jul 2022 04:16:30 +0200
+Subject: [PATCH] netfilter: nf_tables: stricter validation of element data
+
+commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 upstream.
+
+Make sure element data type and length do not mismatch the one specified
+by the set declaration.
+
+Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data")
+Reported-by: Hugues ANGUELKOV <hanguelkov@randorisec.fr>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 1b4bc588f8d6..65d96439e2be 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5118,13 +5118,20 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
+ 				  struct nft_data *data,
+ 				  struct nlattr *attr)
+ {
++	u32 dtype;
+ 	int err;
+ 
+ 	err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
+ 	if (err < 0)
+ 		return err;
+ 
+-	if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
++	if (set->dtype == NFT_DATA_VERDICT)
++		dtype = NFT_DATA_VERDICT;
++	else
++		dtype = NFT_DATA_VALUE;
++
++	if (dtype != desc->type ||
++	    set->dlen != desc->len) {
+ 		nft_data_release(data, desc->type);
+ 		return -EINVAL;
+ 	}
+-- 
+2.34.1
+

SPECS/livepatch-5.15.48.1-4.cm2/livepatch-5.15.48.1-4.cm2.signatures.json

@@ -0,0 +1,7 @@
+{
+  "Signatures": {
+    "config-5.15.48.1-4.cm2": "ec1b08d0a04d33649a7917cebe14b6bdbbe258dfb4000f403cc7ae84473246c6",
+    "kernel-5.15.48.1.tar.gz": "de79bc5d2bc0943e3efa4085f6066192d6df0478235999de204f6a60b46e2f90",
+    "mariner-5.15.48.1-4.cm2.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0"
+  }
+}

SPECS/livepatch-5.15.48.1-4.cm2/livepatch-5.15.48.1-4.cm2.spec

@@ -0,0 +1,194 @@
+%define kernel_version_release 5.15.48.1-4.cm2
+%define kernel_version %(echo %{kernel_version_release} | grep -oP "^[^-]+")
+%define kernel_release %(echo %{kernel_version_release} | grep -oP "(?<=-).+")
+
+%define builds_module %([[ -n "$(echo "%{patches}" | grep -oP "CVE-\\d+-\\d+(?=\\.patch)")" ]] && echo 1 || echo 0)
+
+# Kpatch module names allow only alphanumeric characters and '_'.
+%define livepatch_name %(value="%{name}-%{version}-%{release}"; echo "${value//[^a-zA-Z0-9_]/_}")
+%define livepatch_install_dir %{_libdir}/livepatching/%{kernel_version_release}
+%define livepatch_module_name %{livepatch_name}.ko
+%define livepatch_module_path %{livepatch_install_dir}/%{livepatch_module_name}
+
+%define patch_applicable_for_kernel [[ -f "%{livepatch_module_path}" && "$(uname -r)" == "%{kernel_version_release}" ]]
+%define patch_installed kpatch list | grep -qP "%{livepatch_name}.*%{kernel_version_release}"
+%define patch_loaded    kpatch list | grep -qP "%{livepatch_name}.*enabled"
+
+# Install patch if the RUNNING kernel matches.
+# No-op for initial (empty) livepatch.
+%define install_if_should \
+if %{patch_applicable_for_kernel} && ! %{patch_installed} \
+then \
+    kpatch install %{livepatch_module_path} \
+fi
+
+# Load patch, if the RUNNING kernel matches.
+# No-op for initial (empty) livepatch.
+%define load_if_should \
+if %{patch_applicable_for_kernel} && ! %{patch_loaded} \
+then \
+    kpatch load %{livepatch_module_path} \
+fi
+
+%define uninstall_if_should \
+if %{patch_installed} \
+then \
+    kpatch uninstall %{livepatch_name} \
+fi
+
+%define unload_if_should \
+if %{patch_loaded} \
+then \
+    kpatch unload %{livepatch_name} \
+fi
+
+%define patches_description \
+%(
+    echo "Patches list ('*' - fixed, '!' - unfixable through livepatching, kernel update required):"
+    for patch in %{patches}
+    do
+        patch_file=$(basename "$patch")
+
+        cve_number="${patch_file%.*}"
+        patch_suffix="${patch_file#*.}"
+
+        if [ "$patch_suffix" = "patch" ]
+        then
+            echo "*$cve_number"
+        else
+            echo "\!$cve_number: $(cat "$patch")"
+        fi
+    done
+)
+
+Summary:        Set of livepatches for kernel %{kernel_version_release}
+Name:           livepatch-%{kernel_version_release}
+Version:        1.0.0
+Release:        2%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System Environment/Base
+URL:            https://github.com/microsoft/CBL-Mariner
+Source0:        https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/%{kernel_version}.tar.gz#/kernel-%{kernel_version}.tar.gz
+Source1:        config-%{kernel_version_release}
+Source2:        mariner-%{kernel_version_release}.pem
+Patch0:         CVE-2022-34918.patch
+
+
+ExclusiveArch:  x86_64
+
+Provides:       livepatch = %{kernel_version_release}
+
+# Must be kept below the "Patch" tags to correctly evaluate %%builds_module.
+%if %{builds_module}
+BuildRequires:  audit-devel
+BuildRequires:  bash
+BuildRequires:  bc
+BuildRequires:  binutils
+BuildRequires:  bison
+BuildRequires:  diffutils
+BuildRequires:  dwarves
+BuildRequires:  elfutils-libelf-devel
+BuildRequires:  flex
+BuildRequires:  gcc
+BuildRequires:  glib-devel
+BuildRequires:  glibc-devel
+BuildRequires:  kbd
+BuildRequires:  kernel-debuginfo = %{kernel_version_release}
+BuildRequires:  kernel-headers = %{kernel_version_release}
+BuildRequires:  kmod-devel
+BuildRequires:  kpatch-build
+BuildRequires:  libdnet-devel
+BuildRequires:  libmspack-devel
+BuildRequires:  make
+BuildRequires:  openssl
+BuildRequires:  openssl-devel
+BuildRequires:  pam-devel
+BuildRequires:  procps-ng-devel
+BuildRequires:  python3-devel
+BuildRequires:  rpm-build
+
+Requires:       coreutils
+Requires:       livepatching-filesystem
+
+Requires(post): coreutils
+Requires(post): kpatch
+
+Requires(preun): kpatch
+
+%description
+A set of kernel livepatches addressing CVEs present in Mariner's
+%{kernel_version_release} kernel.
+%{patches_description}
+
+%prep
+%setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-2-%{kernel_version}
+
+cp %{SOURCE1} .config
+cp %{SOURCE2} certs/mariner.pem
+
+sed -i 's#CONFIG_SYSTEM_TRUSTED_KEYS=""#CONFIG_SYSTEM_TRUSTED_KEYS="certs/mariner.pem"#' .config
+sed -i 's/CONFIG_LOCALVERSION=""/CONFIG_LOCALVERSION="-%{kernel_release}"/' .config
+
+%build
+# Building cumulative patch.
+all_patches_file=all.patch
+for patch in %{patches}
+do
+    [[ "$patch" == *.patch ]] && cat "$patch" >> $all_patches_file
+done
+
+kpatch-build -ddd \
+    --sourcedir . \
+    --vmlinux %{_libdir}/debug/lib/modules/%{kernel_version_release}/vmlinux \
+    --name %{livepatch_name} \
+    $all_patches_file
+
+%install
+install -dm 755 %{buildroot}%{livepatch_install_dir}
+install -m 744 %{livepatch_module_name} %{buildroot}%{livepatch_module_path}
+
+%post
+%load_if_should
+%install_if_should
+
+%preun
+%uninstall_if_should
+%unload_if_should
+
+# Re-enable patch on rollbacks to supported kernel.
+%triggerin -- kernel = %{kernel_version_release}
+%load_if_should
+%install_if_should
+
+# Prevent the patch from being loaded after a reboot to a different kernel.
+# Previous kernel is still running, do NOT unload the livepatch.
+%triggerin -- kernel > %{kernel_version_release}, kernel < %{kernel_version_release}
+%uninstall_if_should
+
+%files
+%defattr(-,root,root)
+%dir %{livepatch_install_dir}
+%{livepatch_module_path}
+
+# else builds_module
+%else
+%global debug_package %{nil}
+
+%description
+Empty package enabling subscription to future kernel livepatches
+addressing CVEs present in Mariner's %{kernel_version_release} kernel.
+
+%files
+
+# endif builds_module
+%endif
+
+%changelog
+* Sat Oct 01 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-2
+- Patching CVE-2022-34918.
+
+* Sat Oct 01 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-1
+- Original version for CBL-Mariner.
+- License verified.

SPECS/livepatch-5.15.48.1-4.cm2/mariner-5.15.48.1-4.cm2.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBjCCA+6gAwIBAgITMwAABO5/lN6NQyelHwABAAAE7jANBgkqhkiG9w0BAQsF
+ADB5MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
+UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSMwIQYDVQQD
+ExpNaWNyb3NvZnQgVGVzdGluZyBQQ0EgMjAxMDAeFw0yMTEwMTQxNzI4MDVaFw0y
+MjEwMTMxNzI4MDVaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv
+bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0
+aW9uMTAwLgYDVQQDEydNYXJpbmVyIFNlY3VyZSBCb290KFByb2R1Y3Rpb24gU2ln
+bmluZykwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF45hTHPQAA7yc
+6g3iVuqcQKF51ylCynjUySYqqQha2sQzE7tbJ2egVkW4cfY1UbJsm65i2/VGI1OL
+Zia4sRwXRN7toRK5aElYfpsghMgGEaCSPs6915BVqO4WX0jxXswqRZ2CPH+evNCC
+hQnOqtjvFCqp7aeQ44b/DpZmaMicL/DwbI4925HWGSYa+/Mp1Fs3yGhP5X75+c9v
+w4gJ5KoxcOFRmQEt0c7lOclOi5Np5jys7lrrdmPPbjoALERBatiXj8w72LUZu4+I
+970/6jqNEkHeGxqVSPRRNIEZubjvRIfg8uULr8k/Kj8TbznCWoGuaT/9yoVbHhqU
+KQMJxxFrAgMBAAGjggF3MIIBczATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4E
+FgQUtC1rnigJt7kJfP+emwGUuG6Av5UwRQYDVR0RBD4wPKQ6MDgxHjAcBgNVBAsT
+FU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDYwODk3KzQ2ODU5NzAf
+BgNVHSMEGDAWgBS/ZaKrb3WjTkWWVwXPOYf0wBUcHDBcBgNVHR8EVTBTMFGgT6BN
+hktodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQl
+MjBUZXN0aW5nJTIwUENBJTIwMjAxMCgxKS5jcmwwaQYIKwYBBQUHAQEEXTBbMFkG
+CCsGAQUFBzAChk1odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRz
+L01pY3Jvc29mdCUyMFRlc3RpbmclMjBQQ0ElMjAyMDEwKDEpLmNydDAMBgNVHRMB
+Af8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQCybuv6kmhT2y97FOLRljLCLvQlBL/E
+dxKPDYNFhHCKIUd550yUoUW8XIxSYa+Dmx/1+NYS4Nxql7ecuR4g9+4i0DOmNjYO
+NY8epPspIpjUd9OAiKNKJSs2303i2TQojXQcZVeTO89bK3pX+spoACGuEVEuWSdL
+q+oPDYZwNTKyobj9wHYO6WXJfcdLPlYZghDjR/WNO5bzvzpi2nn/c4OYvMihLNq0
+5uNO0IB/zquyAaCKbi15v/PqYos1BsT+Yft4zf8ry17yFVBIqJMa2An6Gex7SNWj
+jj1S7uBga3oZcTHvR8xv3fmbwfQMIrZRmZrq8xkySxQV7xea0sE7X/pJ
+-----END CERTIFICATE-----

cgmanifest.json

@@ -10886,6 +10886,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "livepatch-5.15.48.1-4.cm2",
+          "version": "1.0.0",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-2/5.15.48.1.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",