diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel')
4 files changed, 169 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20158-1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20158-1.patch new file mode 100644 index 000000000..ace5ed4ab --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20158-1.patch @@ -0,0 +1,55 @@ +From 0b3ea0926afb8dde70cfab00316ae0a70b93a7cc Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig <hch@lst.de> +Date: Fri, 5 Nov 2021 13:36:58 -0700 +Subject: [PATCH] fs: explicitly unregister per-superblock BDIs + +Add a new SB_I_ flag to mark superblocks that have an ephemeral bdi +associated with them, and unregister it when the superblock is shut +down. + +Link: https://lkml.kernel.org/r/20211021124441.668816-4-hch@lst.de +Signed-off-by: Christoph Hellwig <hch@lst.de> +Reviewed-by: Jan Kara <jack@suse.cz> +Cc: Miquel Raynal <miquel.raynal@bootlin.com> +Cc: Richard Weinberger <richard@nod.at> +Cc: Vignesh Raghavendra <vigneshr@ti.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + fs/super.c | 3 +++ + include/linux/fs.h | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/fs/super.c b/fs/super.c +index bcef3a6f4c4b5..3bfc0f8fbd5bc 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -476,6 +476,8 @@ void generic_shutdown_super(struct super_block *sb) + spin_unlock(&sb_lock); + up_write(&sb->s_umount); + if (sb->s_bdi != &noop_backing_dev_info) { ++ if (sb->s_iflags & SB_I_PERSB_BDI) ++ bdi_unregister(sb->s_bdi); + bdi_put(sb->s_bdi); + sb->s_bdi = &noop_backing_dev_info; + } +@@ -1562,6 +1564,7 @@ int super_setup_bdi_name(struct super_block *sb, char *fmt, ...) + } + WARN_ON(sb->s_bdi != &noop_backing_dev_info); + sb->s_bdi = bdi; ++ sb->s_iflags |= SB_I_PERSB_BDI; + + return 0; + } +diff --git a/include/linux/fs.h b/include/linux/fs.h +index e7a633353fd20..226de651f52e6 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1443,6 +1443,7 @@ extern int send_sigurg(struct fown_struct *fown); + #define SB_I_UNTRUSTED_MOUNTER 0x00000040 + + #define SB_I_SKIP_SYNC 0x00000100 /* Skip superblock at global sync */ ++#define SB_I_PERSB_BDI 0x00000200 /* has a per-sb bdi */ + + /* Possible states of 'frozen' field */ + enum { diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2663-1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2663-1.patch new file mode 100644 index 000000000..bc459492c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2663-1.patch @@ -0,0 +1,76 @@ +From e8d5dfd1d8747b56077d02664a8838c71ced948e Mon Sep 17 00:00:00 2001 +From: David Leadbeater <dgl@dgl.cx> +Date: Fri, 26 Aug 2022 14:56:57 +1000 +Subject: [PATCH] netfilter: nf_conntrack_irc: Tighten matching on DCC message + +CTCP messages should only be at the start of an IRC message, not +anywhere within it. + +While the helper only decodes packes in the ORIGINAL direction, its +possible to make a client send a CTCP message back by empedding one into +a PING request. As-is, thats enough to make the helper believe that it +saw a CTCP message. + +Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port") +Signed-off-by: David Leadbeater <dgl@dgl.cx> +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + net/netfilter/nf_conntrack_irc.c | 34 ++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c +index 992decbcaa5c1e..5703846bea3b69 100644 +--- a/net/netfilter/nf_conntrack_irc.c ++++ b/net/netfilter/nf_conntrack_irc.c +@@ -157,15 +157,37 @@ static int help(struct sk_buff *skb, unsigned int protoff, + data = ib_ptr; + data_limit = ib_ptr + datalen; + +- /* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24 +- * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */ +- while (data < data_limit - (19 + MINMATCHLEN)) { +- if (memcmp(data, "\1DCC ", 5)) { ++ /* Skip any whitespace */ ++ while (data < data_limit - 10) { ++ if (*data == ' ' || *data == '\r' || *data == '\n') ++ data++; ++ else ++ break; ++ } ++ ++ /* strlen("PRIVMSG x ")=10 */ ++ if (data < data_limit - 10) { ++ if (strncasecmp("PRIVMSG ", data, 8)) ++ goto out; ++ data += 8; ++ } ++ ++ /* strlen(" :\1DCC SENT t AAAAAAAA P\1\n")=26 ++ * 7+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=26 ++ */ ++ while (data < data_limit - (21 + MINMATCHLEN)) { ++ /* Find first " :", the start of message */ ++ if (memcmp(data, " :", 2)) { + data++; + continue; + } ++ data += 2; ++ ++ /* then check that place only for the DCC command */ ++ if (memcmp(data, "\1DCC ", 5)) ++ goto out; + data += 5; +- /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */ ++ /* we have at least (21+MINMATCHLEN)-(2+5) bytes valid data left */ + + iph = ip_hdr(skb); + pr_debug("DCC found in master %pI4:%u %pI4:%u\n", +@@ -181,7 +203,7 @@ static int help(struct sk_buff *skb, unsigned int protoff, + pr_debug("DCC %s detected\n", dccprotos[i]); + + /* we have at least +- * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid ++ * (21+MINMATCHLEN)-7-dccprotos[i].matchlen bytes valid + * data left (== 14/13 bytes) */ + if (parse_dcc(data, data_limit, &dcc_ip, + &dcc_port, &addr_beg_p, &addr_end_p)) { diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2663-2.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2663-2.patch new file mode 100644 index 000000000..849183f7d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2663-2.patch @@ -0,0 +1,35 @@ +From 0efe125cfb99e6773a7434f3463f7c2fa28f3a43 Mon Sep 17 00:00:00 2001 +From: David Leadbeater <dgl@dgl.cx> +Date: Fri, 26 Aug 2022 14:56:58 +1000 +Subject: [PATCH] netfilter: nf_conntrack_irc: Fix forged IP logic + +Ensure the match happens in the right direction, previously the +destination used was the server, not the NAT host, as the comment +shows the code intended. + +Additionally nf_nat_irc uses port 0 as a signal and there's no valid way +it can appear in a DCC message, so consider port 0 also forged. + +Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port") +Signed-off-by: David Leadbeater <dgl@dgl.cx> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + net/netfilter/nf_conntrack_irc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c +index 1796c456ac98be..992decbcaa5c1e 100644 +--- a/net/netfilter/nf_conntrack_irc.c ++++ b/net/netfilter/nf_conntrack_irc.c +@@ -194,8 +194,9 @@ static int help(struct sk_buff *skb, unsigned int protoff, + + /* dcc_ip can be the internal OR external (NAT'ed) IP */ + tuple = &ct->tuplehash[dir].tuple; +- if (tuple->src.u3.ip != dcc_ip && +- tuple->dst.u3.ip != dcc_ip) { ++ if ((tuple->src.u3.ip != dcc_ip && ++ ct->tuplehash[!dir].tuple.dst.u3.ip != dcc_ip) || ++ dcc_port == 0) { + net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n", + &tuple->src.u3.ip, + &dcc_ip, dcc_port); diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend index a8d09586b..92620086d 100644 --- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend @@ -49,6 +49,9 @@ SRC_URI += " \ file://CVE-2022-20368.patch\ file://CVE-2022-0168.patch\ file://CVE-2022-40476.patch\ + file://CVE-2022-2663-1.patch\ + file://CVE-2022-2663-2.patch\ + file://CVE-2022-20158-1.patch\ " SRC_URI += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'file://1000-128MB-flashmap-for-PFR.patch', '', d)}" |