升级软件版本至2.24.1 - Fix CVE-2024-52336, CVE-2024-52337

(cherry picked from commit a6591b265bafd76d7763a0c8327f5cb2894b31fd)
2024-11-27 23:19:31 +08:00 · 2024-11-27 23:19:31 +08:00 · 41dad37e14
commit 41dad37e14
parent 09385a23d0
6 changed files with 58 additions and 36 deletions
--- a/profiles-drop-sched_-tuning-where-appropriate.patch
+++ b/profiles-drop-sched_-tuning-where-appropriate.patch
@ -12,6 +12,7 @@ should be dropped in several profiles.
 Resolves: rhbz#1957829

 Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
+
 ---
 profiles/latency-performance/tuned.conf    | 13 -------------
 profiles/sap-hana/tuned.conf               |  4 ----
@ -20,14 +21,13 @@ Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 4 files changed, 45 deletions(-)

 diff --git a/profiles/latency-performance/tuned.conf b/profiles/latency-performance/tuned.conf
-index 66f06ae..da1e357 100644
+index 585c836..c780602 100644
 --- a/profiles/latency-performance/tuned.conf
 +++ b/profiles/latency-performance/tuned.conf
-@@ -32,16 +32,3 @@ vm.dirty_background_ratio=3
- # 100 tells the kernel to aggressively swap processes out of physical memory
+@@ -36,18 +36,5 @@ vm.dirty_background_ratio=3
 # and move them to swap cache
 vm.swappiness=10
-
+ 
 -[scheduler]
 -# ktune sysctl settings for rhel6 servers, maximizing i/o throughput
 -#
@ -40,8 +40,11 @@ index 66f06ae..da1e357 100644
 -# "cache hot" and thus less likely to be re-migrated
 -# (system default is 500000, i.e. 0.5 ms)
 -sched_migration_cost_ns = 5000000
+-
+ [video]
+ panel_power_savings=0
 diff --git a/profiles/sap-hana/tuned.conf b/profiles/sap-hana/tuned.conf
-index c91a9ee..81d5930 100644
+index 8dcee57..aeecf53 100644
 --- a/profiles/sap-hana/tuned.conf
 +++ b/profiles/sap-hana/tuned.conf
@@ -20,7 +20,3 @@ kernel.numa_balancing = 0
@ -53,10 +56,10 @@ index c91a9ee..81d5930 100644
 -sched_min_granularity_ns = 3000000
 -sched_wakeup_granularity_ns = 4000000
 diff --git a/profiles/throughput-performance/tuned.conf b/profiles/throughput-performance/tuned.conf
-index ebb3f7d..98c6b26 100644
+index 738a8a0..734fedc 100644
 --- a/profiles/throughput-performance/tuned.conf
 +++ b/profiles/throughput-performance/tuned.conf
-@@ -58,31 +58,9 @@ vm.dirty_background_ratio = 10
+@@ -66,21 +66,6 @@ vm.swappiness=10
 # on older kernels
 net.core.somaxconn=>2048
 
@ -78,18 +81,21 @@ index ebb3f7d..98c6b26 100644
 # Marvell ThunderX
 [sysctl.thunderx]
 type=sysctl
- uname_regex=aarch64
+@@ -88,12 +73,5 @@ uname_regex=aarch64
 cpuinfo_regex=${thunderx_cpuinfo_regex}
 kernel.numa_balancing=0
-
+ 
 -# AMD
 -[scheduler.amd]
 -type=scheduler
 -uname_regex=x86_64
 -cpuinfo_regex=${amd_cpuinfo_regex}
 -sched_migration_cost_ns=5000000
+-
+ [video]
+ panel_power_savings=0
 diff --git a/profiles/virtual-host/tuned.conf b/profiles/virtual-host/tuned.conf
-index 3358105..c1942da 100644
+index 74a5fb0..5301d9f 100644
 --- a/profiles/virtual-host/tuned.conf
 +++ b/profiles/virtual-host/tuned.conf
@@ -14,9 +14,3 @@ vm.dirty_background_ratio = 5
--- a/tuned-2.18.0-rhel-8-profiles.patch
+++ b/tuned-2.18.0-rhel-8-profiles.patch
@ -1,12 +1,11 @@
 diff --git a/profiles/latency-performance/tuned.conf b/profiles/latency-performance/tuned.conf
-index d200b5c..877229f 100644
+index c780602..585c836 100644
 --- a/profiles/latency-performance/tuned.conf
 +++ b/profiles/latency-performance/tuned.conf
-@@ -32,3 +32,16 @@ vm.dirty_background_ratio=3
- # 100 tells the kernel to aggressively swap processes out of physical memory
+@@ -36,5 +36,18 @@ vm.dirty_background_ratio=3
 # and move them to swap cache
 vm.swappiness=10
-+
+ 
 +[scheduler]
 +# ktune sysctl settings for rhel6 servers, maximizing i/o throughput
 +#
@ -19,6 +18,9 @@ index d200b5c..877229f 100644
 +# "cache hot" and thus less likely to be re-migrated
 +# (system default is 500000, i.e. 0.5 ms)
 +sched_migration_cost_ns = 5000000
+
+ [video]
+ panel_power_savings=0
 diff --git a/profiles/sap-hana/tuned.conf b/profiles/sap-hana/tuned.conf
 index aeecf53..8dcee57 100644
 --- a/profiles/sap-hana/tuned.conf
@ -32,10 +34,10 @@ index aeecf53..8dcee57 100644
 +sched_min_granularity_ns = 3000000
 +sched_wakeup_granularity_ns = 4000000
 diff --git a/profiles/throughput-performance/tuned.conf b/profiles/throughput-performance/tuned.conf
-index 98c6b26..ebb3f7d 100644
+index b5e266d..8fb7c04 100644
 --- a/profiles/throughput-performance/tuned.conf
 +++ b/profiles/throughput-performance/tuned.conf
-@@ -58,9 +58,31 @@ vm.dirty_background_ratio = 10
+@@ -66,6 +66,21 @@ vm.swappiness=10
 # on older kernels
 net.core.somaxconn=>2048
 
@ -57,16 +59,19 @@ index 98c6b26..ebb3f7d 100644
 # Marvell ThunderX
 [sysctl.thunderx]
 type=sysctl
- uname_regex=aarch64
+@@ -73,5 +88,12 @@ uname_regex=aarch64
 cpuinfo_regex=${thunderx_cpuinfo_regex}
 kernel.numa_balancing=0
-+
+ 
 +# AMD
 +[scheduler.amd]
 +type=scheduler
 +uname_regex=x86_64
 +cpuinfo_regex=${amd_cpuinfo_regex}
 +sched_migration_cost_ns=5000000
+
+ [video]
+ panel_power_savings=0
 diff --git a/profiles/virtual-host/tuned.conf b/profiles/virtual-host/tuned.conf
 index 5301d9f..74a5fb0 100644
 --- a/profiles/virtual-host/tuned.conf
@ -81,3 +86,6 @@ index 5301d9f..74a5fb0 100644
 +# "cache hot" and thus less likely to be re-migrated
 +# (system default is 500000, i.e. 0.5 ms)
 +sched_migration_cost_ns = 5000000
+-- 
+2.43.0
+
--- a/tuned-2.18.0-sd-load-balance.patch
+++ b/tuned-2.18.0-sd-load-balance.patch
@ -1,5 +1,5 @@
 diff --git a/profiles/cpu-partitioning/script.sh b/profiles/cpu-partitioning/script.sh
-index 84e04fd..8677050 100755
+index ec422ca..6e004a3 100755
 --- a/profiles/cpu-partitioning/script.sh
 +++ b/profiles/cpu-partitioning/script.sh
@@ -2,6 +2,38 @@
@ -41,17 +41,16 @@ index 84e04fd..8677050 100755
 start() {
     mkdir -p "${TUNED_tmpdir}/etc/systemd"
     mkdir -p "${TUNED_tmpdir}/usr/lib/dracut/hooks/pre-udev"
-@@ -9,6 +41,9 @@ start() {
+@@ -9,6 +41,8 @@ start() {
     cp 00-tuned-pre-udev.sh "${TUNED_tmpdir}/usr/lib/dracut/hooks/pre-udev/"
     setup_kvm_mod_low_latency
     disable_ksm
-+
 +    echo "$TUNED_no_balance_cores_expanded" | sed 's/,/ /g' > $no_balance_cpus_file
 +    disable_balance_domains
     return "$?"
 }
 
-@@ -18,6 +53,7 @@ stop() {
+@@ -18,6 +52,7 @@ stop() {
         teardown_kvm_mod_low_latency
         enable_ksm
     fi
@ -60,7 +59,7 @@ index 84e04fd..8677050 100755
 }
 
 diff --git a/profiles/cpu-partitioning/tuned.conf b/profiles/cpu-partitioning/tuned.conf
-index 979e40b..842e2bd 100644
+index 11f03cf..a682c9c 100644
 --- a/profiles/cpu-partitioning/tuned.conf
 +++ b/profiles/cpu-partitioning/tuned.conf
@@ -35,8 +35,6 @@ no_balance_cores_expanded=${f:cpulist_unpack:${no_balance_cores}}
@ -69,12 +68,15 @@ index 979e40b..842e2bd 100644
 
 -cmd_isolcpus=${f:regex_search_ternary:${no_balance_cores}:\s*[0-9]: isolcpus=${no_balance_cores}:}
 -
- [sysctl]
- kernel.hung_task_timeout_secs = 600
- kernel.nmi_watchdog = 0
-@@ -68,4 +66,4 @@ priority=10
+ [sysfs]
+ /sys/bus/workqueue/devices/writeback/cpumask = ${not_isolated_cpumask}
+ /sys/devices/virtual/workqueue/cpumask = ${not_isolated_cpumask}
+@@ -62,4 +60,4 @@ priority=10
 initrd_remove_dir=True
 initrd_dst_img=tuned-initrd.img
 initrd_add_dir=${tmpdir}
 -cmdline_cpu_part=+nohz=on${cmd_isolcpus} nohz_full=${isolated_cores} rcu_nocbs=${isolated_cores} tuned.non_isolcpus=${not_isolated_cpumask} intel_pstate=disable nosoftlockup
 +cmdline_cpu_part=+nohz=on nohz_full=${isolated_cores} rcu_nocbs=${isolated_cores} tuned.non_isolcpus=${not_isolated_cpumask} intel_pstate=disable nosoftlockup
+-- 
+2.43.0
+
--- a/tuned-2.20.0.tar.gz
+++ b/tuned-2.20.0.tar.gz
--- a/tuned-2.24.1.tar.gz
+++ b/tuned-2.24.1.tar.gz
--- a/tuned.spec
+++ b/tuned.spec
@ -1,7 +1,7 @@
 Summary: A system tuning service for Linux
 Name: tuned
-Version: 2.20.0
-Release: 4
+Version: 2.24.1
+Release: 1
 License: GPLv2+
 Source0: https://github.com/redhat-performance/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 URL: http://www.tuned-project.org/
@ -243,9 +243,9 @@ fi
 %{_sbindir}/diskdevstat
 %{_sbindir}/scomes

-%exclude %{_prefix}/lib/%{name}/realtime
-%exclude %{_prefix}/lib/%{name}/realtime-virtual-guest
-%exclude %{_prefix}/lib/%{name}/realtime-virtual-host
+%exclude %{_prefix}/lib/%{name}/profiles/realtime
+%exclude %{_prefix}/lib/%{name}/profiles/realtime-virtual-guest
+%exclude %{_prefix}/lib/%{name}/profiles/realtime-virtual-host
 %{_prefix}/lib/%{name}

 %config(noreplace) %{_sysconfdir}/%{name}/cpu-partitioning-variables.conf
@ -259,7 +259,7 @@ fi
 %{_libexecdir}/%{name}/defirqaffinity*
 %{_libexecdir}/%{name}/pmqos-static*
 %{python3_sitelib}/%{name}
-%{_sysconfdir}/dbus-1/system.d/com.redhat.%{name}.conf
+%{_datadir}/dbus-1/system.d/com.redhat.%{name}.conf
 %verify(not size mtime md5) %{_sysconfdir}/modprobe.d/%{name}.conf
 %{_tmpfilesdir}/%{name}.conf
 %{_unitdir}/%{name}.service
@ -282,11 +282,11 @@ fi

 %files profiles-devel
 %config(noreplace) %{_sysconfdir}/%{name}/realtime-variables.conf
-%{_prefix}/lib/%{name}/realtime
+%{_prefix}/lib/%{name}/profiles/realtime
 %config(noreplace) %{_sysconfdir}/%{name}/realtime-virtual-guest-variables.conf
-%{_prefix}/lib/%{name}/realtime-virtual-guest
+%{_prefix}/lib/%{name}/profiles/realtime-virtual-guest
 %config(noreplace) %{_sysconfdir}/%{name}/realtime-virtual-host-variables.conf
-%{_prefix}/lib/%{name}/realtime-virtual-host
+%{_prefix}/lib/%{name}/profiles/realtime-virtual-host
 %{_mandir}/man7/%{name}-profiles-realtime.7*
 %{_mandir}/man7/%{name}-profiles-nfv-guest.7*
 %{_mandir}/man7/%{name}-profiles-nfv-host.7*
@ -297,6 +297,12 @@ fi
 %{_mandir}/man7/tuned-profiles-spectrumscale-ece.7*

 %changelog
+* Wed Nov 27 2024 ZhaoYu Jiang <jiangzhaoyu@kylinos.cn> - 2.24.1-1
+- Upgrade to 2.24.1:
+  - fixed privileged execution of arbitrary scripts by active local user. (CVE-2024-52336)
+  - added sanity checks for API methods parameters. (CVE-2024-52337)
+  - tuned-ppd: fixed controller init to correctly set_on_battery
+
 * Fri Sep 20 2024 dufuhang <dufuhang@kylinos.cn> - 2.20.0-4
 - bugfix: expand variables in Plugin._verify_all_device_commands