
Conversation

bmastbergen

Commits

    misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

    jira VULN-65834
    cve CVE-2022-49788
    commit-author Alexander Potapenko <glider@google.com>
    commit e5b0d06d9b10f5f43101bd6598b076c347f9295f
    ext4: fix off-by-one error in do_split

    jira VULN-66668
    cve CVE-2025-23150
    commit-author Artem Sadovnikov <a.sadovnikov@ispras.ru>
    commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d
    sch_hfsc: make hfsc_qlen_notify() idempotent

    jira VULN-71943
    cve CVE-2025-38177
    commit-author Cong Wang <xiyou.wangcong@gmail.com>
    commit 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb
    scsi: lpfc: Use memcpy() for BIOS version

    jira VULN-72452
    cve CVE-2025-38332
    commit-author Daniel Wagner <wagi@kernel.org>
    commit ae82eaf4aeea060bb736c3e20c0568b67c701d7d

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 9s
x86_64 architecture detected, copying config
‘configs/kernel-3.10.0-x86_64.config’ -> ‘.config’
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqcbr7_9_many-vulns-9-26-25-f74987c"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf --silentoldconfig Kconfig
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
--
  H16TOFW firmware/edgeport/down2.fw
  IHEX2FW firmware/whiteheat_loader.fw
  IHEX2FW firmware/whiteheat.fw
  IHEX2FW firmware/keyspan_pda/keyspan_pda.fw
  IHEX2FW firmware/keyspan_pda/xircom_pgs.fw
[TIMER]{BUILD}: 630s
Making Modules
  INSTALL arch/x86/crypto/aesni-intel.ko
  INSTALL arch/x86/crypto/ablk_helper.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
--
  INSTALL /lib/firmware/whiteheat_loader.fw
  INSTALL /lib/firmware/whiteheat.fw
  INSTALL /lib/firmware/keyspan_pda/keyspan_pda.fw
  INSTALL /lib/firmware/keyspan_pda/xircom_pgs.fw
  DEPMOD  3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-26-25-f74987c+
[TIMER]{MODULES}: 19s
Making Install
sh ./arch/x86/boot/install.sh 3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-26-25-f74987c+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 30s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-26-25-f74987c+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 9s
[TIMER]{BUILD}: 630s
[TIMER]{MODULES}: 19s
[TIMER]{INSTALL}: 30s
[TIMER]{TOTAL} 694s
Rebooting in 10 seconds

Testing

selftest-3.10.0-1160.119.1.el7_9.ciqcbr.8.1.x86_64-1.log

selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-26-25-f74987c+-1.log

brett@lycia ~/ciq/many-79-vulns-9-26-25
 % grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.8.1.x86_64-1.log | wc -l
4
brett@lycia ~/ciq/many-79-vulns-9-26-25
 % grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-26-25-f74987c+-1.log | wc -l
4
brett@lycia ~/ciq/many-79-vulns-9-26-25
 % grep ok <(diff -adU0 <(grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.8.1.x86_64-1.log | sort -h) <(grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-26-25-f74987c+-1.log | sort -h))
brett@lycia ~/ciq/many-79-vulns-9-26-25
 %

jira VULN-65834
cve CVE-2022-49788
commit-author Alexander Potapenko <glider@google.com>
commit e5b0d06

`struct vmci_event_qp` allocated by qp_notify_peer() contains padding,
which may carry uninitialized data to the userspace, as observed by
KMSAN:

  BUG: KMSAN: kernel-infoleak in instrument_copy_to_user ./include/linux/instrumented.h:121
   instrument_copy_to_user ./include/linux/instrumented.h:121
   _copy_to_user+0x5f/0xb0 lib/usercopy.c:33
   copy_to_user ./include/linux/uaccess.h:169
   vmci_host_do_receive_datagram drivers/misc/vmw_vmci/vmci_host.c:431
   vmci_host_unlocked_ioctl+0x33d/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:925
   vfs_ioctl fs/ioctl.c:51
  ...

  Uninit was stored to memory at:
   kmemdup+0x74/0xb0 mm/util.c:131
   dg_dispatch_as_host drivers/misc/vmw_vmci/vmci_datagram.c:271
   vmci_datagram_dispatch+0x4f8/0xfc0 drivers/misc/vmw_vmci/vmci_datagram.c:339
   qp_notify_peer+0x19a/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1479
   qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
   qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750
   vmci_qp_broker_alloc+0x96/0xd0 drivers/misc/vmw_vmci/vmci_queue_pair.c:1940
   vmci_host_do_alloc_queuepair drivers/misc/vmw_vmci/vmci_host.c:488
   vmci_host_unlocked_ioctl+0x24fd/0x43d0 drivers/misc/vmw_vmci/vmci_host.c:927
  ...

  Local variable ev created at:
   qp_notify_peer+0x54/0x290 drivers/misc/vmw_vmci/vmci_queue_pair.c:1456
   qp_broker_attach drivers/misc/vmw_vmci/vmci_queue_pair.c:1662
   qp_broker_alloc+0x2977/0x2f30 drivers/misc/vmw_vmci/vmci_queue_pair.c:1750

  Bytes 28-31 of 48 are uninitialized
  Memory access of size 48 starts at ffff888035155e00
  Data copied to user address 0000000020000100

Use memset() to prevent the infoleaks.

Also speculatively fix qp_notify_peer_local(), which may suffer from the
same problem.

	Reported-by: syzbot+39be4da489ed2493ba25@syzkaller.appspotmail.com
	Cc: stable <stable@kernel.org>
Fixes: 06164d2 ("VMCI: queue pairs implementation.")
	Signed-off-by: Alexander Potapenko <glider@google.com>
	Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
Link: https://lore.kernel.org/r/20221104175849.2782567-1-glider@google.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e5b0d06)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-66668
cve CVE-2025-23150
commit-author Artem Sadovnikov <a.sadovnikov@ispras.ru>
commit 94824ac

Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
caused by out-of-bounds access due to incorrect splitting in do_split.

BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
 vfs_symlink+0x137/0x2e0 fs/namei.c:4615
 do_symlinkat+0x222/0x3a0 fs/namei.c:4641
 __do_sys_symlink fs/namei.c:4662 [inline]
 __se_sys_symlink fs/namei.c:4660 [inline]
 __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

The following loop is located right above the 'if' statement.

for (i = count-1; i >= 0; i--) {
	/* is more than half of this entry in 2nd half of the block? */
	if (size + map[i].size/2 > blocksize/2)
		break;
	size += map[i].size;
	move++;
}

'i' in this case could go down to -1, in which case the sum of active entries
wouldn't exceed half the block size, but the previous behaviour would also do
a split in half if the sum would exceed at the very last block, which, in the
case of having too many long-name files in a single block, could lead to an
out-of-bounds access and a following use-after-free.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

	Cc: stable@vger.kernel.org
Fixes: 5872331 ("ext4: fix potential negative array index in do_split()")
	Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
	Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
	Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit 94824ac)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-71943
cve CVE-2025-38177
commit-author Cong Wang <xiyou.wangcong@gmail.com>
commit 51eb3b6

hfsc_qlen_notify() is not idempotent either and not friendly
to its callers, like fq_codel_dequeue(). Let's make it idempotent
to ease qdisc_tree_reduce_backlog() callers' life:

1. update_vf() decreases cl->cl_nactive, so we can check whether it is
non-zero before calling it.

2. eltree_remove() always removes RB node cl->el_node, but we can use
   RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe.

	Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
	Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
	Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211033.166059-4-xiyou.wangcong@gmail.com
	Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 51eb3b6)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-72452
cve CVE-2025-38332
commit-author Daniel Wagner <wagi@kernel.org>
commit ae82eaf

The strlcat() with FORTIFY support is triggering a panic because it
thinks the target buffer will overflow although the correct target
buffer size is passed in.

Anyway, instead of memset() with 0 followed by a strlcat(), just use
memcpy() and ensure that the resulting buffer is NULL terminated.

BIOSVersion is only used for the lpfc_printf_log() which expects a
properly terminated string.

	Signed-off-by: Daniel Wagner <wagi@kernel.org>
Link: https://lore.kernel.org/r/20250409-fix-lpfc-bios-str-v1-1-05dac9e51e13@kernel.org
	Reviewed-by: Justin Tee <justin.tee@broadcom.com>
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit ae82eaf)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
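As an added illustration of the off-by-one described in the do_split message above (example code written for this page, not from the kernel or the PR): it runs the quoted loop over a constructed set of directory-entry sizes and compares the free space each split decision leaves in the two halves. The 1024-byte block, the 264-byte maximum record length and the two decision conditions ("i > 0" before, "i >= 0" after) are my assumptions, not copied from the patches.

```c
#include <stdio.h>
/* Added model of the split loop quoted in the do_split commit message, not
 * kernel code. Assumed: 1024-byte block, 264-byte max dentry record
 * (EXT4_DIR_REC_LEN(255)), conditions "i > 0" (Fixes commit) vs "i >= 0". */
#define BLOCKSIZE 1024
#define MAX_DENTRY 264
struct split_result { int i, move, size, split; };
/* The quoted loop plus the split decision: fixed == 0 models the pre-fix
 * "i > 0", fixed == 1 the corrected "i >= 0". */
static struct split_result choose_split(const int *map, int count, int fixed)
{
	struct split_result r = { 0, 0, 0, 0 };
	int i;
	for (i = count - 1; i >= 0; i--) {
		/* is more than half of this entry in 2nd half of the block? */
		if (r.size + map[i] / 2 > BLOCKSIZE / 2)
			break;
		r.size += map[i];
		r.move++;
	}
	r.i = i;
	if (fixed ? (i >= 0) : (i > 0))
		r.split = count - r.move; /* entries split..count-1 move out */
	else
		r.split = count / 2;      /* fallback meant only for i == -1 */
	return r;
}
/* Smallest free space left in either half after splitting at 'split'. */
static int min_free_after_split(const int *map, int count, int split)
{
	int used1 = 0, used2 = 0;
	for (int k = 0; k < split; k++)
		used1 += map[k];
	for (int k = split; k < count; k++)
		used2 += map[k];
	return BLOCKSIZE - (used1 > used2 ? used1 : used2);
}
/* Constructed block: two max-length names, one long name, three short. */
static const int sample_map[6] = { 264, 264, 240, 40, 40, 40 };
int main(void)
{
	for (int f = 0; f < 2; f++) {
		struct split_result r = choose_split(sample_map, 6, f);
		int nfree = min_free_after_split(sample_map, 6, r.split);
		printf("%-6s: i=%d split=%d min free=%d -> %s\n", f ? "i >= 0" : "i > 0",
		       r.i, r.split, nfree, nfree >= MAX_DENTRY ? "fits" : "OVERFLOW");
	}
	return 0;
}
```

With this block the loop stops at i == 0, so the old "i > 0" test falls into the count/2 fallback and leaves only 256 bytes in the first half, less than one maximum-length entry; the "i >= 0" test keeps 400 bytes free in the fuller half.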

@PlaidCat PlaidCat left a comment


:shipit:

@bmastbergen bmastbergen merged commit 714a753 into ciqcbr7_9 Sep 29, 2025
2 checks passed
@bmastbergen bmastbergen deleted the bmastbergen_ciqcbr7_9/many-vulns-9-26-25 branch September 29, 2025 13:20