
Conversation

PlaidCat
Collaborator

Commits

    use uniform permission checks for all mount propagation changes

    jira VULN-98606
    jira VULN-98607
    cve-bf CVE-2025-38498
    commit-author Al Viro <viro@zeniv.linux.org.uk>
    commit cffd0441872e7f6b1fce5e78fb1c99187a291330
    upstream-diff This is a partial backport due to missing 9ffb14ef61ba
            which introduces do_set_group(). This is where the below
            operation on different aspects of the same thing is introduced.
            This change does however introduce some additional safety checks
            which should be considered.
    net: fix udp gso skb_segment after pull from frag_list

    jira VULN-156444
    jira VULN-156445
    cve CVE-2025-38124
    commit-author Shiming Cheng <shiming.cheng@mediatek.com>
    commit 3382a1ed7f778db841063f5d7e317ac55f9e7f72
    bpf: Fix a segment issue when downgrading gso_size

    jira VULN-38750
    jira VULN-38751
    cve CVE-2024-42281
    commit-author Fred Li <dracodingfly@gmail.com>
    commit fa5ef655615a01533035c6139248c5b33aa27028
    do_change_type(): refuse to operate on unmounted/not ours mounts

    jira VULN-98607
    jira VULN-98606
    cve CVE-2025-38498
    commit-author Al Viro <viro@zeniv.linux.org.uk>
    commit 12f147ddd6de7382dad54812e65f3f08d05809fc
    vsock: Fix transport_* TOCTOU

    jira VULN-80682
    jira VULN-80681
    cve CVE-2025-38461
    commit-author Michal Luczaj <mhal@rbox.co>
    commit 687aa0c5581b8d4aa87fd92973e4ee576b550cdf
    gso: fix udp gso fraglist segmentation after pull from frag_list

    jira VULN-45766
    jira VULN-45767
    cve cve-2024-49978
    commit-author Willem de Bruijn <willemb@google.com>
    commit a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab
    upstream-diff contextual diff is off due to massive reworks.
            In addition __udpv6_gso_segment_list_csum definition is not
            included.  This was included via "net/gro.h" via 75082e7f4680
            which is a bug fix to 4721031c3559 "net: move gro definitions to
            include/net/gro.h". Since we also do not have that we're just
            directly including net/ip6_checksum.h to this file.

Build

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
  CLEAN   cscope.in.out cscope.po.out cscope.out cscope.files
[TIMER]{MRPROPER}: 4s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-jmaple_udp_gso_fraglist-106adb1d0a8f"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1894s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-jmaple_udp_gso_fraglist-106adb1d0a8f+
[TIMER]{MODULES}: 17s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-jmaple_udp_gso_fraglist-106adb1d0a8f+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 18s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0-jmaple_udp_gso_fraglist-8f2f35383ed4+ and Index to 2
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 4s
[TIMER]{BUILD}: 1894s
[TIMER]{MODULES}: 17s
[TIMER]{INSTALL}: 18s
[TIMER]{TOTAL} 1938s
Rebooting in 10 seconds

Kselftests

[jmaple@devbox code]$ ./get_kselftest_diff.sh
kselftest.4.18.0-jmaple_batch_12_fips-8-compliant_4.18.0-553.16.1-0bc2+.log
204
kselftest.4.18.0-jmaple_batch_12_fips-8-compliant_4.18.0-553.16.1-d70e+.log
204
kselftest.4.18.0-jmaple_batch_12_fips-8-compliant_4.18.0-553.16.1-9a06+.log
204
kselftest.4.18.0-jmaple_udp_gso_fraglist-106adb1d0a8f+.log
204
Before: kselftest.4.18.0-jmaple_batch_12_fips-8-compliant_4.18.0-553.16.1-9a06+.log
After: kselftest.4.18.0-jmaple_udp_gso_fraglist-106adb1d0a8f+.log
Diff:
No differences found.

get_kselftest_diff.sh experimental script

#!/bin/bash

# Take the four most recent kselftest logs, oldest first.
FILES=$(ls -rt kselftest.* | tail -n4)

# Print each log name followed by its number of passing ("ok ") tests.
while read -r line; do
    echo "$line"; grep '^ok ' "$line" | wc -l ;
done <<< "$FILES"

BEFORE=""
AFTER=""

# After this loop AFTER is the newest log and BEFORE the one before it.
while read -r line; do
    BEFORE=${AFTER}
    AFTER=${line}
done <<< "$FILES"

echo "Before: $BEFORE"
echo "After: $AFTER"
echo "Diff:"
# Diff the sorted sets of passing tests and keep only the changed "ok" lines.
DIFF=$(grep ok <(diff -adU0 <(grep ^ok "${BEFORE}" | sort -h) <(grep ^ok "${AFTER}" | sort -h)))
if [ -z "$DIFF" ]; then
    echo "No differences found."
else
    echo "$DIFF"
fi

jira VULN-45766
jira VULN-45767
cve cve-2024-49978
commit-author Willem de Bruijn <willemb@google.com>
commit a1e40ac
upstream-diff contextual diff is off due to massive reworks.
	In addition __udpv6_gso_segment_list_csum definition is not
	included.  This was included via "net/gro.h" via 75082e7
	which is a bug fix to 4721031 "net: move gro definitions to
	include/net/gro.h". Since we also do not have that we're just
	directly including net/ip6_checksum.h to this file.

Detect gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.

In extreme cases they pull all data into skb linear. For UDP, this
causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
udp_hdr(seg->next)->dest.

Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.

Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
Fixes: 9fd1ff5 ("udp: Support UDP fraglist GRO/GSO.")
	Signed-off-by: Willem de Bruijn <willemb@google.com>
	Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20241001171752.107580-1-willemdebruijn.kernel@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit a1e40ac)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-80682
jira VULN-80681
cve CVE-2025-38461
commit-author Michal Luczaj <mhal@rbox.co>
commit 687aa0c

Transport assignment may race with module unload. Protect new_transport
from becoming a stale pointer.

This also takes care of an insecure call in vsock_use_local_transport();
add a lockdep assert.

BUG: unable to handle page fault for address: fffffbfff8056000
Oops: Oops: 0000 [#1] SMP KASAN
RIP: 0010:vsock_assign_transport+0x366/0x600
Call Trace:
 vsock_connect+0x59c/0xc40
 __sys_connect+0xe8/0x100
 __x64_sys_connect+0x6e/0xc0
 do_syscall_64+0x92/0x1c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: c0cfa2d ("vsock: add multi-transports support")
	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
	Signed-off-by: Michal Luczaj <mhal@rbox.co>
Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-2-98f0eb530747@rbox.co
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 687aa0c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-98607
jira VULN-98606
cve CVE-2025-38498
commit-author Al Viro <viro@zeniv.linux.org.uk>
commit 12f147d

Ensure that propagation settings can only be changed for mounts located
in the caller's mount namespace. This change aligns permission checking
with the rest of mount(2).

	Reviewed-by: Christian Brauner <brauner@kernel.org>
Fixes: 07b2088 ("beginning of the shared-subtree proper")
	Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 12f147d)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-38750
jira VULN-38751
cve CVE-2024-42281
commit-author Fred Li <dracodingfly@gmail.com>
commit fa5ef65

Linearize the skb when downgrading gso_size because it may trigger a
BUG_ON() later when the skb is segmented as described in [1,2].

Fixes: 2be7e21 ("bpf: add bpf_skb_adjust_room helper")
	Signed-off-by: Fred Li <dracodingfly@gmail.com>
	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	Reviewed-by: Willem de Bruijn <willemb@google.com>
	Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/all/20240626065555.35460-2-dracodingfly@gmail.com [1]
Link: https://lore.kernel.org/all/668d5cf1ec330_1c18c32947@willemb.c.googlers.com.notmuch [2]
Link: https://lore.kernel.org/bpf/20240719024653.77006-1-dracodingfly@gmail.com
(cherry picked from commit fa5ef65)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-156444
jira VULN-156445
cve CVE-2025-38124
commit-author Shiming Cheng <shiming.cheng@mediatek.com>
commit 3382a1e

Commit a1e40ac ("net: gso: fix udp gso fraglist segmentation after
pull from frag_list") detected invalid geometry in frag_list skbs and
redirects them from skb_segment_list to more robust skb_segment. But some
packets with modified geometry can also hit bugs in that code. We don't
know how many such cases exist. Addressing each one by one also requires
touching the complex skb_segment code, which risks introducing bugs for
other types of skbs. Instead, linearize all these packets that fail the
basic invariants on gso fraglist skbs. That is more robust.

If only part of the fraglist payload is pulled into head_skb, it will
always cause exception when splitting skbs by skb_segment. For detailed
call stack information, see below.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify fraglist skbs, breaking these invariants.

In extreme cases they pull part of the data into the skb linear area. For UDP,
this causes three payloads with lengths of (11,11,10) bytes that were
pulled at the tail to become (12,10,10) bytes.

The skbs no longer meet the above SKB_GSO_FRAGLIST conditions because
payload was pulled into head_skb; they need to be linearized before being
passed to regular skb_segment.

    skb_segment+0xcd0/0xd14
    __udp_gso_segment+0x334/0x5f4
    udp4_ufo_fragment+0x118/0x15c
    inet_gso_segment+0x164/0x338
    skb_mac_gso_segment+0xc4/0x13c
    __skb_gso_segment+0xc4/0x124
    validate_xmit_skb+0x9c/0x2c0
    validate_xmit_skb_list+0x4c/0x80
    sch_direct_xmit+0x70/0x404
    __dev_queue_xmit+0x64c/0xe5c
    neigh_resolve_output+0x178/0x1c4
    ip_finish_output2+0x37c/0x47c
    __ip_finish_output+0x194/0x240
    ip_finish_output+0x20/0xf4
    ip_output+0x100/0x1a0
    NF_HOOK+0xc4/0x16c
    ip_forward+0x314/0x32c
    ip_rcv+0x90/0x118
    __netif_receive_skb+0x74/0x124
    process_backlog+0xe8/0x1a4
    __napi_poll+0x5c/0x1f8
    net_rx_action+0x154/0x314
    handle_softirqs+0x154/0x4b8

    [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!
    [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
    [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000
    [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000
    [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)
    [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14
    [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14
    [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770

Fixes: a1e40ac ("gso: fix udp gso fraglist segmentation after pull from frag_list")
	Signed-off-by: Shiming Cheng <shiming.cheng@mediatek.com>
	Reviewed-by: Willem de Bruijn <willemb@google.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 3382a1e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-98606
jira VULN-98607
cve-bf CVE-2025-38498
commit-author Al Viro <viro@zeniv.linux.org.uk>
commit cffd044
upstream-diff This is a partial backport due to missing 9ffb14e
	which introduces do_set_group(). This is where the below
	operation on different aspects of the same thing is introduced.
	This change does however introduce some additional safety checks
	which should be considered.

do_change_type() and do_set_group() are operating on different
aspects of the same thing - propagation graph.  The latter
asks for mounts involved to be mounted in namespace(s) the caller
has CAP_SYS_ADMIN for.  The former is a mess - originally it
didn't even check that mount *is* mounted.  That got fixed,
but the resulting check turns out to be too strict for userland -
in effect, we check that mount is in our namespace, having already
checked that we have CAP_SYS_ADMIN there.

What we really need (in both cases) is
	* only touch mounts that are mounted.  That's a must-have
constraint - data corruption happens if it gets violated.
	* don't allow messing with a namespace unless you already
have enough permissions to do so (i.e. CAP_SYS_ADMIN in its userns).

That's an equivalent of what do_set_group() does; let's extract that
into a helper (may_change_propagation()) and use it in both
do_set_group() and do_change_type().

Fixes: 12f147d "do_change_type(): refuse to operate on unmounted/not ours mounts"
	Acked-by: Andrei Vagin <avagin@gmail.com>
	Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
	Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
	Reviewed-by: Christian Brauner <brauner@kernel.org>
	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit cffd044)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
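The SKB_GSO_FRAGLIST invariants listed in the a1e40ac and 3382a1e commit messages above, and the decision the fixes make on them, as an added example that is not kernel code and not part of this PR. A fraglist skb is modelled as an array of per-skb payload lengths (head_skb first, protocol headers excluded); `pull_into_head` stands in for a datapath hook such as `bpf_skb_pull_data` moving frag_list payload into the linear area, and `choose_gso_path` is this model's version of the "still valid: skb_segment_list, otherwise linearize and skb_segment" choice. All function and enum names here are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. lens[0] is the head_skb payload
 * (headers excluded), lens[1..n-1] are the frag_list skbs. */

#define MAX_SEGS 16

enum gso_path {
    GSO_PATH_SEGMENT_LIST = 0,   /* geometry intact: skb_segment_list is safe */
    GSO_PATH_LINEARIZE    = 1,   /* geometry broken: linearize, then skb_segment */
};

/* The four invariants from the commit message: at least two segments,
 * head_skb holds exactly gso_size, each frag_list skb is one segment,
 * and every segment but the last is exactly gso_size (the last must be
 * non-empty and no larger than gso_size). */
bool fraglist_geometry_valid(const size_t *lens, size_t n, size_t gso_size)
{
    if (n < 2 || gso_size == 0)
        return false;
    for (size_t i = 0; i + 1 < n; i++)
        if (lens[i] != gso_size)
            return false;
    return lens[n - 1] > 0 && lens[n - 1] <= gso_size;
}

/* Simulate a hook (NAT, bpf_skb_pull_data) pulling 'pull' bytes of
 * frag_list payload into the head_skb. frag_list skbs drained completely
 * are unlinked. Returns the new number of skbs in the chain. */
size_t pull_into_head(size_t *lens, size_t n, size_t pull)
{
    size_t i = 1;
    while (pull > 0 && i < n) {
        size_t take = lens[i] < pull ? lens[i] : pull;
        lens[0] += take;
        lens[i] -= take;
        pull -= take;
        if (lens[i] == 0) {
            memmove(&lens[i], &lens[i + 1], (n - i - 1) * sizeof(*lens));
            n--;
        } else {
            i++;
        }
    }
    return n;
}

/* Only skbs that still satisfy the invariants take the fraglist path;
 * everything else is linearized so regular skb_segment can handle it. */
enum gso_path choose_gso_path(const size_t *lens, size_t n, size_t gso_size)
{
    return fraglist_geometry_valid(lens, n, gso_size)
               ? GSO_PATH_SEGMENT_LIST : GSO_PATH_LINEARIZE;
}

/* Copy a geometry, apply a pull, and report the resulting path
 * (-1 if the chain is longer than this model supports). */
int path_after_pull(const size_t *lens, size_t n, size_t gso_size, size_t pull)
{
    size_t copy[MAX_SEGS];
    if (n > MAX_SEGS)
        return -1;
    memcpy(copy, lens, n * sizeof(*lens));
    n = pull_into_head(copy, n, pull);
    return (int)choose_gso_path(copy, n, gso_size);
}

/* Same, but report how many skbs remain in the chain (0 on overflow). */
size_t segments_after_pull(const size_t *lens, size_t n, size_t pull)
{
    size_t copy[MAX_SEGS];
    if (n > MAX_SEGS)
        return 0;
    memcpy(copy, lens, n * sizeof(*lens));
    return pull_into_head(copy, n, pull);
}

int main(void)
{
    /* Constructed geometry from the commit message: payloads (11,11,10), gso_size 11. */
    const size_t lens[] = { 11, 11, 10 };
    const size_t pulls[] = { 0, 1, 21 };   /* intact, partial pull, everything pulled */
    for (size_t k = 0; k < 3; k++) {
        size_t copy[MAX_SEGS];
        memcpy(copy, lens, sizeof(lens));
        size_t n = pull_into_head(copy, 3, pulls[k]);
        printf("pull %2zu -> %zu skb(s), head=%zu, path=%s\n", pulls[k], n, copy[0],
               choose_gso_path(copy, n, 11) == GSO_PATH_SEGMENT_LIST
                   ? "skb_segment_list" : "linearize+skb_segment");
    }
    return 0;
}
```

A pull of 1 byte turns (11,11,10) into the (12,10,10) chain from the 3382a1e message and flips the decision to linearize; a pull of 21 bytes collapses the chain to a single skb, the case where the a1e40ac message reports the NULL dereference on `seg->next`. Dropping such packets would blackhole the destination, which is why the fixes convert rather than discard.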
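The permission rule the cffd044 message above spells out for may_change_propagation(), next to the stricter check it replaced, as an added example that is not kernel code and not part of this PR. The structs are deliberate simplifications of the kernel's mount, mount-namespace and user-namespace objects, the caller's capabilities are modelled as a list of user namespaces it holds CAP_SYS_ADMIN in, and the error values are an assumption of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: toy model of the two checks. */

struct user_ns { const char *name; };
struct mnt_ns  { const char *name; const struct user_ns *owner; };
struct mount   { const char *path; const struct mnt_ns *mnt_ns; }; /* NULL: not mounted */

/* The caller: its own mount namespace plus the user namespaces it holds
 * CAP_SYS_ADMIN in (what ns_capable() would answer in the kernel). */
struct caller {
    const struct mnt_ns *own_ns;
    const struct user_ns *sys_admin_in[4];
    size_t n_sys_admin;
};

static bool ns_capable_sys_admin(const struct caller *c, const struct user_ns *ns)
{
    for (size_t i = 0; i < c->n_sys_admin; i++)
        if (c->sys_admin_in[i] == ns)
            return true;
    return false;
}

/* Rule as the message describes 12f147d: the mount must be mounted in the
 * caller's own namespace. Correct for safety, but stricter than needed. */
int may_change_propagation_own_ns_only(const struct caller *c, const struct mount *m)
{
    if (!m->mnt_ns || m->mnt_ns != c->own_ns)
        return -EINVAL;
    return 0;
}

/* Rule from cffd044: mounted somewhere (must-have, otherwise data
 * corruption), and the caller is CAP_SYS_ADMIN in that namespace's
 * owning user namespace. Error values are this model's assumption. */
int may_change_propagation(const struct caller *c, const struct mount *m)
{
    if (!m->mnt_ns)
        return -EINVAL;
    if (!ns_capable_sys_admin(c, m->mnt_ns->owner))
        return -EPERM;
    return 0;
}

enum scenario { SC_OWN_NS, SC_UNMOUNTED, SC_CHILD_NS_ADMIN, SC_CHILD_NS_NO_CAP };

/* Constructed scenarios, evaluated under either rule. */
int run_scenario(enum scenario s, bool uniform_rule)
{
    static const struct user_ns init_user  = { "init_user_ns" };
    static const struct user_ns child_user = { "child_user_ns" };
    static const struct mnt_ns init_mnt  = { "init_mnt_ns", &init_user };
    static const struct mnt_ns child_mnt = { "child_mnt_ns", &child_user };

    /* Caller lives in the initial mount namespace and is admin of both user namespaces. */
    struct caller c = { &init_mnt, { &init_user, &child_user }, 2 };
    struct mount m = { "/mnt/target", &init_mnt };

    switch (s) {
    case SC_OWN_NS:          break;
    case SC_UNMOUNTED:       m.mnt_ns = NULL; break;
    case SC_CHILD_NS_ADMIN:  m.mnt_ns = &child_mnt; break;
    case SC_CHILD_NS_NO_CAP: m.mnt_ns = &child_mnt; c.n_sys_admin = 1; break;
    }
    return uniform_rule ? may_change_propagation(&c, &m)
                        : may_change_propagation_own_ns_only(&c, &m);
}

int main(void)
{
    const char *names[] = { "own ns", "unmounted", "child ns, admin", "child ns, no cap" };
    for (int s = SC_OWN_NS; s <= SC_CHILD_NS_NO_CAP; s++)
        printf("%-18s own-ns-only=%4d uniform=%4d\n", names[s],
               run_scenario((enum scenario)s, false), run_scenario((enum scenario)s, true));
    return 0;
}
```

The third scenario is the one the message calls too strict: a mount in a child namespace whose user namespace the caller administers is refused by the own-namespace check but allowed by the uniform rule, while the unmounted case stays refused under both and a namespace the caller has no CAP_SYS_ADMIN over is refused with -EPERM.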

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 51deadb613fb (gso: fix udp gso fraglist segmentation after pull from frag_list) references upstream commit
    a1e40ac5b5e9 which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    3382a1ed7f77 net: fix udp gso skb_segment after pull from frag_list (Shiming Cheng)
  • ⚠️ PR commit 07a50aedff30 (do_change_type(): refuse to operate on unmounted/not ours mounts) references upstream commit
    12f147ddd6de which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    cffd0441872e use uniform permission checks for all mount propagation changes (Al Viro)

This is an automated message from the kernel commit checker workflow.

@PlaidCat
Collaborator Author

🔍 Upstream Linux Kernel Commit Check

* ⚠️ PR commit `51deadb613fb (gso: fix udp gso fraglist segmentation after pull from frag_list)` references upstream commit
  `a1e40ac5b5e9` which has been referenced by a `Fixes:` tag in the upstream
  Linux kernel:
    3382a1ed7f77 net: fix udp gso skb_segment after pull from frag_list (Shiming Cheng)
* ⚠️ PR commit `07a50aedff30 (do_change_type(): refuse to operate on unmounted/not ours mounts)` references upstream commit
  `12f147ddd6de` which has been referenced by a `Fixes:` tag in the upstream
  Linux kernel:
    cffd0441872e use uniform permission checks for all mount propagation changes (Al Viro)

This is an automated message from the kernel commit checker workflow.

These are already present.

Collaborator

@bmastbergen bmastbergen left a comment


🥌

@PlaidCat PlaidCat merged commit 106adb1 into fips-8-compliant/4.18.0-553.16.1 Sep 30, 2025
4 checks passed