
Conversation

bmastbergen
Collaborator

tls: always refresh the queue when reading sock
jira VULN-89195
cve CVE-2025-38471
commit-author Jakub Kicinski <[email protected]>
commit 4ab26bce3969f8fd925fe6f6f551e4d1a508c68b
i2c/designware: Fix an initialization issue
jira VULN-79510
cve CVE-2025-38380
commit-author Michael J. Ruhl <[email protected]>
commit 3d30048958e0d43425f6d4e76565e6249fa71050

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 10s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
--
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  BTF [M] sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1258s
Making Modules
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  STRIP   /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+
[TIMER]{MODULES}: 7s
Making Install
sh ./arch/x86/boot/install.sh 5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+ \
	arch/x86/boot/bzImage System.map "/boot"
[TIMER]{INSTALL}: 126s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 10s
[TIMER]{BUILD}: 1258s
[TIMER]{MODULES}: 7s
[TIMER]{INSTALL}: 126s
[TIMER]{TOTAL} 1419s
Rebooting in 10 seconds

Testing

selftest-5.14.0-427.42.1.el9_4.94ciq_lts.6.2.x86_64.log

selftest-5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+.log

brett@lycia ~/ciq/many-vulns-94-8-21-25
 % grep ^ok selftest-5.14.0-427.42.1.el9_4.94ciq_lts.6.2.x86_64.log | wc -l
336
brett@lycia ~/ciq/many-vulns-94-8-21-25
 % grep ^ok selftest-5.14.0-bmastbergen_ciqlts9_4_many-vulns-8-21-25-5c89329c35c9+.log | wc -l
336

jira VULN-89195
cve CVE-2025-38471
commit-author Jakub Kicinski <[email protected]>
commit 4ab26bc

After recent changes in net-next, TCP compacts skbs much more
aggressively. This unearthed a bug in TLS where we may try
to operate on an old skb when checking if all skbs in the
queue have matching decrypt state and geometry.

    BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
    (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)
    Read of size 4 at addr ffff888013085750 by task tls/13529

    CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme
    Call Trace:
     kasan_report+0xca/0x100
     tls_strp_check_rcv+0x898/0x9a0 [tls]
     tls_rx_rec_wait+0x2c9/0x8d0 [tls]
     tls_sw_recvmsg+0x40f/0x1aa0 [tls]
     inet_recvmsg+0x1c3/0x1f0

Always reload the queue; the fast path is to have the record in the queue
when we wake, anyway (IOW the path going down "if !strp->stm.full_len").

Fixes: 0d87bbd ("tls: strp: make sure the TCP skbs do not have overlapping data")
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 4ab26bc)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-79510
cve CVE-2025-38380
commit-author Michael J. Ruhl <[email protected]>
commit 3d30048

The i2c_dw_xfer_init() function requires msgs and msg_write_idx from the
dev context to be initialized.

amd_i2c_dw_xfer_quirk() inits msgs and msgs_num, but not msg_write_idx.

This could allow an out-of-bounds access (of msgs).

Initialize msg_write_idx before calling i2c_dw_xfer_init().

Reviewed-by: Andy Shevchenko <[email protected]>
Fixes: 17631e8 ("i2c: designware: Add driver support for AMD NAVI GPU")
Cc: <[email protected]> # v5.13+
Signed-off-by: Michael J. Ruhl <[email protected]>
Signed-off-by: Andi Shyti <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
(cherry picked from commit 3d30048)
Signed-off-by: Brett Mastbergen <[email protected]>
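To make the i2c-designware defect in the second commit message concrete, here is an added C model (not kernel code and not part of this PR): the unpatched quirk path sets msgs and msgs_num but leaves msg_write_idx with whatever value the previous transfer left behind, so the i2c_dw_xfer_init() stand-in indexes msgs[] past its end, while the patched variant initialises the index first. The struct layout, the xfer_init_model() bounds check and the 4-then-2 message scenario are simplifications assumed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the driver fields involved; not the kernel's struct dw_i2c_dev. */
struct i2c_msg { uint16_t addr; uint16_t flags; uint16_t len; const uint8_t *buf; };
/* msg_write_idx is the message to be written next; it persists between transfers. */
struct dw_i2c_dev { struct i2c_msg *msgs; int msgs_num; int msg_write_idx; };

/* Stand-in for i2c_dw_xfer_init(), which reads msgs[msg_write_idx] to program the
 * target address. The bounds check is explicit here so a stale index returns -1
 * instead of performing the out-of-bounds read the real driver would do. */
static int xfer_init_model(const struct dw_i2c_dev *dev)
{
    if (dev->msg_write_idx < 0 || dev->msg_write_idx >= dev->msgs_num)
        return -1;   /* would be an OOB read of msgs[] in the driver */
    return dev->msgs[dev->msg_write_idx].addr;
}

/* Before the fix: msgs and msgs_num are set, msg_write_idx is left untouched. */
static int xfer_quirk_before(struct dw_i2c_dev *dev, struct i2c_msg *msgs, int num)
{
    dev->msgs = msgs;
    dev->msgs_num = num;
    return xfer_init_model(dev);
}

/* After the fix: msg_write_idx is initialised before i2c_dw_xfer_init() runs. */
static int xfer_quirk_after(struct dw_i2c_dev *dev, struct i2c_msg *msgs, int num)
{
    dev->msgs = msgs;
    dev->msgs_num = num;
    dev->msg_write_idx = 0;
    return xfer_init_model(dev);
}

/* Constructed scenario: a previous 4-message transfer left msg_write_idx at 3,
 * then a 2-message transfer starts. Returns what the init stand-in observes. */
static int demo(int patched)
{
    struct i2c_msg two[2] = { { 0x50, 0, 0, NULL }, { 0x51, 0, 0, NULL } };
    struct dw_i2c_dev dev = { .msgs = NULL, .msgs_num = 0, .msg_write_idx = 3 };
    return patched ? xfer_quirk_after(&dev, two, 2) : xfer_quirk_before(&dev, two, 2);
}

int main(void)
{
    printf("unpatched: %d (-1 = stale index out of range)\n", demo(0));
    printf("patched:   %d (address of msgs[0])\n", demo(1));
    return 0;
}
```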

@thefossguy-ciq thefossguy-ciq left a comment


🚤

@bmastbergen bmastbergen merged commit efe5591 into ciqlts9_4 Aug 22, 2025
5 checks passed
@bmastbergen bmastbergen deleted the bmastbergen_ciqlts9_4/many-vulns-8-21-25 branch August 22, 2025 17:39