

@bmastbergen bmastbergen commented Aug 22, 2025

Summary

Besides a handful of VULNs, this PR also switches the build-check GitHub Action to use a centos:7 container, since the previous rinse/chroot method has mysteriously stopped working 🤷‍♂️

Commit Summaries

    ALSA: usb-audio: Fix a DMA to stack memory bug

    jira VULN-46737
    cve-bf CVE-2024-53197
    commit-author Dan Carpenter <[email protected]>
    commit f7d306b47a24367302bd4fe846854e07752ffcd9
    upstream-diff Use 5.10 LT commit e7c1fcdda47b0633c4b2b5d0db73d442ac35c071
                  This kernel doesn't have snd_usb_mbox3_boot_quirk(),
                  so that change hunk from the upstream commit isn't
                  necessary.  Also this kernel doesn't have the __free
                  annotation, so this version calls kfree the good
                  old fashioned way

    ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

    jira VULN-46737
    cve CVE-2024-53197
    commit-author Benoît Sevens <[email protected]>
    commit b909df18ce2a998afef81d58bbd1a05dc0788c40
    upstream-diff This kernel doesn't have snd_usb_mbox3_boot_quirk(),
                  so that change hunk from the upstream commit isn't
                  necessary.

    fuse: fix pipe buffer lifetime for direct_io

    jira VULN-7917
    cve CVE-2022-1011
    commit-author Miklos Szeredi <[email protected]>
    commit 0c4bcfdecb1ac0967619ee7ff44871d93c08c909
    upstream-diff Used 4.19 LT commit 99db28212be68030c1db3a525f6bbdce39b039e9
                  because page info is in fuse_req in this kernel as opposed
                  to fuse_args in upstream

    HID: core: zero-initialize the report buffer

    jira VULN-40845
    cve CVE-2024-50302
    commit-author Jiri Kosina <[email protected]>
    commit 177f25d1292c7e16e1199b39c85480f7f8815552

    net: atm: fix use after free in lec_send()

    jira VULN-56261
    cve CVE-2025-22004
    commit-author Dan Carpenter <[email protected]>
    commit f3009d0d6ab78053117f8857b921a8237f4d17b3

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 8s
x86_64 architecture detected, copying config
‘configs/kernel-3.10.0-x86_64.config’ -> ‘.config’
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqcbr7_9_many-vulns-8-22-25-07d158c"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf --silentoldconfig Kconfig
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
--
  H16TOFW firmware/edgeport/down2.fw
  IHEX2FW firmware/whiteheat_loader.fw
  IHEX2FW firmware/whiteheat.fw
  IHEX2FW firmware/keyspan_pda/keyspan_pda.fw
  IHEX2FW firmware/keyspan_pda/xircom_pgs.fw
[TIMER]{BUILD}: 516s
Making Modules
  INSTALL arch/x86/crypto/ablk_helper.ko
  INSTALL arch/x86/crypto/aesni-intel.ko
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
--
  INSTALL /lib/firmware/whiteheat.fw
  INSTALL /lib/firmware/whiteheat_loader.fw
  INSTALL /lib/firmware/keyspan_pda/keyspan_pda.fw
  INSTALL /lib/firmware/keyspan_pda/xircom_pgs.fw
  DEPMOD  3.10.0-bmastbergen_ciqcbr7_9_many-vulns-8-22-25-07d158c+
[TIMER]{MODULES}: 13s
Making Install
sh ./arch/x86/boot/install.sh 3.10.0-bmastbergen_ciqcbr7_9_many-vulns-8-22-25-07d158c+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 42s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-8-22-25-07d158c+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 8s
[TIMER]{BUILD}: 516s
[TIMER]{MODULES}: 13s
[TIMER]{INSTALL}: 42s
[TIMER]{TOTAL} 586s
Rebooting in 10 seconds

Testing

selftest-3.10.0-1160.119.1.el7_9.ciqcbr.7.1.x86_64.log

selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-8-22-25-8b93ba8+.log

brett@lycia ~/ciq/many-79-vulns-8-22-25
 % grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.7.1.x86_64.log | wc -l
2
brett@lycia ~/ciq/many-79-vulns-8-22-25
 % grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-8-22-25-8b93ba8+.log | wc -l
2

jira VULN-56261
cve CVE-2025-22004
commit-author Dan Carpenter <[email protected]>
commit f3009d0

The ->send() operation frees skb so save the length before calling
->send() to avoid a use after free.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Signed-off-by: Dan Carpenter <[email protected]>
	Reviewed-by: Simon Horman <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Paolo Abeni <[email protected]>

(cherry picked from commit f3009d0)
	Signed-off-by: Brett Mastbergen <[email protected]>
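The pattern the lec_send() fix addresses, as an added user-space model that is not code from the PR or from the kernel: a fake skb is handed to a ->send() callback that consumes (frees) it, and the caller then reads skb->len. The fake kfree() poisons the block and keeps it instead of returning it to the system allocator, so the stale read is deterministic and visible rather than undefined behaviour. The skb layout, the 0xDD poison byte and the lengths are constructed for this example.

```c
/* Added example: user-space model of the lec_send() use-after-free fixed
 * by f3009d0d6ab7 (not kernel code). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fake_skb {
    size_t len;               /* payload length, the value lec_send() reports */
    unsigned char data[64];   /* constructed payload area */
};

/* Model of kfree(): poison the block with 0xDD and park it instead of
 * freeing it, so a later read shows the stale contents deterministically. */
static struct fake_skb *freed_blocks[16];
static int nfreed;

static void fake_kfree(struct fake_skb *skb)
{
    memset(skb, 0xDD, sizeof(*skb));
    if (nfreed < 16)
        freed_blocks[nfreed++] = skb;
}

/* Model of dev->send(): consumes the skb, frees it, returns bytes sent. */
static int fake_send(struct fake_skb *skb)
{
    size_t sent = skb->len;
    fake_kfree(skb);
    return (int)sent;
}

/* Vulnerable pattern (before the fix): skb->len is read after ->send(). */
static size_t lec_send_buggy(struct fake_skb *skb)
{
    fake_send(skb);
    return skb->len;   /* use-after-free: skb was freed inside fake_send() */
}

/* Fixed pattern: save the length before ->send() consumes the skb. */
static size_t lec_send_fixed(struct fake_skb *skb)
{
    size_t len = skb->len;
    fake_send(skb);
    return len;
}

/* What a size_t read from poisoned memory looks like (all bytes 0xDD). */
static size_t poisoned_len(void)
{
    size_t v;
    memset(&v, 0xDD, sizeof v);
    return v;
}

static struct fake_skb *make_skb(size_t len)
{
    struct fake_skb *skb = malloc(sizeof(*skb));
    if (!skb)
        abort();
    memset(skb, 0, sizeof(*skb));
    skb->len = len;
    return skb;
}

/* Return the parked blocks to the allocator once the demonstration is over. */
static void release_freed(void)
{
    while (nfreed > 0)
        free(freed_blocks[--nfreed]);
}

int main(void)
{
    printf("fixed : %zu\n", lec_send_fixed(make_skb(42)));
    printf("buggy : %zu (poisoned value is %zu)\n",
           lec_send_buggy(make_skb(42)), poisoned_len());
    release_freed();
    return 0;
}
```

In the real driver the freed slab object can be reallocated before the stale read, so the value returned is attacker-influenced rather than a fixed poison; the model only makes the ordering problem visible.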

jira VULN-40845
cve CVE-2024-50302
commit-author Jiri Kosina <[email protected]>
commit 177f25d

Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.

Fixes: 27ce405 ("HID: fix data access in implement()")
	Reported-by: Benoît Sevens <[email protected]>
	Acked-by: Benjamin Tissoires <[email protected]>
	Signed-off-by: Jiri Kosina <[email protected]>
(cherry picked from commit 177f25d)
	Signed-off-by: Brett Mastbergen <[email protected]>
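Why zero-initialising the report buffer matters, as an added user-space model that is not code from the PR or from the kernel: a buffer sized for the largest report is allocated, a device delivers a shorter (constructed) report, and the whole buffer is then handed onward as the report. With a plain allocation the unwritten tail carries whatever the allocator left behind (simulated here by pre-filling the block with a marker byte); with a zeroed allocation, as in the upstream fix, it does not. The buffer length, the 0x5A marker and the 4-byte report are constructed for this example.

```c
/* Added example: user-space model of the HID report-buffer disclosure that
 * 177f25d1292c closes by zero-initialising the buffer (not kernel code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REPORT_BUF_LEN 16

/* Model of kmalloc(): the block still holds a previous owner's data.
 * The stale 0x5A bytes stand in for leftover kernel memory. */
static void *fake_kmalloc(size_t len)
{
    unsigned char *p = malloc(len);
    if (!p)
        abort();
    memset(p, 0x5A, len);
    return p;
}

/* Model of kzalloc(): what the fix allocates with. */
static void *fake_kzalloc(size_t len)
{
    void *p = malloc(len);
    if (!p)
        abort();
    memset(p, 0, len);
    return p;
}

/* Model of a driver receiving a report: copy what the device actually sent,
 * then pass the full buffer onward as a driver trusting the declared report
 * size would.  Returns the number of bytes handed onward. */
static size_t deliver_report(unsigned char *buf, const unsigned char *dev_data,
                             size_t dev_len, unsigned char *out)
{
    if (dev_len > REPORT_BUF_LEN)
        dev_len = REPORT_BUF_LEN;
    memcpy(buf, dev_data, dev_len);
    memcpy(out, buf, REPORT_BUF_LEN);
    return REPORT_BUF_LEN;
}

/* Count bytes beyond the device-supplied length that are non-zero, i.e.
 * bytes the reader receives that the device never sent. */
static size_t leaked_bytes(bool zeroed)
{
    static const unsigned char dev_data[4] = {0x01, 0x02, 0x03, 0x04}; /* constructed short report */
    unsigned char *buf = zeroed ? fake_kzalloc(REPORT_BUF_LEN)
                                : fake_kmalloc(REPORT_BUF_LEN);
    unsigned char out[REPORT_BUF_LEN];
    size_t n = deliver_report(buf, dev_data, sizeof dev_data, out);
    size_t leaked = 0;

    for (size_t i = sizeof dev_data; i < n; i++)
        if (out[i] != 0)
            leaked++;
    free(buf);
    return leaked;
}

int main(void)
{
    printf("kmalloc buffer: %zu stale bytes exposed\n", leaked_bytes(false));
    printf("kzalloc buffer: %zu stale bytes exposed\n", leaked_bytes(true));
    return 0;
}
```

Zeroing at allocation is the right layer for the fix because, as the commit message notes, many drivers consume the buffer in different ways; fixing each short-report path individually would leave the next one exposed.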

jira VULN-7917
cve CVE-2022-1011
commit-author Miklos Szeredi <[email protected]>
commit 0c4bcfd
upstream-diff Used 4.19 LT commit 99db282
              because page info is in fuse_req in this kernel as opposed
              to fuse_args in upstream

In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls
fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then
imports the write buffer with fuse_get_user_pages(), which uses
iov_iter_get_pages() to grab references to userspace pages instead of
actually copying memory.

On the filesystem device side, these pages can then either be read to
userspace (via fuse_dev_read()), or splice()d over into a pipe using
fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops.

This is wrong because after fuse_dev_do_read() unlocks the FUSE request,
the userspace filesystem can mark the request as completed, causing write()
to return. At that point, the userspace filesystem should no longer have
access to the pipe buffer.

Fix by copying pages coming from the user address space to new pipe
buffers.

	Reported-by: Jann Horn <[email protected]>
Fixes: c302162 ("fuse: support splice() reading from fuse device")
	Cc: <[email protected]>
	Signed-off-by: Miklos Szeredi <[email protected]>
(cherry picked from commit 0c4bcfd)
	Signed-off-by: Brett Mastbergen <[email protected]>

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 07d158c23913 (ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices) references upstream commit
    b909df18ce2a which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    f7d306b47a24 ALSA: usb-audio: Fix a DMA to stack memory bug (Dan Carpenter)

This is an automated message from the kernel commit checker workflow.

@ctrliq ctrliq deleted a comment from github-actions bot Aug 22, 2025
@bmastbergen bmastbergen force-pushed the bmastbergen_ciqcbr7_9/many-vulns-8-22-25 branch from e256926 to 8b93ba8 Compare August 22, 2025 19:29
@ctrliq ctrliq deleted a comment from github-actions bot Aug 22, 2025
@bmastbergen bmastbergen force-pushed the bmastbergen_ciqcbr7_9/many-vulns-8-22-25 branch 2 times, most recently from 535c46d to 64aa322 Compare August 25, 2025 13:51

@bmastbergen bmastbergen force-pushed the bmastbergen_ciqcbr7_9/many-vulns-8-22-25 branch 5 times, most recently from d9f19cb to c3d72d1 Compare August 25, 2025 16:25
@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@bmastbergen (Collaborator, Author):

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 07d158c23913 (ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices) references upstream commit
    b909df18ce2a which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    f7d306b47a24 ALSA: usb-audio: Fix a DMA to stack memory bug (Dan Carpenter)

This is an automated message from the kernel commit checker workflow.

This upstream fix has been added to the PR 👍

@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@ctrliq ctrliq deleted a comment from github-actions bot Aug 25, 2025
@thefossguy-ciq thefossguy-ciq left a comment

🚤

Comment on lines 43 to 46
git clone --branch c7 --single-branch https://git.centos.org/rpms/kernel.git kernel-dist-git
cd kernel-dist-git
git reset --hard imports/c7/kernel-3.10.0-1160.119.1.el7
cd ..

Tags are syntactically equivalent to branches, so these four lines can be simplified into:

git clone --branch imports/c7/kernel-3.10.0-1160.119.1.el7 --depth 1 https://git.centos.org/rpms/kernel.git kernel-dist-git

And using --depth 1 instead of --single-branch produces an even smaller clone because it won't fetch any history at all. (and --depth implies --single-branch)

@bmastbergen (Collaborator, Author):

Yea, but then you are left in a yucky detached head state. j/k. It is better as a one liner. Changed. Thanks!

@@ -1010,7 +1020,6 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev)
return 0;
}
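Review bot: the hunk header `@@ -1010,7 +1020,6 @@` shows seven original lines becoming six, so one line was dropped from the context right after `snd_usb_axefx3_boot_quirk()` returns; since the upstream patch does not touch this spot, restore the blank line so the backport's diff stays limited to the upstream change.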



Stray newline deletion; the upstream patch doesn't have this.

@bmastbergen (Collaborator, Author):

Good catch. Fixed.

…box devices

jira VULN-46737
cve CVE-2024-53197
commit-author Benoît Sevens <[email protected]>
commit b909df1
upstream-diff This kernel doesn't have snd_usb_mbox3_boot_quirk(),
              so that change hunk from the upstream commit isn't
              necessary.

A bogus device can provide a bNumConfigurations value that exceeds the
initial value used in usb_get_configuration for allocating dev->config.

This can lead to out-of-bounds accesses later, e.g. in
usb_destroy_configuration.

	Signed-off-by: Benoît Sevens <[email protected]>
Fixes: 1da177e ("Linux-2.6.12-rc2")
	Cc: [email protected]
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Takashi Iwai <[email protected]>
(cherry picked from commit b909df1)
	Signed-off-by: Brett Mastbergen <[email protected]>

jira VULN-46737
cve-bf CVE-2024-53197
commit-author Dan Carpenter <[email protected]>
commit f7d306b
upstream-diff Use 5.10 LT commit e7c1fcd
              This kernel doesn't have snd_usb_mbox3_boot_quirk(),
              so that change hunk from the upstream commit isn't
              necessary.  Also this kernel doesn't have the __free
              annotation, so this version calls kfree the good
              old fashioned way

The usb_get_descriptor() function does DMA so we're not allowed
to use a stack buffer for that.  Doing DMA to the stack is not portable
to all architectures.  Move the "new_device_descriptor" from being stored
on the stack and allocate it with kmalloc() instead.

Fixes: b909df1 ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
	Cc: [email protected]
	Signed-off-by: Dan Carpenter <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Takashi Iwai <[email protected]>
(cherry picked from commit f7d306b)
	Signed-off-by: Brett Mastbergen <[email protected]>

For some reason creating a centos-7 chroot with rinse has
stopped working.  Switch to a centos-7 container, which actually
brings this build check more in line with all of the other branches.

Note: We are checking out the code manually because centos-7 is too
old to work properly with actions/checkout@v4
@bmastbergen bmastbergen force-pushed the bmastbergen_ciqcbr7_9/many-vulns-8-22-25 branch from c3d72d1 to 1f96054 Compare August 27, 2025 13:25
@ctrliq ctrliq deleted a comment from github-actions bot Aug 27, 2025
3 participants