[fips-legacy-8] Many VULNs 9-9-25 #566

bmastbergen · 2025-09-10T14:37:29Z

Commits

    KVM: x86: do not report a vCPU as preempted outside instruction boundaries

    jira VULN-8766
    cve CVE-2022-39189
    commit-author Paolo Bonzini <[email protected]>
    commit 6cd88243c7e03845a450795e134b488fc2afb736

    devlink: Fix use-after-free after a failed reload

    jira VULN-8764
    cve CVE-2022-3625
    commit-author Ido Schimmel <[email protected]>
    commit 6b4db2e528f650c7fb712961aac36455468d5902

    nfp: fix use-after-free in area_cache_get()

    jira VULN-8757
    cve CVE-2022-3545
    commit-author Jialiang Wang <[email protected]>
    commit 02e1a114fdb71e59ee6770294166c30d437bf86a

    media: em28xx: initialize refcount before kref_get

    jira VULN-8755
    cve CVE-2022-3239
    commit-author Dongliang Mu <[email protected]>
    commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d

    igmp: Add ip_mc_list lock in ip_check_mc_rcu

    jira VULN-8753
    cve CVE-2022-20141
    commit-author Liu Jian <[email protected]>
    commit 23d2b94043ca8835bd1e67749020e839f396a1c2

    can: peak_usb: fix use after free bugs

    jira VULN-64820
    cve CVE-2021-47670
    commit-author Vincent Mailhol <[email protected]>
    commit 50aca891d7a554db0901b245167cd653d73aaa71

    net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send

    jira VULN-8741
    cve CVE-2021-47013
    commit-author Lv Yunlong <[email protected]>
    commit 6d72e7c767acbbdd44ebc7d89c6690b405b32b57

    posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

    jira VULN-136691
    cve CVE-2025-38352
    commit-author Oleg Nesterov <[email protected]>
    commit f90fff1e152dedf52b932240ebbd670d83330eca
    upstream-diff Used 5.4 LT 78a4b8e3795b31dae58762bc091bb0f4f74a2200 version

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 12s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_fips-legacy-8-compliant_4.18.0-425.13.1_m"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 997s
Making Modules
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/usb/usx2y/snd-usb-usx2y.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-bmastbergen_fips-legacy-8-compliant_4.18.0-425.13.1_m+
[TIMER]{MODULES}: 12s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-bmastbergen_fips-legacy-8-compliant_4.18.0-425.13.1_m+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 85s
Checking kABI
kABI check passed
Setting Default Kernel to  and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 12s
[TIMER]{BUILD}: 997s
[TIMER]{MODULES}: 12s
[TIMER]{INSTALL}: 85s
[TIMER]{TOTAL} 1119s
Rebooting in 10 seconds

Testing

selftest-4.18.0-425.13.1.el8.ciqfipscompliant.43.1.x86_64.log

selftest-4.18.0-bmastbergen_fips-legacy-8-compliant_4.18.0-425.13.1_m+.log

brett@lycia ~/ciq/many-fl8-vulns-9-9-25
 % grep ^ok selftest-4.18.0-425.13.1.el8.ciqfipscompliant.43.1.x86_64.log | wc -l
224
brett@lycia ~/ciq/many-fl8-vulns-9-9-25
 % grep ^ok selftest-4.18.0-bmastbergen_fips-legacy-8-compliant_4.18.0-425.13.1_m+.log | wc -l
224

…x_cpu_timer_del() jira VULN-136691 cve CVE-2025-38352 commit-author Oleg Nesterov <[email protected]> commit f90fff1 upstream-diff Used 5.4 LT 78a4b8e3795b31dae58762bc091bb0f4f74a2200 version If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. Cc: [email protected] Reported-by: Benoît Sevens <[email protected]> Fixes: 0bdd2ed ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()") Signed-off-by: Oleg Nesterov <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> (cherry picked from commit f90fff1) Signed-off-by: Brett Mastbergen <[email protected]>

jira VULN-8741 cve CVE-2021-47013 commit-author Lv Yunlong <[email protected]> commit 6d72e7c In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). If some error happens in emac_tx_fill_tpd(), the skb will be freed via dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd(). But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len, thus my patch assigns skb->len to 'len' before the possible free and use 'len' instead of skb->len later. Fixes: b9b17de ("net: emac: emac gigabit ethernet controller driver") Signed-off-by: Lv Yunlong <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 6d72e7c) Signed-off-by: Brett Mastbergen <[email protected]>

jira VULN-64820 cve CVE-2021-47670 commit-author Vincent Mailhol <[email protected]> commit 50aca89 After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the peak_usb_netif_rx_ni(). Reordering the lines solves the issue. Fixes: 0a25e1f ("can: peak_usb: add support for PEAK new CANFD USB adapters") Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Vincent Mailhol <[email protected]> Signed-off-by: Marc Kleine-Budde <[email protected]> (cherry picked from commit 50aca89) Signed-off-by: Brett Mastbergen <[email protected]>

jira VULN-8753 cve CVE-2022-20141 commit-author Liu Jian <[email protected]> commit 23d2b94 I got below panic when doing fuzz test: Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 4056 Comm: syz-executor.3 Tainted: G B 5.14.0-rc1-00195-gcff5c4254439-dirty #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x7a/0x9b panic+0x2cd/0x5af end_report.cold+0x5a/0x5a kasan_report+0xec/0x110 ip_check_mc_rcu+0x556/0x5d0 __mkroute_output+0x895/0x1740 ip_route_output_key_hash_rcu+0x2d0/0x1050 ip_route_output_key_hash+0x182/0x2e0 ip_route_output_flow+0x28/0x130 udp_sendmsg+0x165d/0x2280 udpv6_sendmsg+0x121e/0x24f0 inet6_sendmsg+0xf7/0x140 sock_sendmsg+0xe9/0x180 ____sys_sendmsg+0x2b8/0x7a0 ___sys_sendmsg+0xf0/0x160 __sys_sendmmsg+0x17e/0x3c0 __x64_sys_sendmmsg+0x9e/0x100 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x462eb9 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3df5af1c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462eb9 RDX: 0000000000000312 RSI: 0000000020001700 RDI: 0000000000000007 RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3df5af26bc R13: 00000000004c372d R14: 0000000000700b10 R15: 00000000ffffffff It is one use-after-free in ip_check_mc_rcu. In ip_mc_del_src, the ip_sf_list of pmc has been freed under pmc->lock protection. But access to ip_sf_list in ip_check_mc_rcu is not protected by the lock. Signed-off-by: Liu Jian <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 23d2b94) Signed-off-by: Brett Mastbergen <[email protected]>

jira VULN-8755 cve CVE-2022-3239 commit-author Dongliang Mu <[email protected]> commit c08eadc The commit 47677e5("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") adds kref_get to many init functions (e.g., em28xx_audio_init). However, kref_init is called too late in em28xx_usb_probe, since em28xx_init_dev before will invoke those init functions and call kref_get function. Then refcount bug occurs in my local syzkaller instance. Fix it by moving kref_init before em28xx_init_dev. This issue occurs not only in dev but also dev->dev_next. Fixes: 47677e5 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") Reported-by: syzkaller <[email protected]> Signed-off-by: Dongliang Mu <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> (cherry picked from commit c08eadc) Signed-off-by: Brett Mastbergen <[email protected]>

jira VULN-8757 cve CVE-2022-3545 commit-author Jialiang Wang <[email protected]> commit 02e1a11 area_cache_get() is used to distribute cache->area and set cache->id, and if cache->id is not 0 and cache->area->kref refcount is 0, it will release the cache->area by nfp_cpp_area_release(). area_cache_get() set cache->id before cpp->op->area_init() and nfp_cpp_area_acquire(). But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is is already set but the refcount is not increased as expected. At this time, calling the nfp_cpp_area_release() will cause use-after-free. To avoid the use-after-free, set cache->id after area_init() and nfp_cpp_area_acquire() complete successfully. Note: This vulnerability is triggerable by providing emulated device equipped with specified configuration. BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1 Call Trace: <TASK> nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760) area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884) Allocated by task 1: nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303) nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802) nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230) nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215) nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744) Freed by task 1: kfree (mm/slub.c:4562) area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873) nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973) nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48) Signed-off-by: Jialiang Wang <[email protected]> Reviewed-by: Yinjun Zhang <[email protected]> Acked-by: Simon Horman <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit 02e1a11) Signed-off-by: Brett Mastbergen <[email protected]>

jira VULN-8764 cve CVE-2022-3625 commit-author Ido Schimmel <[email protected]> commit 6b4db2e After a failed devlink reload, devlink parameters are still registered, which means user space can set and get their values. In the case of the mlxsw "acl_region_rehash_interval" parameter, these operations will trigger a use-after-free [1]. Fix this by rejecting set and get operations while in the failed state. Return the "-EOPNOTSUPP" error code which does not abort the parameters dump, but instead causes it to skip over the problematic parameter. Another possible fix is to perform these checks in the mlxsw parameter callbacks, but other drivers might be affected by the same problem and I am not aware of scenarios where these stricter checks will cause a regression. [1] mlxsw_spectrum3 0000:00:10.0: Port 125: Failed to register netdev mlxsw_spectrum3 0000:00:10.0: Failed to create ports ================================================================== BUG: KASAN: use-after-free in mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904 Read of size 4 at addr ffff8880099dcfd8 by task kworker/u4:4/777 CPU: 1 PID: 777 Comm: kworker/u4:4 Not tainted 5.19.0-rc7-custom-126601-gfe26f28c586d #1 Hardware name: QEMU MSN4700, BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x92/0xbd lib/dump_stack.c:106 print_address_description mm/kasan/report.c:313 [inline] print_report.cold+0x5e/0x5cf mm/kasan/report.c:429 kasan_report+0xb9/0xf0 mm/kasan/report.c:491 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report_generic.c:306 mlxsw_sp_acl_tcam_vregion_rehash_intrvl_get+0xbd/0xd0 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:904 mlxsw_sp_acl_region_rehash_intrvl_get+0x49/0x60 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c:1106 mlxsw_sp_params_acl_region_rehash_intrvl_get+0x33/0x80 drivers/net/ethernet/mellanox/mlxsw/spectrum.c:3854 devlink_param_get net/core/devlink.c:4981 [inline] devlink_nl_param_fill+0x238/0x12d0 net/core/devlink.c:5089 devlink_param_notify+0xe5/0x230 net/core/devlink.c:5168 devlink_ns_change_notify net/core/devlink.c:4417 [inline] devlink_ns_change_notify net/core/devlink.c:4396 [inline] devlink_reload+0x15f/0x700 net/core/devlink.c:4507 devlink_pernet_pre_exit+0x112/0x1d0 net/core/devlink.c:12272 ops_pre_exit_list net/core/net_namespace.c:152 [inline] cleanup_net+0x494/0xc00 net/core/net_namespace.c:582 process_one_work+0x9fc/0x1710 kernel/workqueue.c:2289 worker_thread+0x675/0x10b0 kernel/workqueue.c:2436 kthread+0x30c/0x3d0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 </TASK> The buggy address belongs to the physical page: page:ffffea0000267700 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99dc flags: 0x100000000000000(node=0|zone=1) raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880099dce80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880099dcf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880099dcf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880099dd000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880099dd080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Fixes: 98bbf70 ("mlxsw: spectrum: add "acl_region_rehash_interval" devlink param") Signed-off-by: Ido Schimmel <[email protected]> Reviewed-by: Jiri Pirko <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 6b4db2e) Signed-off-by: Brett Mastbergen <[email protected]>

…aries jira VULN-8766 cve CVE-2022-39189 commit-author Paolo Bonzini <[email protected]> commit 6cd8824 If a vCPU is outside guest mode and is scheduled out, it might be in the process of making a memory access. A problem occurs if another vCPU uses the PV TLB flush feature during the period when the vCPU is scheduled out, and a virtual address has already been translated but has not yet been accessed, because this is equivalent to using a stale TLB entry. To avoid this, only report a vCPU as preempted if sure that the guest is at an instruction boundary. A rescheduling request will be delivered to the host physical CPU as an external interrupt, so for simplicity consider any vmexit *not* instruction boundary except for external interrupts. It would in principle be okay to report the vCPU as preempted also if it is sleeping in kvm_vcpu_block(): a TLB flush IPI will incur the vmentry/vmexit overhead unnecessarily, and optimistic spinning is also unlikely to succeed. However, leave it for later because right now kvm_vcpu_check_block() is doing memory accesses. Even though the TLB flush issue only applies to virtual memory address, it's very much preferrable to be conservative. Reported-by: Jann Horn <[email protected]> Signed-off-by: Paolo Bonzini <[email protected]> (cherry picked from commit 6cd8824) Signed-off-by: Brett Mastbergen <[email protected]>

PlaidCat

bmastbergen added 8 commits September 9, 2025 16:02

bmastbergen requested review from kerneltoast, PlaidCat, thefossguy-ciq and shreeya-patel98 September 10, 2025 14:58

PlaidCat approved these changes Sep 10, 2025

View reviewed changes

shreeya-patel98 approved these changes Sep 11, 2025

View reviewed changes

bmastbergen merged commit fdf8efb into fips-legacy-8-compliant/4.18.0-425.13.1 Sep 11, 2025
2 checks passed

bmastbergen deleted the bmastbergen_fips-legacy-8-compliant/4.18.0-425.13.1/many-vulns-9-9-25 branch September 11, 2025 13:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[fips-legacy-8] Many VULNs 9-9-25 #566

[fips-legacy-8] Many VULNs 9-9-25 #566

Uh oh!

bmastbergen commented Sep 10, 2025

Uh oh!

PlaidCat left a comment

Uh oh!

Uh oh!

Uh oh!

[fips-legacy-8] Many VULNs 9-9-25 #566

[fips-legacy-8] Many VULNs 9-9-25 #566

Uh oh!

Conversation

bmastbergen commented Sep 10, 2025

Commits

Build Log

Testing

Uh oh!

PlaidCat left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!