
bmastbergen

Background

Clean cherry-picks except for 8bd67eb. The upstream change uses kfree_skb_reason which doesn't exist in this kernel and isn't a simple backport. So I used the 5.10 LT backport which just calls kfree_skb. There were a couple of trivial prerequisites that were backported (2034d90 and 482ad2a) for this change.

Commits

    skbuff: skb_segment, Call zero copy functions before using skbuff frags

    jira VULN-155411
    cve CVE-2023-53354
    commit-author Mohamed Khalfella <[email protected]>
    commit 2ea35288c83b3d501a88bc17f2df8f176b5cc96f
    net: bridge: xmit: make sure we have at least eth header len bytes

    jira VULN-5468
    cve CVE-2024-38538
    commit-author Nikolay Aleksandrov <[email protected]>
    commit 8bd67ebb50c0145fd2ca8681ab65eb7e8cde1afc
    upstream-diff Use 5.10 LT 82090f94c723dab724b1c32db406091d40448a17
                  because this kernel doesn't have kfree_skb_reason
    net: treat possible_net_t net pointer as an RCU one and add read_pnet_rcu()

    jira VULN-54026
    cve-pre CVE-2025-21764
    commit-author Jiri Pirko <[email protected]>
    commit 2034d90ae41ae93e30d492ebcf1f06f97a9cfba6
    net: add dev_net_rcu() helper

    jira VULN-54026
    cve-pre CVE-2025-21764
    commit-author Eric Dumazet <[email protected]>
    commit 482ad2a4ace2740ca0ff1cbc8f3c7f862f3ab507
    ndisc: use RCU protection in ndisc_alloc_skb()

    jira VULN-54026
    cve CVE-2025-21764
    commit-author Eric Dumazet <[email protected]>
    commit 628e6d18930bbd21f2d4562228afe27694f66da9
    i2c/designware: Fix an initialization issue

    jira VULN-79509
    cve CVE-2025-38380
    commit-author Michael J. Ruhl <[email protected]>
    commit 3d30048958e0d43425f6d4e76565e6249fa71050
    tls: always refresh the queue when reading sock

    jira VULN-89194
    cve CVE-2025-38471
    commit-author Jakub Kicinski <[email protected]>
    commit 4ab26bce3969f8fd925fe6f6f551e4d1a508c68b

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 12s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] virt/lib/irqbypass.ko
  BTF [M] sound/virtio/virtio_snd.ko
  BTF [M] sound/xen/snd_xen_front.ko
[TIMER]{BUILD}: 944s
Making Modules
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
--
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+
[TIMER]{MODULES}: 7s
Making Install
sh ./arch/x86/boot/install.sh \
	5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 57s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+ and Index to 2
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 12s
[TIMER]{BUILD}: 944s
[TIMER]{MODULES}: 7s
[TIMER]{INSTALL}: 57s
[TIMER]{TOTAL} 1040s
Rebooting in 10 seconds

Testing

selftest-5.14.0-284.30.1.el9_2.92ciq_lts.11.1.x86_64-1.log

selftest-5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+-1.log

brett@lycia ~/ciq/many-92-vulns-9-29-25
 % grep ^ok selftest-5.14.0-284.30.1.el9_2.92ciq_lts.11.1.x86_64-1.log | wc -l
343
brett@lycia ~/ciq/many-92-vulns-9-29-25
 % grep ^ok selftest-5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+-1.log | wc -l
344
brett@lycia ~/ciq/many-92-vulns-9-29-25
 % grep ok <(diff -adU0 <(grep ^ok selftest-5.14.0-284.30.1.el9_2.92ciq_lts.11.1.x86_64-1.log | sort -h) <(grep ^ok selftest-5.14.0-bmastbergen_ciqlts9_2_many-vulns-9-29-25-d2412ebce8ab+-1.log | sort -h))
-ok 1 selftests: livepatch: test-livepatch.sh # SKIP
+ok 1 selftests: livepatch: test-livepatch.sh
-ok 1 selftests: vm: run_vmtests.sh # SKIP
-ok 1 selftests: zram: zram.sh # SKIP
+ok 1 selftests: zram: zram.sh
-ok 2 selftests: livepatch: test-callbacks.sh # SKIP
+ok 2 selftests: livepatch: test-callbacks.sh
+ok 32 selftests: net: l2tp.sh
-ok 3 selftests: livepatch: test-shadow-vars.sh # SKIP
+ok 3 selftests: livepatch: test-shadow-vars.sh
+ok 47 selftests: net: drop_monitor_tests.sh
-ok 4 selftests: livepatch: test-state.sh # SKIP
+ok 4 selftests: livepatch: test-state.sh
-ok 58 selftests: kvm: max_guest_memory_test
-ok 5 selftests: livepatch: test-ftrace.sh # SKIP
+ok 5 selftests: livepatch: test-ftrace.sh
+ok 9 selftests: net: test_bpf.sh
brett@lycia ~/ciq/many-92-vulns-9-29-25
 %

jira VULN-155411
cve CVE-2023-53354
commit-author Mohamed Khalfella <[email protected]>
commit 2ea3528

Commit bf5c25d ("skbuff: in skb_segment, call zerocopy functions
once per nskb") added the call to zero copy functions in skb_segment().
The change introduced a bug in skb_segment() because skb_orphan_frags()
may possibly change the number of fragments or allocate new fragments
altogether leaving nrfrags and frag to point to the old values. This can
cause a panic with stacktrace like the one below.

[  193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc
[  193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G           O      5.15.123+ #26
[  193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0
[  194.021892] Call Trace:
[  194.027422]  <TASK>
[  194.072861]  tcp_gso_segment+0x107/0x540
[  194.082031]  inet_gso_segment+0x15c/0x3d0
[  194.090783]  skb_mac_gso_segment+0x9f/0x110
[  194.095016]  __skb_gso_segment+0xc1/0x190
[  194.103131]  netem_enqueue+0x290/0xb10 [sch_netem]
[  194.107071]  dev_qdisc_enqueue+0x16/0x70
[  194.110884]  __dev_queue_xmit+0x63b/0xb30
[  194.121670]  bond_start_xmit+0x159/0x380 [bonding]
[  194.128506]  dev_hard_start_xmit+0xc3/0x1e0
[  194.131787]  __dev_queue_xmit+0x8a0/0xb30
[  194.138225]  macvlan_start_xmit+0x4f/0x100 [macvlan]
[  194.141477]  dev_hard_start_xmit+0xc3/0x1e0
[  194.144622]  sch_direct_xmit+0xe3/0x280
[  194.147748]  __dev_queue_xmit+0x54a/0xb30
[  194.154131]  tap_get_user+0x2a8/0x9c0 [tap]
[  194.157358]  tap_sendmsg+0x52/0x8e0 [tap]
[  194.167049]  handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]
[  194.173631]  handle_tx+0xcd/0xe0 [vhost_net]
[  194.176959]  vhost_worker+0x76/0xb0 [vhost]
[  194.183667]  kthread+0x118/0x140
[  194.190358]  ret_from_fork+0x1f/0x30
[  194.193670]  </TASK>

In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags
local variable in skb_segment() stale. This resulted in the code hitting
i >= nrfrags prematurely and trying to move to next frag_skb using
list_skb pointer, which was NULL, and caused kernel panic. Move the call
to zero copy functions before using frags and nr_frags.

Fixes: bf5c25d ("skbuff: in skb_segment, call zerocopy functions once per nskb")
	Signed-off-by: Mohamed Khalfella <[email protected]>
	Reported-by: Amit Goyal <[email protected]>
	Cc: [email protected]
	Reviewed-by: Eric Dumazet <[email protected]>
	Signed-off-by: David S. Miller <[email protected]>
(cherry picked from commit 2ea3528)
	Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-5468
cve CVE-2024-38538
commit-author Nikolay Aleksandrov <[email protected]>
commit 8bd67eb
upstream-diff Use 5.10 LT 82090f9
              because this kernel doesn't have kfree_skb_reason

syzbot triggered an uninit value[1] error in bridge device's xmit path
by sending a short (less than ETH_HLEN bytes) skb. To fix it check if
we can actually pull that amount instead of assuming.

Tested with dropwatch:
 drop at: br_dev_xmit+0xb93/0x12d0 [bridge] (0xffffffffc06739b3)
 origin: software
 timestamp: Mon May 13 11:31:53 2024 778214037 nsec
 protocol: 0x88a8
 length: 2
 original length: 2
 drop reason: PKT_TOO_SMALL

[1]
BUG: KMSAN: uninit-value in br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
 br_dev_xmit+0x61d/0x1cb0 net/bridge/br_device.c:65
 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 netdev_start_xmit include/linux/netdevice.h:4917 [inline]
 xmit_one net/core/dev.c:3531 [inline]
 dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547
 __dev_queue_xmit+0x34db/0x5350 net/core/dev.c:4341
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 __bpf_tx_skb net/core/filter.c:2136 [inline]
 __bpf_redirect_common net/core/filter.c:2180 [inline]
 __bpf_redirect+0x14a6/0x1620 net/core/filter.c:2187
 ____bpf_clone_redirect net/core/filter.c:2460 [inline]
 bpf_clone_redirect+0x328/0x470 net/core/filter.c:2432
 ___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
 __bpf_prog_run512+0xb5/0xe0 kernel/bpf/core.c:2238
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 bpf_test_run+0x499/0xc30 net/bpf/test_run.c:425
 bpf_prog_test_run_skb+0x14ea/0x1f20 net/bpf/test_run.c:1058
 bpf_prog_test_run+0x6b7/0xad0 kernel/bpf/syscall.c:4269
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5678
 __do_sys_bpf kernel/bpf/syscall.c:5767 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5765 [inline]
 __x64_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5765
 x64_sys_call+0x96b/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=a63a1f6a062033cf0f40
	Signed-off-by: Nikolay Aleksandrov <[email protected]>
	Signed-off-by: David S. Miller <[email protected]>
(cherry picked from commit 8bd67eb)
	Signed-off-by: Brett Mastbergen <[email protected]>

Revert "net: bridge: xmit: make sure we have at least eth header len bytes"

This reverts commit 0f91f77.
…_rcu()

jira VULN-54026
cve-pre CVE-2025-21764
commit-author Jiri Pirko <[email protected]>
commit 2034d90

Make the net pointer stored in possible_net_t structure annotated as
an RCU pointer. Change the access helpers to treat it as such.
Introduce read_pnet_rcu() helper to allow caller to dereference
the net pointer under RCU read lock.

	Signed-off-by: Jiri Pirko <[email protected]>
	Reviewed-by: Simon Horman <[email protected]>
	Signed-off-by: David S. Miller <[email protected]>
(cherry picked from commit 2034d90)
	Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-54026
cve-pre CVE-2025-21764
commit-author Eric Dumazet <[email protected]>
commit 482ad2a

dev->nd_net can change, readers should either
use rcu_read_lock() or RTNL.

We currently use a generic helper, dev_net() with
no debugging support. We probably have many hidden bugs.

Add dev_net_rcu() helper for callers using rcu_read_lock()
protection.

	Signed-off-by: Eric Dumazet <[email protected]>
	Reviewed-by: Kuniyuki Iwashima <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 482ad2a)
	Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-54026
cve CVE-2025-21764
commit-author Eric Dumazet <[email protected]>
commit 628e6d1

ndisc_alloc_skb() can be called without RTNL or RCU being held.

Add RCU protection to avoid possible UAF.

Fixes: de09334 ("ndisc: Introduce ndisc_alloc_skb() helper.")
	Signed-off-by: Eric Dumazet <[email protected]>
	Reviewed-by: David Ahern <[email protected]>
	Reviewed-by: Kuniyuki Iwashima <[email protected]>
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 628e6d1)
	Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-79509
cve CVE-2025-38380
commit-author Michael J. Ruhl <[email protected]>
commit 3d30048

The i2c_dw_xfer_init() function requires msgs and msg_write_idx from the
dev context to be initialized.

amd_i2c_dw_xfer_quirk() inits msgs and msgs_num, but not msg_write_idx.

This could allow an out of bounds access (of msgs).

Initialize msg_write_idx before calling i2c_dw_xfer_init().

	Reviewed-by: Andy Shevchenko <[email protected]>
Fixes: 17631e8 ("i2c: designware: Add driver support for AMD NAVI GPU")
	Cc: <[email protected]> # v5.13+
	Signed-off-by: Michael J. Ruhl <[email protected]>
	Signed-off-by: Andi Shyti <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
(cherry picked from commit 3d30048)
	Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-89194
cve CVE-2025-38471
commit-author Jakub Kicinski <[email protected]>
commit 4ab26bc

After recent changes in net-next TCP compacts skbs much more
aggressively. This unearthed a bug in TLS where we may try
to operate on an old skb when checking if all skbs in the
queue have matching decrypt state and geometry.

    BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]
    (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)
    Read of size 4 at addr ffff888013085750 by task tls/13529

    CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme
    Call Trace:
     kasan_report+0xca/0x100
     tls_strp_check_rcv+0x898/0x9a0 [tls]
     tls_rx_rec_wait+0x2c9/0x8d0 [tls]
     tls_sw_recvmsg+0x40f/0x1aa0 [tls]
     inet_recvmsg+0x1c3/0x1f0

Always reload the queue, fast path is to have the record in the queue
when we wake, anyway (IOW the path going down "if !strp->stm.full_len").

Fixes: 0d87bbd ("tls: strp: make sure the TCP skbs do not have overlapping data")
Link: https://patch.msgid.link/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 4ab26bc)
	Signed-off-by: Brett Mastbergen <[email protected]>
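As an added user-space model (not code from the kernel or from this PR) of the skb_segment() ordering bug that the first commit message above describes: the loop caches nr_frags and the frag pointer, the zero-copy orphan step then reshapes the frag array, so in the buggy order the cached count runs out early and the real code walks onto a NULL list_skb, while the fixed order orphans first. The struct, the halving behaviour of orphan_frags() and the input in run_model() are all constructed stand-ins.

```c
#include <stddef.h>
#define PAGE_SZ   4096
#define MAX_FRAGS 17            /* MAX_SKB_FRAGS on a 4K-page kernel */

struct model_skb {              /* hypothetical stand-in for sk_buff */
    int nr_frags, zerocopy;     /* zerocopy: frags still reference user pages */
    size_t frags[MAX_FRAGS];    /* byte length of each page fragment */
};

/* Stand-in for skb_orphan_frags(): copying user pages into kernel memory can
 * reshape the frag array; here every frag is split in two (constructed). */
static void orphan_frags(struct model_skb *skb)
{
    int n = skb->nr_frags;
    if (!skb->zerocopy || 2 * n > MAX_FRAGS)
        return;
    for (int i = n - 1; i >= 0; i--) {     /* walk backwards: 2i+1 >= i */
        size_t s = skb->frags[i];
        skb->frags[2 * i] = s / 2;
        skb->frags[2 * i + 1] = s - s / 2;
    }
    skb->nr_frags = 2 * n;
    skb->zerocopy = 0;
}

/* Walk len bytes of frag data as the skb_segment() loop does. Returns frags
 * consumed, or -1 where the cached count runs out early (NULL list_skb). */
static int segment(struct model_skb *skb, size_t len, int orphan_first)
{
    int nrfrags, i = 0;
    size_t pos = 0, *frag;
    if (orphan_first)           /* fixed order (2ea3528): orphan, then cache */
        orphan_frags(skb);
    nrfrags = skb->nr_frags;    /* cached count and frag pointer */
    frag = skb->frags;
    if (!orphan_first)          /* buggy order (bf5c25d): cache, then orphan */
        orphan_frags(skb);
    while (pos < len) {
        if (i >= nrfrags)       /* cached count exhausted too early */
            return -1;
        pos += frag[i++];
    }
    return i;
}

/* Constructed input: two 8K zero-copy frags and 16K of payload to segment. */
int run_model(int orphan_first)
{
    struct model_skb skb = { 2, 1, { 2 * PAGE_SZ, 2 * PAGE_SZ } };
    return segment(&skb, 4 * PAGE_SZ, orphan_first);
}
```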
@bmastbergen bmastbergen requested a review from a team October 1, 2025 14:18

@kerneltoast kerneltoast left a comment

🚢


@PlaidCat PlaidCat left a comment

:shipit:

@bmastbergen bmastbergen merged commit f8658ad into ciqlts9_2 Oct 3, 2025
4 checks passed
@bmastbergen bmastbergen deleted the bmastbergen_ciqlts9_2/many-vulns-9-29-25 branch October 3, 2025 15:25