From 104675413a08679c530a36ace52f34886668e049 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Wed, 8 Oct 2025 23:43:45 -0400 Subject: [PATCH 01/10] net_sched: hfsc: Fix a UAF vulnerability in class handling jira VULN-67698 jira VULN-67697 cve CVE-2025-37797 commit-author Cong Wang commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied. Fixes: 21f4d5cc25ec ("net_sched/hfsc: fix curve activation in hfsc_change_class()") Reported-by: Gerrard Tai Reviewed-by: Konstantin Khlebnikov Signed-off-by: Cong Wang Reviewed-by: Jamal Hadi Salim Link: https://patch.msgid.link/20250417184732.943057-2-xiyou.wangcong@gmail.com Signed-off-by: Jakub Kicinski (cherry picked from commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c) Signed-off-by: Jonathan Maple --- net/sched/sch_hfsc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c index c0883fa3d3bda..593757852564b 100644 --- a/net/sched/sch_hfsc.c +++ b/net/sched/sch_hfsc.c @@ -964,6 +964,7 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, if (cl != NULL) { int old_flags; + int len = 0; if (parentid) { if (cl->cl_parent && 
@@ -994,9 +995,13 @@ hfsc_change_class(struct Qdisc *sch, u32 classid, u32 parentid, if (usc != NULL) hfsc_change_usc(cl, usc, cur_time); + if (cl->qdisc->q.qlen != 0) + len = qdisc_peek_len(cl->qdisc); + /* Check queue length again since some qdisc implementations + * (e.g., netem/codel) might empty the queue during the peek + * operation. + */ if (cl->qdisc->q.qlen != 0) { - int len = qdisc_peek_len(cl->qdisc); - if (cl->cl_flags & HFSC_RSC) { if (old_flags & HFSC_RSC) update_ed(cl, len); From f631fe5b7fff17a175912723438cbb3a3c6ced87 Mon Sep 17 00:00:00 2001 
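Review bot: The re-check only covers a peek that empties the queue; if `qdisc_peek_len()` returns 0 because the child's peek produced no skb while `q.qlen` stayed non-zero (a non-work-conserving child whose head packet is not yet due — the helper warns and returns 0 in that case, if I recall it correctly), the second `if (cl->qdisc->q.qlen != 0)` still passes and `update_ed(cl, len)` / the init path below run with `len == 0`. Either treat that like an empty queue, `if (cl->qdisc->q.qlen != 0 && len > 0) {`, or state in the new comment why a zero-length peek is acceptable for the vttree/eltree update. The comment would also read better if it mentioned that `len` keeps its 0 default when the first check fails, since the old inner `int len` declaration a reader may look for is gone. hfsc_change_class() continues well past this hunk.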
From: Jonathan Maple Date: Wed, 8 Oct 2025 23:45:11 -0400 Subject: [PATCH 02/10] sctp: linearize cloned gso packets in sctp_rcv jira VULN-136339 jira VULN-136338 cve CVE-2025-38718 commit-author Xin Long commit fd60d8a086191fe33c2d719732d2482052fa6805 A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline] and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] This patch fixes it by linearizing cloned gso packets in sctp_rcv(). 
Fixes: 90017accff61 ("sctp: Add GSO support") Reported-by: syzbot+773e51afe420baaf0e2b@syzkaller.appspotmail.com Reported-by: syzbot+70a42f45e76bede082be@syzkaller.appspotmail.com Signed-off-by: Xin Long Reviewed-by: Marcelo Ricardo Leitner Link: https://patch.msgid.link/dd7dc337b99876d4132d0961f776913719f7d225.1754595611.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski (cherry picked from commit fd60d8a086191fe33c2d719732d2482052fa6805) Signed-off-by: Jonathan Maple --- net/sctp/input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/input.c b/net/sctp/input.c index 892028ce5891a..1aa32f5cd0f8c 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -129,7 +129,7 @@ int sctp_rcv(struct sk_buff *skb) * it's better to just linearize it otherwise crc computing * takes longer. */ - if ((!is_gso && skb_linearize(skb)) || + if (((!is_gso || skb_cloned(skb)) && skb_linearize(skb)) || !pskb_may_pull(skb, sizeof(struct sctphdr))) goto discard_it; From 2621a890be52a4d8482f7ccbd6cfb735ed7c85b8 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Wed, 8 Oct 2025 23:45:17 -0400 Subject: [PATCH 03/10] NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() jira VULN-136575 jira VULN-136574 jira VULN-136573 cve CVE-2025-39730 cve CVE-2025-1234556789 cve-bf CVE-2025-39730 commit-author Trond Myklebust commit ef93a685e01a281b5e2a25ce4e3428cf9371a205 The function needs to check the minimal filehandle length before it can access the embedded filehandle. Reported-by: zhangjian Fixes: 20fa19027286 ("nfs: add export operations") Signed-off-by: Trond Myklebust (cherry picked from commit ef93a685e01a281b5e2a25ce4e3428cf9371a205) Signed-off-by: Jonathan Maple --- fs/nfs/export.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/fs/nfs/export.c b/fs/nfs/export.c index fd67dc0b13a51..ceeeb0f7bd2da 100644 --- a/fs/nfs/export.c +++ b/fs/nfs/export.c 
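Review bot: The comment directly above the changed condition still explains linearizing purely as a CRC-cost optimisation for fragmented packets, which no longer accounts for the new `skb_cloned(skb)` term; a reader will not know why a cloned GSO skb must be copied. Suggest extending it with `/* A cloned GSO head skb still shares its frag_list skbs with the original; linearize it too so the receive path never touches those shared skbs. */`. After a successful `skb_linearize()` the skb may keep its GSO marking while `is_gso` (computed before the hunk) stays true, so please confirm the later `is_gso`-dependent code in sctp_rcv() tolerates a GSO-marked skb with an empty frag_list. sctp_rcv() continues beyond the hunk.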
@@ -66,14 +66,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid, { struct nfs_fattr *fattr = NULL; struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw); - size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size; + size_t fh_size = offsetof(struct nfs_fh, data); const struct nfs_rpc_ops *rpc_ops; struct dentry *dentry; struct inode *inode; - int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size); + int len = EMBED_FH_OFF; u32 *p = fid->raw; int ret; + /* Initial check of bounds */ + if (fh_len < len + XDR_QUADLEN(fh_size) || + fh_len > XDR_QUADLEN(NFS_MAXFHSIZE)) + return NULL; + /* Calculate embedded filehandle size */ + fh_size += server_fh->size; + len += XDR_QUADLEN(fh_size); /* NULL translates to ESTALE */ if (fh_len < len || fh_type != len) return NULL; From 5cca1846281b4d7502da88ecaf327aca4f3557d4 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Thu, 9 Oct 2025 19:02:10 -0400 Subject: [PATCH 04/10] github actions: rename upstream-commit-check for generalization We are going to use this github action to do all the PR git commit processing. Since the kernel-src-tree is so large we need to minimize the wasted cycles on common checkout actions. --- .../{upstream-commit-check.yml => pr-commit-processing.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{upstream-commit-check.yml => pr-commit-processing.yml} (100%) diff --git a/.github/workflows/upstream-commit-check.yml b/.github/workflows/pr-commit-processing.yml similarity index 100% rename from .github/workflows/upstream-commit-check.yml rename to .github/workflows/pr-commit-processing.yml From 487b0da2ef4e1ce667aed72166d1884dc26d9d7b Mon Sep 17 00:00:00 2001 
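Review bot: The bound on `server_fh->size` is only implicit — it follows from `fh_len <= XDR_QUADLEN(NFS_MAXFHSIZE)` combined with the later `fh_len < len` test and the rounding in XDR_QUADLEN — and `/* Initial check of bounds */` does not say that the first test exists so `server_fh->size` can be dereferenced safely. Suggest `/* fh_len is in 32-bit words: make sure the embedded nfs_fh header (its size field) lies inside fid before reading it, and cap the whole fid at NFS_MAXFHSIZE */` for that comment, plus an explicit `if (server_fh->size > NFS_MAXFHSIZE) return NULL;` once the size is read so the limit no longer depends on word rounding. Separately, the cherry-pick trailer `cve CVE-2025-1234556789` is not a plausible CVE identifier and looks like a placeholder that the JIRA/CVE validation introduced later in this series would presumably reject. nfs_fh_to_dentry() continues past the hunk.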
From: Jonathan Maple Date: Thu, 9 Oct 2025 19:07:34 -0400 Subject: [PATCH 05/10] githbub actions: Initial commit for checking JIRA We will be reaching into our JIRA to check the state of each commit's JIRA ticket. For each one we want to ensure that the target branch matches the branch defined for that product, and validate that the CVE ID is also correct for the ticket. It will also check that the tickets are in progress and have time logged; if either is untrue it will produce a warning. In the event of Product or CVE mismatches it will block the PR and request changes. --- .github/workflows/pr-commit-processing.yml | 137 +++++++++++++++++++-- 1 file changed, 124 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pr-commit-processing.yml b/.github/workflows/pr-commit-processing.yml index e95c4e904f8e4..de86c41249c8b 100644 --- a/.github/workflows/pr-commit-processing.yml +++ b/.github/workflows/pr-commit-processing.yml @@ -1,4 +1,4 @@ -name: Check Kernel Commits for Upstream Fixes +name: PR Commit Processing on: pull_request:
@@ -9,21 +9,40 @@ permissions: pull-requests: write jobs: - check-upstream-fixes: + commit-validation: runs-on: ubuntu-latest steps: - - name: Checkout PR branch + - name: Checkout kernel-src-tree uses: actions/checkout@v4 with: - repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 ref: ${{ github.head_ref }} - - name: Checkout base branch + - name: Fetch base branch run: | - git remote add base_repo https://github.com/${{ github.repository }}.git - git fetch base_repo ${{ github.base_ref }}:${{ github.base_ref }} + git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} + + - name: Checkout kernel-src-tree-tools + uses: actions/checkout@v4 + with: + repository: ctrliq/kernel-src-tree-tools + ref: '{jmaple}_pr_jira_test' + path: kernel-src-tree-tools + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install jira + + # ============================================================ + # Step 1: Upstream Commit Check + # ============================================================ - name: Download check_kernel_commits.py run: | @@ -32,11 +51,6 @@ jobs: -o check_kernel_commits.py chmod +x check_kernel_commits.py - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.x' - - name: Run upstream fixes check id: checkkernel run: | @@ -46,7 +60,7 @@ jobs: echo "has_findings=true" >> $GITHUB_OUTPUT fi - - name: Comment on PR if issues found + - name: Comment on PR if upstream issues found if: steps.checkkernel.outputs.has_findings == 'true' env: GH_TOKEN: ${{ github.token }} 
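Review bot: The tooling checkout pins `ctrliq/kernel-src-tree-tools` to `ref: '{jmaple}_pr_jira_test'`, a personal and mutable test branch, and the `jira_pr_check.py` taken from it later runs with the repository's JIRA credentials and a `pull-requests: write` token, so anyone who can push to that branch controls what executes here. Pin it to a full commit SHA (or at least a protected branch), e.g. `ref: '<40-char commit sha>'`, and treat that repository as a supply-chain dependency. The same goes for the unpinned `pip install jira` and, if the `curl` of `check_kernel_commits.py` that follows fetches from a mutable URL (the URL is cut off in this view), for that script as well. With `repository:` dropped, the `ref: ${{ github.head_ref }}` checkout now comes from the base repository and will fail for fork PRs — fine if those are unsupported, but worth a comment on the step.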
@@ -54,3 +68,100 @@ jobs: gh pr comment ${{ github.event.pull_request.number }} \ --body "$(cat result.txt)" \ --repo ${{ github.repository }} + + # ============================================================ + # Step 2: JIRA PR Check + # ============================================================ + + - name: Mask JIRA credentials + run: | + echo "::add-mask::${{ secrets.JIRA_API_USER }}" + echo "::add-mask::${{ secrets.JIRA_API_TOKEN }}" + + - name: Run JIRA PR Check + id: jira_check + continue-on-error: true + env: + JIRA_URL: ${{ secrets.JIRA_URL }} + JIRA_API_USER: ${{ secrets.JIRA_API_USER }} + JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} + run: | + cd kernel-src-tree-tools + + # Run script and capture output, ensuring credentials are never echoed + set +x # Disable command echo to prevent credential exposure + set +e # Don't exit on error, we want to capture the output + OUTPUT=$(python3 jira_pr_check.py \ + --jira-url "${JIRA_URL}" \ + --jira-user "${JIRA_API_USER}" \ + --jira-key "${JIRA_API_TOKEN}" \ + --kernel-src-tree .. \ + --merge-target ${{ github.base_ref }} \ + --pr-branch ${{ github.head_ref }} 2>&1) + EXIT_CODE=$? 
+ + # Filter out any potential credential leaks from output + FILTERED_OUTPUT=$(echo "$OUTPUT" | grep -v "jira-user\|jira-key\|basic_auth\|Authorization" || true) + + echo "$FILTERED_OUTPUT" + echo "output<> $GITHUB_OUTPUT + echo "$FILTERED_OUTPUT" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + + # Check if there are any issues based on output patterns + if echo "$FILTERED_OUTPUT" | grep -q "❌ Errors:"; then + echo "has_issues=true" >> $GITHUB_OUTPUT + + # Check specifically for LTS mismatch errors + if echo "$FILTERED_OUTPUT" | grep -q "expects branch"; then + echo "has_lts_mismatch=true" >> $GITHUB_OUTPUT + else + echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT + fi + elif echo "$FILTERED_OUTPUT" | grep -q "⚠️ Warnings:"; then + echo "has_issues=true" >> $GITHUB_OUTPUT + echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT + else + echo "has_issues=false" >> $GITHUB_OUTPUT + echo "has_lts_mismatch=false" >> $GITHUB_OUTPUT + fi + + # Exit with the script's exit code + exit $EXIT_CODE + + - name: Comment PR with JIRA issues + if: steps.jira_check.outputs.has_issues == 'true' + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = process.env.CHECK_OUTPUT; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }); + env: + CHECK_OUTPUT: ${{ steps.jira_check.outputs.output }} + + - name: Request changes if LTS mismatch + if: steps.jira_check.outputs.has_lts_mismatch == 'true' + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + github.rest.pulls.createReview({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: context.issue.number, + event: 'REQUEST_CHANGES', + body: '⚠️ This PR contains VULN tickets that do not match the target LTS product. Please review the JIRA ticket assignments and ensure they match the merge target branch.' 
+ }); + + - name: Fail workflow if JIRA errors found + if: steps.jira_check.outcome == 'failure' + run: | + echo "❌ JIRA PR check failed - errors were found in one or more commits" + exit 1 From 4c854209e16050e50bf1287d042705b1c03abbf0 Mon Sep 17 00:00:00 2001 
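Review bot: `--merge-target ${{ github.base_ref }} --pr-branch ${{ github.head_ref }}` splices PR-chosen branch names directly into the shell script, so a head branch named like `x;curl …|sh` executes arbitrary commands in a step that holds the JIRA secrets and a `pull-requests: write` token (classic Actions script injection); pass both through `env:` and quote them, as the JIRA values already are. The multi-line output also uses the fixed `EOF` delimiter around text derived from the checked commits, so a commit-message line reading `EOF` truncates or corrupts the step output — use a random delimiter as GitHub's docs recommend (the `echo "output<> $GITHUB_OUTPUT` line looks garbled in this view and is presumably `echo "output<<EOF" >> $GITHUB_OUTPUT`). The `grep -v "jira-user\|jira-key\|basic_auth\|Authorization"` filter only hides lines that happen to mention those words, so do not rely on it for credential hygiene; the `::add-mask::` step and GitHub's automatic secret masking are what actually protect the log. The hunk is the tail of the `commit-validation` job, whose start lies outside it.
```yaml
        env:
          # … unchanged: JIRA_URL / JIRA_API_USER / JIRA_API_TOKEN …
          MERGE_TARGET: ${{ github.base_ref }}
          PR_BRANCH: ${{ github.head_ref }}
        run: |
          # … unchanged: cd, set +x / set +e …
          OUTPUT=$(python3 jira_pr_check.py \
            --jira-url "${JIRA_URL}" \
            --jira-user "${JIRA_API_USER}" \
            --jira-key "${JIRA_API_TOKEN}" \
            --kernel-src-tree .. \
            --merge-target "${MERGE_TARGET}" \
            --pr-branch "${PR_BRANCH}" 2>&1)
          # … unchanged: EXIT_CODE capture and output filtering …
          delim="output_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
          echo "output<<${delim}" >> "$GITHUB_OUTPUT"
          echo "$FILTERED_OUTPUT" >> "$GITHUB_OUTPUT"
          echo "${delim}" >> "$GITHUB_OUTPUT"
          # … unchanged: has_issues / has_lts_mismatch detection, exit …
```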
From: Jonathan Maple Date: Mon, 20 Oct 2025 18:19:39 -0400 Subject: [PATCH 06/10] KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 jira VULN-70726 jira VULN-70725 cve CVE-2022-50228 commit-author Maciej S. Szmigiero commit f17c31c48e5cde9895a491d91c424eeeada3e134 Don't BUG/WARN on interrupt injection due to GIF being cleared, since it's trivial for userspace to force the situation via KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct for KVM internally generated injections). kernel BUG at arch/x86/kvm/svm/svm.c:3386! invalid opcode: 0000 [#1] SMP CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd] Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53 RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006 RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0 RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000 FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0 Call Trace: inject_pending_event+0x2f7/0x4c0 [kvm] kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm] kvm_vcpu_ioctl+0x26d/0x650 [kvm] __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 219b65dcf6c0 ("KVM: SVM: Improve nested interrupt injection") Cc: stable@vger.kernel.org Co-developed-by: Sean Christopherson Signed-off-by: Sean Christopherson Signed-off-by: Maciej S. Szmigiero Message-Id: <35426af6e123cbe91ec7ce5132ce72521f02b1b5.1651440202.git.maciej.szmigiero@oracle.com> 
Signed-off-by: Paolo Bonzini (cherry picked from commit f17c31c48e5cde9895a491d91c424eeeada3e134) Signed-off-by: Jonathan Maple --- arch/x86/kvm/svm/svm.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c index 33aa34a0bff34..98f5634917702 100644 --- a/arch/x86/kvm/svm/svm.c +++ b/arch/x86/kvm/svm/svm.c @@ -3431,8 +3431,6 @@ static void svm_inject_irq(struct kvm_vcpu *vcpu) { struct vcpu_svm *svm = to_svm(vcpu); - BUG_ON(!(gif_set(svm))); - trace_kvm_inj_virq(vcpu->arch.interrupt.nr); ++vcpu->stat.irq_injections; From fe3dacef2d4e9225ffeed6929e5aa5a9ee080935 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Mon, 20 Oct 2025 18:19:40 -0400 Subject: [PATCH 07/10] Bluetooth: L2CAP: Fix use-after-free jira VULN-155018 jira VULN-155017 cve CVE-2023-53305 commit-author Zhengping Jiang commit f752a0b334bb95fe9b42ecb511e0864e2768046f Fix potential use-after-free in l2cap_le_command_rej. Signed-off-by: Zhengping Jiang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Jakub Kicinski (cherry picked from commit f752a0b334bb95fe9b42ecb511e0864e2768046f) Signed-off-by: Jonathan Maple --- net/bluetooth/l2cap_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index c77f80c58086b..8ad66fc28941c 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -6336,9 +6336,14 @@ static inline int l2cap_le_command_rej(struct l2cap_conn *conn, if (!chan) goto done; + chan = l2cap_chan_hold_unless_zero(chan); + if (!chan) + goto done; + l2cap_chan_lock(chan); l2cap_chan_del(chan, ECONNREFUSED); l2cap_chan_unlock(chan); + l2cap_chan_put(chan); done: mutex_unlock(&conn->chan_lock); From 0a6d91dd748653f748236aacafefbe78cd082ae7 Mon Sep 17 00:00:00 2001 
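Review bot: The extra reference from `l2cap_chan_hold_unless_zero()` is only correct if the lookup that produced `chan` just before this hunk (outside the visible lines) returns an unreferenced pointer; in upstream of that era the lookup there did not take a reference, but if this tree's helper already does, the hunk leaks one reference per rejected command, so please confirm which variant precedes `if (!chan) goto done;`. A short comment would spare the next reader the same question: `/* pin chan: it can be freed by another path while we hold only conn->chan_lock */`. The balancing `l2cap_chan_put()` after `l2cap_chan_unlock()` is the right order. l2cap_le_command_rej() starts before the hunk.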
From: Jonathan Maple Date: Mon, 20 Oct 2025 18:19:40 -0400 Subject: [PATCH 08/10] crypto: seqiv - Handle EBUSY correctly jira VULN-155734 jira VULN-155733 cve CVE-2023-53373 commit-author Herbert Xu commit 32e62025e5e52fbe4812ef044759de7010b15dbc As it is seqiv only handles the special return value of EINPROGERSS, which means that in all other cases it will free data related to the request. However, as the caller of seqiv may specify MAY_BACKLOG, we also need to expect EBUSY and treat it in the same way. Otherwise backlogged requests will trigger a use-after-free. Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") Signed-off-by: Herbert Xu (cherry picked from commit 32e62025e5e52fbe4812ef044759de7010b15dbc) Signed-off-by: Jonathan Maple --- crypto/seqiv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/seqiv.c b/crypto/seqiv.c index e80959ef32dce..1ee6f6cd285ca 100644 --- a/crypto/seqiv.c +++ b/crypto/seqiv.c @@ -30,7 +30,7 @@ static void seqiv_aead_encrypt_complete2(struct aead_request *req, int err) struct aead_request *subreq = aead_request_ctx(req); struct crypto_aead *geniv; - if (err == -EINPROGRESS) + if (err == -EINPROGRESS || err == -EBUSY) return; if (err) From 346b76270991981c8ff101a6e26470f973f86cd6 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Mon, 20 Oct 2025 18:19:44 -0400 Subject: [PATCH 09/10] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control jira VULN-152896 jira VULN-152895 cve CVE-2025-39751 commit-author Lucy Thrun commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte buffer if either string argument is too long. This triggers a compiler warning. Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent overflow. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/ 
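Review bot: The reason `-EBUSY` is now treated like `-EINPROGRESS` lives only in the commit message; in the code a reader sees two unrelated error codes being special-cased together. Suggest `/* -EBUSY: request was backlogged (MAY_BACKLOG); the completion runs again with the real status, so the request must stay alive */` above the `if`. It is also worth grepping this tree for other completion callbacks that use the bare `err == -EINPROGRESS` early return (other IV generators, if any), so backlogged requests are handled consistently rather than one file at a time. seqiv_aead_encrypt_complete2() continues past the hunk.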
Signed-off-by: Lucy Thrun Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de Signed-off-by: Takashi Iwai (cherry picked from commit a409c60111e6bb98fcabab2aeaa069daa9434ca0) Signed-off-by: Jonathan Maple --- sound/pci/hda/patch_ca0132.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c index 748a3c40966e9..c19164089ae4e 100644 --- a/sound/pci/hda/patch_ca0132.c +++ b/sound/pci/hda/patch_ca0132.c @@ -4399,7 +4399,7 @@ static int add_tuning_control(struct hda_codec *codec, } knew.private_value = HDA_COMPOSE_AMP_VAL(nid, 1, 0, type); - sprintf(namestr, "%s %s Volume", name, dirstr[dir]); + snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]); return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec)); } From a0db3bb4c1c4b92b69857a3d1dc138f0f2888335 Mon Sep 17 00:00:00 2001 From: Jonathan Maple Date: Mon, 20 Oct 2025 18:19:45 -0400 Subject: [PATCH 10/10] ALSA: usb-audio: Validate UAC3 cluster segment descriptors jira VULN-152934 jira VULN-152933 cve CVE-2025-39757 commit-author Takashi Iwai commit ecfd41166b72b67d3bdeb88d224ff445f6163869 UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. Fixes: 11785ef53228 ("ALSA: usb-audio: Initial Power Domain support") Reported-and-tested-by: Youngjun Lee Cc: Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de Signed-off-by: Takashi Iwai (cherry picked from commit ecfd41166b72b67d3bdeb88d224ff445f6163869) Signed-off-by: Jonathan Maple --- sound/usb/stream.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/sound/usb/stream.c b/sound/usb/stream.c index e9227751cf7ea..de08132c745c7 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c 
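Review bot: `snprintf()` now truncates silently, so an overlong `name` plus `dirstr[dir]` yields a clipped control name, and two tuning controls that clip to the same string will presumably fail in `snd_hda_ctl_add()` as duplicates rather than overflow. If that is acceptable, say so: `/* truncated to the control-name limit; collisions surface as snd_hda_ctl_add() errors */`; otherwise check the return value and reject oversized names with `if (snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]) >= sizeof(namestr)) return -EINVAL;`. The 44-byte size comes from the commit message rather than the hunk, so please confirm `namestr` is declared as an array here, since `sizeof(namestr)` on a pointer would be wrong. add_tuning_control() starts before the hunk.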
@@ -336,20 +336,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor len = le16_to_cpu(cluster->wLength); c = 0; - p += sizeof(struct uac3_cluster_header_descriptor); + p += sizeof(*cluster); + len -= sizeof(*cluster); - while (((p - (void *)cluster) < len) && (c < channels)) { + while (len > 0 && (c < channels)) { struct uac3_cluster_segment_descriptor *cs_desc = p; u16 cs_len; u8 cs_type; + if (len < sizeof(*p)) + break; cs_len = le16_to_cpu(cs_desc->wLength); + if (len < cs_len) + break; cs_type = cs_desc->bSegmentType; if (cs_type == UAC3_CHANNEL_INFORMATION) { struct uac3_cluster_information_segment_descriptor *is = p; unsigned char map; + if (cs_len < sizeof(*is)) + break; + /* * TODO: this conversion is not complete, update it * after adding UAC3 values to asound.h @@ -451,6 +459,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor chmap->map[c++] = map; } p += cs_len; + len -= cs_len; } if (channels < c) @@ -871,7 +880,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip, u64 badd_formats = 0; unsigned int num_channels; struct audioformat *fp; - u16 cluster_id, wLength; + u16 cluster_id, wLength, cluster_wLength; int clock = 0; int err; @@ -998,6 +1007,16 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip, return ERR_PTR(-EIO); } + cluster_wLength = le16_to_cpu(cluster->wLength); + if (cluster_wLength < sizeof(*cluster) || + cluster_wLength > wLength) { + dev_err(&dev->dev, + "%u:%d : invalid Cluster Descriptor size\n", + iface_no, altno); + kfree(cluster); + return ERR_PTR(-EIO); + } + num_channels = cluster->bNrChannels; chmap = convert_chmap_v3(cluster); kfree(cluster);
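Review bot: `if (len < sizeof(*p)) break;` checks for only a single byte if `p` is a `void *`, which it appears to be since it is assigned to struct pointers of two different types without a cast, so `cs_desc->wLength` (two bytes at offset 2) and `bSegmentType` can still be read past the end of the buffer; the guard should use the descriptor type, `if (len < sizeof(*cs_desc)) break;`. In addition, `cs_len == 0` passes `if (len < cs_len)` and then `p += cs_len; len -= cs_len;` makes no progress, so a segment with wLength 0 whose type is not UAC3_CHANNEL_INFORMATION spins forever on malicious firmware; fold a minimum into the same test: `if (cs_len < sizeof(*cs_desc) || len < cs_len) break;`. convert_chmap_v3() starts before the hunk.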