[ciqlts8 6] Easy(sh) vulns #763
base: ciqlts8_6
Conversation
jira VULN-152932 cve CVE-2025-39757 commit-author Takashi Iwai <tiwai@suse.de> commit ecfd411
UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses.
Fixes: 11785ef ("ALSA: usb-audio: Initial Power Domain support")
Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit ecfd411)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-152932 cve-bf CVE-2025-39757 commit-author Dan Carpenter <dan.carpenter@linaro.org> commit 89f0add
The "p" pointer is void so sizeof(*p) is 1. The intent was to check sizeof(*cs_desc), which is 3, instead.
Fixes: ecfd411 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aKL5kftC1qGt6lpv@stanley.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 89f0add)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
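An added example (not code from this PR or from the kernel tree) that models in userland C the checks the two ALSA commits above describe: a cluster-descriptor walker that rejects any segment whose declared length does not fit the bytes actually held, using the typed struct sizes rather than sizeof on a void pointer. The descriptor layouts, the UAC3_CHANNEL_INFORMATION value and the three sample descriptors are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define UAC3_CHANNEL_INFORMATION 0x01   /* assumed segment-type value */
/* Assumed packed layouts of the UAC3 cluster descriptors (little-endian). */
struct __attribute__((packed)) cluster_header {
	uint16_t wLength; uint8_t bDescriptorType, bDescriptorSubtype, bNrChannels; uint16_t wClusterID;
};
struct __attribute__((packed)) cluster_segment { uint16_t wLength; uint8_t bSegmentType; };
struct __attribute__((packed)) cluster_info_segment {
	uint16_t wLength; uint8_t bSegmentType, bChPurpose, bChRelationship, bChGroupID;
};
static size_t rd16(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }
/* Walk the cluster in buf[0..buflen).  Returns the number of channel-information
 * segments, or -1 if a declared length is inconsistent with the bytes present
 * (the out-of-bounds reads the two commits describe). */
int parse_cluster(const uint8_t *buf, size_t buflen)
{
	size_t len, off, nchan = 0;
	if (buflen < sizeof(struct cluster_header))
		return -1;
	len = rd16(buf);                          /* declared cluster length ... */
	if (len < sizeof(struct cluster_header) || len > buflen)
		return -1;                            /* ... must fit the real buffer */
	off = sizeof(struct cluster_header);
	while (off < len && nchan < (size_t)buf[4]) { /* buf[4] is bNrChannels */
		size_t remain = len - off, cs_len;
		/* 3-byte segment header: sizeof the typed struct, not sizeof(*p)==1 on a void * (89f0add) */
		if (remain < sizeof(struct cluster_segment))
			return -1;
		cs_len = rd16(buf + off);
		/* the segment must cover its own header and end inside the cluster */
		if (cs_len < sizeof(struct cluster_segment) || cs_len > remain)
			return -1;
		if (buf[off + 2] == UAC3_CHANNEL_INFORMATION) {
			if (cs_len < sizeof(struct cluster_info_segment))
				return -1;                    /* bChRelationship would lie past the segment */
			nchan++;
		}
		off += cs_len;
	}
	return (int)nchan;
}
/* Constructed samples: 2-channel header + two info segments; the second array
 * declares a 64-byte segment, the third a 3-byte "information" segment. */
static const uint8_t good[]  = { 19,0,0x24,0x0c,2,1,0, 6,0,1,0,1,0, 6,0,1,0,2,0 };
static const uint8_t overs[] = { 19,0,0x24,0x0c,2,1,0, 6,0,1,0,1,0, 64,0,1,0,2,0 };
static const uint8_t shrt[]  = { 16,0,0x24,0x0c,2,1,0, 6,0,1,0,1,0, 3,0,1 };
int example_good(void)       { return parse_cluster(good,  sizeof good);  }  /* 2 */
int example_oversized(void)  { return parse_cluster(overs, sizeof overs); }  /* -1 */
int example_short_info(void) { return parse_cluster(shrt,  sizeof shrt);  }  /* -1 */
```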
jira VULN-155239 cve-pre CVE-2022-50356 commit-author Zhengchao Shao <shaozhengchao@huawei.com> commit c19d893
qdisc_reset() is clearing qdisc->q.qlen and qdisc->qstats.backlog _after_ calling qdisc->ops->reset. There is no need to clear them again in the specific reset function.
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Link: https://lore.kernel.org/r/20220824005231.345727-1-shaozhengchao@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit c19d893)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-155239 cve CVE-2022-50356 commit-author Zhengchao Shao <shaozhengchao@huawei.com> commit 2a3fc78
When the default qdisc is sfb, if the qdisc of dev_queue fails to be inited during mqprio_init(), sfb_reset() is invoked to clear resources. In this case, the q->qdisc is NULL, and it will cause gpf issue.
The process is as follows:
qdisc_create_dflt()
  sfb_init()
    tcf_block_get()            --->failed, q->qdisc is NULL
  ...
  qdisc_put()
    ...
    sfb_reset()
      qdisc_reset(q->qdisc)    --->q->qdisc is NULL
        ops = qdisc->ops
The following is the Call Trace information:
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
RIP: 0010:qdisc_reset+0x2b/0x6f0
Call Trace:
<TASK>
sfb_reset+0x37/0xd0
qdisc_reset+0xed/0x6f0
qdisc_destroy+0x82/0x4c0
qdisc_put+0x9e/0xb0
qdisc_create_dflt+0x2c3/0x4a0
mqprio_init+0xa71/0x1760
qdisc_create+0x3eb/0x1000
tc_modify_qdisc+0x408/0x1720
rtnetlink_rcv_msg+0x38e/0xac0
netlink_rcv_skb+0x12d/0x3a0
netlink_unicast+0x4a2/0x740
netlink_sendmsg+0x826/0xcc0
sock_sendmsg+0xc5/0x100
____sys_sendmsg+0x583/0x690
___sys_sendmsg+0xe8/0x160
__sys_sendmsg+0xbf/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f2164122d04
</TASK>
Fixes: e13e02a ("net_sched: SFB flow scheduler")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 2a3fc78)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-70476 cve-pre CVE-2022-50030 commit-author Dan Carpenter <dan.carpenter@oracle.com> commit 9020be1
The "mybuf" string comes from the user, so we need to ensure that it is NUL terminated.
Link: https://lore.kernel.org/r/20211214070527.GA27934@kili
Fixes: bd2cdd5 ("scsi: lpfc: NVME Initiator: Add debugfs support")
Reviewed-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 9020be1)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
… user input
jira VULN-70476 cve CVE-2022-50030 commit-author James Smart <jsmart2021@gmail.com> commit f8191d4
Malformed user input to debugfs results in buffer overflow crashes. Adapt input string lengths to fit within internal buffers, leaving space for NULL terminators.
Link: https://lore.kernel.org/r/20220701211425.2708-3-jsmart2021@gmail.com
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit f8191d4)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-70503 cve-pre CVE-2022-50050 commit-author Ranjani Sridharan <ranjani.sridharan@linux.intel.com> commit 71778f7
Add the rom_status_reg field to struct sof_intel_dsp_desc and define it for HDA platforms. This will be used to check the ROM status during FW boot.
Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://lore.kernel.org/r/20220414184817.362215-14-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
(cherry picked from commit 71778f7)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-70503 cve CVE-2022-50050 commit-author Takashi Iwai <tiwai@suse.de> commit 94c1ceb
snprintf() returns the would-be-filled size when the string overflows the given buffer size, hence using this value may result in the buffer overflow (although it's unrealistic). This patch replaces it with a safer version, scnprintf(), for papering over such a potential issue.
Fixes: 29c8e43 ("ASoC: SOF: Intel: hda: add extended rom status dump to error log")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20220801165420.25978-4-tiwai@suse.de
Signed-off-by: Mark Brown <broonie@kernel.org>
(cherry picked from commit 94c1ceb)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
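An added example (not from the PR or the kernel tree) that shows in userland C why the hda.c change above matters: a local re-implementation of scnprintf() beside the original snprintf() accumulation, run over constructed register values so that the "len +=" drift past the buffer becomes visible. MSG_LEN, build_status() and the sample values are assumptions for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stddef.h>
#define MSG_LEN 16   /* deliberately small stand-in for the hda.c msg[] buffer */

/* Userland re-implementation of the kernel's scnprintf(): same formatting as
 * snprintf, but returns the bytes actually stored (excluding the NUL), never
 * the would-be length, so a "len +=" accumulator can never pass the end. */
static int scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int i;
	if (size == 0)
		return 0;
	va_start(ap, fmt);
	i = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (i < 0)
		return 0;
	return (size_t)i < size ? i : (int)(size - 1);
}

/* Mirrors the loop in the hda.c hunk: append " 0x%x" per value into msg[].
 * Returns the final len; if sizeof(msg) - len would wrap to a huge size_t
 * (the condition that lets snprintf run past msg), the loop stops before
 * handing that size to the libc and returns -len instead. */
int build_status(int use_scnprintf, const unsigned *vals, size_t n)
{
	char msg[MSG_LEN];
	size_t len = 0, i;
	msg[0] = '\0';
	for (i = 0; i < n; i++) {
		if (len > sizeof(msg))
			return -(int)len;             /* sizeof(msg) - len would underflow */
		if (use_scnprintf)
			len += scnprintf(msg + len, sizeof(msg) - len, " 0x%x", vals[i]);
		else
			len += snprintf(msg + len, sizeof(msg) - len, " 0x%x", vals[i]);
	}
	return (int)len;
}

/* Constructed sample: five 32-bit register values, far more than MSG_LEN holds. */
static const unsigned regs[] = { 0xdeadbeef, 0xcafebabe, 0x12345678, 0x1, 0x2 };
int example_scnprintf(void) { return build_status(1, regs, 5); }  /* 15: clamped at MSG_LEN-1 */
int example_snprintf(void)  { return build_status(0, regs, 5); }  /* -22: len already past the buffer */
```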
jira VULN-70082 cve-pre CVE-2022-50087 commit-author Greg Kroah-Hartman <gregkh@linuxfoundation.org> commit 43b9ac9
Platform drivers now have the option to have the platform core create and remove any needed sysfs attribute files. So take advantage of that and do not register "by hand" a sysfs group of attributes.
Acked-by: Sudeep Holla <sudeep.holla@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20190731124349.4474-6-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 43b9ac9)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-70082 cve CVE-2022-50087 commit-author Sudeep Holla <sudeep.holla@arm.com> commit 689640e
When scpi probe fails, at any point, we need to ensure that the scpi_info is not set and will remain NULL until the probe succeeds. If it is not taken care of, then it could result in a use-after-free as the value is exported via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc() but freed when the probe fails.
Link: https://lore.kernel.org/r/20220701160310.148344-1-sudeep.holla@arm.com
Cc: stable@vger.kernel.org # 4.19+
Reported-by: huhai <huhai@kylinos.cn>
Reviewed-by: Jackie Liu <liuyun01@kylinos.cn>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
(cherry picked from commit 689640e)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
jira VULN-155283 cve CVE-2022-50367 commit-author Dongliang Mu <mudongliangabcd@gmail.com> commit 2e488f1
upstream-diff | Adjusted context in inode_init_always due to the rh specific variable rh_reserved2 being initialized to 0, added in commit: dbb05b7 ("Rebuild centos8 with kernel-4.18.0-80.el8")
In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes (e.g., UAF/GPF).
Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes).
Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com
Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Reported-by: Hao Sun <sunhao.th@gmail.com>
Reported-by: Jiacheng Xu <stitch@zju.edu.cn>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(cherry picked from commit 2e488f1)
Signed-off-by: Roxana Nicolescu <rnicolescu@ciq.com>
🔍 Interdiff Analysis
diff -u b/sound/usb/stream.c b/sound/usb/stream.c
--- b/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -355,6 +360,9 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;
+ if (cs_len < sizeof(*is))
+ break;
+
/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
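Review bot: the "rejected hunk from patch1, cannot diff context" marker is a context-alignment failure in interdiff, not a divergence: the added lines `if (cs_len < sizeof(*is))` / `break;` are identical to the patch2 hunk that follows, and only the @@ offset differs (355 versus 360). Because `is` is a typed pointer, `sizeof(*is)` is the full information-segment size, which is the typed form that the 89f0add follow-up (sizeof(*p) on a void pointer being 1) demanded for the earlier `cs_desc` check; that earlier check lies outside this hunk's context, so it is worth confirming the backported stream.c carries it with `sizeof(*cs_desc)` as well.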
@@ -360,6 +365,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;
+ if (cs_len < sizeof(*is))
+ break;
+
/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
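Review bot: this is the patch2 side of the same context failure; the added lines match the patch1 hunk byte for byte, and the five-line offset shift (360 versus 355) is consistent with a slightly longer stream.c in the backport tree. Nothing to change in the code, but the backport should be checked to carry the `cs_len < sizeof(*is)` guard exactly once, since interdiff could not confirm that alignment itself.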
diff -u b/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c
--- b/sound/soc/sof/intel/hda.c
+++ b/sound/soc/sof/intel/hda.c
@@ -543,4 +543,4 @@
len += scnprintf(msg + len, sizeof(msg) - len, " 0x%x", value);
}
- dev_printk(level, sdev->dev, "extended rom status: %s", msg);
+ dev_err(sdev->dev, "extended rom status: %s", msg);
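Review bot: `dev_printk(level, ...)` becoming `dev_err(...)` hardcodes the error log level, which the reply attributes to this tree lacking commit 34bfba9 and therefore the `level` parameter. That is a logging-only difference: the line that matters for CVE-2022-50050, `len += scnprintf(msg + len, sizeof(msg) - len, " 0x%x", value);`, appears as unchanged context, so the overflow fix itself is identical to upstream. Consider recording the dropped `level` argument in an upstream-diff note on the 94c1ceb commit message, as was done for the fs/inode.c commit, so later readers do not have to rediscover it from the interdiff.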
diff -u b/fs/inode.c b/fs/inode.c
--- b/fs/inode.c
+++ b/fs/inode.c
@@ -165,5 +165,5 @@
- inode->i_wb_frn_history = 0;
-#endif
+
+ inode->rh_reserved2 = 0;
spin_lock_init(&inode->i_lock);
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
This is an automated interdiff check for backported commits.
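Review bot: the lines interdiff reports here are context differences rather than changes to the fix: upstream's `inode->i_wb_frn_history = 0;` and its `#endif` are absent in the backport, and `inode->rh_reserved2 = 0;` (the RHEL-specific field the commit message's upstream-diff note explains) sits in their place. The actual fix, moving security_inode_alloc() before this_cpu_inc(nr_inodes), does not show up in the interdiff at all, which is what one wants to see. One thing to double-check: the `#endif` shown as removed must belong to a conditional block whose `#if` is likewise absent from the backported inode.c, so that the preprocessor nesting stays balanced.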
This is a bug in interdiff; the patch looks fine. Check the colordiff log.
This is due to missing commit 34bfba9 ("ASoC: SOF: Intel: hda: Use DEBUG log level for optional prints").
This is expected since inode->rh_reserved2 = 0 is red hat specific.
bmastbergen left a comment
🥌
DESCRIPTION
These are commits that were pretty easy to backport.
Some were applied cleanly, some required only a prereq.
The last one had to be manually fixed since the context is slightly changed due to an internal Red Hat kABI fix.
Otherwise, it should be straightforward to review.
Notes
COMMITS
TESTING
BUILD
Kselftests
Check_kernel_commits
Run jira_pr_check