bmastbergen
@bmastbergen bmastbergen commented Sep 9, 2025

Commits

    crypto: algif_hash - fix double free in hash_accept

    jira VULN-72165
    cve CVE-2025-38079
    commit-author Ivan Pravdin <ipravdin.official@gmail.com>
    commit b2df03ed4052e97126267e8c13ad4204ea6ba9b6
    drivers:md:fix a potential use-after-free bug

    jira VULN-135015
    cve CVE-2022-50022
    commit-author Wentao_Liang <Wentao_Liang_g@163.com>
    commit 104212471b1c1817b311771d817fb692af983173
    posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

    jira VULN-136687
    cve CVE-2025-38352
    commit-author Oleg Nesterov <oleg@redhat.com>
    commit f90fff1e152dedf52b932240ebbd670d83330eca
    upstream-diff Applying to kernel/posix-cpu-timers.c instead of
                  kernel/time/posix-cpu-timers.c in upstream.  There were
                  minor merge conflicts due to differences in surrounding
                  code but the code added is the same.

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 8s
x86_64 architecture detected, copying config
‘configs/kernel-3.10.0-x86_64.config’ -> ‘.config’
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqcbr7_9_many-vulns-9-9-25-e3ad0fc"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf --silentoldconfig Kconfig
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
--
  H16TOFW firmware/edgeport/down2.fw
  IHEX2FW firmware/whiteheat_loader.fw
  IHEX2FW firmware/keyspan_pda/keyspan_pda.fw
  IHEX2FW firmware/whiteheat.fw
  IHEX2FW firmware/keyspan_pda/xircom_pgs.fw
[TIMER]{BUILD}: 750s
Making Modules
  INSTALL arch/x86/crypto/aesni-intel.ko
  INSTALL arch/x86/crypto/ablk_helper.ko
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
--
  INSTALL /lib/firmware/whiteheat_loader.fw
  INSTALL /lib/firmware/whiteheat.fw
  INSTALL /lib/firmware/keyspan_pda/keyspan_pda.fw
  INSTALL /lib/firmware/keyspan_pda/xircom_pgs.fw
  DEPMOD  3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-9-25-e3ad0fc+
[TIMER]{MODULES}: 18s
Making Install
sh ./arch/x86/boot/install.sh 3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-9-25-e3ad0fc+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 30s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-9-25-e3ad0fc+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 8s
[TIMER]{BUILD}: 750s
[TIMER]{MODULES}: 18s
[TIMER]{INSTALL}: 30s
[TIMER]{TOTAL} 812s
Rebooting in 10 seconds

Testing

selftest-3.10.0-1160.119.1.el7_9.ciqcbr.7.1.x86_64.log

selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-9-25-e3ad0fc+.log

brett@lycia ~/ciq/many-79-vulns-9-9-25
 % grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.7.1.x86_64.log | wc -l
2
brett@lycia ~/ciq/many-79-vulns-9-9-25
 % grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-9-9-25-e3ad0fc+.log | wc -l
2

@bmastbergen bmastbergen changed the title Bmastbergen ciqcbr7 9/many vulns 9 9 25 [cbr79] Many VULNs 9-9-25 Sep 9, 2025
@PlaidCat PlaidCat left a comment

There is clearly some code drift between upstream and this kernel for the comment adjustment, but the core seems good.

…x_cpu_timer_del()

jira VULN-136687
cve CVE-2025-38352
commit-author Oleg Nesterov <oleg@redhat.com>
commit f90fff1
upstream-diff Applying to kernel/posix-cpu-timers.c instead of
              kernel/time/posix-cpu-timers.c in upstream.  There were
              minor merge conflicts due to differences in surrounding
              code but the code added is the same.

If an exiting non-autoreaping task has already passed exit_notify() and
calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
or debugger right after unlock_task_sighand().

If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
lock_task_sighand() will fail.

Add the tsk->exit_state check into run_posix_cpu_timers() to fix this.

This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because
exit_task_work() is called before exit_notify(). But the check still
makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail
anyway in this case.

Cc: stable@vger.kernel.org
Reported-by: Benoît Sevens <bsevens@google.com>
Fixes: 0bdd2ed ("sched: run_posix_cpu_timers: Don't check ->exit_state, use lock_task_sighand()")
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit f90fff1)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>

fixup
jira VULN-135015
cve CVE-2022-50022
commit-author Wentao_Liang <Wentao_Liang_g@163.com>
commit 1042124

In line 2884, "raid5_release_stripe(sh);" drops the reference to sh and
may cause sh to be released. However, sh is subsequently used in line
2886 "if (sh->batch_head && sh != sh->batch_head)". This may result in a
use-after-free bug.

It can be fixed by moving "raid5_release_stripe(sh);" to the bottom of
the function.

Signed-off-by: Wentao_Liang <Wentao_Liang_g@163.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 1042124)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>

jira VULN-72165
cve CVE-2025-38079
commit-author Ivan Pravdin <ipravdin.official@gmail.com>
commit b2df03e

If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to a slab-use-after-free error.

Fixes: fe869cd ("crypto: algif_hash - User-space interface for hash operations")
Cc: <stable@vger.kernel.org>
Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit b2df03e)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
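The double free in the algif_hash commit above, modelled as a constructed C example (not the kernel's code and not part of this PR): a refcount stand-in records when the accept error path and the socket's close-time release path both drop the same reference, and shows that returning the error without freeing leaves exactly one drop. All struct and function names here are simplified stand-ins for the kernel ones.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model (not kernel code) of the ownership rule behind the
 * algif_hash fix: once the new sock is grafted onto newsock, the release
 * path frees it, so an error path that also frees it double-frees. */

struct sock { int refcnt; };
struct socket { struct sock *sk; };

static int double_free_count;          /* bumped when refcnt would go below 0 */

static void sock_put_model(struct sock *sk)
{
    if (sk->refcnt <= 0) {             /* already freed once: the double free / UAF */
        double_free_count++;
        return;
    }
    sk->refcnt--;                      /* reaching 0 would kfree() the sock in the kernel */
}

/* Stand-in for af_alg_release: runs when the accepted fd is closed. */
static void af_alg_release_model(struct socket *sock)
{
    if (sock->sk)
        sock_put_model(sock->sk);
}

/* Stand-in for crypto_ahash_import; import_fails injects the failure. */
static int crypto_ahash_import_model(bool import_fails)
{
    return import_fails ? -1 : 0;
}

/* Models hash_accept; buggy selects the pre-fix behaviour that frees sk2 on error. */
static int hash_accept_model(struct socket *newsock, struct sock *sk2,
                             bool import_fails, bool buggy)
{
    newsock->sk = sk2;                 /* sock_graft(): newsock now owns sk2 */
    int err = crypto_ahash_import_model(import_fails);
    if (err && buggy)
        sock_put_model(sk2);           /* pre-fix: drops a reference release drops again */
    return err;                        /* fixed: just return; release frees sk2 once */
}

/* Runs accept then the close-time release; returns the number of double frees. */
int count_double_frees(bool import_fails, bool buggy)
{
    struct sock sk2 = { .refcnt = 1 };
    struct socket newsock = { .sk = NULL };
    double_free_count = 0;
    hash_accept_model(&newsock, &sk2, import_fails, buggy);
    af_alg_release_model(&newsock);    /* the fd is released on both success and error */
    return double_free_count;
}
```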
@bmastbergen bmastbergen force-pushed the bmastbergen_ciqcbr7_9/many-vulns-9-9-25 branch from e3ad0fc to a963322 Compare September 9, 2025 19:04
@kerneltoast kerneltoast left a comment

🚢

@bmastbergen bmastbergen merged commit 7d0da91 into ciqcbr7_9 Sep 9, 2025
2 checks passed
@bmastbergen bmastbergen deleted the bmastbergen_ciqcbr7_9/many-vulns-9-9-25 branch September 9, 2025 20:19