[cbr79] Many VULNS 2025-12-23 #792

bmastbergen · 2025-12-24T14:20:47Z

Commits

    ext4: fix undefined behavior in bit shift for ext4_check_flag_values

    jira VULN-155614
    cve CVE-2022-50403
    commit-author Gaosheng Cui <cuigaosheng1@huawei.com>
    commit 3bf678a0f9c017c9ba7c581541dbc8453452a7ae

    scsi: qla2xxx: Wait for io return on terminate rport

    jira VULN-155082
    cve CVE-2023-53322
    commit-author Quinn Tran <qutran@marvell.com>
    commit fc0cba0c7be8261a1625098bd1d695077ec621c9

    ALSA: usb-audio: Validate UAC3 power domain descriptors, too

    jira VULN-136367
    cve CVE-2025-38729
    commit-author Takashi Iwai <tiwai@suse.de>
    commit d832ccbc301fbd9e5a1d691bdcf461cdb514595f

    ALSA: usb-audio: Validate UAC3 cluster segment descriptors

    jira VULN-152931
    cve CVE-2025-39757
    commit-author Takashi Iwai <tiwai@suse.de>
    commit ecfd41166b72b67d3bdeb88d224ff445f6163869

    ALSA: usb-audio: Fix size validation in convert_chmap_v3()

    jira VULN-152931
    cve-bf CVE-2025-39757
    commit-author Dan Carpenter <dan.carpenter@linaro.org>
    commit 89f0addeee3cb2dc49837599330ed9c4612f05b0

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 8s
x86_64 architecture detected, copying config
‘configs/kernel-3.10.0-x86_64.config’ -> ‘.config’
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqcbr7_9_many-vulns-2025-12-23-9d751aa"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf --silentoldconfig Kconfig
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
--
  H16TOFW firmware/edgeport/down2.fw
  IHEX2FW firmware/whiteheat_loader.fw
  IHEX2FW firmware/whiteheat.fw
  IHEX2FW firmware/keyspan_pda/keyspan_pda.fw
  IHEX2FW firmware/keyspan_pda/xircom_pgs.fw
[TIMER]{BUILD}: 493s
Making Modules
  INSTALL arch/x86/crypto/ablk_helper.ko
  INSTALL arch/x86/crypto/aesni-intel.ko
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
--
  INSTALL /lib/firmware/whiteheat_loader.fw
  INSTALL /lib/firmware/whiteheat.fw
  INSTALL /lib/firmware/keyspan_pda/keyspan_pda.fw
  INSTALL /lib/firmware/keyspan_pda/xircom_pgs.fw
  DEPMOD  3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-12-23-9d751aa+
[TIMER]{MODULES}: 13s
Making Install
sh ./arch/x86/boot/install.sh 3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-12-23-9d751aa+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 43s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-12-23-9d751aa+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 8s
[TIMER]{BUILD}: 493s
[TIMER]{MODULES}: 13s
[TIMER]{INSTALL}: 43s
[TIMER]{TOTAL} 564s
Rebooting in 10 seconds

Testing

selftest-3.10.0-1160.119.1.el7_9.ciqcbr.10.1.x86_64-1.log

selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-12-23-9d751aa+-1.log

brett@lycia ~/ciq/many-79-vulns-2025-12-23/kselftest-logs
 % grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.10.1.x86_64-1.log | wc -l
4
brett@lycia ~/ciq/many-79-vulns-2025-12-23/kselftest-logs
 % grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-12-23-9d751aa+-1.log | wc -l
4
brett@lycia ~/ciq/many-79-vulns-2025-12-23/kselftest-logs
 % grep ok <(diff -adU0 <(grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.10.1.x86_64-1.log | sort -h) <(grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-12-23-9d751aa+-1.log | sort -h))

brett@lycia ~/ciq/many-79-vulns-2025-12-23/kselftest-logs
 %

jira VULN-155614 cve CVE-2022-50403 commit-author Gaosheng Cui <cuigaosheng1@huawei.com> commit 3bf678a Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in fs/ext4/ext4.h:591:2 left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: <TASK> dump_stack_lvl+0x7d/0xa5 dump_stack+0x15/0x1b ubsan_epilogue+0xe/0x4e __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c ext4_init_fs+0x5a/0x277 do_one_initcall+0x76/0x430 kernel_init_freeable+0x3b3/0x422 kernel_init+0x24/0x1e0 ret_from_fork+0x1f/0x30 </TASK> Fixes: 9a4c801 ("ext4: ensure Inode flags consistency are checked at build time") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Link: https://lore.kernel.org/r/20221031055833.3966222-1-cuigaosheng1@huawei.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org (cherry picked from commit 3bf678a) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>

jira VULN-155082 cve CVE-2023-53322 commit-author Quinn Tran <qutran@marvell.com> commit fc0cba0 System crash due to use after free. Current code allows terminate_rport_io to exit before making sure all IOs has returned. For FCP-2 device, IO's can hang on in HW because driver has not tear down the session in FW at first sign of cable pull. When dev_loss_tmo timer pops, terminate_rport_io is called and upper layer is about to free various resources. Terminate_rport_io trigger qla to do the final cleanup, but the cleanup might not be fast enough where it leave qla still holding on to the same resource. Wait for IO's to return to upper layer before resources are freed. Cc: stable@vger.kernel.org Signed-off-by: Quinn Tran <qutran@marvell.com> Signed-off-by: Nilesh Javali <njavali@marvell.com> Link: https://lore.kernel.org/r/20230428075339.32551-7-njavali@marvell.com Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> (cherry picked from commit fc0cba0) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>

jira VULN-136367 cve CVE-2025-38729 commit-author Takashi Iwai <tiwai@suse.de> commit d832ccb UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. Fixes: 9a2fe9b ("ALSA: usb: initial USB Audio Device Class 3.0 support") Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com> Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20250814081245.8902-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> (cherry picked from commit d832ccb) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>

jira VULN-152931 cve CVE-2025-39757 commit-author Takashi Iwai <tiwai@suse.de> commit ecfd411 UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. Fixes: 11785ef ("ALSA: usb-audio: Initial Power Domain support") Reported-and-tested-by: Youngjun Lee <yjjuny.lee@samsung.com> Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20250814081245.8902-2-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> (cherry picked from commit ecfd411) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>

jira VULN-152931 cve-bf CVE-2025-39757 commit-author Dan Carpenter <dan.carpenter@linaro.org> commit 89f0add The "p" pointer is void so sizeof(*p) is 1. The intent was to check sizeof(*cs_desc), which is 3, instead. Fixes: ecfd411 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://patch.msgid.link/aKL5kftC1qGt6lpv@stanley.mountain Signed-off-by: Takashi Iwai <tiwai@suse.de> (cherry picked from commit 89f0add) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>

github-actions · 2025-12-24T14:52:30Z

🔍 Interdiff Analysis

⚠️ PR commit e146c47b3ce3 (scsi: qla2xxx: Wait for io return on terminate rport) → upstream fc0cba0c7be8
Differences found:

diff -u b/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
--- b/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -2583,5 +2583,5 @@
+		else
 			qla2x00_port_logout(fcport->vha, fcport);
-		}
 	}
 
 	/* check for any straggling io left behind */

⚠️ PR commit fe6dae154f10 (ALSA: usb-audio: Validate UAC3 cluster segment descriptors) → upstream ecfd41166b72
Differences found:

diff -u b/sound/usb/stream.c b/sound/usb/stream.c
--- b/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -360,6 +365,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 			struct uac3_cluster_information_segment_descriptor *is = p;
 			unsigned char map;
 
+			if (cs_len < sizeof(*is))
+				break;
+
 			/*
 			 * TODO: this conversion is not complete, update it
 			 * after adding UAC3 values to asound.h
@@ -367,6 +372,9 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 			struct uac3_cluster_information_segment_descriptor *is = p;
 			unsigned char map;
 
+			if (cs_len < sizeof(*is))
+				break;
+
 			/*
 			 * TODO: this conversion is not complete, update it
 			 * after adding UAC3 values to asound.h

This is an automated interdiff check for backported commits.

bmastbergen · 2025-12-24T15:06:33Z

🔍 Interdiff Analysis

⚠️ PR commit e146c47b3ce3 (scsi: qla2xxx: Wait for io return on terminate rport) → upstream fc0cba0c7be8
Differences found:
diff -u b/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
--- b/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -2583,5 +2583,5 @@
+		else
 			qla2x00_port_logout(fcport->vha, fcport);
-		}
 	}
 
 	/* check for any straggling io left behind */

Context difference expected due to missing 7a8ff7d

⚠️ PR commit fe6dae154f10 (ALSA: usb-audio: Validate UAC3 cluster segment descriptors) → upstream ecfd41166b72
Differences found:

diff -u b/sound/usb/stream.c b/sound/usb/stream.c
--- b/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -360,6 +365,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 			struct uac3_cluster_information_segment_descriptor *is = p;
 			unsigned char map;
 
+			if (cs_len < sizeof(*is))
+				break;
+
 			/*
 			 * TODO: this conversion is not complete, update it
 			 * after adding UAC3 values to asound.h
@@ -367,6 +372,9 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 			struct uac3_cluster_information_segment_descriptor *is = p;
 			unsigned char map;
 
+			if (cs_len < sizeof(*is))
+				break;
+
 			/*
 			 * TODO: this conversion is not complete, update it
 			 * after adding UAC3 values to asound.h

No real difference here

This is an automated interdiff check for backported commits.

PlaidCat · 2025-12-24T17:37:01Z

This comment though

 *
 * It's not paranoia if the Murphy's Law really *is* out to get you.  :-)
 */

PlaidCat

bmastbergen added 4 commits December 23, 2025 11:20

This comment was marked as outdated.

Sign in to view

bmastbergen requested a review from a team December 24, 2025 15:06

shreeya-patel98 approved these changes Dec 24, 2025

View reviewed changes

PlaidCat approved these changes Dec 24, 2025

View reviewed changes

bmastbergen merged commit af6f1ac into ciqcbr7_9 Dec 24, 2025
2 checks passed

bmastbergen deleted the {bmastbergen}_ciqcbr7_9/many-vulns-2025-12-23 branch December 24, 2025 18:57

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[cbr79] Many VULNS 2025-12-23 #792

[cbr79] Many VULNS 2025-12-23 #792

bmastbergen commented Dec 24, 2025 •

edited

Loading

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

This comment was marked as outdated.

github-actions bot commented Dec 24, 2025

Uh oh!

bmastbergen commented Dec 24, 2025

🔍 Interdiff Analysis

Uh oh!

PlaidCat commented Dec 24, 2025

Uh oh!

PlaidCat left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

4 participants

[cbr79] Many VULNS 2025-12-23 #792

[cbr79] Many VULNS 2025-12-23 #792

Conversation

bmastbergen commented Dec 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Commits

Build Log

Testing

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

This comment was marked as outdated.

github-actions bot commented Dec 24, 2025

🔍 Interdiff Analysis

Uh oh!

bmastbergen commented Dec 24, 2025

🔍 Interdiff Analysis

Uh oh!

PlaidCat commented Dec 24, 2025

Uh oh!

PlaidCat left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

4 participants

bmastbergen commented Dec 24, 2025 •

edited

Loading