[cbr79] Multiple VULNs 8-22-25 #522
Open
bmastbergen wants to merge 5 commits into ciqcbr7_9 from bmastbergen_ciqcbr7_9/many-vulns-8-22-25
jira VULN-56261
cve CVE-2025-22004
commit-author Dan Carpenter <[email protected]>
commit f3009d0

The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free.

Fixes: 1da177e ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
(cherry picked from commit f3009d0)
Signed-off-by: Brett Mastbergen <[email protected]>
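The ordering fix described in the commit message above, as an added userspace example that is not code from this pull request or from the kernel. `struct pkt`, `struct dev_stats`, `xmit()` and the two send callbacks are hypothetical stand-ins, and the packet sizes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for a packet buffer and per-device counters. */
struct pkt { unsigned int len; };
struct dev_stats { unsigned long tx_packets, tx_bytes, tx_dropped; };

/* A transmit op that takes ownership of the packet and frees it. */
typedef int (*send_fn)(struct pkt *p);

static int send_ok(struct pkt *p)   { free(p); return 0; }
static int send_fail(struct pkt *p) { free(p); return -1; }

/* Fixed ordering: copy p->len first; p is never read after send(). */
static void xmit(struct dev_stats *st, send_fn send, struct pkt *p)
{
    unsigned int len = p->len;   /* saved while p is still valid */

    if (send(p) < 0) {           /* p is freed on success and on failure */
        st->tx_dropped++;
        return;
    }
    st->tx_packets++;
    st->tx_bytes += len;         /* reading p->len here would touch freed memory */
}

/* Sends two constructed packets that succeed and one that fails. */
static unsigned long demo_tx_bytes(struct dev_stats *st)
{
    unsigned int sizes[] = { 60, 1500, 42 };

    for (int i = 0; i < 3; i++) {
        struct pkt *p = malloc(sizeof(*p));
        if (!p)
            return 0;
        p->len = sizes[i];
        xmit(st, i == 2 ? send_fail : send_ok, p);
    }
    return st->tx_bytes;
}

int main(void)
{
    struct dev_stats st = {0};
    printf("tx_bytes=%lu\n", demo_tx_bytes(&st));
    printf("packets=%lu dropped=%lu\n", st.tx_packets, st.tx_dropped);
    return 0;
}
```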
jira VULN-40845
cve CVE-2024-50302
commit-author Jiri Kosina <[email protected]>
commit 177f25d

Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.

Fixes: 27ce405 ("HID: fix data access in implement()")
Reported-by: Benoît Sevens <[email protected]>
Acked-by: Benjamin Tissoires <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
(cherry picked from commit 177f25d)
Signed-off-by: Brett Mastbergen <[email protected]>
jira VULN-7917
cve CVE-2022-1011
commit-author Miklos Szeredi <[email protected]>
commit 0c4bcfd
upstream-diff Used 4.19 LT commit 99db282 because page info is in fuse_req in this kernel as opposed to fuse_args in upstream

In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then imports the write buffer with fuse_get_user_pages(), which uses iov_iter_get_pages() to grab references to userspace pages instead of actually copying memory.

On the filesystem device side, these pages can then either be read to userspace (via fuse_dev_read()), or splice()d over into a pipe using fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops.

This is wrong because after fuse_dev_do_read() unlocks the FUSE request, the userspace filesystem can mark the request as completed, causing write() to return. At that point, the userspace filesystem should no longer have access to the pipe buffer.

Fix by copying pages coming from the user address space to new pipe buffers.

Reported-by: Jann Horn <[email protected]>
Fixes: c302162 ("fuse: support splice() reading from fuse device")
Cc: <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
(cherry picked from commit 0c4bcfd)
Signed-off-by: Brett Mastbergen <[email protected]>
…box devices

jira VULN-46737
cve CVE-2024-53197
commit-author Benoît Sevens <[email protected]>
commit b909df1
upstream-diff This kernel doesn't have snd_usb_mbox3_boot_quirk(), so that change hunk from the upstream commit isn't necessary.

A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config.

This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.

Signed-off-by: Benoît Sevens <[email protected]>
Fixes: 1da177e ("Linux-2.6.12-rc2")
Cc: [email protected]
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
(cherry picked from commit b909df1)
Signed-off-by: Brett Mastbergen <[email protected]>
🔍 Upstream Linux Kernel Commit Check
This is an automated message from the kernel commit checker workflow.
jira VULN-46737
cve-bf CVE-2024-53197
commit-author Dan Carpenter <[email protected]>
commit f7d306b
upstream-diff Use 5.10 LT commit e7c1fcd This kernel doesn't have snd_usb_mbox3_boot_quirk(), so that change hunk from the upstream commit isn't necessary. Also this kernel doesn't have the __free annotation, so this version calls kfree the good old fashioned way

The usb_get_descriptor() function does DMA so we're not allowed to use a stack buffer for that. Doing DMA to the stack is not portable all architectures. Move the "new_device_descriptor" from being stored on the stack and allocate it with kmalloc() instead.

Fixes: b909df1 ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
Cc: [email protected]
Signed-off-by: Dan Carpenter <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
(cherry picked from commit f7d306b)
Signed-off-by: Brett Mastbergen <[email protected]>
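The two CVE-2024-53197 commit messages above, modelled together in an added userspace example that is not code from this pull request or from the kernel: a re-read descriptor is accepted only if its bNumConfigurations does not exceed the count the config array was sized for, and the temporary descriptor lives on the heap and is freed by hand. `struct usb_dev`, `struct dev_desc`, `make_dev()`, `reread_descriptor()` and `destroy_configs()` are hypothetical reductions, `malloc()`/`free()` stand in for `kmalloc()`/`kfree()`, and the descriptor values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, reduced model: config[] is sized once, from the first read. */
struct dev_desc { uint8_t bLength, bDescriptorType, bNumConfigurations; };
struct usb_dev { struct dev_desc descriptor; int *config; };

static struct usb_dev make_dev(uint8_t nconf)
{
    return (struct usb_dev){ { 18, 1, nconf }, calloc(nconf, sizeof(int)) };
}

/* Re-read after the boot quirk; returns 0 if accepted, -1 if rejected. */
static int reread_descriptor(struct usb_dev *dev, const struct dev_desc *wire)
{
    /* Heap buffer rather than stack: the real read is a DMA transfer. */
    struct dev_desc *nd = malloc(sizeof(*nd));
    int ret = -1;
    if (!nd)
        return -1;
    memcpy(nd, wire, sizeof(*nd));   /* stands in for usb_get_descriptor() */
    if (nd->bNumConfigurations <= dev->descriptor.bNumConfigurations) {
        memcpy(&dev->descriptor, nd, sizeof(*nd));
        ret = 0;
    }
    free(nd);                        /* freed by hand on every path */
    return ret;
}

/* Teardown walks config[] by the stored count, so the count must stay in bounds. */
static int destroy_configs(struct usb_dev *dev)
{
    int visited = 0;
    for (int i = 0; i < dev->descriptor.bNumConfigurations; i++)
        visited += (dev->config[i] == 0);
    free(dev->config);
    return visited;
}

int main(void)
{
    struct usb_dev dev = make_dev(1);
    struct dev_desc bogus = { 18, 1, 8 };   /* constructed: claims 8 configs */
    int r = reread_descriptor(&dev, &bogus);
    printf("reread=%d visited=%d\n", r, destroy_configs(&dev));
    return 0;
}
```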
e256926 to 8b93ba8
Commit Summaries
Build Log
Testing
selftest-3.10.0-1160.119.1.el7_9.ciqcbr.7.1.x86_64.log
selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-8-22-25-8b93ba8+.log