[cbr79] Multiple VULNs 8-22-25

.github/workflows/build-check_x86_64.yml

@@ -9,46 +9,39 @@ jobs:
   kernel-build-job:
     runs-on:
       labels: kernel-build
+    container:
+      image: centos:7
+      options: --cpus 8
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          ref: "${{ github.event.pull_request.head.sha }}"
-          fetch-depth: 0
-          path: kernel-src-tree
-
-      - name: Install rinse
-        run: |
-          sudo apt-get install rinse
-
-      - name: Build centos7 chroot
-        run: |
-          sudo rinse --distribution centos-7 \
-                --mirror http://dl.rockylinux.org/vault/centos/7/os/x86_64/Packages \
-                --arch amd64 \
-                --directory centos-7-chroot
-
-      - name: Point yum to vault (in chroot)
+      - name: Point yum to vault
         run: |
-          sudo sed -e '/mirrorlist=.*/d' \
+          sed -e '/mirrorlist=.*/d' \
               -e 's/#baseurl=/baseurl=/' \
               -e "s/\$releasever/7.9.2009/g" \
               -e "s/mirror.centos.org/dl.rockylinux.org\/vault/g" \
-              -i centos-7-chroot/etc/yum.repos.d/CentOS-Base.repo
+              -i /etc/yum.repos.d/CentOS-Base.repo
 
       - name: Install tools and Libraries (in chroot)
         run: |
-          sudo chroot centos-7-chroot yum groupinstall 'Development Tools' -y
-          sudo chroot centos-7-chroot yum install bc dwarves git glibc-devel hostname kernel-devel mpfr openssl openssl-devel elfutils-libelf-devel -y
+          yum groupinstall 'Development Tools' -y
+          yum install bc dwarves git glibc-devel hostname kernel-devel mpfr openssl openssl-devel elfutils-libelf-devel -y
 
-      - name: Build the Kernel (in chroot)
+      - name: Checkout code
         run: |
-          sudo mv kernel-src-tree centos-7-chroot
-          sudo chroot centos-7-chroot sh -c "cd kernel-src-tree && cp configs/kernel-3.10.0-x86_64.config .config"
-          sudo chroot centos-7-chroot sh -c "cd kernel-src-tree && make olddefconfig"
-          sudo chroot centos-7-chroot sh -c "cd kernel-src-tree && make -j$(nproc)"
+          git clone --branch ${{ github.head_ref }} "https://oauth2:[email protected]/ctrliq/kernel-src-tree"
+
+      - name: Build the Kernel
+        working-directory: kernel-src-tree
+        run: |
+          cp configs/kernel-3.10.0-x86_64.config .config
+          make olddefconfig
+          make -j$(nproc)
+
       - name: Check kabi
+        working-directory: kernel-src-tree
         run: |
-          sudo chroot centos-7-chroot sh -c "git clone --branch c7 --single-branch https://git.centos.org/rpms/kernel.git kernel-dist-git"
-          sudo chroot centos-7-chroot sh -c "cd kernel-dist-git && git reset --hard imports/c7/kernel-3.10.0-1160.119.1.el7"
-          sudo chroot centos-7-chroot sh -c "./kernel-dist-git/SOURCES/check-kabi -k ./kernel-dist-git/SOURCES/Module.kabi_x86_64 -s ./kernel-src-tree/Module.symvers"
+          git clone --branch c7 --single-branch https://git.centos.org/rpms/kernel.git kernel-dist-git
+          cd kernel-dist-git
+          git reset --hard imports/c7/kernel-3.10.0-1160.119.1.el7
+          cd ..
+          ./kernel-dist-git/SOURCES/check-kabi -k ./kernel-dist-git/SOURCES/Module.kabi_x86_64 -s Module.symvers

drivers/hid/hid-core.c

@@ -1353,7 +1353,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
 
 	u32 len = hid_report_len(report) + 7;
 
-	return kmalloc(len, flags);
+	return kzalloc(len, flags);
 }
 EXPORT_SYMBOL_GPL(hid_alloc_report_buf);
 

fs/fuse/dev.c

@@ -932,7 +932,17 @@ static int fuse_copy_page(struct fuse_copy_state *cs, struct page **pagep,
 
 	while (count) {
 		if (cs->write && cs->pipebufs && page) {
-			return fuse_ref_page(cs, page, offset, count);
+			/*
+			 * Can't control lifetime of pipe buffers, so always
+			 * copy user pages.
+			 */
+			if (cs->req->user_pages) {
+				err = fuse_copy_fill(cs);
+				if (err)
+					return err;
+			} else {
+				return fuse_ref_page(cs, page, offset, count);
+			}
 		} else if (!cs->len) {
 			if (cs->move_pages && page &&
 			    offset == 0 && count == PAGE_SIZE) {

fs/fuse/file.c

@@ -1386,6 +1386,7 @@ static int fuse_get_user_pages(struct fuse_req *req, struct iov_iter *ii,
 		nbytes += frag_size;
 	}
 
+	req->user_pages = true;
 	if (write)
 		req->in.argpages = 1;
 	else

fs/fuse/fuse_i.h

@@ -267,6 +267,8 @@ struct fuse_req {
 	/** refcount */
 	atomic_t count;
 
+	bool user_pages;
+
 	/** Unique ID for the interrupt request */
 	u64 intr_unique;
 

net/atm/lec.c

@@ -180,6 +180,7 @@ static void
 lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
 {
 	struct net_device *dev = skb->dev;
+	unsigned int len = skb->len;
 
 	ATM_SKB(skb)->vcc = vcc;
 	ATM_SKB(skb)->atm_options = vcc->atm_options;
@@ -191,7 +192,7 @@ lec_send(struct atm_vcc *vcc, struct sk_buff *skb)
 	}
 
 	dev->stats.tx_packets++;
-	dev->stats.tx_bytes += skb->len;
+	dev->stats.tx_bytes += len;
 }
 
 static void lec_tx_timeout(struct net_device *dev)

sound/usb/quirks.c

@@ -577,6 +577,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
 static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
 {
 	struct usb_host_config *config = dev->actconfig;
+	struct usb_device_descriptor *new_device_descriptor = NULL;
 	int err;
 
 	if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
@@ -587,11 +588,20 @@ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interfac
 				      0x10, 0x43, 0x0001, 0x000a, NULL, 0);
 		if (err < 0)
 			dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
+
+		new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
+		if (!new_device_descriptor)
+			return -ENOMEM;
 		err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
-				&dev->descriptor, sizeof(dev->descriptor));
-		config = dev->actconfig;
+				new_device_descriptor, sizeof(*new_device_descriptor));
 		if (err < 0)
 			dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+		if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+			dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+				new_device_descriptor->bNumConfigurations);
+		else
+			memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+		kfree(new_device_descriptor);
 		err = usb_reset_configuration(dev);
 		if (err < 0)
 			dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
@@ -925,6 +935,7 @@ static void mbox2_setup_48_24_magic(struct usb_device *dev)
 static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
 {
 	struct usb_host_config *config = dev->actconfig;
+	struct usb_device_descriptor *new_device_descriptor = NULL;
 	int err;
 	u8 bootresponse[0x12];
 	int fwsize;
@@ -959,11 +970,21 @@ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
 
 	dev_dbg(&dev->dev, "device initialised!\n");
 
+	new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
+	if (!new_device_descriptor)
+		return -ENOMEM;
+
 	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
-		&dev->descriptor, sizeof(dev->descriptor));
-	config = dev->actconfig;
+		new_device_descriptor, sizeof(*new_device_descriptor));
 	if (err < 0)
 		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+	if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+			new_device_descriptor->bNumConfigurations);
+	else
+		memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+
+	kfree(new_device_descriptor);
 
 	err = usb_reset_configuration(dev);
 	if (err < 0)
@@ -1010,7 +1031,6 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev)
 	return 0;
 }
 
-
 #define MICROBOOK_BUF_SIZE 128
 
 static int snd_usb_motu_microbookii_communicate(struct usb_device *dev, u8 *buf,