Skip to content

[lts92] Many VULNs 10-30-25#660

Merged
bmastbergen merged 4 commits intociqlts9_2from
bmastbergen_ciqlts9_2/10-30-25
Oct 31, 2025
Merged

[lts92] Many VULNs 10-30-25#660
bmastbergen merged 4 commits intociqlts9_2from
bmastbergen_ciqlts9_2/10-30-25

Conversation

@bmastbergen
Copy link
Collaborator

@bmastbergen bmastbergen commented Oct 30, 2025

Commits

    net: usb: smsc75xx: Limit packet length to skb->len

    jira VULN-67489
    cve CVE-2023-53125
    commit-author Szymon Heidrich <szymon.heidrich@gmail.com>
    commit d8b228318935044dafe3a5bc07ee71a1f1424b8d

    net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

    jira VULN-67489
    cve-bf CVE-2023-53125
    commit-author Szymon Heidrich <szymon.heidrich@gmail.com>
    commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c

    ipv6: mcast: Delay put pmc->idev in mld_del_delrec()

    jira VULN-131123
    cve CVE-2025-38550
    commit-author Yue Haibing <yuehaibing@huawei.com>
    commit ae3264a25a4635531264728859dbe9c659fad554

    ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control

    jira VULN-152898
    cve CVE-2025-39751
    commit-author Lucy Thrun <lucy.thrun@digital-rabbithole.de>
    commit a409c60111e6bb98fcabab2aeaa069daa9434ca0

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 12s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
--
  LD [M]  sound/xen/snd_xen_front.ko
  BTF [M] sound/virtio/virtio_snd.ko
  BTF [M] sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 909s
Making Modules
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+
[TIMER]{MODULES}: 7s
Making Install
sh ./arch/x86/boot/install.sh \
	5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 42s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 12s
[TIMER]{BUILD}: 909s
[TIMER]{MODULES}: 7s
[TIMER]{INSTALL}: 42s
[TIMER]{TOTAL} 987s
Rebooting in 10 seconds

Testing

selftest-5.14.0-284.30.1.el9_2.92ciq_lts.12.1.x86_64-1.log

selftest-5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+-1.log

brett@lycia ~/ciq/many-92-vulns-10-30-25
 % grep ^ok selftest-5.14.0-284.30.1.el9_2.92ciq_lts.12.1.x86_64-1.log | wc -l
331
brett@lycia ~/ciq/many-92-vulns-10-30-25
 % grep ^ok selftest-5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+-1.log | wc -l
333
brett@lycia ~/ciq/many-92-vulns-10-30-25
 % grep ok <(diff -adU0 <(grep ^ok selftest-5.14.0-284.30.1.el9_2.92ciq_lts.12.1.x86_64-1.log | sort -h) <(grep ^ok selftest-5.14.0-bmastbergen_ciqlts9_2_10-30-25-473d923f4df5+-1.log | sort -h))
-ok 18 selftests: net: ip_defrag.sh
-ok 1 selftests: livepatch: test-livepatch.sh # SKIP
+ok 1 selftests: livepatch: test-livepatch.sh
-ok 1 selftests: zram: zram.sh # SKIP
+ok 1 selftests: zram: zram.sh
-ok 2 selftests: livepatch: test-callbacks.sh # SKIP
+ok 2 selftests: livepatch: test-callbacks.sh
+ok 32 selftests: net: l2tp.sh
-ok 3 selftests: livepatch: test-shadow-vars.sh # SKIP
+ok 3 selftests: livepatch: test-shadow-vars.sh
+ok 43 selftests: net: txtimestamp.sh
+ok 47 selftests: net: drop_monitor_tests.sh
-ok 4 selftests: livepatch: test-state.sh # SKIP
+ok 4 selftests: livepatch: test-state.sh
-ok 5 selftests: livepatch: test-ftrace.sh # SKIP
+ok 5 selftests: livepatch: test-ftrace.sh
-ok 6 selftests: net: tls
+ok 9 selftests: net: test_bpf.sh
brett@lycia ~/ciq/many-92-vulns-10-30-25
 %

@bmastbergen
net: usb: smsc75xx: Limit packet length to skb->len
562511c 
jira VULN-67489
cve CVE-2023-53125
commit-author Szymon Heidrich <szymon.heidrich@gmail.com>
commit d8b2283

Packet length retrieved from skb data may be larger than
the actual socket buffer length (up to 9026 bytes). In such
case the cloned skb passed up the network stack will leak
kernel memory contents.

Fixes: d0cad87 ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
	Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit d8b2283)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
@bmastbergen
net: usb: smsc75xx: Move packet length check to prevent kernel panic …
52c8f46 
…in skb_pull

jira VULN-67489
cve-bf CVE-2023-53125
commit-author Szymon Heidrich <szymon.heidrich@gmail.com>
commit 43ffe6c

Packet length check needs to be located after size and align_count
calculation to prevent kernel panic in skb_pull() in case
rx_cmd_a & RX_CMD_A_RED evaluates to true.

Fixes: d8b2283 ("net: usb: smsc75xx: Limit packet length to skb->len")
	Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 43ffe6c)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
@bmastbergen
ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
3b5b1a2 
jira VULN-131123
cve CVE-2025-38550
commit-author Yue Haibing <yuehaibing@huawei.com>
commit ae3264a

pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec()
does, the reference should be put after ip6_mc_clear_src() return.

Fixes: 63ed8de ("mld: add mc_lock for protecting per-interface mld data")
	Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
Link: https://patch.msgid.link/20250714141957.3301871-1-yuehaibing@huawei.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit ae3264a)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
@bmastbergen
ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
473d923 
jira VULN-152898
cve CVE-2025-39751
commit-author Lucy Thrun <lucy.thrun@digital-rabbithole.de>
commit a409c60

The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte
buffer if either string argument is too long. This triggers a compiler
warning.
Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent
overflow.

	Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/
	Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit a409c60)
	Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
PlaidCat
PlaidCat approved these changes Oct 30, 2025
View reviewed changes
Copy link
Collaborator

@PlaidCat PlaidCat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@bmastbergen bmastbergen merged commit 9f30757 into ciqlts9_2 Oct 31, 2025
4 checks passed
@bmastbergen bmastbergen deleted the bmastbergen_ciqlts9_2/10-30-25 branch October 31, 2025 16:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roxanan1996 roxanan1996 roxanan1996 approved these changes

@PlaidCat PlaidCat PlaidCat approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bmastbergen @roxanan1996 @PlaidCat