[LTS 8.8] arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array #251
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jira VULN-54126 cve CVE-2025-21785 commit-author Radu Rendec <rrendec@redhat.com> commit 875d742 The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). Fixes: 5d425c1 ("arm64: kernel: add support for cpu cache information") Signed-off-by: Radu Rendec <rrendec@redhat.com> Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com Signed-off-by: Will Deacon <will@kernel.org> (cherry picked from commit 875d742) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
PlaidCat
requested review from
kerneltoast,
PlaidCat,
bmastbergen and
thefossguy-ciq
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit cd13c91 Add a big batch of test coverage to assert all aspects of the tcx opts attach, detach and query API: # ./vmtest.sh -- ./test_progs -t tc_opts [...] ctrliq#238 tc_opts_after:OK ctrliq#239 tc_opts_append:OK ctrliq#240 tc_opts_basic:OK ctrliq#241 tc_opts_before:OK ctrliq#242 tc_opts_chain_classic:OK ctrliq#243 tc_opts_demixed:OK ctrliq#244 tc_opts_detach:OK ctrliq#245 tc_opts_detach_after:OK ctrliq#246 tc_opts_detach_before:OK ctrliq#247 tc_opts_dev_cleanup:OK ctrliq#248 tc_opts_invalid:OK ctrliq#249 tc_opts_mixed:OK ctrliq#250 tc_opts_prepend:OK ctrliq#251 tc_opts_replace:OK ctrliq#252 tc_opts_revision:OK Summary: 15/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20230719140858.13224-8-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov <ast@kernel.org> (cherry picked from commit cd13c91) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit 21ce6ab Add a detachment test case with miniq present to assert that with and without the miniq we get the same error. # ./test_progs -t tc_opts ctrliq#244 tc_opts_after:OK ctrliq#245 tc_opts_append:OK ctrliq#246 tc_opts_basic:OK ctrliq#247 tc_opts_before:OK ctrliq#248 tc_opts_chain_classic:OK ctrliq#249 tc_opts_delete_empty:OK ctrliq#250 tc_opts_demixed:OK ctrliq#251 tc_opts_detach:OK ctrliq#252 tc_opts_detach_after:OK ctrliq#253 tc_opts_detach_before:OK ctrliq#254 tc_opts_dev_cleanup:OK ctrliq#255 tc_opts_invalid:OK ctrliq#256 tc_opts_mixed:OK ctrliq#257 tc_opts_prepend:OK ctrliq#258 tc_opts_replace:OK ctrliq#259 tc_opts_revision:OK Summary: 16/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/20230804131112.11012-2-daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> (cherry picked from commit 21ce6ab) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
bmastbergen
pushed a commit
to bmastbergen/kernel-src-tree
that referenced
this pull request
Aug 29, 2025
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-427.18.1.el9_4 commit-author Daniel Borkmann <daniel@iogearbox.net> commit ccd9a8b Add several new tcx test cases to improve test coverage. This also includes a few new tests with ingress instead of clsact qdisc, to cover the fix from commit dc644b5 ("tcx: Fix splat in ingress_destroy upon tcx_entry_free"). # ./test_progs -t tc [...] ctrliq#234 tc_links_after:OK ctrliq#235 tc_links_append:OK ctrliq#236 tc_links_basic:OK ctrliq#237 tc_links_before:OK ctrliq#238 tc_links_chain_classic:OK ctrliq#239 tc_links_chain_mixed:OK ctrliq#240 tc_links_dev_cleanup:OK ctrliq#241 tc_links_dev_mixed:OK ctrliq#242 tc_links_ingress:OK ctrliq#243 tc_links_invalid:OK ctrliq#244 tc_links_prepend:OK ctrliq#245 tc_links_replace:OK ctrliq#246 tc_links_revision:OK ctrliq#247 tc_opts_after:OK ctrliq#248 tc_opts_append:OK ctrliq#249 tc_opts_basic:OK ctrliq#250 tc_opts_before:OK ctrliq#251 tc_opts_chain_classic:OK ctrliq#252 tc_opts_chain_mixed:OK ctrliq#253 tc_opts_delete_empty:OK ctrliq#254 tc_opts_demixed:OK ctrliq#255 tc_opts_detach:OK ctrliq#256 tc_opts_detach_after:OK ctrliq#257 tc_opts_detach_before:OK ctrliq#258 tc_opts_dev_cleanup:OK ctrliq#259 tc_opts_invalid:OK ctrliq#260 tc_opts_mixed:OK ctrliq#261 tc_opts_prepend:OK ctrliq#262 tc_opts_replace:OK ctrliq#263 tc_opts_revision:OK [...] Summary: 44/38 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/r/8699efc284b75ccdc51ddf7062fa2370330dc6c0.1692029283.git.daniel@iogearbox.net Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> (cherry picked from commit ccd9a8b) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[LTS 8.8]
CVE-2025-21785
VULN-54126
Problem
https://www.cve.org/CVERecord?id=CVE-2025-21785
Solution
The official fix in the mainline kernel is provided in the 875d742 commit
kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed relative
Methodology
The tests were run using the rocky-patching framework (qemu-kvm virtualization of Rocky base cloud aarch64 images) ported to the local WHLE-LS1046A machine, based on the NXP Layerscape LS1046A arm64 processor.
The selftests were source-compiled from the recent
ciqlts8_8branch (commit f10433c).The tests were run using an explicit list of tests to run which omitted certain tests known to give inconsistent results. Details in https://gitlab.conclusive.pl/devices/rocky-patching/-/blob/master/src/run-kselftests.sh?ref_type=heads
Coverage
android,bpf(excepttest_progs,test_progs-no_alu32,test_xsk.sh,test_kmod.sh,test_sockmap),breakpoints,capabilities,cgroup,core,cpu-hotplug,cpufreq,drivers/net/bonding,drivers/net/team,efivarfs,exec,firmware,fpu,ftrace,futex,gpio,intel_pstate,ipc,kcmp,kvm,lib,livepatch,membarrier,memfd,memory-hotplug,mount,mqueue,net/forwarding(exceptsch_tbf_ets.sh,sch_ets.sh,sch_tbf_prio.sh,ipip_hier_gre_keys.sh,sch_tbf_root.sh,tc_actions.sh),net/mptcp(exceptsimult_flows.sh),net(exceptgro.sh,xfrm_policy.sh,ip_defrag.sh,reuseport_addr_any.sh,txtimestamp.sh,reuseaddr_conflict,udpgso_bench.sh),netfilter(exceptnft_trans_stress.sh),nsfs,proc,pstore,ptrace,rseq(exceptbasic_test,basic_percpu_ops_test,param_test_compare_twice,param_test_benchmark,param_test),sgx,sigaltstack,size,splice,static_keys,sync,sysctl,tc-testing,tdx,timens,timers(exceptraw_skew),tpm2,user,vm,zram.Reference
kselftests–mix–ciqlts8_8–run1.log
kselftests–mix–ciqlts8_8–run2.log
kselftests–mix–ciqlts8_8–run3.log
kselftests–mix–ciqlts8_8–run4.log
kselftests–mix–ciqlts8_8–run5.log
Patch
kselftests–mix–ciqlts8_8-CVE-2025-21785–run1.log
kselftests–mix–ciqlts8_8-CVE-2025-21785–run2.log
Comparison
All test results are the same.
Specific tests: skipped
To be done on demand