
@bmastbergen
Collaborator

Commits

    net_sched: hfsc: Fix a UAF vulnerability in class handling

    jira VULN-67694
    cve CVE-2025-37797
    commit-author Cong Wang <xiyou.wangcong@gmail.com>
    commit 3df275ef0a6ae181e8428a6589ef5d5231e58b5c
    ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control

    jira VULN-152893
    cve CVE-2025-39751
    commit-author Lucy Thrun <lucy.thrun@digital-rabbithole.de>
    commit a409c60111e6bb98fcabab2aeaa069daa9434ca0
    crypto: seqiv - Handle EBUSY correctly

    jira VULN-155731
    cve CVE-2023-53373
    commit-author Herbert Xu <herbert@gondor.apana.org.au>
    commit 32e62025e5e52fbe4812ef044759de7010b15dbc
    HID: core: detect and skip invalid inputs to snto32()

    jira VULN-33524
    cve-pre CVE-2022-48978
    commit-author Randy Dunlap <rdunlap@infradead.org>
    commit a0312af1f94d13800e63a7d0a66e563582e39aec
    HID: core: fix shift-out-of-bounds in hid_report_raw_event

    jira VULN-33524
    cve CVE-2022-48978
    commit-author ZhangPeng <zhangpeng362@huawei.com>
    commit ec61b41918587be530398b0d1c9a0d16619397e5
    HID: core: Harden s32ton() against conversion to 0 bits

    jira VULN-131254
    cve CVE-2025-38556
    commit-author Alan Stern <stern@rowland.harvard.edu>
    commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd
    upstream-diff This function is in a different place in this
                  kernel, so there was a conflict.  Also, when
                  this function was moved in the upstream kernel,
                  a newline was added after 's32 a = value....'.
                  Since that newline doesn't exist in this kernel
                  this commit adds it.

Build Log

/home/brett/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 7s
x86_64 architecture detected, copying config
‘configs/kernel-3.10.0-x86_64.config’ -> ‘.config’
Setting Local Version for build
CONFIG_LOCALVERSION="-bmastbergen_ciqcbr7_9_many-vulns-2025-11-20-e65251e"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf --silentoldconfig Kconfig
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/syscalls/../include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/syscalls/../include/generated/asm/syscalls_32.h
--
  IHEX2FW firmware/whiteheat_loader.fw
  H16TOFW firmware/edgeport/down2.fw
  IHEX2FW firmware/whiteheat.fw
  IHEX2FW firmware/keyspan_pda/xircom_pgs.fw
  IHEX2FW firmware/keyspan_pda/keyspan_pda.fw
[TIMER]{BUILD}: 496s
Making Modules
  INSTALL arch/x86/crypto/ablk_helper.ko
  INSTALL arch/x86/crypto/aesni-intel.ko
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
--
  INSTALL /lib/firmware/whiteheat_loader.fw
  INSTALL /lib/firmware/whiteheat.fw
  INSTALL /lib/firmware/keyspan_pda/keyspan_pda.fw
  INSTALL /lib/firmware/keyspan_pda/xircom_pgs.fw
  DEPMOD  3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-11-20-e65251e+
[TIMER]{MODULES}: 13s
Making Install
sh ./arch/x86/boot/install.sh 3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-11-20-e65251e+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 42s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-11-20-e65251e+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 7s
[TIMER]{BUILD}: 496s
[TIMER]{MODULES}: 13s
[TIMER]{INSTALL}: 42s
[TIMER]{TOTAL} 566s
Rebooting in 10 seconds

Testing

selftest-3.10.0-1160.119.1.el7_9.ciqcbr.9.1.x86_64-1.log

selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-11-20-e65251e+-1.log

brett@chewbacca ~/ciq/many-79-vulns-2025-11-20/kselftest-logs
 % grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.9.1.x86_64-1.log | wc -l
4
brett@chewbacca ~/ciq/many-79-vulns-2025-11-20/kselftest-logs
 % grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-11-20-e65251e+-1.log | wc -l
4
brett@chewbacca ~/ciq/many-79-vulns-2025-11-20/kselftest-logs
 % grep ok <(diff -adU0 <(grep ^ok selftest-3.10.0-1160.119.1.el7_9.ciqcbr.9.1.x86_64-1.log | sort -h) <(grep ^ok selftest-3.10.0-bmastbergen_ciqcbr7_9_many-vulns-2025-11-20-e65251e+-1.log | sort -h))
brett@chewbacca ~/ciq/many-79-vulns-2025-11-20/kselftest-logs
 %

jira VULN-67694
cve CVE-2025-37797
commit-author Cong Wang <xiyou.wangcong@gmail.com>
commit 3df275e

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class
handling. The issue occurs due to a time-of-check/time-of-use condition
in hfsc_change_class() when working with certain child qdiscs like netem
or codel.

The vulnerability works as follows:
1. hfsc_change_class() checks if a class has packets (q.qlen != 0)
2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,
   codel, netem) might drop packets and empty the queue
3. The code continues assuming the queue is still non-empty, adding
   the class to vttree
4. This breaks HFSC scheduler assumptions that only non-empty classes
   are in vttree
5. Later, when the class is destroyed, this can lead to a Use-After-Free

The fix adds a second queue length check after qdisc_peek_len() to verify
the queue wasn't emptied.

Fixes: 21f4d5c ("net_sched/hfsc: fix curve activation in hfsc_change_class()")
Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Reviewed-by: Konstantin Khlebnikov <koct9i@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20250417184732.943057-2-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 3df275e)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
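The check/peek/activate sequence the HFSC commit message describes, as an added illustration that is neither kernel code nor the author's patch: a toy class whose child qdisc may discard packets when peeked (the way codel or netem can), with the single-check shape beside the re-check shape the fix adds, and the vttree invariant checked afterwards. All names here (toy_qdisc, toy_class, drop_on_peek, change_class_unguarded, change_class_guarded, run_scenario) are constructed for the illustration.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_PKTS 8

/* Constructed stand-in for a child qdisc: packets in arrival order.
 * drop_on_peek[i] marks a packet the qdisc would discard when asked to
 * peek at its head (codel/netem can do this), which shrinks qlen. */
struct toy_qdisc {
	unsigned int len[MAX_PKTS];
	bool drop_on_peek[MAX_PKTS];
	unsigned int qlen;
};

/* Constructed stand-in for an HFSC class. in_vttree models membership in
 * the scheduler's virtual-time tree; the invariant HFSC relies on is that
 * only classes with a non-empty queue are in it. */
struct toy_class {
	struct toy_qdisc q;
	bool in_vttree;
};

/* Model of qdisc_peek_len(): drop leading packets the child wants gone,
 * then report the head length (0 if nothing is left). */
static unsigned int toy_peek_len(struct toy_qdisc *q)
{
	while (q->qlen && q->drop_on_peek[0]) {
		memmove(&q->len[0], &q->len[1], (q->qlen - 1) * sizeof(q->len[0]));
		memmove(&q->drop_on_peek[0], &q->drop_on_peek[1],
			(q->qlen - 1) * sizeof(q->drop_on_peek[0]));
		q->qlen--;
	}
	return q->qlen ? q->len[0] : 0;
}

/* Pre-fix shape: check qlen once, peek, then activate the class. */
static void change_class_unguarded(struct toy_class *cl)
{
	if (cl->q.qlen != 0) {
		(void)toy_peek_len(&cl->q);   /* may have emptied the queue */
		cl->in_vttree = true;         /* activated on stale information */
	}
}

/* Fixed shape: re-check qlen after the peek before activating. */
static void change_class_guarded(struct toy_class *cl)
{
	if (cl->q.qlen != 0) {
		(void)toy_peek_len(&cl->q);
		if (cl->q.qlen != 0)
			cl->in_vttree = true;
	}
}

/* The invariant a debug build could assert before a class is destroyed. */
static bool vttree_invariant_holds(const struct toy_class *cl)
{
	return !cl->in_vttree || cl->q.qlen != 0;
}

/* Constructed scenario: one queued packet, optionally dropped by the peek.
 * Returns true if the invariant still holds after the given change routine. */
static bool run_scenario(void (*change)(struct toy_class *), bool head_dropped)
{
	struct toy_class cl;

	memset(&cl, 0, sizeof(cl));
	cl.q.len[0] = 1500;
	cl.q.drop_on_peek[0] = head_dropped;
	cl.q.qlen = 1;
	change(&cl);
	return vttree_invariant_holds(&cl);
}

bool unguarded_holds(bool head_dropped) { return run_scenario(change_class_unguarded, head_dropped); }
bool guarded_holds(bool head_dropped)   { return run_scenario(change_class_guarded, head_dropped); }
```

With a packet the child keeps, both shapes behave identically; with a packet the child drops on peek, only the unguarded shape leaves an empty class in the vttree, which is the state the commit message says later turns into a use-after-free on class destruction.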
jira VULN-152893
cve CVE-2025-39751
commit-author Lucy Thrun <lucy.thrun@digital-rabbithole.de>
commit a409c60

The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte
buffer if either string argument is too long. This triggers a compiler
warning.
Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent
overflow.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/
Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit a409c60)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-155731
cve CVE-2023-53373
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 32e6202

As it is seqiv only handles the special return value of EINPROGRESS,
which means that in all other cases it will free data related to the
request.

However, as the caller of seqiv may specify MAY_BACKLOG, we also need
to expect EBUSY and treat it in the same way.  Otherwise backlogged
requests will trigger a use-after-free.

Fixes: 0a27032 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 32e6202)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-33524
cve-pre CVE-2022-48978
commit-author Randy Dunlap <rdunlap@infradead.org>
commit a0312af

Prevent invalid (0, 0) inputs to hid-core's snto32() function.

Maybe it is just the dummy device here that is causing this, but
there are hundreds of calls to snto32(0, 0). Having n (bits count)
of 0 is causing the current UBSAN trap with a shift value of
0xffffffff (-1, or n - 1 in this function).

Either of the value to shift being 0 or the bits count being 0 can be
handled by just returning 0 to the caller, avoiding the following
complex shift + OR operations:

	return value & (1 << (n - 1)) ? value | (~0U << n) : value;

Fixes: dde5845 ("[PATCH] Generic HID layer - code split")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-input@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
(cherry picked from commit a0312af)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-33524
cve CVE-2022-48978
commit-author ZhangPeng <zhangpeng362@huawei.com>
commit ec61b41

Syzbot reported shift-out-of-bounds in hid_report_raw_event.

microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) >
32! (swapper/0)
======================================================================
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS
Google 10/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322
 snto32 drivers/hid/hid-core.c:1323 [inline]
 hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline]
 hid_process_report drivers/hid/hid-core.c:1665 [inline]
 hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998
 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066
 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284
 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671
 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988
 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474
 expire_timers kernel/time/timer.c:1519 [inline]
 __run_timers+0x76a/0x980 kernel/time/timer.c:1790
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803
 __do_softirq+0x277/0x75b kernel/softirq.c:571
 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107
======================================================================

If the size of the integer (unsigned n) is bigger than 32 in snto32(),
shift exponent will be too large for 32-bit type 'int', resulting in a
shift-out-of-bounds bug.
Fix this by adding a check on the size of the integer (unsigned n) in
snto32(). To add support for n greater than 32 bits, set n to 32, if n
is greater than 32.

Reported-by: syzbot+8b1641d2f14732407e23@syzkaller.appspotmail.com
Fixes: dde5845 ("[PATCH] Generic HID layer - code split")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
(cherry picked from commit ec61b41)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
jira VULN-131254
cve CVE-2025-38556
commit-author Alan Stern <stern@rowland.harvard.edu>
commit a6b87bf
upstream-diff This function is in a different place in this
              kernel, so there was a conflict.  Also, when
              this function was moved in the upstream kernel,
              a newline was added after 's32 a = value....'.
              Since that newline doesn't exist in this kernel
              this commit adds it.

Testing by the syzbot fuzzer showed that the HID core gets a
shift-out-of-bounds exception when it tries to convert a 32-bit
quantity to a 0-bit quantity.  Ideally this should never occur, but
there are buggy devices and some might have a report field with size
set to zero; we shouldn't reject the report or the device just because
of that.

Instead, harden the s32ton() routine so that it returns a reasonable
result instead of crashing when it is called with the number of bits
set to 0 -- the same as what snto32() does.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/
Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
Fixes: dde5845 ("[PATCH] Generic HID layer - code split")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
(cherry picked from commit a6b87bf)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
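The two HID report-field conversions that the three HID commit messages above describe, as an added worked example that is not the kernel's code: snto32() sign-extends an n-bit field to a 32-bit value and s32ton() narrows a value back to n bits with saturation, each carrying the guards the commits add (n == 0 or value == 0 returns 0; n > 32 is clamped to 32) plus an explicit n == 32 path so that no shift count reaches 32. The function names match the commit messages; the bodies and the `field_size_out_of_range()` helper are mine, the example covers the general case for every n from 1 to 32 rather than only the inputs the reports mention, and the negative right shift relies on the arithmetic-shift behaviour of gcc and clang, as the kernel does.

```c
#include <stdint.h>
#include <stdbool.h>

typedef uint32_t u32;
typedef int32_t s32;

/* Sign-extend the low n bits of a report field to s32.
 * Guards from the commits: (value, n) == (_, 0) or (0, _) return 0, n > 32
 * is clamped to 32; the n == 32 case is taken before the ~0u << n shift. */
static s32 snto32(u32 value, unsigned int n)
{
	if (!value || !n)
		return 0;          /* n == 0 would shift by (n - 1) == 0xffffffff */
	if (n > 32)
		n = 32;            /* a descriptor may claim a field wider than 32 bits */
	if (n == 32)
		return (s32)value; /* ~0u << 32 is out of range for a 32-bit type */
	return (value & (1u << (n - 1))) ? (s32)(value | (~0u << n)) : (s32)value;
}

/* Narrow an s32 to an n-bit field, saturating when it does not fit.
 * Same guards as snto32(); the shift of a negative value is arithmetic. */
static u32 s32ton(s32 value, unsigned int n)
{
	s32 a;

	if (!value || !n)
		return 0;
	if (n > 32)
		n = 32;
	if (n == 32)
		return (u32)value;
	a = value >> (n - 1);      /* bits above the field: 0 or -1 if it fits */
	if (a && a != -1)          /* does not fit: clamp to the field's range */
		return value < 0 ? 1u << (n - 1) : (1u << (n - 1)) - 1;
	return (u32)value & ((1u << n) - 1);
}

/* Descriptor sanity check: is this field size one the unguarded shifts
 * (value >> (n - 1), 1 << (n - 1), ~0U << n) could not handle? */
static bool field_size_out_of_range(unsigned int n)
{
	return n == 0 || n > 32;
}
```

Round-tripping a value through s32ton() and snto32() at the same width is the identity whenever the value fits the field; s32ton(1, 1) returning 0 is the saturation case, since a 1-bit signed field only holds -1 and 0.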
@github-actions

🔍 Interdiff Analysis

  • ⚠️ PR commit f9593cf8078a (crypto: seqiv - Handle EBUSY correctly) → upstream 32e62025e5e5
    Differences found:
diff -u b/crypto/seqiv.c b/crypto/seqiv.c
--- b/crypto/seqiv.c
+++ b/crypto/seqiv.c
@@ -57,4 +57,4 @@
-	struct aead_request *subreq = aead_request_ctx(req);
+	struct aead_request *subreq = aead_givcrypt_reqctx(req);
 	struct crypto_aead *geniv;
 
 	if (err == -EINPROGRESS || err == -EBUSY)
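Review bot: The only divergence from upstream in this hunk is the request-context accessor, `aead_givcrypt_reqctx(req)` in the backport against upstream's `aead_request_ctx(req)`; the line that carries the fix, `if (err == -EINPROGRESS || err == -EBUSY)`, is identical context on both sides, so the EBUSY handling arrives intact. The commit message for this change has no `upstream-diff` line explaining the accessor difference, unlike the s32ton commit in this PR; please add one so the next reviewer does not have to rediscover why the interdiff flags it.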
  • ⚠️ PR commit e65251e4d60d (HID: core: Harden s32ton() against conversion to 0 bits) → upstream a6b87bfc2ab5
    Differences found:
diff -u b/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
--- b/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -68,6 +68,10 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 {
 	s32 a = value >> (n - 1);
 
+	if (!value || !n)
+		return 0;
+
+	a = value >> (n - 1);
 	if (a && a != -1)
 		return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1;
 	return value & ((1 << n) - 1);
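Review bot: Read literally, this hunk keeps the initializer `s32 a = value >> (n - 1);` ahead of the new `if (!value || !n)` guard and then recomputes `a` after it, which would still perform the out-of-range shift for `n == 0` before the guard runs. The `INTERDIFF: rejected hunk from patch2, cannot diff context` marker in the hunk header shows this is the tool's rendering of the upstream hunk it could not place (s32ton sits near line 1050 in this kernel, as the commit's upstream-diff note says), not the backported code, so the backport body has to be judged from the `@@ -1050` hunk that follows rather than from this one.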
@@ -1050,13 +1050,7 @@
 
-static u32 s32ton(__s32 value, unsigned int n)
+static u32 s32ton(__s32 value, unsigned n)
 {
 	s32 a;
-
-	if (!value || !n)
-		return 0;
-
-	a = value >> (n - 1);
-
 	if (a && a != -1)
 		return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1;
 	return value & ((1 << n) - 1);
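Review bot: The `-` side here is the PR's s32ton(): `s32 a;` declared without an initializer, the `if (!value || !n) return 0;` guard, then `a = value >> (n - 1);` followed by the blank line the commit's upstream-diff note says it adds, which is the ordering the upstream fix intends; the interdiff difference is a placement artifact rather than a functional deviation. Two smaller points: the `+` side's `s32 a;` immediately followed by `if (a && a != -1)` is only the pre-patch upstream context the tool fell back to after the rejected hunk, not real code; and `unsigned int n` versus `unsigned n` is cosmetic. The kselftest comparison above shows the same 4 passing tests on both kernels, so a report containing a field with size 0, the input the commit message names, would be the targeted check for this change.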

This is an automated interdiff check for backported commits.

@bmastbergen bmastbergen requested a review from a team November 20, 2025 14:11
@bmastbergen bmastbergen merged commit ee704c4 into ciqcbr7_9 Nov 21, 2025
2 of 3 checks passed
@bmastbergen bmastbergen deleted the {bmastbergen}_ciqcbr7_9/many-vulns-2025-11-20 branch November 21, 2025 16:42