Skip to content

[FIPS 9.2] Multiple VULNS 28/11/25 #733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
shreeya-patel98 merged 11 commits into from
Dec 1, 2025
Merged

[FIPS 9.2] Multiple VULNS 28/11/25 #733

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
e6e220a
crypto: seqiv - Handle EBUSY correctly
shreeya-patel98 Nov 28, 2025
b3810d9
Bluetooth: Fix potential use-after-free when clear keys
shreeya-patel98 Nov 28, 2025
2e93d67
mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()
shreeya-patel98 Nov 28, 2025
44fcf9c
crypto: xts - Handle EBUSY correctly
shreeya-patel98 Nov 28, 2025
5bbd5cd
nbd: fix incomplete validation of ioctl arg
shreeya-patel98 Nov 28, 2025
24c2fb6
ALSA: usb-audio: Validate UAC3 power domain descriptors, too
shreeya-patel98 Nov 28, 2025
83e7474
ipv6: sr: Fix MAC comparison to be constant-time
shreeya-patel98 Nov 28, 2025
e715f1b
NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
shreeya-patel98 Nov 28, 2025
3e0e5b1
ALSA: usb-audio: Validate UAC3 cluster segment descriptors
shreeya-patel98 Nov 28, 2025
527502d
ALSA: usb-audio: Fix size validation in convert_chmap_v3()
shreeya-patel98 Nov 28, 2025
e2fb3a6
efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
shreeya-patel98 Nov 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion crypto/seqiv.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ static void seqiv_aead_encrypt_complete2(struct aead_request *req, int err)
struct aead_request *subreq = aead_request_ctx(req);
struct crypto_aead *geniv;

if (err == -EINPROGRESS)
if (err == -EINPROGRESS || err == -EBUSY)
return;

if (err)
Expand Down
8 changes: 4 additions & 4 deletions crypto/xts.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,12 +203,12 @@ static void xts_encrypt_done(struct crypto_async_request *areq, int err)
if (!err) {
struct xts_request_ctx *rctx = skcipher_request_ctx(req);

rctx->subreq.base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
rctx->subreq.base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG;
err = xts_xor_tweak_post(req, true);

if (!err && unlikely(req->cryptlen % XTS_BLOCK_SIZE)) {
err = xts_cts_final(req, crypto_skcipher_encrypt);
if (err == -EINPROGRESS)
if (err == -EINPROGRESS || err == -EBUSY)
return;
}
}
Expand All @@ -223,12 +223,12 @@ static void xts_decrypt_done(struct crypto_async_request *areq, int err)
if (!err) {
struct xts_request_ctx *rctx = skcipher_request_ctx(req);

rctx->subreq.base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
rctx->subreq.base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG;
err = xts_xor_tweak_post(req, false);

if (!err && unlikely(req->cryptlen % XTS_BLOCK_SIZE)) {
err = xts_cts_final(req, crypto_skcipher_decrypt);
if (err == -EINPROGRESS)
if (err == -EINPROGRESS || err == -EBUSY)
return;
}
}
Expand Down
6 changes: 6 additions & 0 deletions drivers/block/nbd.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,9 @@ static int nbd_set_size(struct nbd_device *nbd, loff_t bytesize,
if (blk_validate_block_size(blksize))
return -EINVAL;

if (bytesize < 0)
return -EINVAL;

nbd->config->bytesize = bytesize;
nbd->config->blksize_bits = __ffs(blksize);

Expand Down Expand Up @@ -1112,6 +1115,9 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg,
struct nbd_sock *nsock;
int err;

/* Arg will be cast to int, check it to avoid overflow */
if (arg > INT_MAX)
return -EINVAL;
sock = nbd_get_socket(nbd, arg, &err);
if (!sock)
return err;
Expand Down
4 changes: 4 additions & 0 deletions fs/efivarfs/super.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,10 @@ static int efivarfs_d_compare(const struct dentry *dentry,
{
int guid = len - EFI_VARIABLE_GUID_LEN;

/* Parallel lookups may produce a temporary invalid filename */
if (guid <= 0)
return 1;

if (name->len != len)
return 1;

Expand Down
11 changes: 9 additions & 2 deletions fs/nfs/export.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,14 +66,21 @@ nfs_fh_to_dentry(struct super_block *sb, struct fid *fid,
{
struct nfs_fattr *fattr = NULL;
struct nfs_fh *server_fh = nfs_exp_embedfh(fid->raw);
size_t fh_size = offsetof(struct nfs_fh, data) + server_fh->size;
size_t fh_size = offsetof(struct nfs_fh, data);
const struct nfs_rpc_ops *rpc_ops;
struct dentry *dentry;
struct inode *inode;
int len = EMBED_FH_OFF + XDR_QUADLEN(fh_size);
int len = EMBED_FH_OFF;
u32 *p = fid->raw;
int ret;

/* Initial check of bounds */
if (fh_len < len + XDR_QUADLEN(fh_size) ||
fh_len > XDR_QUADLEN(NFS_MAXFHSIZE))
return NULL;
/* Calculate embedded filehandle size */
fh_size += server_fh->size;
len += XDR_QUADLEN(fh_size);
/* NULL translates to ESTALE */
if (fh_len < len || fh_type != len)
return NULL;
Expand Down
19 changes: 10 additions & 9 deletions mm/memcontrol.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3142,12 +3142,12 @@ void mod_objcg_state(struct obj_cgroup *objcg, struct pglist_data *pgdat,
* accumulating over a page of vmstat data or when pgdat or idx
* changes.
*/
if (stock->cached_objcg != objcg) {
if (READ_ONCE(stock->cached_objcg) != objcg) {
old = drain_obj_stock(stock);
obj_cgroup_get(objcg);
stock->nr_bytes = atomic_read(&objcg->nr_charged_bytes)
? atomic_xchg(&objcg->nr_charged_bytes, 0) : 0;
stock->cached_objcg = objcg;
WRITE_ONCE(stock->cached_objcg, objcg);
stock->cached_pgdat = pgdat;
} else if (stock->cached_pgdat != pgdat) {
/* Flush the existing cached vmstat data */
Expand Down Expand Up @@ -3201,7 +3201,7 @@ static bool consume_obj_stock(struct obj_cgroup *objcg, unsigned int nr_bytes)
local_lock_irqsave(&memcg_stock.stock_lock, flags);

stock = this_cpu_ptr(&memcg_stock);
if (objcg == stock->cached_objcg && stock->nr_bytes >= nr_bytes) {
if (objcg == READ_ONCE(stock->cached_objcg) && stock->nr_bytes >= nr_bytes) {
stock->nr_bytes -= nr_bytes;
ret = true;
}
Expand All @@ -3213,7 +3213,7 @@ static bool consume_obj_stock(struct obj_cgroup *objcg, unsigned int nr_bytes)

static struct obj_cgroup *drain_obj_stock(struct memcg_stock_pcp *stock)
{
struct obj_cgroup *old = stock->cached_objcg;
struct obj_cgroup *old = READ_ONCE(stock->cached_objcg);

if (!old)
return NULL;
Expand Down Expand Up @@ -3266,7 +3266,7 @@ static struct obj_cgroup *drain_obj_stock(struct memcg_stock_pcp *stock)
stock->cached_pgdat = NULL;
}

stock->cached_objcg = NULL;
WRITE_ONCE(stock->cached_objcg, NULL);
/*
* The `old' objects needs to be released by the caller via
* obj_cgroup_put() outside of memcg_stock_pcp::stock_lock.
Expand All @@ -3277,10 +3277,11 @@ static struct obj_cgroup *drain_obj_stock(struct memcg_stock_pcp *stock)
static bool obj_stock_flush_required(struct memcg_stock_pcp *stock,
struct mem_cgroup *root_memcg)
{
struct obj_cgroup *objcg = READ_ONCE(stock->cached_objcg);
struct mem_cgroup *memcg;

if (stock->cached_objcg) {
memcg = obj_cgroup_memcg(stock->cached_objcg);
if (objcg) {
memcg = obj_cgroup_memcg(objcg);
if (memcg && mem_cgroup_is_descendant(memcg, root_memcg))
return true;
}
Expand All @@ -3299,10 +3300,10 @@ static void refill_obj_stock(struct obj_cgroup *objcg, unsigned int nr_bytes,
local_lock_irqsave(&memcg_stock.stock_lock, flags);

stock = this_cpu_ptr(&memcg_stock);
if (stock->cached_objcg != objcg) { /* reset if necessary */
if (READ_ONCE(stock->cached_objcg) != objcg) { /* reset if necessary */
old = drain_obj_stock(stock);
obj_cgroup_get(objcg);
stock->cached_objcg = objcg;
WRITE_ONCE(stock->cached_objcg, objcg);
stock->nr_bytes = atomic_read(&objcg->nr_charged_bytes)
? atomic_xchg(&objcg->nr_charged_bytes, 0) : 0;
allow_uncharge = true; /* Allow uncharge when objcg changes */
Expand Down
16 changes: 8 additions & 8 deletions net/bluetooth/hci_core.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1074,39 +1074,39 @@ void hci_uuids_clear(struct hci_dev *hdev)

void hci_link_keys_clear(struct hci_dev *hdev)
{
struct link_key *key;
struct link_key *key, *tmp;

list_for_each_entry(key, &hdev->link_keys, list) {
list_for_each_entry_safe(key, tmp, &hdev->link_keys, list) {
list_del_rcu(&key->list);
kfree_rcu(key, rcu);
}
}

void hci_smp_ltks_clear(struct hci_dev *hdev)
{
struct smp_ltk *k;
struct smp_ltk *k, *tmp;

list_for_each_entry(k, &hdev->long_term_keys, list) {
list_for_each_entry_safe(k, tmp, &hdev->long_term_keys, list) {
list_del_rcu(&k->list);
kfree_rcu(k, rcu);
}
}

void hci_smp_irks_clear(struct hci_dev *hdev)
{
struct smp_irk *k;
struct smp_irk *k, *tmp;

list_for_each_entry(k, &hdev->identity_resolving_keys, list) {
list_for_each_entry_safe(k, tmp, &hdev->identity_resolving_keys, list) {
list_del_rcu(&k->list);
kfree_rcu(k, rcu);
}
}

void hci_blocked_keys_clear(struct hci_dev *hdev)
{
struct blocked_key *b;
struct blocked_key *b, *tmp;

list_for_each_entry(b, &hdev->blocked_keys, list) {
list_for_each_entry_safe(b, tmp, &hdev->blocked_keys, list) {
list_del_rcu(&b->list);
kfree_rcu(b, rcu);
}
Expand Down
3 changes: 2 additions & 1 deletion net/ipv6/seg6_hmac.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
#include <net/xfrm.h>

#include <crypto/hash.h>
#include <crypto/utils.h>
#include <net/seg6.h>
#include <net/genetlink.h>
#include <net/seg6_hmac.h>
Expand Down Expand Up @@ -269,7 +270,7 @@ bool seg6_hmac_validate_skb(struct sk_buff *skb)
if (seg6_hmac_compute(hinfo, srh, &ipv6_hdr(skb)->saddr, hmac_output))
return false;

if (memcmp(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN) != 0)
if (crypto_memneq(hmac_output, tlv->hmac, SEG6_HMAC_FIELD_LEN))
return false;

return true;
Expand Down
25 changes: 22 additions & 3 deletions sound/usb/stream.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -338,20 +338,28 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor

len = le16_to_cpu(cluster->wLength);
c = 0;
p += sizeof(struct uac3_cluster_header_descriptor);
p += sizeof(*cluster);
len -= sizeof(*cluster);

while (((p - (void *)cluster) < len) && (c < channels)) {
while (len > 0 && (c < channels)) {
struct uac3_cluster_segment_descriptor *cs_desc = p;
u16 cs_len;
u8 cs_type;

if (len < sizeof(*cs_desc))
break;
cs_len = le16_to_cpu(cs_desc->wLength);
if (len < cs_len)
break;
cs_type = cs_desc->bSegmentType;

if (cs_type == UAC3_CHANNEL_INFORMATION) {
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;

if (cs_len < sizeof(*is))
break;

/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
Expand Down Expand Up @@ -453,6 +461,7 @@ snd_pcm_chmap_elem *convert_chmap_v3(struct uac3_cluster_header_descriptor
chmap->map[c++] = map;
}
p += cs_len;
len -= cs_len;
}

if (channels < c)
Expand Down Expand Up @@ -873,7 +882,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
u64 badd_formats = 0;
unsigned int num_channels;
struct audioformat *fp;
u16 cluster_id, wLength;
u16 cluster_id, wLength, cluster_wLength;
int clock = 0;
int err;

Expand Down Expand Up @@ -1000,6 +1009,16 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
return ERR_PTR(-EIO);
}

cluster_wLength = le16_to_cpu(cluster->wLength);
if (cluster_wLength < sizeof(*cluster) ||
cluster_wLength > wLength) {
dev_err(&dev->dev,
"%u:%d : invalid Cluster Descriptor size\n",
iface_no, altno);
kfree(cluster);
return ERR_PTR(-EIO);
}

num_channels = cluster->bNrChannels;
chmap = convert_chmap_v3(cluster);
kfree(cluster);
Expand Down
12 changes: 12 additions & 0 deletions sound/usb/validate.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,17 @@ static bool validate_uac3_feature_unit(const void *p,
return d->bLength >= sizeof(*d) + 4 + 2;
}

static bool validate_uac3_power_domain_unit(const void *p,
const struct usb_desc_validator *v)
{
const struct uac3_power_domain_descriptor *d = p;

if (d->bLength < sizeof(*d))
return false;
/* baEntities[] + wPDomainDescrStr */
return d->bLength >= sizeof(*d) + d->bNrEntities + 2;
}

static bool validate_midi_out_jack(const void *p,
const struct usb_desc_validator *v)
{
Expand Down Expand Up @@ -285,6 +296,7 @@ static const struct usb_desc_validator audio_validators[] = {
struct uac3_clock_multiplier_descriptor),
/* UAC_VERSION_3, UAC3_SAMPLE_RATE_CONVERTER: not implemented yet */
/* UAC_VERSION_3, UAC3_CONNECTORS: not implemented yet */
FUNC(UAC_VERSION_3, UAC3_POWER_DOMAIN, validate_uac3_power_domain_unit),
{ } /* terminator */
};

Expand Down