[ciqlts8 6] Easy(sh) vulns #763
Open
+37
−58
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🔍 Interdiff Analysis
diff -u b/sound/usb/stream.c b/sound/usb/stream.c
--- b/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -355,6 +360,9 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;
+ if (cs_len < sizeof(*is))
+ break;
+
/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
@@ -360,6 +365,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;
+ if (cs_len < sizeof(*is))
+ break;
+
/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
diff -u b/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c
--- b/sound/soc/sof/intel/hda.c
+++ b/sound/soc/sof/intel/hda.c
@@ -543,4 +543,4 @@
len += scnprintf(msg + len, sizeof(msg) - len, " 0x%x", value);
}
- dev_printk(level, sdev->dev, "extended rom status: %s", msg);
+ dev_err(sdev->dev, "extended rom status: %s", msg);
diff -u b/fs/inode.c b/fs/inode.c
--- b/fs/inode.c
+++ b/fs/inode.c
@@ -165,5 +165,5 @@
- inode->i_wb_frn_history = 0;
-#endif
+
+ inode->rh_reserved2 = 0;
spin_lock_init(&inode->i_lock);
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);This is an automated interdiff check for backported commits. |
Contributor
Author
This is a bug in interdiff, the patch looks fine. Check colordiff log
This is due to missing commit 34bfba9 ("ASoC: SOF: Intel: hda: Use DEBUG log level for optional prints").
This is expected since inode->rh_reserved2 = 0 is red hat specific.
|
PlaidCat
requested changes
Dec 17, 2025
Collaborator
PlaidCat
left a comment
PlaidCat
left a comment
There was a problem hiding this comment.
Please Revert and manually deal with the changes for cve-2022-50087
30254c3 firmware: arm_scpi: convert platform driver to use dev_groups
We can't take this change in the event that some actually uses this driver.
this is a part of a larger change set that actually implements in another place the code that is referenced being dropped
We need this commit to take this change
torvalds/linux@23b6904
which is a part of a larger fix up
https://lore.kernel.org/all/[email protected]/t/#u
roxanan1996
force-pushed
the
{rnicolescu}_ciqlts8_6_easy_vulns
branch
from
a3868bc to
8dca1e0
Compare
Contributor
Author
I thought I checked that. Great catch. I did the same for "ASoC: SOF: Intel: hda: Define rom_status_reg in sof_intel_dsp_desc" as the prereq is patch from a bigger patchset. |
jira VULN-152932 cve CVE-2025-39757 commit-author Takashi Iwai <[email protected]> commit ecfd411 UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB accesses. Fixes: 11785ef ("ALSA: usb-audio: Initial Power Domain support") Reported-and-tested-by: Youngjun Lee <[email protected]> Cc: <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Takashi Iwai <[email protected]> (cherry picked from commit ecfd411) Signed-off-by: Roxana Nicolescu <[email protected]>
jira VULN-152932 cve-bf CVE-2025-39757 commit-author Dan Carpenter <[email protected]> commit 89f0add The "p" pointer is void so sizeof(*p) is 1. The intent was to check sizeof(*cs_desc), which is 3, instead. Fixes: ecfd411 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors") Signed-off-by: Dan Carpenter <[email protected]> Link: https://patch.msgid.link/[email protected] Signed-off-by: Takashi Iwai <[email protected]> (cherry picked from commit 89f0add) Signed-off-by: Roxana Nicolescu <[email protected]>
jira VULN-155239 cve-pre CVE-2022-50356 commit-author Zhengchao Shao <[email protected]> commit c19d893 qdisc_reset() is clearing qdisc->q.qlen and qdisc->qstats.backlog _after_ calling qdisc->ops->reset. There is no need to clear them again in the specific reset function. Signed-off-by: Zhengchao Shao <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Paolo Abeni <[email protected]> (cherry picked from commit c19d893) Signed-off-by: Roxana Nicolescu <[email protected]>
jira VULN-155239 cve CVE-2022-50356 commit-author Zhengchao Shao <[email protected]> commit 2a3fc78 When the default qdisc is sfb, if the qdisc of dev_queue fails to be inited during mqprio_init(), sfb_reset() is invoked to clear resources. In this case, the q->qdisc is NULL, and it will cause gpf issue. The process is as follows: qdisc_create_dflt() sfb_init() tcf_block_get() --->failed, q->qdisc is NULL ... qdisc_put() ... sfb_reset() qdisc_reset(q->qdisc) --->q->qdisc is NULL ops = qdisc->ops The following is the Call Trace information: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] RIP: 0010:qdisc_reset+0x2b/0x6f0 Call Trace: <TASK> sfb_reset+0x37/0xd0 qdisc_reset+0xed/0x6f0 qdisc_destroy+0x82/0x4c0 qdisc_put+0x9e/0xb0 qdisc_create_dflt+0x2c3/0x4a0 mqprio_init+0xa71/0x1760 qdisc_create+0x3eb/0x1000 tc_modify_qdisc+0x408/0x1720 rtnetlink_rcv_msg+0x38e/0xac0 netlink_rcv_skb+0x12d/0x3a0 netlink_unicast+0x4a2/0x740 netlink_sendmsg+0x826/0xcc0 sock_sendmsg+0xc5/0x100 ____sys_sendmsg+0x583/0x690 ___sys_sendmsg+0xe8/0x160 __sys_sendmsg+0xbf/0x160 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f2164122d04 </TASK> Fixes: e13e02a ("net_sched: SFB flow scheduler") Signed-off-by: Zhengchao Shao <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit 2a3fc78) Signed-off-by: Roxana Nicolescu <[email protected]>
jira VULN-70476 cve-pre CVE-2022-50030 commit-author Dan Carpenter <[email protected]> commit 9020be1 The "mybuf" string comes from the user, so we need to ensure that it is NUL terminated. Link: https://lore.kernel.org/r/20211214070527.GA27934@kili Fixes: bd2cdd5 ("scsi: lpfc: NVME Initiator: Add debugfs support") Reviewed-by: James Smart <[email protected]> Signed-off-by: Dan Carpenter <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]> (cherry picked from commit 9020be1) Signed-off-by: Roxana Nicolescu <[email protected]>
… user input jira VULN-70476 cve CVE-2022-50030 commit-author James Smart <[email protected]> commit f8191d4 Malformed user input to debugfs results in buffer overflow crashes. Adapt input string lengths to fit within internal buffers, leaving space for NULL terminators. Link: https://lore.kernel.org/r/[email protected] Co-developed-by: Justin Tee <[email protected]> Signed-off-by: Justin Tee <[email protected]> Signed-off-by: James Smart <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]> (cherry picked from commit f8191d4) Signed-off-by: Roxana Nicolescu <[email protected]>
jira VULN-155283 cve CVE-2022-50367 commit-author Dongliang Mu <[email protected]> commit 2e488f1 upstream-diff | Adjusted context in inode_init_always to due rh specific variable rh_reserved2 being initialized to 0 added in commit: dbb05b7 ("Rebuild centos8 with kernel-4.18.0-80.el8") In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which causes inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes(e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes) Link: https://lkml.kernel.org/r/CAFcO6XOcf1Jj2SeGt=jJV59wmhESeSKpfR0omdFRq+J9nD1vfQ@mail.gmail.com Reported-by: butt3rflyh4ck <[email protected]> Reported-by: Hao Sun <[email protected]> Reported-by: Jiacheng Xu <[email protected]> Reviewed-by: Christian Brauner (Microsoft) <[email protected]> Signed-off-by: Dongliang Mu <[email protected]> Cc: Al Viro <[email protected]> Cc: [email protected] Signed-off-by: Al Viro <[email protected]> (cherry picked from commit 2e488f1) Signed-off-by: Roxana Nicolescu <[email protected]>
roxanan1996
force-pushed
the
{rnicolescu}_ciqlts8_6_easy_vulns
branch
from
8dca1e0 to
db64e8e
Compare
🔍 Interdiff Analysis
diff -u b/sound/usb/stream.c b/sound/usb/stream.c
--- b/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -355,6 +360,9 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;
+ if (cs_len < sizeof(*is))
+ break;
+
/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
@@ -360,6 +365,9 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
struct uac3_cluster_information_segment_descriptor *is = p;
unsigned char map;
+ if (cs_len < sizeof(*is))
+ break;
+
/*
* TODO: this conversion is not complete, update it
* after adding UAC3 values to asound.h
diff -u b/fs/inode.c b/fs/inode.c
--- b/fs/inode.c
+++ b/fs/inode.c
@@ -165,5 +165,5 @@
- inode->i_wb_frn_history = 0;
-#endif
+
+ inode->rh_reserved2 = 0;
spin_lock_init(&inode->i_lock);
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);This is an automated interdiff check for backported commits. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
DESCRIPTION
These are commits that were pretty easy to backport.
Some were applied cleanly, some required only a prereq.
The last one had to be manually fix since the context is slightly changed due
to internal red hat kabi fix.
Otherwise, it should be straightforward to review.
Notes
COMMITS
TESTING
BUILD
Kselftests
Check_kernel_commits
Run jira_pr_check