[fips-legacy-8-compliant] Many VULNS 2026-01-14#811
Conversation
jira VULN-157130 cve CVE-2023-53513 commit-author Zhong Jinghua <zhongjinghua@huawei.com> commit 55793ea

We tested and found an alarm caused by nbd_ioctl arg without verification. The UBSAN warning calltrace is like below:

```
UBSAN: Undefined behaviour in fs/buffer.c:1709:35
signed integer overflow:
-9223372036854775808 - 1 cannot be represented in type 'long long int'
CPU: 3 PID: 2523 Comm: syz-executor.0 Not tainted 4.19.90 #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78
show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x170/0x1dc lib/dump_stack.c:118
ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161
handle_overflow+0x188/0x1dc lib/ubsan.c:192
__ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:206
__block_write_full_page+0x94c/0xa20 fs/buffer.c:1709
block_write_full_page+0x1f0/0x280 fs/buffer.c:2934
blkdev_writepage+0x34/0x40 fs/block_dev.c:607
__writepage+0x68/0xe8 mm/page-writeback.c:2305
write_cache_pages+0x44c/0xc70 mm/page-writeback.c:2240
generic_writepages+0xdc/0x148 mm/page-writeback.c:2329
blkdev_writepages+0x2c/0x38 fs/block_dev.c:2114
do_writepages+0xd4/0x250 mm/page-writeback.c:2344
```

The reason for triggering this warning is __block_write_full_page() -> i_size_read(inode) - 1 overflow. inode->i_size is assigned in __nbd_ioctl() -> nbd_set_size() -> bytesize. We think it is necessary to limit the size of arg to prevent errors.

Moreover, __nbd_ioctl() -> nbd_add_socket(), arg will be cast to int. Assuming the value of arg is 0x80000000000000001 (on a 64-bit machine), it will become 1 after the coercion, which will return unexpected results.

Fix it by adding checks to prevent passing in too large numbers.

Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20230206145805.2645671-1-zhongjinghua@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 55793ea)
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
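The two checks the commit describes, as an added userspace model rather than the nbd driver's code (model_set_size, last_byte_offset_overflows and model_add_socket are hypothetical stand-ins for nbd_set_size() and nbd_add_socket()):

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Added userspace model of the two paths the fix hardens; the names are
 * hypothetical stand-ins for nbd_set_size() and nbd_add_socket(), not the
 * driver's code. The size arrives as a signed 64-bit value (loff_t in the
 * kernel); the socket fd arrives as an unsigned long but is stored in an int. */

/* Size path: a negative byte size must be refused before it reaches
 * inode->i_size, where i_size_read(inode) - 1 would later overflow. */
int model_set_size(long long bytesize, long long *i_size)
{
    if (bytesize < 0)
        return -EINVAL;
    *i_size = bytesize;
    return 0;
}

/* The undefined behaviour UBSAN reported: the last-byte offset of an i_size
 * of LLONG_MIN (the -9223372036854775808 in the report) is not representable.
 * Checked without performing the overflowing subtraction. */
bool last_byte_offset_overflows(long long i_size)
{
    long long last;
    return __builtin_sub_overflow(i_size, 1, &last);
}

/* Socket path: anything above INT_MAX would be silently truncated by the
 * cast to int, so refuse it up front. */
int model_add_socket(unsigned long arg, int *fd)
{
    if (arg > INT_MAX)
        return -EINVAL;
    *fd = (int)arg;   /* now lossless */
    return 0;
}

int main(void)
{
    long long sz = 0;
    int fd = 0;
    printf("bytesize -1   -> %d\n", model_set_size(-1, &sz));
    printf("bytesize 4096 -> %d\n", model_set_size(4096, &sz));
    printf("LLONG_MIN - 1 overflows: %d\n", last_byte_offset_overflows(LLONG_MIN));
    printf("fd > INT_MAX  -> %d\n", model_add_socket((unsigned long)INT_MAX + 1, &fd));
    return 0;
}
```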
jira VULN-158438 cve CVE-2023-53675 commit-author Tomas Henzl <thenzl@redhat.com> commit 801ab13

Sanitize possible desc_ptr out-of-bounds accesses in ses_enclosure_data_process().

Link: https://lore.kernel.org/r/20230202162451.15346-4-thenzl@redhat.com
Cc: stable@vger.kernel.org
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
(cherry picked from commit 801ab13)
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-158470 cve CVE-2023-53680 commit-author Chuck Lever <chuck.lever@oracle.com> commit 804d8e0

OPDESC() simply indexes into nfsd4_ops[] by the op's operation number, without range checking that value. It assumes callers are careful to avoid calling it with an out-of-bounds opnum value.

nfsd4_decode_compound() is not so careful, and can invoke OPDESC() with opnum set to OP_ILLEGAL, which is 10044 -- well beyond the end of nfsd4_ops[].

Reported-by: Jeff Layton <jlayton@kernel.org>
Fixes: f4f9ef4 ("nfsd4: opdesc will be useful outside nfs4proc.c")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
(cherry picked from commit 804d8e0)
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-159017 cve CVE-2023-53705 commit-author Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> commit 878ecb0

optlen is fetched without checking whether there is more than one byte to parse. It can lead to out-of-bounds access.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: c61a404 ("[IPV6]: Find option offset by type.")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 878ecb0)
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
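The option-walking loop this fix hardens, as an added userspace model of the TLV search in net/ipv6/exthdrs_core.c (ipv6_find_tlv() upstream); find_tlv and the sample header bytes are constructed for this example and are not the kernel's code:

```c
#include <stdint.h>
#include <stdio.h>
#define IPV6_TLV_PAD1 0   /* 1-byte padding option: no length byte follows */

/* Userspace model of the option-walking loop in net/ipv6/exthdrs_core.c
 * (added example, not the kernel's code). 'nh' points at a Hop-by-Hop or
 * Destination Options header: next-header byte, length byte in 8-octet
 * units minus one, then TLV options. Returns the offset of the first
 * option of the requested type, or -1 if absent or malformed. */
int find_tlv(const uint8_t *nh, size_t packet_len, int type)
{
    if (packet_len < 2)
        return -1;
    size_t len = ((size_t)nh[1] + 1) * 8;
    if (len > packet_len)
        return -1;                  /* header claims more bytes than we hold */
    size_t offset = 2;
    len -= 2;
    while (len > 0) {
        int opttype = nh[offset];
        size_t optlen;
        if (opttype == type)
            return (int)offset;
        if (opttype == IPV6_TLV_PAD1) {
            optlen = 1;
        } else {
            /* The fix: one byte left means there is no length byte, so
             * reading nh[offset + 1] would run past the header. */
            if (len < 2)
                return -1;
            optlen = (size_t)nh[offset + 1] + 2;
            if (optlen > len)
                return -1;          /* option would extend past the header */
        }
        offset += optlen;
        len -= optlen;
    }
    return -1;
}

/* Constructed 8-byte header: Router Alert (type 5, len 2), a Pad1, then a
 * stray 1-byte non-Pad1 type with no room for its length byte. */
static const uint8_t sample_hbh[8] = { 59, 0, 5, 2, 0, 0, IPV6_TLV_PAD1, 0xC2 };

int main(void)
{
    printf("router alert at offset %d\n", find_tlv(sample_hbh, 8, 5));
    printf("type 7 -> %d (refuses to read past the 1-byte tail)\n", find_tlv(sample_hbh, 8, 7));
    return 0;
}
```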
jira VULN-170012 cve CVE-2025-68285 commit-author Ilya Dryomov <idryomov@gmail.com> commit 076381c

The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one

```
kfree(monc->monmap);
monc->monmap = monmap;

ceph_osdmap_destroy(osdc->osdmap);
osdc->osdmap = newmap;
```

under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in

```
client->monc.monmap && client->monc.monmap->epoch &&
client->osdc.osdmap && client->osdc.osdmap->epoch;
```

condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled:

```
BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
...
Call Trace:
 <TASK>
 have_mon_and_osd_map+0x56/0x70
 ceph_open_session+0x182/0x290
 ceph_get_tree+0x333/0x680
 vfs_get_tree+0x49/0x180
 do_new_mount+0x1a3/0x2d0
 path_mount+0x6dd/0x730
 do_mount+0x99/0xe0
 __do_sys_mount+0x141/0x180
 do_syscall_64+0x9f/0x100
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 </TASK>

Allocated by task 13305:
 ceph_osdmap_alloc+0x16/0x130
 ceph_osdc_init+0x27a/0x4c0
 ceph_create_client+0x153/0x190
 create_fs_client+0x50/0x2a0
 ceph_get_tree+0xff/0x680
 vfs_get_tree+0x49/0x180
 do_new_mount+0x1a3/0x2d0
 path_mount+0x6dd/0x730
 do_mount+0x99/0xe0
 __do_sys_mount+0x141/0x180
 do_syscall_64+0x9f/0x100
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 9475:
 kfree+0x212/0x290
 handle_one_map+0x23c/0x3b0
 ceph_osdc_handle_map+0x3c9/0x590
 mon_dispatch+0x655/0x6f0
 ceph_con_process_message+0xc3/0xe0
 ceph_con_v1_try_read+0x614/0x760
 ceph_con_workfn+0x2de/0x650
 process_one_work+0x486/0x7c0
 process_scheduled_works+0x73/0x90
 worker_thread+0x1c8/0x2a0
 kthread+0x2ec/0x300
 ret_from_fork+0x24/0x40
 ret_from_fork_asm+0x1a/0x30
```

Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well.

Cc: stable@vger.kernel.org
Reported-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
(cherry picked from commit 076381c)
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
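The locked-access pattern the rewrite introduces, as an added userspace model with pthread mutexes standing in for client->monc.mutex and client->osdc.lock (install_map and epoch_locked are hypothetical helpers written for this example, not ceph code):

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
/* Added userspace model of the corrected pattern (not ceph code): a map that
 * another thread may free and replace is only dereferenced while holding the
 * lock that guards the replacement. */
struct map { unsigned int epoch; };
struct client {
    pthread_mutex_t monc_mutex;   /* stands in for client->monc.mutex */
    struct map *monmap;
    pthread_mutex_t osdc_lock;    /* stands in for client->osdc.lock */
    struct map *osdmap;
};

/* Models ceph_monc_handle_map()/handle_one_map(): free the old map, install
 * the new one, both under the lock. A reader that skips the lock can land
 * between the free and the store and touch freed memory. */
void install_map(pthread_mutex_t *lock, struct map **slot, unsigned int epoch)
{
    struct map *fresh = malloc(sizeof *fresh);
    if (!fresh)
        abort();
    fresh->epoch = epoch;
    pthread_mutex_lock(lock);
    free(*slot);
    *slot = fresh;
    pthread_mutex_unlock(lock);
}
/* Reads one map's epoch with its lock held; 0 when no map is installed yet. */
static unsigned int epoch_locked(pthread_mutex_t *lock, struct map *const *slot)
{
    pthread_mutex_lock(lock);
    unsigned int epoch = *slot ? (*slot)->epoch : 0;
    pthread_mutex_unlock(lock);
    return epoch;
}
/* The fixed check. The pre-fix have_mon_and_osd_map() evaluated
 * monmap->epoch and osdmap->epoch with neither lock taken. */
bool have_mon_and_osd_map(struct client *c)
{
    return epoch_locked(&c->monc_mutex, &c->monmap) != 0 &&
           epoch_locked(&c->osdc_lock, &c->osdmap) != 0;
}
int main(void)
{
    struct client c = { PTHREAD_MUTEX_INITIALIZER, NULL, PTHREAD_MUTEX_INITIALIZER, NULL };
    install_map(&c.monc_mutex, &c.monmap, 1);
    install_map(&c.osdc_lock, &c.osdmap, 3);
    return have_mon_and_osd_map(&c) ? 0 : 1;
}
```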
Pull request overview
This PR applies security vulnerability fixes to the kernel, addressing 5 CVEs (CVE-2025-68285, CVE-2023-53705, CVE-2023-53680, CVE-2023-53675, CVE-2023-53513) related to use-after-free, buffer overflows, and incomplete input validation issues.
Changes:
- Fixed potential use-after-free in ceph mon/osd map access by adding proper locking
- Fixed out-of-bounds access in IPv6 TLV parsing
- Fixed NFSD out-of-bounds array access with OP_ILLEGAL opcodes
- Fixed SCSI SES descriptor pointer bounds checking
- Added validation for negative bytesize and large file descriptor values in NBD driver
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| net/ipv6/exthdrs_core.c | Added bounds check before accessing option length in TLV parsing to prevent buffer overrun |
| net/ceph/debugfs.c | Added mutex/lock protection when accessing monmap and osdmap to prevent use-after-free |
| net/ceph/ceph_common.c | Refactored session opening to use proper locking around monmap/osdmap access checks |
| fs/nfsd/nfs4xdr.c | Fixed timing of OPDESC assignment to avoid accessing invalid array index with OP_ILLEGAL |
| drivers/scsi/ses.c | Enhanced bounds checking for SES descriptor parsing to prevent out-of-bounds reads |
| drivers/block/nbd.c | Added validation for negative bytesize and overflow prevention for large fd values |
🤖 Validation Checks In Progress. Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/21002446374
🔍 Interdiff Analysis
diff -u b/drivers/block/nbd.c b/drivers/block/nbd.c
--- b/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -317,9 +317,9 @@
- if (blk_validate_block_size(blksize))
+ if (blksize < 512 || blksize > PAGE_SIZE || !is_power_of_2(blksize))
return -EINVAL;
if (bytesize < 0)
return -EINVAL;
nbd->config->bytesize = bytesize;
- nbd->config->blksize_bits = __ffs(blksize);
+ nbd->config->blksize = blksize;
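Review bot: The differences in this hunk are confined to unchanged context rather than to the backported fix: the upstream `blk_validate_block_size(blksize)` call corresponds to this tree's open-coded `blksize < 512 || blksize > PAGE_SIZE || !is_power_of_2(blksize)` test, and `nbd->config->blksize_bits = __ffs(blksize)` to `nbd->config->blksize = blksize`, both pre-existing differences in how the 4.18 driver validates and stores the block size. The line the CVE fix adds, `if (bytesize < 0) return -EINVAL;`, is identical on both sides, so the mismatch needs no code change, only a note in the backport record that it is context-only.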
diff -u b/drivers/scsi/ses.c b/drivers/scsi/ses.c
--- b/drivers/scsi/ses.c
+++ b/drivers/scsi/ses.c
@@ -572,4 +572,4 @@
- int max_desc_len;
+ struct enclosure_component *ecomp;
if (desc_ptr) {
if (desc_ptr + 3 >= buf + page7_len) {

This is an automated interdiff check for backported commits.
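Review bot: The only difference in the ses.c hunk is the local declaration, upstream `int max_desc_len;` against this tree's `struct enclosure_component *ecomp;`, which is surrounding context from the older ses.c rather than part of the fix; the added `if (desc_ptr + 3 >= buf + page7_len)` guard is the same on both sides. Worth recording in the backport notes that this interdiff mismatch is context-only, since the validation output by itself does not make that distinction.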
✅ Validation checks completed successfully. View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/21002446374
@PlaidCat you may consider backporting db95d4d
There are several complaints about interdiff in this and they're all contextual with no bearing on the code backported. I also never actually responded to the interdiff when I should have. WRT CVE-2023-7324, Red Hat is not addressing this (https://access.redhat.com/security/cve/cve-2023-7324), along with it's an unscored CVE (https://nvd.nist.gov/vuln/detail/CVE-2023-7324) (note Red Hat defaults ALL kernel CVEs to 5.5 for their internal systems until they actually evaluate it). I appreciate the digging though; we should likely take the CVE you mentioned on our kernel not on the active path to EOL.
True, forgot about that. I just investigated because I ran into that for lts8.6. There I did backport this CVE. |
Great, that's the correct course of action for that kernel. I'll go ahead and merge this then.
Merged 6f0e948 into ctrliq:fips-legacy-8-compliant/4.18.0-425.13.1
Utilized ctrliq/kernel-src-tree-tools#53 as a part of this update.