[FIPS Legacy 8] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2024-0646 #423


Open
wants to merge 3 commits into
base: fips-legacy-8-compliant/4.18.0-425.13.1

Conversation

PlaidCat
Collaborator

Related CVE commits: since this is the 8.7 kernel, we need to check versus 8.6 and 8.8.

Build

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   include/config usr/include include/generated arch/x86/include/generated
  CLEAN   .config .config.old .version Module.symvers
[TIMER]{MRPROPER}: 9s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="jmaple_fips-legacy-8-compliant_4.18.0-425.13.1"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1846s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0jmaple_fips-legacy-8-compliant_4.18.0-425.13.1+
[TIMER]{MODULES}: 12s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0jmaple_fips-legacy-8-compliant_4.18.0-425.13.1+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 19s
Checking kABI
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0jmaple_fips-legacy-8-compliant_4.18.0-425.13.1+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 9s
[TIMER]{BUILD}: 1846s
[TIMER]{MODULES}: 12s
[TIMER]{INSTALL}: 19s
[TIMER]{TOTAL} 1890s
Rebooting in 10 seconds

KSelfTests

[jmaple@devbox code]$ ls -rt kselftest.* | tail -n2 | while read line; do echo $line; grep '^ok ' $line | wc -l ; done
kselftest.4.18.0-425.13.1.el8.ciqfipscompliant.41.1.x86_64.log
195
kselftest.4.18.0jmaple_fips-legacy-8-compliant_4.18.0-425.13.1+.log
195

thefossguy-ciq and others added 3 commits July 16, 2025 14:57
jira VULN-36335
cve CVE-2023-52922
commit-author YueHaibing <[email protected]>
commit 55c3b96

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80
Read of size 8 at addr ffff888155846230 by task cat/7862

CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0xd5/0x150
 print_report+0xc1/0x5e0
 kasan_report+0xba/0xf0
 bcm_proc_show+0x969/0xa80
 seq_read_iter+0x4f6/0x1260
 seq_read+0x165/0x210
 proc_reg_read+0x227/0x300
 vfs_read+0x1d5/0x8d0
 ksys_read+0x11e/0x240
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Allocated by task 7846:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0x9e/0xa0
 bcm_sendmsg+0x264b/0x44e0
 sock_sendmsg+0xda/0x180
 ____sys_sendmsg+0x735/0x920
 ___sys_sendmsg+0x11d/0x1b0
 __sys_sendmsg+0xfa/0x1d0
 do_syscall_64+0x35/0xb0
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 7846:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x27/0x40
 ____kasan_slab_free+0x161/0x1c0
 slab_free_freelist_hook+0x119/0x220
 __kmem_cache_free+0xb4/0x2e0
 rcu_core+0x809/0x1bd0

bcm_op is freed before the procfs entry is removed in bcm_release();
this leads to bcm_proc_show() possibly reading the freed bcm_op.

Fixes: ffd980f ("[CAN]: Add broadcast manager (bcm) protocol")
Signed-off-by: YueHaibing <[email protected]>
Reviewed-by: Oliver Hartkopp <[email protected]>
Acked-by: Oliver Hartkopp <[email protected]>
Link: https://lore.kernel.org/all/[email protected]
Cc: [email protected]
Signed-off-by: Marc Kleine-Budde <[email protected]>
(cherry picked from commit 55c3b96)
Signed-off-by: Pratham Patel <[email protected]>
Signed-off-by: Jonathan Maple <[email protected]>
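As an added illustration (not the kernel's code and not part of this PR) of the teardown-ordering rule the commit message above describes: an object that a proc reader can still reach must be unpublished before it is freed. The pool, registry and reader are constructed stand-ins for the slab cache, the proc entry's op list and bcm_proc_show().

```c
/* Added illustration, not the kernel's code: the teardown-ordering rule
 * behind CVE-2023-52922. The pool, registry and reader below are
 * constructed stand-ins for the slab cache, the proc entry's op list
 * and bcm_proc_show(); "alive == 0" models freed slab memory. */
#include <stddef.h>

#define POOL_SIZE 4
struct bcm_op_like { int ival; int alive; };
static struct bcm_op_like pool[POOL_SIZE];
static struct bcm_op_like *registry[POOL_SIZE]; /* pointers a reader may follow */
static struct bcm_op_like *op_alloc(int ival) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].alive) { pool[i].alive = 1; pool[i].ival = ival; return &pool[i]; }
    return NULL;
}
static void op_free(struct bcm_op_like *op) { op->alive = 0; }   /* stands in for kfree */

static void proc_register(struct bcm_op_like *op) {
    for (int i = 0; i < POOL_SIZE; i++) if (!registry[i]) { registry[i] = op; return; }
}
static void proc_unregister(struct bcm_op_like *op) {
    for (int i = 0; i < POOL_SIZE; i++) if (registry[i] == op) registry[i] = NULL;
}

/* Models bcm_proc_show(): walks the published list and counts entries that
 * point at freed memory, i.e. the reads KASAN reported as use-after-free. */
static int proc_show_dangling(void) {
    int dangling = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        if (registry[i] && !registry[i]->alive) dangling++;
    return dangling;
}

/* Each release path runs a "concurrent reader" between its two teardown
 * steps, standing in for a cat of the proc file racing bcm_release(), and
 * returns how many freed objects that reader could reach. */
static int release_free_then_unpublish(struct bcm_op_like *op, int (*reader)(void)) {
    op_free(op);               /* pre-fix order: free first ...          */
    int seen = reader();       /* ... the reader can still reach op      */
    proc_unregister(op);
    return seen;
}
static int release_unpublish_then_free(struct bcm_op_like *op, int (*reader)(void)) {
    proc_unregister(op);       /* fixed order: unpublish first ...       */
    int seen = reader();       /* ... the reader no longer finds op      */
    op_free(op);
    return seen;
}
```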
jira VULN-8852
cve CVE-2023-45871
commit-author Radoslaw Tyl <[email protected]>
commit bb5ed01

Increase the RX buffer size to 3K when the SBP bit is on. The size of
the RX buffer determines the number of pages allocated which may not
be sufficient for receive frames larger than the set MTU size.

Cc: [email protected]
Fixes: 89eaefb ("igb: Support RX-ALL feature flag.")
Reported-by: Manfred Rudigier <[email protected]>
Signed-off-by: Radoslaw Tyl <[email protected]>
Tested-by: Arpana Arland <[email protected]> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
(cherry picked from commit bb5ed01)
Signed-off-by: Marcin Wcisło <[email protected]>
Signed-off-by: Jonathan Maple <[email protected]>
jira VULN-42285
cve CVE-2024-0646
commit-author John Fastabend <[email protected]>
commit c5a5950
upstream-diff used linux-stable LT-5.15 sha ba5efd8

commit c5a5950 upstream.

The curr pointer must also be updated on the splice similar to how
we do this for other copy types.

Fixes: d829e9c ("tls: convert to generic sk_msg interface")
Signed-off-by: John Fastabend <[email protected]>
Reported-by: Jann Horn <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
(cherry picked from commit ba5efd8)
Signed-off-by: Marcin Wcisło <[email protected]>
Signed-off-by: Jonathan Maple <[email protected]>

@thefossguy-ciq thefossguy-ciq left a comment


🚤
