[LTS 9.4] CVE-2025-38129, CVE-2024-47727, CVE-2026-31402 #1153
Open
pvts-mat wants to merge 3 commits into ctrliq:ciqlts9_4 from
Conversation
jira VULN-180164
cve CVE-2026-31402
commit-author Jeff Layton <jlayton@kernel.org>
commit 5133b61
upstream-diff Used `post_err_offset' instead of `op_status_offset + XDR_UNIT' in the `read_bytes_from_xdr_buf()' call, as the LTS 9.4 version is missing ef3675b ("NFSD: Encode COMPOUND operation status on page boundaries")

The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).

When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory.

This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial.

We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request.

Fixes: 1da177e ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Reported-by: Nicholas Carlini <npc@anthropic.com>
Tested-by: Nicholas Carlini <npc@anthropic.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
(cherry picked from commit 5133b61)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-8574
cve CVE-2024-47727
commit-author Alexey Gladkov (Intel) <legion@kernel.org>
commit d4fc4d0
upstream-diff Context conflicts in header files inclusion only

TDX only supports kernel-initiated MMIO operations. The handle_mmio() function checks if the #VE exception occurred in the kernel and rejects the operation if it did not.

However, userspace can deceive the kernel into performing MMIO on its behalf. For example, if userspace can point a syscall to an MMIO address, syscall does get_user() or put_user() on it, triggering MMIO #VE. The kernel will treat the #VE as in-kernel MMIO.

Ensure that the target MMIO address is within the kernel before decoding instruction.

Fixes: 31d58c4 ("x86/tdx: Handle in-kernel MMIO")
Signed-off-by: Alexey Gladkov (Intel) <legion@kernel.org>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/565a804b80387970460a4ebc67c88d1380f61ad1.1726237595.git.legion%40kernel.org
(cherry picked from commit d4fc4d0)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-71839
cve CVE-2025-38129
commit-author Dong Chenchen <dongchenchen2@huawei.com>
commit 271683b
upstream-diff |
page_pool_recycle_in_ring()
Accounted for the non-backported 4dec64c ("page_pool: convert to use netmem")
page_pool_release()
(The following were the context conflicts, no actual diffs from the upstream in the strict sense)
- Retained the single-argument `page_pool_inflight()' call instead of passing additional `true' as it is in the upstream. The boolean argument relates to the reporting feature introduced in the non-backported commit 7aee842 ("net: page_pool: report amount of memory held by page pools").
- LTS 9.4 lacks the backport of de97502 ("page_pool: introduce page_pool_alloc() API"). Without it the `__page_pool_destroy()' call in upstream is equivalent to `page_pool_free()' in ciqlts9_4. Retained the ciqlts9_4-native `page_pool_free()' call.

syzbot reported a uaf in page_pool_recycle_in_ring:

BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943

CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826
page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036
skb_pp_recycle net/core/skbuff.c:1047 [inline]
skb_free_head net/core/skbuff.c:1094 [inline]
skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242
kfree_skb_reason include/linux/skbuff.h:1263 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]

root cause is:

page_pool_recycle_in_ring
ptr_ring_produce
spin_lock(&r->producer_lock);
WRITE_ONCE(r->queue[r->producer++], ptr)
//recycle last page to pool
                                page_pool_release
                                page_pool_scrub
                                page_pool_empty_ring
                                ptr_ring_consume
                                page_pool_return_page  //release all page
                                __page_pool_destroy
                                free_percpu(pool->recycle_stats);
                                free(pool)  //free

spin_unlock(&r->producer_lock);  //pool->ring uaf read
recycle_stat_inc(pool, ring);

page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled.

recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning.

Suggested-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/netdev/20250513083123.3514193-1-dongchenchen2@huawei.com
Fixes: ff7d6b2 ("page_pool: refurbish version of page_pool code")
Reported-by: syzbot+204a4382fcb3311f3858@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=204a4382fcb3311f3858
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Link: https://patch.msgid.link/20250527114152.3119109-1-dongchenchen2@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 271683b)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
edba3df to 466298b
🤖 Validation Checks In Progress
Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/25021761943
🔍 Interdiff Analysis
================================================================================
* DELTA DIFFERENCES - code changes that differ between the patches *
================================================================================
--- b/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -5441,10 +5441,8 @@
int len = xdr->buf->len - post_err_offset;
so->so_replay.rp_status = op->status;
- if (len <= NFSD4_REPLAY_ISIZE) {
- so->so_replay.rp_buflen = len;
- read_bytes_from_xdr_buf(xdr->buf,
- post_err_offset,
+ so->so_replay.rp_buflen = len;
+ read_bytes_from_xdr_buf(xdr->buf, post_err_offset,
so->so_replay.rp_buf, len);
} else {
so->so_replay.rp_buflen = 0;
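Review bot: The delta in this hunk is confined to the base argument of read_bytes_from_xdr_buf() (`post_err_offset` in the backport versus `op_status_offset + XDR_UNIT` upstream) and to line wrapping; the `if (len <= NFSD4_REPLAY_ISIZE)` guard and the `else { so->so_replay.rp_buflen = 0; }` fallback are the entire substance of the fix and must survive in the 9.4 tree exactly as the `-` lines show them. Because `len` is computed from the same `post_err_offset` that the copy uses, the check and the copy agree on one length, which is the property that closes the out-of-bounds write; the commit's upstream-diff note already documents why the two offsets are equivalent in 9.4.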
################################################################################
! REJECTED PATCH2 HUNKS - could not be compared; manual review needed !
################################################################################
--- b/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -6281,8 +6281,10 @@
int len = xdr->buf->len - (op_status_offset + XDR_UNIT);
so->so_replay.rp_status = op->status;
- so->so_replay.rp_buflen = len;
- read_bytes_from_xdr_buf(xdr->buf, op_status_offset + XDR_UNIT,
+ if (len <= NFSD4_REPLAY_ISIZE) {
+ so->so_replay.rp_buflen = len;
+ read_bytes_from_xdr_buf(xdr->buf,
+ op_status_offset + XDR_UNIT,
so->so_replay.rp_buf, len);
}
status:
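Review bot: Interdiff could not pair this hunk, so it has to be checked by hand: the `+` lines are the upstream form of the same guard, moving both `rp_buflen = len` and the read inside `if (len <= NFSD4_REPLAY_ISIZE)`. When confirming the 9.4 result, make sure the `rp_buflen = len` assignment did not stay outside the braces, since a cached `rp_buflen` larger than NFSD4_REPLAY_ISIZE would still be used on replay even if the copy itself were skipped.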
================================================================================
* CONTEXT DIFFERENCES - surrounding code differences between the patches *
================================================================================
--- b/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -5438,8 +5439,8 @@
so->so_replay.rp_status = op->status;
so->so_replay.rp_buflen = len;
- read_bytes_from_xdr_buf(xdr->buf, post_err_offset,
+ read_bytes_from_xdr_buf(xdr->buf, op_status_offset + XDR_UNIT,
so->so_replay.rp_buf, len);
}
status:
- *p = op->status;
+ op->status = nfsd4_map_status(op->status,
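Review bot: The context lines show upstream has additionally replaced `*p = op->status;` with `op->status = nfsd4_map_status(op->status, ...` at the `status:` label; that status-mapping change is not part of this fix and is correctly absent from the backport, but it is why the hunk offsets (5438 versus 6281) do not line up, so the rejected hunk above should be compared against the backport by content rather than by line numbers.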
################################################################################
! REJECTED PATCH2 HUNKS - could not be compared; manual review needed !
################################################################################
--- b/arch/x86/coco/tdx/tdx.c
+++ b/arch/x86/coco/tdx/tdx.c
@@ -16,6 +16,7 @@
#include <asm/insn-eval.h>
#include <asm/pgtable.h>
#include <asm/set_memory.h>
+#include <asm/traps.h>
/* MMIO direction */
#define EPT_READ 0
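Review bot: The only difference here is where `#include <asm/traps.h>` lands relative to `<asm/set_memory.h>` (line 16 upstream, line 12 in 9.4), which matches the "context conflicts in header files inclusion only" statement in the commit message. Confirm that the 9.4 copy of asm/traps.h declares the helper the new address check calls; a missing declaration would show up as a build error rather than as a silently dropped check, so a clean build of this file is the evidence to attach.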
================================================================================
* CONTEXT DIFFERENCES - surrounding code differences between the patches *
================================================================================
--- b/arch/x86/coco/tdx/tdx.c
+++ b/arch/x86/coco/tdx/tdx.c
@@ -12,5 +11,6 @@
#include <asm/insn-eval.h>
#include <asm/pgtable.h>
+#include <asm/set_memory.h>
/* MMIO direction */
#define EPT_READ 0
================================================================================
* DELTA DIFFERENCES - code changes that differ between the patches *
================================================================================
--- b/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -553,11 +553,16 @@
static bool page_pool_recycle_in_ring(struct page_pool *pool, struct page *page)
{
- bool in_softirq, ret;
+ int ret;
+ /* BH protection not needed if current is softirq */
+ if (in_softirq())
+ ret = ptr_ring_produce(&pool->ring, page);
+ else
+ ret = ptr_ring_produce_bh(&pool->ring, page);
/* BH protection not needed if current is softirq */
in_softirq = page_pool_producer_lock(pool);
- ret = !__ptr_ring_produce(&pool->ring, page);
+ ret = !__ptr_ring_produce(&pool->ring, (__force void *)netmem);
if (ret)
recycle_stat_inc(pool, ring);
page_pool_producer_unlock(pool, in_softirq);
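Review bot: This hunk mixes two return conventions that must not both survive in one function: the `+` lines keep `ret = ptr_ring_produce(...)` / `ptr_ring_produce_bh(...)`, which return 0 on success and are tested with `if (!ret)`, while the producer-lock form sets `ret = !__ptr_ring_produce(...)` and tests `if (ret)`. The 9.4 file should end up with exactly one pair (producer lock, `!__ptr_ring_produce`, `if (ret)`), or `recycle_stat_inc(pool, ring)` and the returned bool will be inverted. Also, the 9.4 signature on the first line takes `struct page *page`, so the backport must pass `page` where the `+` line shows `(__force void *)netmem`, as the netmem_ref note in the PR description explains.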
################################################################################
! REJECTED PATCH2 HUNKS - could not be compared; manual review needed !
################################################################################
--- b/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -741,12 +741,7 @@
static bool page_pool_recycle_in_ring(struct page_pool *pool, netmem_ref netmem)
{
- int ret;
- /* BH protection not needed if current is softirq */
- if (in_softirq())
- ret = ptr_ring_produce(&pool->ring, (__force void *)netmem);
- else
- ret = ptr_ring_produce_bh(&pool->ring, (__force void *)netmem);
+ bool in_softirq, ret;
if (!ret) {
recycle_stat_inc(pool, ring);
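Review bot: After this hunk the declaration becomes `bool in_softirq, ret;` while the surviving context still tests `if (!ret)`; with the `ret = !__ptr_ring_produce(...)` assignment shown in the delta hunk above, the matching test is `if (ret)`. The partial hunk does not show that line being updated, so verify the sense of the test in the 9.4 result directly rather than trusting this rejected hunk.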
@@ -1156,6 +1154,9 @@
page_pool_scrub(pool);
inflight = page_pool_inflight(pool, true);
+ /* Acquire producer lock to make sure producers have exited. */
+ in_softirq = page_pool_producer_lock(pool);
+ page_pool_producer_unlock(pool, in_softirq);
if (!inflight)
__page_pool_destroy(pool);
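Review bot: These three `+` lines are the actual fix: acquiring and immediately releasing the producer lock after `page_pool_scrub()` guarantees that any `page_pool_recycle_in_ring()` caller still inside `ptr_ring_produce` has left the critical section before the pool is freed. In 9.4 the surrounding calls are `page_pool_inflight(pool)` and `page_pool_free(pool)` rather than the two-argument inflight and `__page_pool_destroy()`, per the commit's upstream-diff note; confirm the lock pair sits between the scrub and the free in the backport as it does here, since placing it after the free would itself touch freed memory.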
================================================================================
* CONTEXT DIFFERENCES - surrounding code differences between the patches *
================================================================================
--- b/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -550,12 +563,12 @@
-static bool page_pool_recycle_in_ring(struct page_pool *pool, struct page *page)
+static bool page_pool_recycle_in_ring(struct page_pool *pool, netmem_ref netmem)
{
int ret;
/* BH protection not needed if current is softirq */
if (in_softirq())
- ret = ptr_ring_produce(&pool->ring, page);
+ ret = ptr_ring_produce(&pool->ring, (__force void *)netmem);
else
- ret = ptr_ring_produce_bh(&pool->ring, page);
+ ret = ptr_ring_produce_bh(&pool->ring, (__force void *)netmem);
if (!ret) {
recycle_stat_inc(pool, ring);
@@ -856,5 +1044,5 @@
page_pool_scrub(pool);
- inflight = page_pool_inflight(pool);
+ inflight = page_pool_inflight(pool, true);
if (!inflight)
- page_pool_free(pool);
+ __page_pool_destroy(pool);
This is an automated interdiff check for backported commits.
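Review bot: Context-only hunk: both differences (`page_pool_inflight(pool, true)` and `__page_pool_destroy()` versus `page_pool_free()`) correspond to the non-backported 7aee842 and de97502 commits listed in the commit's upstream-diff note and are not part of the fix; nothing to change beyond confirming those names resolve in the 9.4 file.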
JIRA PR Check Results
3 commit(s) with issues found: Commit
❌ Validation checks completed with issues
View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/25021761943
[LTS 9.4]
Commits
CVE-2025-38129
To see that netmem_ref equals struct page *, refer to the docstring of netmem_ref at the time of the 271683b fix: kernel-src-tree/include/net/netmem.h
Lines 88 to 97 in 271683b
CVE-2024-47727
CVE-2026-31402
The non-backported commit ef3675b made some changes to the core, buffer length-related variables used in the fix, so the lack of it may raise some doubts as to whether the LTS 9.4 adaptation could have been made in such a straightforward manner. It could, because
(Here the = sign should be understood as mathematical equality, not C assignment. Similarly in the code comments below.)
To see why, take into account that the xdr_reserve_space(xdr, N) call, if successful, increases xdr->buf->len by N. See kernel-src-tree/net/sunrpc/xdr.c
Line 1069 in d0d2f24
and
kernel-src-tree/net/sunrpc/xdr.c
Line 1036 in d0d2f24
Also that the xdr_stream_encode_u32(xdr, X) call increases xdr->buf->len by sizeof(X), through the xdr_reserve_space(xdr, N) call inside: kernel-src-tree/include/linux/sunrpc/xdr.h
Line 470 in d0d2f24
In the upstream-fixed affected function nfsd4_encode_operation() we have: kernel-src-tree/fs/nfsd/nfs4xdr.c
Lines 6231 to 6238 in 5133b61
Tracking the op_status_offset value:
The last step comes from:
kernel-src-tree/fs/nfsd/xdr4.h
Line 635 in d0d2f24
In the LTS 9.4 version the nfsd4_encode_operation() function starts with: kernel-src-tree/fs/nfsd/nfs4xdr.c
Lines 5389 to 5397 in d0d2f24
Tracking the post_err_offset value:
The last step is because of
kernel-src-tree/include/linux/sunrpc/xdr.h
Line 27 in d0d2f24
This means that neither the len value used in the special-case-catching condition nor the base argument for the read_bytes_from_xdr_buf() call differs between the upstream fix and the LTS 9.4 backport.
kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed relative
Reference
kselftests–ciqlts9_4–run1.log
Patch
kselftests–ciqlts9_4-CVE-batch-30–run1.log
kselftests–ciqlts9_4-CVE-batch-30–run2.log
Comparison
The tests results for the reference and the patch are the same.