[FIPS 9.2] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2025-37803 #417

PlaidCat · 2025-07-15T23:12:00Z

These are previously done CVEs from the 9.2 LTS kernel

CVE-2025-37803 [LTS 9.2] udmabuf: fix a buf size overflow issue during udmabuf creation #389
CVE-2023-45871 [LTS 9.2] igb: set max size RX buffer when store bad packet is enabled #297
CVE-2023-52922 [ciqlts9_2] can: bcm: Fix UAF in bcm_proc_show() #160

BUILD

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
no .config file found, moving on
[TIMER]{MRPROPER}: 0s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  BTF [M] sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1353s
Making Modules
  INSTALL /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  SIGN    /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+/kernel/sound/usb/usx2y/snd-usb-usx2y.ko
  SIGN    /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+/kernel/sound/virtio/virtio_snd.ko
  SIGN    /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+
[TIMER]{MODULES}: 8s
Making Install
sh ./arch/x86/boot/install.sh \
        5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 22s
Checking kABI
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+ and Index to 2
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 0s
[TIMER]{BUILD}: 1353s
[TIMER]{MODULES}: 8s
[TIMER]{INSTALL}: 22s
[TIMER]{TOTAL} 1388s
Rebooting in 10 seconds

KselfTest

[jmaple@devbox code]$ ls -rt kselftest.* | tail -n2 | while read line; do echo $line; grep '^ok ' $line | wc -l ; done
kselftest.5.14.0-284.30.1.el9_2.ciqfips.0.14.1.x86_64.log
314
kselftest.5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+.log
313

jira VULN-36338 cve CVE-2023-52922 commit-author YueHaibing <[email protected]> commit 55c3b96 BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before procfs entry be removed in bcm_release(), this lead to bcm_proc_show() may read the freed bcm_op. Fixes: ffd980f ("[CAN]: Add broadcast manager (bcm) protocol") Signed-off-by: YueHaibing <[email protected]> Reviewed-by: Oliver Hartkopp <[email protected]> Acked-by: Oliver Hartkopp <[email protected]> Link: https://lore.kernel.org/all/[email protected] Cc: [email protected] Signed-off-by: Marc Kleine-Budde <[email protected]> (cherry picked from commit 55c3b96) Signed-off-by: Pratham Patel <[email protected]> Signed-off-by: Jonathan Maple <[email protected]>

jira VULN-8853 cve CVE-2023-45871 commit-author Radoslaw Tyl <[email protected]> commit bb5ed01 Increase the RX buffer size to 3K when the SBP bit is on. The size of the RX buffer determines the number of pages allocated which may not be sufficient for receive frames larger than the set MTU size. Cc: [email protected] Fixes: 89eaefb ("igb: Support RX-ALL feature flag.") Reported-by: Manfred Rudigier <[email protected]> Signed-off-by: Radoslaw Tyl <[email protected]> Tested-by: Arpana Arland <[email protected]> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <[email protected]> Signed-off-by: David S. Miller <[email protected]> (cherry picked from commit bb5ed01) Signed-off-by: Marcin Wcisło <[email protected]> Signed-off-by: Jonathan Maple <[email protected]>

jira VULN-67675 cve CVE-2025-37803 commit-author Xiaogang Chen <[email protected]> commit 021ba7f by casting size_limit_mb to u64 when calculate pglimit. Signed-off-by: Xiaogang Chen<[email protected]> Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Christian König <[email protected]> (cherry picked from commit 021ba7f) Signed-off-by: Marcin Wcisło <[email protected]> Signed-off-by: Jonathan Maple <[email protected]>

thefossguy-ciq · 2025-07-16T07:51:18Z

Maple, a review is not required to merge this PR. Might want to change that.

thefossguy-ciq

🚤

PlaidCat · 2025-07-16T15:12:30Z

Maple, a review is not required to merge this PR. Might want to change that.

Was it not requiring approves?
I didn't check after the Build Checks ran

thefossguy-ciq and others added 3 commits July 15, 2025 17:48

PlaidCat requested review from kerneltoast, jainanmol84, bmastbergen, thefossguy-ciq and shreeya-patel98 July 15, 2025 23:12

PlaidCat self-assigned this Jul 15, 2025

thefossguy-ciq approved these changes Jul 16, 2025

View reviewed changes

shreeya-patel98 approved these changes Jul 16, 2025

View reviewed changes

PlaidCat merged commit f644d6a into fips-9-compliant/5.14.0-284.30.1 Jul 16, 2025
2 checks passed

PlaidCat deleted the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch July 16, 2025 15:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[FIPS 9.2] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2025-37803 #417

[FIPS 9.2] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2025-37803 #417

Uh oh!

PlaidCat commented Jul 15, 2025

Uh oh!

thefossguy-ciq commented Jul 16, 2025

Uh oh!

thefossguy-ciq left a comment

Uh oh!

PlaidCat commented Jul 16, 2025

Uh oh!

Uh oh!

Uh oh!

[FIPS 9.2] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2025-37803 #417

[FIPS 9.2] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2025-37803 #417

Uh oh!

Conversation

PlaidCat commented Jul 15, 2025

BUILD

KselfTest

Uh oh!

thefossguy-ciq commented Jul 16, 2025

Uh oh!

thefossguy-ciq left a comment

Choose a reason for hiding this comment

Uh oh!

PlaidCat commented Jul 16, 2025

Uh oh!

Uh oh!

Uh oh!