Skip to content

[FIPS 9.2 Compliant] CVEs: CVE-2023-4623, CVE-2025-21785 #239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: fips-9-compliant/5.14.0-284.30.1
Choose a base branch
from
Open

[FIPS 9.2 Compliant] CVEs: CVE-2023-4623, CVE-2025-21785 #239

wants to merge 3 commits into from

Conversation

PlaidCat
Copy link
Collaborator

@PlaidCat PlaidCat commented May 1, 2025

Based off previous CVEs on standard CIQ LTS kernel:

BUILD

$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" kbuild.{jmaple}_fips-9-compliant_5.14.0-284.30.1.log
/mnt/code/kernel-src-tree-build
no .config file found, moving on
[TIMER]{MRPROPER}: 0s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
--
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  BTF [M] sound/virtio/virtio_snd.ko
  BTF [M] sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1305s
Making Modules
  INSTALL /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  STRIP   /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+/kernel/sound/x86/snd-hdmi-lpe-audio.ko
  SIGN    /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+/kernel/sound/xen/snd_xen_front.ko
  DEPMOD  /lib/modules/5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+
[TIMER]{MODULES}: 9s
Making Install
sh ./arch/x86/boot/install.sh \
	5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 24s
Checking kABI
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+ and Index to 1
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 0s
[TIMER]{BUILD}: 1305s
[TIMER]{MODULES}: 9s
[TIMER]{INSTALL}: 24s
[TIMER]{TOTAL} 1343s
Rebooting in 10 seconds

Kernel SelfTests

Change in Kselftests, I'm no longer using the RPM but the last one was with the RPM.

 ls kernel_5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-9165dab32241+_iteration_2.log kselftest.5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+.log | while read line ; do echo $line; grep '^ok ' $line | wc -l ; done
kernel_5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-9165dab32241+_iteration_2.log
205
kselftest.5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-1766fca34c70+.log
314

PlaidCat added 3 commits April 30, 2025 17:48
@PlaidCat
net/sched: sch_hfsc: Ensure inner classes have fsc curve
3b7c8b1 
jira VULN-8855
cve CVE-2023-4623
commit-author Budimir Markovic <[email protected]>
commit b3d26c5

HFSC assumes that inner classes have an fsc curve, but it is currently
possible for classes without an fsc curve to become parents. This leads
to bugs including a use-after-free.

Don't allow non-root classes without HFSC_FSC to become parents.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Reported-by: Budimir Markovic <[email protected]>
	Signed-off-by: Budimir Markovic <[email protected]>
	Acked-by: Jamal Hadi Salim <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit b3d26c5)
	Signed-off-by: Jonathan Maple <[email protected]>
@PlaidCat
net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
0caa155 
jira VULN-8855
cve CVE-2023-4623
commit-author Pedro Tammela <[email protected]>
commit a13b67c

Christian Theune says:
   I upgraded from 6.1.38 to 6.1.55 this morning and it broke my traffic shaping script,
   leaving me with a non-functional uplink on a remote router.

A 'rt' curve cannot be used as a inner curve (parent class), but we were
allowing such configurations since the qdisc was introduced. Such
configurations would trigger a UAF as Budimir explains:
   The parent will have vttree_insert() called on it in init_vf(),
   but will not have vttree_remove() called on it in update_vf()
   because it does not have the HFSC_FSC flag set.

The qdisc always assumes that inner classes have the HFSC_FSC flag set.
This is by design as it doesn't make sense 'qdisc wise' for an 'rt'
curve to be an inner curve.

Budimir's original patch disallows users to add classes with a 'rt'
parent, but this is too strict as it breaks users that have been using
'rt' as a inner class. Another approach, taken by this patch, is to
upgrade the inner 'rt' into a 'sc', warning the user in the process.
It avoids the UAF reported by Budimir while also being more permissive
to bad scripts/users/code using 'rt' as a inner class.

Users checking the `tc class ls [...]` or `tc class get [...]` dumps would
observe the curve change and are potentially breaking with this change.

v1->v2: https://lore.kernel.org/all/[email protected]/
- Correct 'Fixes' tag and merge with revert (Jakub)

	Cc: Christian Theune <[email protected]>
	Cc: Budimir Markovic <[email protected]>
Fixes: b3d26c5 ("net/sched: sch_hfsc: Ensure inner classes have fsc curve")
	Signed-off-by: Pedro Tammela <[email protected]>
	Acked-by: Jamal Hadi Salim <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit a13b67c)
	Signed-off-by: Jonathan Maple <[email protected]>
@PlaidCat
arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
1766fca 
jira VULN-54132
cve CVE-2025-21785
commit-author Radu Rendec <[email protected]>
commit 875d742

The loop that detects/populates cache information already has a bounds
check on the array size but does not account for cache levels with
separate data/instructions cache. Fix this by incrementing the index
for any populated leaf (instead of any populated level).

Fixes: 5d425c1 ("arm64: kernel: add support for cpu cache information")

	Signed-off-by: Radu Rendec <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
	Signed-off-by: Will Deacon <[email protected]>
(cherry picked from commit 875d742)
	Signed-off-by: Jonathan Maple <[email protected]>
@PlaidCat PlaidCat self-assigned this May 1, 2025
@PlaidCat PlaidCat marked this pull request as ready for review May 1, 2025 16:45
bmastbergen
bmastbergen approved these changes May 1, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bmastbergen bmastbergen bmastbergen approved these changes

@kerneltoast kerneltoast Awaiting requested review from kerneltoast

@thefossguy-ciq thefossguy-ciq Awaiting requested review from thefossguy-ciq

Assignees

@PlaidCat PlaidCat

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@PlaidCat @bmastbergen