[rocky8_10] History Rebuild through kernel-4.18.0-553.123.1.el8_10 #1179

Open
PlaidCat wants to merge 17 commits into rocky8_10 from rocky8_10_rebuild

Conversation


@PlaidCat PlaidCat commented May 5, 2026

This is an automated kernel history rebuild using cron and internal tooling. It follows the same process used for previous history rebuilds:

  • Download all unprocessed src.rpm packages
  • For each src.rpm:
    • Identify all commits in the changelog up to the last known tag (4.18.0-553)
    • Replay commits in chronological order (oldest to newest in the changelog) using git cherry-pick
    • Replace the code in the branch with the output of rpmbuild -bp for the corresponding src.rpm
    • Tag the rebuild branch

JIRA Tickets

Rebuild Splat Inspection

kernel-4.18.0-553.123.1.el8_10

$ cat ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/rebuild.details.txt
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v4.18~1..kernel-mainline: 623624
Number of commits in rpm: 22
Number of commits matched with upstream: 16 (72.73%)
Number of commits in upstream but not in rpm: 623608
Number of commits NOT found in upstream: 6 (27.27%)

Rebuilding Kernel on Branch rocky8_10_rebuild_kernel-4.18.0-553.123.1.el8_10 for kernel-4.18.0-553.123.1.el8_10
Clean Cherry Picks: 5 (31.25%)
Empty Cherry Picks: 11 (68.75%)
_______________________________

__EMPTY COMMITS__________________________
5133b61aaf437e5f25b1b396b14242a6bb0508e2 nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
3cd39bc3b11b8d34b7d7c961a35fdfd18b0ebf75 kernel.h: Move ARRAY_SIZE() to a separate header
e5d574ab37f5f2e7937405613d9b1a724811e5ad nvme: avoid double free special payload
aad885e774966e97b675dfe928da164214a71605 KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5 crypto: algif_aead - Revert to operating out-of-place
8eceab19eba9dcbfd2a0daec72e1bf48aa100170 crypto: af_alg - limit RX SG extraction by receive buffer budget
31d00156e50ecad37f2cb6cbf04aaa9a260505ef crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
e02494114ebf7c8b42777c6cd6982f113bfdbec7 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
1f48ad3b19a9dfc947868edda0bb8e48e5b5a8fa crypto: authencesn - Fix src offset when decrypting in-place
5db6ef9847717329f12c5ea8aba7e9f588a980c0 crypto: authencesn - reject short ahash digests during instance creation
5aa58c3a572b3e3b6c786953339f7978b845cc52 crypto: algif_aead - snapshot IV for async AEAD requests

__CHANGES NOT IN UPSTREAM________________
Adding prod certs and changed cert date to 20210620
Adding Rocky secure boot certs
Fixing vmlinuz removal
Fixing UEFI CA path
Porting to 8.10, debranding and Rocky branding
Fixing pesign_key_name values

BUILD

$ grep -E -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
  CLEAN   scripts/basic
  CLEAN   scripts/kconfig
[TIMER]{MRPROPER}: 7s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rocky8_10_rebuild-9b906d0e7b3e"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 2177s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-rocky8_10_rebuild-9b906d0e7b3e+
[TIMER]{MODULES}: 18s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-rocky8_10_rebuild-9b906d0e7b3e+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 23s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0-rocky8_10_rebuild-9b906d0e7b3e+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 7s
[TIMER]{BUILD}: 2177s
[TIMER]{MODULES}: 18s
[TIMER]{INSTALL}: 23s
[TIMER]{TOTAL} 2230s
Rebooting in 10 seconds

KSelfTests

$ get_kselftest_diff.sh
ls: cannot access 'selftest-*': No such file or directory
kselftest.4.18.0-rocky8_10_rebuild-c5f33665f8ca+.log
207
kselftest.4.18.0-rocky8_10_rebuild-693462965e9d+.log
207
kselftest.4.18.0-rocky8_10_rebuild-2761ee9c1316+.log
207
kselftest.4.18.0-rocky8_10_rebuild-9b906d0e7b3e+.log
206
Before: kselftest.4.18.0-rocky8_10_rebuild-2761ee9c1316+.log
After: kselftest.4.18.0-rocky8_10_rebuild-9b906d0e7b3e+.log
Diff:
-ok 51 selftests: kvm: max_guest_memory_test

PlaidCat added 17 commits May 5, 2026 13:20
jira KERNEL-949
cve CVE-2026-31402
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Jeff Layton <jlayton@kernel.org>
commit 5133b61
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/5133b61a.failed

The NFSv4.0 replay cache uses a fixed 112-byte inline buffer
(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses.
This size was calculated based on OPEN responses and does not account
for LOCK denied responses, which include the conflicting lock owner as
a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT).

When a LOCK operation is denied due to a conflict with an existing lock
that has a large owner, nfsd4_encode_operation() copies the full encoded
response into the undersized replay buffer via read_bytes_from_xdr_buf()
with no bounds check. This results in a slab-out-of-bounds write of up
to 944 bytes past the end of the buffer, corrupting adjacent heap memory.

This can be triggered remotely by an unauthenticated attacker with two
cooperating NFSv4.0 clients: one sets a lock with a large owner string,
then the other requests a conflicting lock to provoke the denial.

We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full
opaque, but that would increase the size of every stateowner, when most
lockowners are not that large.

Instead, fix this by checking the encoded response length against
NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the
response is too large, set rp_buflen to 0 to skip caching the replay
payload. The status is still cached, and the client already received the
correct response on the original request.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Cc: stable@kernel.org
	Reported-by: Nicholas Carlini <npc@anthropic.com>
	Tested-by: Nicholas Carlini <npc@anthropic.com>
	Signed-off-by: Jeff Layton <jlayton@kernel.org>
	Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
(cherry picked from commit 5133b61)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	fs/nfsd/nfs4xdr.c
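The arithmetic in the commit message above (a 112-byte inline buffer versus a LOCK denied response carrying an owner of up to 1024 bytes) is easy to check with a small model. The block below is an added example, not code from fs/nfsd: the two size constants come from the commit message, while the struct, the XDR layout used for `lock_denied_encoded_len()` (a simplified LOCK4denied body: offset, length, locktype, owner clientid, owner opaque with 4-byte length and padding) and all function names are assumptions made for this illustration. `replay_cache_store()` mirrors the fix described: the status is always recorded, the payload only when it fits, otherwise `rp_buflen` is set to 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes quoted in the commit message above. Everything else in this block
 * is a constructed model, not code from fs/nfsd. */
#define NFSD4_REPLAY_ISIZE 112
#define NFS4_OPAQUE_LIMIT  1024

/* Simplified XDR size of a LOCK4denied body (assumed layout for this model):
 * offset(8) + length(8) + locktype(4) + owner clientid(8) +
 * owner opaque (4-byte length + owner bytes padded to a multiple of 4). */
size_t lock_denied_encoded_len(size_t owner_len)
{
    size_t padded_owner = (owner_len + 3) & ~(size_t)3;
    return 8 + 8 + 4 + 8 + 4 + padded_owner;
}

struct replay_cache {
    uint32_t      rp_status;
    size_t        rp_buflen;                   /* 0 = payload not cached */
    unsigned char rp_ibuf[NFSD4_REPLAY_ISIZE];
    unsigned char guard[8];                    /* sentinel after the buffer */
};

static const unsigned char GUARD[8] = { 'G', 'U', 'A', 'R', 'D', '!', '!', '!' };

void replay_init(struct replay_cache *rp)
{
    memset(rp, 0, sizeof(*rp));
    memcpy(rp->guard, GUARD, sizeof(rp->guard));
}

/* 1 if nothing has been written past rp_ibuf. */
int replay_guard_intact(const struct replay_cache *rp)
{
    return memcmp(rp->guard, GUARD, sizeof(rp->guard)) == 0;
}

/* Hardened store, mirroring the fix: the status is always recorded, the
 * encoded payload only when it fits. Returns the number of bytes cached. */
size_t replay_cache_store(struct replay_cache *rp, uint32_t status,
                          const unsigned char *enc, size_t enc_len)
{
    rp->rp_status = status;
    if (enc_len > NFSD4_REPLAY_ISIZE) {
        rp->rp_buflen = 0;          /* too large: skip caching the payload */
        return 0;
    }
    memcpy(rp->rp_ibuf, enc, enc_len);
    rp->rp_buflen = enc_len;
    return enc_len;
}

/* Runs both cases with constructed responses. Returns 1 when the small
 * response is cached in full and the oversized LOCK denied response is
 * skipped with its status kept and the guard bytes untouched. */
int replay_demo(void)
{
    struct replay_cache rp;
    unsigned char small[64], big[NFS4_OPAQUE_LIMIT + 32];
    size_t big_len = lock_denied_encoded_len(NFS4_OPAQUE_LIMIT);  /* 1056 */

    memset(small, 0xAB, sizeof(small));
    memset(big, 0xCD, sizeof(big));
    replay_init(&rp);

    if (replay_cache_store(&rp, 0, small, sizeof(small)) != sizeof(small) ||
        rp.rp_buflen != sizeof(small))
        return 0;
    /* 10010 is NFS4ERR_DENIED, the status a conflicting LOCK returns. */
    if (replay_cache_store(&rp, 10010, big, big_len) != 0 ||
        rp.rp_buflen != 0 || rp.rp_status != 10010)
        return 0;
    return replay_guard_intact(&rp);
}
```

With the assumed layout, a maximal owner encodes to 1056 bytes, which is 944 bytes more than the 112-byte buffer, the same figure the commit message gives for the worst-case out-of-bounds write; the guarded store refuses that copy while still recording the status, exactly the trade-off the author chose over growing every stateowner.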
jira KERNEL-949
cve CVE-2025-40252
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Alejandro Colomar <alx@kernel.org>
commit 3cd39bc
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/3cd39bc3.failed

Touching files so used for the kernel,
forces 'make' to recompile most of the kernel.

Having those definitions in more granular files
helps avoid recompiling so much of the kernel.

	Signed-off-by: Alejandro Colomar <alx@kernel.org>
	Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
	Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20230817143352.132583-2-lucas.segarra.fernandez@intel.com
[andy: reduced to cover only string.h for now]
	Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
(cherry picked from commit 3cd39bc)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	include/linux/kernel.h
… and qede_tpa_end()

jira KERNEL-949
cve CVE-2025-40252
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
commit 896f1a2

The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate
over 'cqe->len_list[]' using only a zero-length terminator as
the stopping condition. If the terminator was missing or
malformed, the loop could run past the end of the fixed-size array.

Add an explicit bound check using ARRAY_SIZE() in both loops to prevent
a potential out-of-bounds access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 55482ed ("qede: Add slowpath/fastpath support and enable hardware GRO")
	Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@kaspersky.com>
Link: https://patch.msgid.link/20251113112757.4166625-1-Pavel.Zhigulin@kaspersky.com
	Signed-off-by: Paolo Abeni <pabeni@redhat.com>

(cherry picked from commit 896f1a2)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
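The fix described above replaces a terminator-only loop with one that is also bounded by `ARRAY_SIZE()`. The block below is an added example, not the qede driver's code: the `tpa_cont_cqe` struct, the `TPA_LEN_LIST_SIZE` constant and the function names are assumptions for this model (the real CQE layout has its own constants), and `ARRAY_SIZE` is reproduced so the block compiles on its own. The malformed sample has no zero terminator, which is exactly the case the bound check exists for.

```c
#include <stddef.h>
#include <stdint.h>

/* Same definition the kernel provides; reproduced so the block is self-contained. */
#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))

/* Hypothetical list size for this model; the qede CQE layout uses its own. */
#define TPA_LEN_LIST_SIZE 6

struct tpa_cont_cqe {                 /* constructed model of the CQE */
    uint16_t len_list[TPA_LEN_LIST_SIZE];
};

/* Sums the segment lengths. Stops at a zero terminator OR at the end of the
 * array, whichever comes first, so a missing terminator cannot carry the loop
 * past the fixed-size array. Writes the number of segments consumed to
 * *segments when the pointer is non-NULL. */
size_t tpa_total_len(const struct tpa_cont_cqe *cqe, size_t *segments)
{
    size_t i, total = 0;

    for (i = 0; i < ARRAY_SIZE(cqe->len_list) && cqe->len_list[i]; i++)
        total += cqe->len_list[i];
    if (segments)
        *segments = i;
    return total;
}

/* Constructed samples: a well-formed CQE with two segments and a terminator,
 * and a malformed one where every entry is non-zero. */
const struct tpa_cont_cqe SAMPLE_OK  = { .len_list = { 1500, 1500, 0, 0, 0, 0 } };
const struct tpa_cont_cqe SAMPLE_BAD = { .len_list = { 1500, 1500, 1500, 1500, 1500, 1500 } };

/* Returns 1 if the bounded loop sums the two real segments of SAMPLE_OK and
 * stops after exactly ARRAY_SIZE entries on SAMPLE_BAD. */
int tpa_demo(void)
{
    size_t n;

    if (tpa_total_len(&SAMPLE_OK, &n) != 3000 || n != 2)
        return 0;
    if (tpa_total_len(&SAMPLE_BAD, &n) != 9000 || n != TPA_LEN_LIST_SIZE)
        return 0;
    return 1;
}
```

The loop condition checks the index before reading `len_list[i]`, so the array is never dereferenced at position `TPA_LEN_LIST_SIZE`; reversing the two operands would reintroduce a one-element over-read on the malformed input.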
jira KERNEL-949
cve CVE-2025-68724
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Thorsten Blum <thorsten.blum@linux.dev>
commit df0845c

Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.

Fixes: 7901c1a ("KEYS: Implement binary asymmetric key ID handling")
	Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
	Reviewed-by: Lukas Wunner <lukas@wunner.de>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit df0845c)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
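The commit message above describes guarding a size computation with `check_add_overflow()` before allocating space for two concatenated blobs. The block below is an added example, not the kernel's asymmetric-key code: the `key_id` struct (with a `size_t` length rather than the kernel's field), the function names and the sample issuer/serial blobs are all constructed for this illustration, and the compiler builtin that the kernel's `check_add_overflow()` wraps is used directly so the block builds outside the kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct key_id {             /* constructed model of a binary key identifier */
    size_t        len;
    unsigned char data[];
};

/* Size needed for a key id holding two blobs. Uses the compiler builtin that
 * the kernel's check_add_overflow() is built on; returns -EOVERFLOW if either
 * addition wraps, so the caller never allocates a too-small buffer. */
int key_id_alloc_size(size_t len_1, size_t len_2, size_t *out)
{
    size_t total;

    if (__builtin_add_overflow(len_1, len_2, &total) ||
        __builtin_add_overflow(total, sizeof(struct key_id), &total))
        return -EOVERFLOW;
    *out = total;
    return 0;
}

/* Concatenates two blobs into a newly allocated key id. On failure returns
 * NULL and stores -EOVERFLOW or -ENOMEM in *err. The caller frees the result. */
struct key_id *key_id_generate(const void *val_1, size_t len_1,
                               const void *val_2, size_t len_2, int *err)
{
    size_t size;
    struct key_id *kid;

    *err = key_id_alloc_size(len_1, len_2, &size);
    if (*err)
        return NULL;
    kid = malloc(size);
    if (!kid) {
        *err = -ENOMEM;
        return NULL;
    }
    kid->len = len_1 + len_2;            /* cannot wrap: checked above */
    memcpy(kid->data, val_1, len_1);
    memcpy(kid->data + len_1, val_2, len_2);
    return kid;
}

/* Constructed issuer/serial blobs (not taken from a real certificate).
 * Returns 1 when the normal case concatenates correctly and a hostile length
 * close to SIZE_MAX is refused with -EOVERFLOW instead of yielding a short
 * allocation that the memcpy calls would then overrun. */
int key_id_demo(void)
{
    static const unsigned char issuer[] = "CN=example";   /* 10 bytes used */
    static const unsigned char serial[] = { 0x01, 0x02, 0x03, 0x04 };
    int err;
    struct key_id *kid = key_id_generate(issuer, 10, serial, sizeof(serial), &err);
    int ok = kid != NULL && err == 0 && kid->len == 14 &&
             memcmp(kid->data, "CN=example", 10) == 0 &&
             memcmp(kid->data + 10, serial, 4) == 0;
    free(kid);

    if (key_id_generate(issuer, SIZE_MAX - 2, serial, 4, &err) != NULL ||
        err != -EOVERFLOW)
        return 0;
    return ok;
}
```

The second `__builtin_add_overflow()` matters as much as the first: two lengths that sum without wrapping can still wrap once the struct header is added, which is why the size is accumulated in one checked chain rather than computed with plain `+`.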
jira KERNEL-949
cve CVE-2024-41073
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Chunguang Xu <chunguang.xu@shopee.com>
commit e5d574a
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/e5d574ab.failed

If a discard request needs to be retried, and that retry may fail before
a new special payload is added, a double free will result. Clear the
RQF_SPECIAL_LOAD when the request is cleaned.

	Signed-off-by: Chunguang Xu <chunguang.xu@shopee.com>
	Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
	Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
	Signed-off-by: Keith Busch <kbusch@kernel.org>
(cherry picked from commit e5d574a)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	drivers/nvme/host/core.c
…IO SPTE

jira KERNEL-949
cve CVE-2026-23401
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Sean Christopherson <seanjc@google.com>
commit aad885e
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/aad885e7.failed

When installing an emulated MMIO SPTE, do so *after* dropping/zapping the
existing SPTE (if it's shadow-present).  While commit a54aa15 was
right about it being impossible to convert a shadow-present SPTE to an
MMIO SPTE due to a _guest_ write, it failed to account for writes to guest
memory that are outside the scope of KVM.

E.g. if host userspace modifies a shadowed gPTE to switch from a memslot
to emulated MMIO and then the guest hits a relevant page fault, KVM will
install the MMIO SPTE without first zapping the shadow-present SPTE.

  ------------[ cut here ]------------
  is_shadow_present_pte(*sptep)
  WARNING: arch/x86/kvm/mmu/mmu.c:484 at mark_mmio_spte+0xb2/0xc0 [kvm], CPU#0: vmx_ept_stale_r/4292
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 0 UID: 1000 PID: 4292 Comm: vmx_ept_stale_r Not tainted 7.0.0-rc2-eafebd2d2ab0-sink-vm #319 PREEMPT
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:mark_mmio_spte+0xb2/0xc0 [kvm]
  Call Trace:
   <TASK>
   mmu_set_spte+0x237/0x440 [kvm]
   ept_page_fault+0x535/0x7f0 [kvm]
   kvm_mmu_do_page_fault+0xee/0x1f0 [kvm]
   kvm_mmu_page_fault+0x8d/0x620 [kvm]
   vmx_handle_exit+0x18c/0x5a0 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0xc55/0x1c20 [kvm]
   kvm_vcpu_ioctl+0x2d5/0x980 [kvm]
   __x64_sys_ioctl+0x8a/0xd0
   do_syscall_64+0xb5/0x730
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x47fa3f
   </TASK>
  ---[ end trace 0000000000000000 ]---

	Reported-by: Alexander Bulekov <bkov@amazon.com>
	Debugged-by: Alexander Bulekov <bkov@amazon.com>
	Suggested-by: Fred Griffoul <fgriffo@amazon.co.uk>
Fixes: a54aa15 ("KVM: x86/mmu: Handle MMIO SPTEs directly in mmu_set_spte()")
	Cc: stable@vger.kernel.org
	Signed-off-by: Sean Christopherson <seanjc@google.com>
(cherry picked from commit aad885e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	arch/x86/kvm/mmu/mmu.c
jira KERNEL-949
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Norbert Szetei <norbert@doyensec.com>
commit 62397b4

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().

Fixes: 8ff5909 ("crypto: algif_skcipher - User-space interface for skcipher operations")
	Signed-off-by: Norbert Szetei <norbert@doyensec.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 62397b4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-949
cve CVE-2026-31431
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit a664bf3
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/a664bf3d.failed

This mostly reverts commit 72548b0 except for the copying of
the associated data.

There is no benefit in operating in-place in algif_aead since the
source and destination come from different mappings.  Get rid of
all the complexity added for in-place operation and just copy the
AD directly.

Fixes: 72548b0 ("crypto: algif_aead - copy AAD from src to dst")
	Reported-by: Taeyang Lee <0wn@theori.io>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit a664bf3)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/af_alg.c
#	crypto/algif_aead.c
#	include/crypto/if_alg.h
jira KERNEL-949
cve CVE-2026-31677
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Douya Le <ldy3087146292@gmail.com>
commit 8eceab1
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/8eceab19.failed

Make af_alg_get_rsgl() limit each RX scatterlist extraction to the
remaining receive buffer budget.

af_alg_get_rsgl() currently uses af_alg_readable() only as a gate
before extracting data into the RX scatterlist. Limit each extraction
to the remaining af_alg_rcvbuf(sk) budget so that receive-side
accounting matches the amount of data attached to the request.

If skcipher cannot obtain enough RX space for at least one chunk while
more data remains to be processed, reject the recvmsg call instead of
rounding the request length down to zero.

Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
	Reported-by: Yifan Wu <yifanwucs@gmail.com>
	Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
	Signed-off-by: Yuan Tan <yuantan098@gmail.com>
	Suggested-by: Xin Liu <bird@lzu.edu.cn>
	Signed-off-by: Douya Le <ldy3087146292@gmail.com>
	Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 8eceab1)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/algif_skcipher.c
jira KERNEL-949
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 31d0015
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/31d00156.failed

When page reassignment was added to af_alg_pull_tsgl the original
loop wasn't updated so it may try to reassign one more page than
necessary.

Add the check to the reassignment so that this does not happen.

Also update the comment which still refers to the obsolete offset
argument.

	Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
Fixes: e870456 ("crypto: algif_skcipher - overhaul memory management")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 31d0015)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/af_alg.c
…SN spec

jira KERNEL-949
cve CVE-2026-23060
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Taeyang Lee <0wn@theori.io>
commit 2397e92

authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
the minimum expected length, crypto_authenc_esn_decrypt() can advance past
the end of the destination scatterlist and trigger a NULL pointer dereference
in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).

Add a minimum AAD length check to fail fast on invalid inputs.

Fixes: 104880a ("crypto: authencesn - Convert to new AEAD interface")
Reported-By: Taeyang Lee <0wn@theori.io>
	Signed-off-by: Taeyang Lee <0wn@theori.io>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 2397e92)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
…e decryption

jira KERNEL-949
cve CVE-2026-31431
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit e024941
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/e0249411.failed

When decrypting data that is not in-place (src != dst), there is
no need to save the high-order sequence bits in dst as it could
simply be re-copied from the source.

However, the data to be hashed need to be rearranged accordingly.

	Reported-by: Taeyang Lee <0wn@theori.io>
Fixes: 104880a ("crypto: authencesn - Convert to new AEAD interface")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,

	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit e024941)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/authencesn.c
jira KERNEL-949
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 1f48ad3
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/1f48ad3b.failed

The src SG list offset wasn't set properly when decrypting in-place,
fix it.

	Reported-by: Wolfgang Walter <linux@stwm.de>
Fixes: e024941 ("crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 1f48ad3)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/authencesn.c
jira KERNEL-949
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Yucheng Lu <kanolyc@gmail.com>
commit 5db6ef9
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/5db6ef98.failed

authencesn requires either a zero authsize or an authsize of at least
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of
high-order sequence number data at the end of the authenticated data.

While crypto_authenc_esn_setauthsize() already rejects explicit
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()
still copied auth->digestsize into inst->alg.maxauthsize without
validating it.  The AEAD core then initialized the tfm's default
authsize from that value.

As a result, selecting an ahash with digest size 1..3, such as
cbcmac(cipher_null), exposed authencesn instances whose default
authsize was invalid even though setauthsize() would have rejected the
same value.  AF_ALG could then trigger the ESN tail handling with a
too-short tag and hit an out-of-bounds access.

Reject authencesn instances whose ahash digest size is in the invalid
non-zero range 1..3 so that no tfm can inherit an unsupported default
authsize.

Fixes: f15f05b ("crypto: ccm - switch to separate cbcmac driver")
	Cc: stable@kernel.org
	Reported-by: Yifan Wu <yifanwucs@gmail.com>
	Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
	Signed-off-by: Yuan Tan <yuantan098@gmail.com>
	Suggested-by: Xin Liu <bird@lzu.edu.cn>
	Tested-by: Yuhang Zheng <z1652074432@gmail.com>
	Reviewed-by: Eric Biggers <ebiggers@kernel.org>
	Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
	Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 5db6ef9)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/authencesn.c
jira KERNEL-949
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Herbert Xu <herbert@gondor.apana.org.au>
commit 3d14bd4

The check for the minimum receive buffer size did not take the
tag size into account during decryption.  Fix this by adding the
required extra length.

	Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
	Reported-by: Daniel Pouzzner <douzzer@mega.nu>
Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 3d14bd4)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira KERNEL-949
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
commit-author Douya Le <ldy3087146292@gmail.com>
commit 5aa58c3
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/5aa58c3a.failed

AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during
request processing.  For async requests, later socket activity can
update that shared state before the original request has fully
completed, which can lead to inconsistent IV handling.

Snapshot the IV into per-request storage when preparing the AEAD
request, so in-flight operations no longer depend on mutable socket
state.

Fixes: d887c52 ("crypto: algif_aead - overhaul memory management")
	Cc: stable@kernel.org
	Reported-by: Yuan Tan <yuantan098@gmail.com>
	Reported-by: Yifan Wu <yifanwucs@gmail.com>
	Reported-by: Juefei Pu <tomapufckgml@gmail.com>
	Reported-by: Xin Liu <bird@lzu.edu.cn>
Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
	Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
	Tested-by: Yucheng Lu <kanolyc@gmail.com>
	Signed-off-by: Douya Le <ldy3087146292@gmail.com>
	Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 5aa58c3)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	crypto/algif_aead.c
Rebuild_History BUILDABLE
Rebuilding Kernel from rpm changelog with Fuzz Limit: 87.50%
Number of commits in upstream range v4.18~1..kernel-mainline: 623624
Number of commits in rpm: 22
Number of commits matched with upstream: 16 (72.73%)
Number of commits in upstream but not in rpm: 623608
Number of commits NOT found in upstream: 6 (27.27%)

Rebuilding Kernel on Branch rocky8_10_rebuild_kernel-4.18.0-553.123.1.el8_10 for kernel-4.18.0-553.123.1.el8_10
Clean Cherry Picks: 5 (31.25%)
Empty Cherry Picks: 11 (68.75%)
_______________________________

Full Details Located here:
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/rebuild.details.txt

Includes:
* git commit header above
* Empty Commits with upstream SHA
* RPM ChangeLog Entries that could not be matched

Individual Empty Commit failures contained in the same containing directory.
The git message for empty commits will have the path for the failed commit.
File names are the first 8 characters of the upstream SHA
@PlaidCat PlaidCat self-assigned this May 5, 2026
@PlaidCat PlaidCat requested review from a team May 5, 2026 18:17

@bmastbergen bmastbergen left a comment


🥌
