[rocky8_10] History rebuild for kernel-4.18.0-553.85.1.el8_10

Makefile.rhelver

@@ -12,7 +12,7 @@ RHEL_MINOR = 10
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 553.83.1
+RHEL_RELEASE = 553.85.1
 
 #
 # ZSTREAM

ciq/ciq_backports/kernel-4.18.0-553.85.1.el8_10/0dab9248.failed

@@ -0,0 +1,86 @@
+vsock/virtio: Validate length in packet header before skb_put()
+
+jira KERNEL-186
+cve CVE-2025-39718
+Rebuild_History Non-Buildable kernel-4.18.0-553.85.1.el8_10
+commit-author Will Deacon <will@kernel.org>
+commit 0dab92484474587b82e8e0455839eaf5ac7bf894
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.85.1.el8_10/0dab9248.failed
+
+When receiving a vsock packet in the guest, only the virtqueue buffer
+size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately,
+virtio_vsock_skb_rx_put() uses the length from the packet header as the
+length argument to skb_put(), potentially resulting in SKB overflow if
+the host has gone wonky.
+
+Validate the length as advertised by the packet header before calling
+virtio_vsock_skb_rx_put().
+
+	Cc: <stable@vger.kernel.org>
+Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
+	Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-3-will@kernel.org>
+	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+	Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+(cherry picked from commit 0dab92484474587b82e8e0455839eaf5ac7bf894)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/vmw_vsock/virtio_transport.c
+diff --cc net/vmw_vsock/virtio_transport.c
+index 5541194b9de5,eb08a393413d..000000000000
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@@ -506,8 -624,9 +506,14 @@@ static void virtio_transport_rx_work(st
+  	do {
+  		virtqueue_disable_cb(vq);
+  		for (;;) {
+++<<<<<<< HEAD
+ +			struct virtio_vsock_pkt *pkt;
+ +			unsigned int len;
+++=======
++ 			unsigned int len, payload_len;
++ 			struct virtio_vsock_hdr *hdr;
++ 			struct sk_buff *skb;
+++>>>>>>> 0dab92484474 (vsock/virtio: Validate length in packet header before skb_put())
+
+  			if (!virtio_transport_more_replies(vsock)) {
+  				/* Stop rx until the device processes already
+@@@ -525,15 -643,22 +531,34 @@@
+  			vsock->rx_buf_nr--;
+
+  			/* Drop short/long packets */
+++<<<<<<< HEAD
+ +			if (unlikely(len < sizeof(pkt->hdr) ||
+ +				     len > sizeof(pkt->hdr) + pkt->len)) {
+ +				virtio_transport_free_pkt(pkt);
+ +				continue;
+ +			}
+ +
+ +			pkt->len = len - sizeof(pkt->hdr);
+ +			virtio_transport_deliver_tap_pkt(pkt);
+ +			virtio_transport_recv_pkt(&virtio_transport, pkt);
+++=======
++ 			if (unlikely(len < sizeof(*hdr) ||
++ 				     len > virtio_vsock_skb_len(skb))) {
++ 				kfree_skb(skb);
++ 				continue;
++ 			}
++ 
++ 			hdr = virtio_vsock_hdr(skb);
++ 			payload_len = le32_to_cpu(hdr->len);
++ 			if (unlikely(payload_len > len - sizeof(*hdr))) {
++ 				kfree_skb(skb);
++ 				continue;
++ 			}
++ 
++ 			virtio_vsock_skb_rx_put(skb);
++ 			virtio_transport_deliver_tap_pkt(skb);
++ 			virtio_transport_recv_pkt(&virtio_transport, skb);
+++>>>>>>> 0dab92484474 (vsock/virtio: Validate length in packet header before skb_put())
+  		}
+  	} while (!virtqueue_enable_cb(vq));
+
+* Unmerged path net/vmw_vsock/virtio_transport.c