[FIPS Legacy 8] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2024-0646 #423

PlaidCat · 2025-07-17T16:16:18Z

Related CVEs Commits since this is the 8.7 kernel we need to check versus 8.6 and 8.8.

CVE-2023-52922
- [ciqlts8_8] can: bcm: Fix UAF in bcm_proc_show() #180
- [ciqlts8_6] can: bcm: Fix UAF in bcm_proc_show() #189
CVE-2023-45871
- [LTS 8.8] igb: set max size RX buffer when store bad packet is enabled #296
CVE-2024-0646
- [LTS 8.6] net: tls, update curr on splice as well #318
- [LTS 8.8] net: tls, update curr on splice as well #317

Build

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
  CLEAN   scripts/selinux/genheaders
  CLEAN   scripts/selinux/mdp
  CLEAN   scripts
  CLEAN   include/config usr/include include/generated arch/x86/include/generated
  CLEAN   .config .config.old .version Module.symvers
[TIMER]{MRPROPER}: 9s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="jmaple_fips-legacy-8-compliant_4.18.0-425.13.1"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1846s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0jmaple_fips-legacy-8-compliant_4.18.0-425.13.1+
[TIMER]{MODULES}: 12s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0jmaple_fips-legacy-8-compliant_4.18.0-425.13.1+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 19s
Checking kABI
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0jmaple_fips-legacy-8-compliant_4.18.0-425.13.1+ and Index to 0
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 9s
[TIMER]{BUILD}: 1846s
[TIMER]{MODULES}: 12s
[TIMER]{INSTALL}: 19s
[TIMER]{TOTAL} 1890s
Rebooting in 10 seconds

KSelfTests

[jmaple@devbox code]$ ls -rt kselftest.* | tail -n2 | while read line; do echo $line; grep '^ok ' $line | wc -l ; done
kselftest.4.18.0-425.13.1.el8.ciqfipscompliant.41.1.x86_64.log
195
kselftest.4.18.0jmaple_fips-legacy-8-compliant_4.18.0-425.13.1+.log
195

jira VULN-36335 cve CVE-2023-52922 commit-author YueHaibing <yuehaibing@huawei.com> commit 55c3b96 BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before procfs entry be removed in bcm_release(), this lead to bcm_proc_show() may read the freed bcm_op. Fixes: ffd980f ("[CAN]: Add broadcast manager (bcm) protocol") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> Link: https://lore.kernel.org/all/20230715092543.15548-1-yuehaibing@huawei.com Cc: stable@vger.kernel.org Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> (cherry picked from commit 55c3b96) Signed-off-by: Pratham Patel <ppatel@ciq.com> Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira VULN-8852 cve CVE-2023-45871 commit-author Radoslaw Tyl <radoslawx.tyl@intel.com> commit bb5ed01 Increase the RX buffer size to 3K when the SBP bit is on. The size of the RX buffer determines the number of pages allocated which may not be sufficient for receive frames larger than the set MTU size. Cc: stable@vger.kernel.org Fixes: 89eaefb ("igb: Support RX-ALL feature flag.") Reported-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com> Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com> Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit bb5ed01) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl> Signed-off-by: Jonathan Maple <jmaple@ciq.com>

jira VULN-42285 cve CVE-2024-0646 commit-author John Fastabend <john.fastabend@gmail.com> commit c5a5950 upstream-diff used linux-stable LT-5.15 sha ba5efd8 commit c5a5950 upstream. The curr pointer must also be updated on the splice similar to how we do this for other copy types. Fixes: d829e9c ("tls: convert to generic sk_msg interface") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Reported-by: Jann Horn <jannh@google.com> Link: https://lore.kernel.org/r/20231206232706.374377-2-john.fastabend@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ba5efd8) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl> Signed-off-by: Jonathan Maple <jmaple@ciq.com>

thefossguy-ciq

🚤

bmastbergen

🥌

thefossguy-ciq and others added 3 commits July 16, 2025 14:57

PlaidCat requested review from bmastbergen, jainanmol84, kerneltoast, shreeya-patel98 and thefossguy-ciq July 17, 2025 16:16

PlaidCat self-assigned this Jul 17, 2025

thefossguy-ciq approved these changes Jul 18, 2025

View reviewed changes

bmastbergen approved these changes Jul 28, 2025

View reviewed changes

PlaidCat merged commit e0f6bcb into fips-legacy-8-compliant/4.18.0-425.13.1 Jul 30, 2025
1 check passed

PlaidCat deleted the {jmaple}_fips-legacy-8-compliant/4.18.0-425.13.1 branch October 21, 2025 18:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[FIPS Legacy 8] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2024-0646 #423

[FIPS Legacy 8] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2024-0646 #423

Uh oh!

PlaidCat commented Jul 17, 2025

Uh oh!

thefossguy-ciq left a comment

Uh oh!

bmastbergen left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

5 participants

[FIPS Legacy 8] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2024-0646 #423

[FIPS Legacy 8] CVES: CVE-2023-52922, CVE-2023-45871, CVE-2024-0646 #423

Uh oh!

Conversation

PlaidCat commented Jul 17, 2025

Build

KSelfTests

Uh oh!

thefossguy-ciq left a comment

Choose a reason for hiding this comment

Uh oh!

bmastbergen left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

5 participants