From 562511cc046af81ded15cf9a818bd404f387e6a4 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 24 Oct 2025 15:49:49 -0400 Subject: [PATCH 1/4] net: usb: smsc75xx: Limit packet length to skb->len jira VULN-67489 cve CVE-2023-53125 commit-author Szymon Heidrich commit d8b228318935044dafe3a5bc07ee71a1f1424b8d Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents. Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") Signed-off-by: Szymon Heidrich Signed-off-by: David S. Miller (cherry picked from commit d8b228318935044dafe3a5bc07ee71a1f1424b8d) Signed-off-by: Brett Mastbergen --- drivers/net/usb/smsc75xx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c index 76f7af1613139..705bd31b18787 100644 --- a/drivers/net/usb/smsc75xx.c +++ b/drivers/net/usb/smsc75xx.c @@ -2211,7 +2211,8 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) dev->net->stats.rx_frame_errors++; } else { /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ - if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { + if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || + size > skb->len)) { netif_dbg(dev, rx_err, dev->net, "size err rx_cmd_a=0x%08x\n", rx_cmd_a); From 52c8f46bab1cf0e8b12d9d90f5cbd930477ca912 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 24 Oct 2025 15:54:24 -0400 Subject: [PATCH 2/4] net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull jira VULN-67489 cve-bf CVE-2023-53125 commit-author Szymon Heidrich commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c Packet length check needs to be located after size and align_count calculation to prevent kernel panic in skb_pull() in case rx_cmd_a & RX_CMD_A_RED evaluates to true. Fixes: d8b228318935 ("net: usb: smsc75xx: Limit packet length to skb->len") Signed-off-by: Szymon Heidrich Link: https://lore.kernel.org/r/20230316110540.77531-1-szymon.heidrich@gmail.com Signed-off-by: Jakub Kicinski (cherry picked from commit 43ffe6caccc7a1bb9d7442fbab521efbf6c1378c) Signed-off-by: Brett Mastbergen --- drivers/net/usb/smsc75xx.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/smsc75xx.c b/drivers/net/usb/smsc75xx.c index 705bd31b18787..7c3e866514199 100644 --- a/drivers/net/usb/smsc75xx.c +++ b/drivers/net/usb/smsc75xx.c @@ -2199,6 +2199,13 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) size = (rx_cmd_a & RX_CMD_A_LEN) - RXW_PADDING; align_count = (4 - ((size + RXW_PADDING) % 4)) % 4; + if (unlikely(size > skb->len)) { + netif_dbg(dev, rx_err, dev->net, + "size err rx_cmd_a=0x%08x\n", + rx_cmd_a); + return 0; + } + if (unlikely(rx_cmd_a & RX_CMD_A_RED)) { netif_dbg(dev, rx_err, dev->net, "Error rx_cmd_a=0x%08x\n", rx_cmd_a); @@ -2211,8 +2218,7 @@ static int smsc75xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) dev->net->stats.rx_frame_errors++; } else { /* MAX_SINGLE_PACKET_SIZE + 4(CRC) + 2(COE) + 4(Vlan) */ - if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12) || - size > skb->len)) { + if (unlikely(size > (MAX_SINGLE_PACKET_SIZE + ETH_HLEN + 12))) { netif_dbg(dev, rx_err, dev->net, "size err rx_cmd_a=0x%08x\n", rx_cmd_a); From 3b5b1a29673b55c3d873253b15b79fbceb15191b Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Fri, 24 Oct 2025 15:49:49 -0400 Subject: [PATCH 3/4] ipv6: mcast: Delay put pmc->idev in mld_del_delrec() jira VULN-131123 cve CVE-2025-38550 commit-author Yue Haibing commit ae3264a25a4635531264728859dbe9c659fad554 pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return. Fixes: 63ed8de4be81 ("mld: add mc_lock for protecting per-interface mld data") Signed-off-by: Yue Haibing Link: https://patch.msgid.link/20250714141957.3301871-1-yuehaibing@huawei.com Signed-off-by: Jakub Kicinski (cherry picked from commit ae3264a25a4635531264728859dbe9c659fad554) Signed-off-by: Brett Mastbergen --- net/ipv6/mcast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c index ce4e6db8d923d..f547134c3055c 100644 --- a/net/ipv6/mcast.c +++ b/net/ipv6/mcast.c @@ -803,8 +803,8 @@ static void mld_del_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im) } else { im->mca_crcount = idev->mc_qrv; } - in6_dev_put(pmc->idev); ip6_mc_clear_src(pmc); + in6_dev_put(pmc->idev); kfree_rcu(pmc, rcu); } } From 473d923f4df58e694da4ec944c9325fbe511f6d5 Mon Sep 17 00:00:00 2001 From: Brett Mastbergen Date: Wed, 29 Oct 2025 13:38:47 -0400 Subject: [PATCH 4/4] ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control jira VULN-152898 cve CVE-2025-39751 commit-author Lucy Thrun commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte buffer if either string argument is too long. This triggers a compiler warning. Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent overflow. Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/ Signed-off-by: Lucy Thrun Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de Signed-off-by: Takashi Iwai (cherry picked from commit a409c60111e6bb98fcabab2aeaa069daa9434ca0) Signed-off-by: Brett Mastbergen --- sound/pci/hda/patch_ca0132.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c index 801dd8d44953b..6813fd3a5fc59 100644 --- a/sound/pci/hda/patch_ca0132.c +++ b/sound/pci/hda/patch_ca0132.c @@ -4399,7 +4399,7 @@ static int add_tuning_control(struct hda_codec *codec, } knew.private_value = HDA_COMPOSE_AMP_VAL(nid, 1, 0, type); - sprintf(namestr, "%s %s Volume", name, dirstr[dir]); + snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]); return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec)); }