Skip to content

[ciqcbr7_9] Multiple patches tested (2 commits)#1344

Merged
roxanan1996 merged 2 commits into
ciqcbr7_9from
{ciq_kernel_automation}_ciqcbr7_9
Jun 16, 2026
Merged

[ciqcbr7_9] Multiple patches tested (2 commits)#1344
roxanan1996 merged 2 commits into
ciqcbr7_9from
{ciq_kernel_automation}_ciqcbr7_9

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

usbip: validate number_of_packets in usbip_pack_ret_submit()

jira VULN-183083
cve CVE-2026-31607
commit-author Nathan Rebello <nathan.c.rebello@gmail.com>
commit 2ab833a16a825373aad2ba7d54b572b277e95b71
netfilter: ip6t_eui64: reject invalid MAC header for all packets

jira VULN-183033
cve CVE-2026-31685
commit-author Zhengchuan Liang <zcliangcn@gmail.com>
commit fdce0b3590f724540795b874b4c8850c90e6b0a8

Test Results

✅ Build Stage

  • Status: Passed (x86_64)

  • Build Time: 12m 39s

  • Total Time: 13m 46s

  • View build logs

✅ Boot Verification


🤖 This PR was automatically generated by GitHub Actions
Run ID: 27532679407

CIQ Kernel Automation added 2 commits June 15, 2026 08:04
jira VULN-183083
cve CVE-2026-31607
commit-author Nathan Rebello <nathan.c.rebello@gmail.com>
commit 2ab833a

When a USB/IP client receives a RET_SUBMIT response,
usbip_pack_ret_submit() unconditionally overwrites
urb->number_of_packets from the network PDU. This value is
subsequently used as the loop bound in usbip_recv_iso() and
usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible
array whose size was fixed at URB allocation time based on the
*original* number_of_packets from the CMD_SUBMIT.

A malicious USB/IP server can set number_of_packets in the response
to a value larger than what was originally submitted, causing a heap
out-of-bounds write when usbip_recv_iso() writes to
urb->iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69

  The buggy address is located 0 bytes to the right of
   allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stub_rx.c) and gadget side (vudc_rx.c) already
validate number_of_packets in the CMD_SUBMIT path since commits
c6688ef ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle
malicious input") and b78d830 ("usbip: fix vudc_rx: harden
CMD_SUBMIT path to handle malicious input"). The server side validates
against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
On the client side we have the original URB, so we can use the tighter
bound: the response must not exceed the original number_of_packets.

This mirrors the existing validation of actual_length against
transfer_buffer_length in usbip_recv_xbuff(), which checks the
response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in
usbip_recv_iso()", v2) hardens the receive-side functions themselves;
this patch complements that work by catching the bad value at its
source -- in usbip_pack_ret_submit() before the overwrite -- and
using the tighter per-URB allocation bound rather than the global
USBIP_MAX_ISO_PACKETS limit.

Fix this by checking rpdu->number_of_packets against
urb->number_of_packets in usbip_pack_ret_submit() before the
overwrite. On violation, clamp to zero so that usbip_recv_iso() and
usbip_pad_iso() safely return early.

Fixes: 1325f85 ("staging: usbip: bugfix add number of packets for isochronous frames")
	Cc: stable <stable@kernel.org>
	Acked-by: Shuah Khan <skhan@linuxfoundation.org>
	Signed-off-by: Nathan Rebello <nathan.c.rebello@gmail.com>
Link: https://patch.msgid.link/20260402085259.234-1-nathan.c.rebello@gmail.com
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2ab833a)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-183033
cve CVE-2026-31685
commit-author Zhengchuan Liang <zcliangcn@gmail.com>
commit fdce0b3

`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.

The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.

Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Reported-by: Yifan Wu <yifanwucs@gmail.com>
	Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
	Signed-off-by: Yuan Tan <yuantan098@gmail.com>
	Suggested-by: Xin Liu <bird@lzu.edu.cn>
	Tested-by: Ren Wei <enjou1224z@gmail.com>
	Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
	Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit fdce0b3)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jun 15, 2026
@github-actions

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/27534681656

@github-actions

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/27534681656

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen requested a review from a team June 15, 2026 16:43

@PlaidCat PlaidCat left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@roxanan1996 roxanan1996 merged commit f4bdd07 into ciqcbr7_9 Jun 16, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

3 participants