Skip to content

[ciqlts9_2] Multiple patches tested (3 commits)#1395

Merged
bmastbergen merged 3 commits into
ciqlts9_2from
{ciq_kernel_automation}_ciqlts9_2
Jul 1, 2026
Merged

[ciqlts9_2] Multiple patches tested (3 commits)#1395
bmastbergen merged 3 commits into
ciqlts9_2from
{ciq_kernel_automation}_ciqlts9_2

Conversation

@ciq-kernel-automation

Copy link
Copy Markdown

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()

jira VULN-179956
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f4c0f689173f8cdac79991043a4a89bf66
netfilter: ip6t_eui64: reject invalid MAC header for all packets

jira VULN-183036
cve CVE-2026-31685
commit-author Zhengchuan Liang <zcliangcn@gmail.com>
commit fdce0b3590f724540795b874b4c8850c90e6b0a8
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

jira VULN-186967
cve CVE-2026-46227
commit-author Ben Morris <bmorris@anthropic.com>
commit abb5f36771cc4c05899b34000829a787572a8817

Test Results

✅ Build Stage

Architecture Build Time Total Time
x86_64 24m 35s 25m 21s
aarch64 12m 18s 12m 49s

✅ Boot Verification

✅ Kernel Selftests

Architecture Passed Failed Compared Against Status
x86_64 175 23 ciqlts9_2 ✅ No regressions
aarch64 140 28 ciqlts9_2 ✅ No regressions

✅ LTP Results

Architecture Passed Failed Compared Against Status
x86_64 1439 81 ciqlts9_2 ✅ No regressions
aarch64 1409 83 ciqlts9_2 ✅ No regressions

🤖 This PR was automatically generated by GitHub Actions
Run ID: 28503291011

CIQ Kernel Automation added 3 commits July 1, 2026 08:07
jira VULN-179956
cve CVE-2026-23455
commit-author Jenny Guanni Qu <qguanni@gmail.com>
commit f173d0f

In DecodeQ931(), the UserUserIE code path reads a 16-bit length from
the packet, then decrements it by 1 to skip the protocol discriminator
byte before passing it to DecodeH323_UserInformation(). If the encoded
length is 0, the decrement wraps to -1, which is then passed as a
large value to the decoder, leading to an out-of-bounds read.

Add a check to ensure len is positive after the decrement.

Fixes: 5e35941 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
	Reported-by: Klaudia Kloc <klaudia@vidocsecurity.com>
	Reported-by: Dawid Moczadło <dawid@vidocsecurity.com>
	Tested-by: Jenny Guanni Qu <qguanni@gmail.com>
	Signed-off-by: Jenny Guanni Qu <qguanni@gmail.com>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f173d0f)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
jira VULN-183036
cve CVE-2026-31685
commit-author Zhengchuan Liang <zcliangcn@gmail.com>
commit fdce0b3

`eui64_mt6()` derives a modified EUI-64 from the Ethernet source address
and compares it with the low 64 bits of the IPv6 source address.

The existing guard only rejects an invalid MAC header when
`par->fragoff != 0`. For packets with `par->fragoff == 0`, `eui64_mt6()`
can still reach `eth_hdr(skb)` even when the MAC header is not valid.

Fix this by removing the `par->fragoff != 0` condition so that packets
with an invalid MAC header are rejected before accessing `eth_hdr(skb)`.

Fixes: 1da177e ("Linux-2.6.12-rc2")
	Reported-by: Yifan Wu <yifanwucs@gmail.com>
	Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
	Signed-off-by: Yuan Tan <yuantan098@gmail.com>
	Suggested-by: Xin Liu <bird@lzu.edu.cn>
	Tested-by: Ren Wei <enjou1224z@gmail.com>
	Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com>
	Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit fdce0b3)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
…DALL

jira VULN-186967
cve CVE-2026-46227
commit-author Ben Morris <bmorris@anthropic.com>
commit abb5f36

The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
list_for_each_entry_safe(), which caches the next entry in @tmp before
the loop body runs.  The body calls sctp_sendmsg_to_asoc(), which may
drop the socket lock inside sctp_wait_for_sndbuf().

While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
association cached in @tmp, migrating it to a new endpoint via
sctp_sock_migrate() (list_del_init() + list_add_tail() to
newep->asocs), and optionally close the new socket which frees the
association via kfree_rcu().  The cached @tmp can also be freed by a
network ABORT for that association, processed in softirq while the
lock is dropped.

sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
revalidates @tmp.  After a successful return, the iterator advances to
the stale @tmp, yielding either a use-after-free (if the peeled socket
was closed) or a list-walk onto the new endpoint's list head (type
confusion of &newep->asocs as a struct sctp_association *).

Both are reachable from CapEff=0; the type-confusion path gives
controlled indirect call via the outqueue.sched->init_sid pointer.

Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
returns.  @asoc is known to still be on ep->asocs at that point: the
only callers that list_del an association from ep->asocs are
sctp_association_free() (which sets asoc->base.dead) and
sctp_assoc_migrate() (which changes asoc->base.sk), and
sctp_wait_for_sndbuf() checks both under the lock before any
successful return; a tripped check propagates as err < 0 and the loop
bails before the re-derive.

The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
the @tmp cached by list_for_each_entry_safe() still covers the
lock-held free that ba59fb0 ("sctp: walk the list of asoc
safely") was added for.

Fixes: 4910280 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
	Cc: stable@vger.kernel.org
	Signed-off-by: Ben Morris <bmorris@anthropic.com>
	Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit abb5f36)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jul 1, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/28517417717

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/28517417717

@bmastbergen bmastbergen self-requested a review July 1, 2026 16:13

@bmastbergen bmastbergen left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

@bmastbergen bmastbergen merged commit ce60197 into ciqlts9_2 Jul 1, 2026
5 checks passed
@bmastbergen bmastbergen deleted the {ciq_kernel_automation}_ciqlts9_2 branch July 1, 2026 17:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI)

Development

Successfully merging this pull request may close these issues.

2 participants