
[LTS 7.9] net: mdio: fix undefined behavior in bit shift for __mdiobus_register #374


Merged (1 commit), Jun 30, 2025

Conversation


@pvts-mat pvts-mat commented Jun 26, 2025

[CBR 7.9]
CVE-2022-49907
VULN-66410

Problem

https://www.cve.org/CVERecord?id=CVE-2022-49907

In the Linux kernel, the following vulnerability has been resolved:

net: mdio: fix undefined behavior in bit shift for __mdiobus_register

Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:

UBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
 <TASK>
 dump_stack_lvl+0x7d/0xa5
 dump_stack+0x15/0x1b
 ubsan_epilogue+0xe/0x4e
 __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
 __mdiobus_register+0x49d/0x4e0
 fixed_mdio_bus_init+0xd8/0x12d
 do_one_initcall+0x76/0x430
 kernel_init_freeable+0x3b3/0x422
 kernel_init+0x24/0x1e0
 ret_from_fork+0x1f/0x30
 </TASK>

Applicability: yes (similar to #358)

The bug applies to CBR 7.9: the affected MDIO bus driver is central to the control of any ethernet interface device. The patch 40e4eb3 is not backported onto CBR 7.9. The commit 4fd5f81 marked in 40e4eb3 as introducing the bug is present in ciqcbr7_9's history.

Solution (same as in #358)

The solution in 40e4eb3 involves using the `BIT(i)` macro instead of the raw bit shift `1 << i` to obtain an int with the i-th bit set. The fully expanded `BIT(i)` macro boils down to the `1UL << i` construct operating on an unsigned type, where the left shift is defined for the full range of the type's bits (see include/vdso/bits.h, include/uapi/linux/const.h, include/linux/bits.h).

kABI check: passed

[pvts@ciqcbr-7-9 kernel-dist-git-el-7.9]$ SOURCES/check-kabi -k SOURCES/Module.kabi_x86_64 -s /mnt/build_files/kernel-src-tree-ciqcbr7_9-CVE-2022-49907/Module.symvers
[pvts@ciqcbr-7-9 kernel-dist-git-el-7.9]$ echo $?
0

Boot test: passed

boot-test.log

Kselftests: passed relative

Reference

kselftests–ciqcbr7_9–run1.log

Patch

kselftests–ciqcbr7_9-CVE-2022-49907–run1.log

Manual comparison

The logs of the CBR 7.9 selftests don't conform to the unified TAP 13 format of the versions ≥ LTS 8.6 and as such they can't be parsed in an automated way. The results must be assessed manually.

The test results for the reference and patched kernel are the same.

| Test | Reference | Patch | Comment |
|---|---|---|---|
| breakpoints | pass | pass | |
| cpu-hotplug | unknown result | unknown result | Neither errors nor explicit "ok" reported |
| efivarfs | skipped | skipped | Requires some EFI partition to mount |
| kcmp | skipped | skipped | Unresolved compilation errors |
| livepatch:test-livepatch.sh | skipped | skipped | Requires CONFIG_TEST_LIVEPATCH option |
| livepatch:test-callbacks.sh | skipped | skipped | Requires CONFIG_TEST_LIVEPATCH option |
| livepatch:test-shadow-vars.sh | skipped | skipped | Requires CONFIG_TEST_LIVEPATCH option |
| livepatch:test-ftrace.sh | skipped | skipped | Requires CONFIG_TEST_LIVEPATCH option |
| memory-hotplug | unknown result | unknown result | Neither errors nor explicit "ok" reported |
| mqueue | pass | pass | |
| net:run_netsocktests | pass | pass | |
| net:run_afpackettests | pass | pass | |
| ptrace | pass | pass | |
| vm:run_vmtests | pass | pass | |
| x86:sigreturn_64 | fail | fail | |
| x86:single_step_syscall_64 | pass | pass | |

Specific tests: skipped

jira VULN-66410
cve CVE-2022-49907
commit-author Gaosheng Cui <cuigaosheng1@huawei.com>
commit 40e4eb3

Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:

UBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
 <TASK>
 dump_stack_lvl+0x7d/0xa5
 dump_stack+0x15/0x1b
 ubsan_epilogue+0xe/0x4e
 __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
 __mdiobus_register+0x49d/0x4e0
 fixed_mdio_bus_init+0xd8/0x12d
 do_one_initcall+0x76/0x430
 kernel_init_freeable+0x3b3/0x422
 kernel_init+0x24/0x1e0
 ret_from_fork+0x1f/0x30
 </TASK>

Fixes: 4fd5f81 ("phylib: allow incremental scanning of an mii bus")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20221031132645.168421-1-cuigaosheng1@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 40e4eb3)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
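An added example, not code from the PR or from the kernel tree, modelling the bus scan this fix touches: the `BIT()` macro expanded as the PR description explains it, a simplified version of the `__mdiobus_register()` address walk that uses it in place of the signed `1 << i`, and a check of the shift counts that are defined for a plain int. `PHY_MAX_ADDR` uses the kernel's value of 32; `scan_phy_addrs()` and `int_shift_is_defined()` are names assumed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The kernel's BIT() macro, fully expanded: 1UL << nr on an unsigned type.
 * unsigned long is at least 32 bits wide on every Linux target and unsigned
 * left shifts are defined for the whole value width, so nr == 31 is fine. */
#define BIT(nr) (1UL << (nr))

#define PHY_MAX_ADDR 32

/* Shift counts for which `1 << nr` is defined when the 1 is a signed int:
 * the result must fit in the value bits, which exclude the sign bit, so
 * only 0..30 are safe. nr == 31 is the case UBSAN reported in the PR. */
static bool int_shift_is_defined(int nr)
{
    return nr >= 0 && nr < (int)(sizeof(int) * 8 - 1);
}

/* Simplified model of the address walk in __mdiobus_register(): visit every
 * PHY address and probe those not excluded by phy_mask. The mask test uses
 * BIT(i) as the fix does, so i == 31 never shifts a signed int. Returns the
 * number of addresses that would be probed; they are written to `out`,
 * which the caller sizes to PHY_MAX_ADDR entries. */
static int scan_phy_addrs(uint32_t phy_mask, int out[PHY_MAX_ADDR])
{
    int n = 0;

    for (int i = 0; i < PHY_MAX_ADDR; i++) {
        if ((phy_mask & BIT(i)) == 0)
            out[n++] = i;
    }
    return n;
}

int main(void)
{
    int addrs[PHY_MAX_ADDR];
    /* Constructed mask: exclude addresses 0 and 31; bit 31 is exactly the
     * bit whose signed shift was undefined before the fix. */
    int n = scan_phy_addrs(BIT(0) | BIT(31), addrs);

    printf("%d addresses to probe, first %d, last %d\n", n, addrs[0], addrs[n - 1]);
    printf("1 << 31 defined for int: %s\n", int_shift_is_defined(31) ? "yes" : "no");
    return 0;
}
```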

@PlaidCat PlaidCat left a comment


:shipit:


@bmastbergen bmastbergen left a comment


🥌

@PlaidCat PlaidCat merged commit ba92bd2 into ctrliq:ciqcbr7_9 Jun 30, 2025
1 check passed