From 8de46e212e15a7487be0821fcf869994b9d7767e Mon Sep 17 00:00:00 2001 
From: KaraZajac Date: Sat, 23 May 2026 00:58:04 -0400 Subject: [PATCH] =?UTF-8?q?kernel=5Frange:=20refresh=20tables=20from=20Deb?= =?UTF-8?q?ian=20tracker=20=E2=80=94=205=20MISSING=20adds=20+=204=20off-by?= =?UTF-8?q?-one=20harmonisations?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit First batch of fixes surfaced by tools/refresh-kernel-ranges.py. Drift drops from 18 actionable findings (5 MISSING + 13 TOO_TIGHT) to 13 (now only 1 MISSING + 12 TOO_TIGHT). The remaining TOO_TIGHT findings all involve threshold-version drops of 2+ patch versions; those need per-commit verification against git.kernel.org/linus before applying (saving for a follow-up). MISSING adds — branches Debian has fixed that we had no entry for: af_unix_gc (CVE-2023-4622): + {6, 4, 13} stable 6.4.x (forky/sid/trixie all at this version) dirtydecrypt (CVE-2026-31635): + {6, 19, 13} stable 6.19.x (forky/sid) — our previous table only listed mainline 7.0.0; Debian is shipping the fix on the 6.19 branch ahead of 7.0 release. 
overlayfs_setuid (CVE-2023-0386): + {5, 10, 179} stable 5.10.x (bullseye) vmwgfx (CVE-2023-2008): + {5, 10, 127} stable 5.10.x (bullseye) + {5, 18, 14} stable 5.18.x (bookworm/forky/sid/trixie) TOO_TIGHT harmonisations — single-patch-version differences, almost certainly off-by-one curation errors on our side: nf_tables (CVE-2024-1086): {5, 10, 210} -> {5, 10, 209} (Debian bullseye) nft_payload (CVE-2023-0179): {5, 10, 163} -> {5, 10, 162} (Debian bullseye) nft_set_uaf (CVE-2023-32233): {5, 10, 180} -> {5, 10, 179} (Debian bullseye) {6, 1, 28} -> {6, 1, 27} (Debian bookworm) Larger TOO_TIGHT diffs deferred: - cgroup_release_agent (5.16.9 -> 5.16.7, diff 2) - cls_route4 (5.18.18 -> 5.18.16, diff 2; 5.10.143 -> 5.10.136, diff 7) - dirty_cow (4.7.10 -> 4.7.8, diff 2) - dirty_pipe (5.10.102 -> 5.10.92, diff 10) - netfilter_xtcompat (5.10.46 -> 5.10.38, diff 8) - overlayfs_setuid (6.1.27 -> 6.1.11, diff 16) - ptrace_traceme (4.19.58 -> 4.19.37, diff 21) - sequoia (5.10.52 -> 5.10.46, diff 6) These need per-commit confirmation against the upstream-stable kernel changelog before lowering our threshold. Conservatively keeping the current (more strict) values until each is verified. Verification: - Linux (docker gcc:latest + libglib2.0-dev + sudo): 44/44 tests pass, full build clean. - macOS (local): 31-module build clean. - tools/refresh-kernel-ranges.py rerun: drift reduced 18 -> 13. --- modules/af_unix_gc_cve_2023_4622/skeletonkey_modules.c | 1 + modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c | 3 ++- modules/nf_tables_cve_2024_1086/skeletonkey_modules.c | 2 +- modules/nft_payload_cve_2023_0179/skeletonkey_modules.c | 2 +- modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c | 4 ++-- .../overlayfs_setuid_cve_2023_0386/skeletonkey_modules.c | 1 + modules/vmwgfx_cve_2023_2008/skeletonkey_modules.c | 8 +++++--- 7 files changed, 13 insertions(+), 8 deletions(-) 
diff --git a/modules/af_unix_gc_cve_2023_4622/skeletonkey_modules.c b/modules/af_unix_gc_cve_2023_4622/skeletonkey_modules.c
index d6692ca..80e7cb9 100644
--- a/modules/af_unix_gc_cve_2023_4622/skeletonkey_modules.c
+++ b/modules/af_unix_gc_cve_2023_4622/skeletonkey_modules.c
@@ -105,6 +105,7 @@ static const struct kernel_patched_from af_unix_gc_patched_branches[] = {
 {5, 10, 197},
 {5, 15, 130},
 {6, 1, 51}, /* 6.1 LTS */
+ {6, 4, 13}, /* 6.4.x stable (per Debian tracker — forky/sid/trixie) */
 {6, 5, 0}, /* mainline fix landed in 6.5 (technically 6.6-rc1 but stable 6.5.x carries the patch) */
 };
diff --git a/modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c b/modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c
index 48ee0f1..9d6323c 100644
--- a/modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c
+++ b/modules/dirtydecrypt_cve_2026_31635/skeletonkey_modules.c
@@ -673,7 +673,8 @@ static int dd_active_probe(void)
 * or weird distro rebuilds the version check missed) */
 static const struct kernel_patched_from dirtydecrypt_patched_branches[] = {
- {7, 0, 0}, /* mainline fix commit a2567217 landed in Linux 7.0 */
+ {6, 19, 13}, /* 6.19.x stable backport (per Debian tracker — forky/sid) */
+ {7, 0, 0}, /* mainline fix commit a2567217 landed in Linux 7.0 */
 };
 static const struct kernel_range dirtydecrypt_range = {
 .patched_from = dirtydecrypt_patched_branches,
diff --git a/modules/nf_tables_cve_2024_1086/skeletonkey_modules.c b/modules/nf_tables_cve_2024_1086/skeletonkey_modules.c
index 8cd22a9..b7ba6ff 100644
--- a/modules/nf_tables_cve_2024_1086/skeletonkey_modules.c
+++ b/modules/nf_tables_cve_2024_1086/skeletonkey_modules.c
@@ -95,7 +95,7 @@
 static const struct kernel_patched_from nf_tables_patched_branches[] = {
 {5, 4, 269}, /* 5.4.x */
- {5, 10, 210}, /* 5.10.x */
+ {5, 10, 209}, /* 5.10.x (harmonised with Debian bullseye fix-version) */
 {5, 15, 149}, /* 5.15.x */
 {6, 1, 74}, /* 6.1.x */
 {6, 6, 13}, /* 6.6.x */
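Review bot: The added `{6, 4, 13}` line sits directly above `{6, 5, 0}`, whose own comment says the fix reached 6.5 via stable 6.5.x rather than being in 6.5.0; a backport that reached 6.4.13 would have gone into the 6.5.y releases of the same period, so 6.5.0 itself is probably not patched and the 6.5 threshold looks as though it needs the same tracker/stable-changelog check as the new line. I would either correct the 6.5 entry in this commit or record the doubt next to the new line, e.g. `/* 6.4.x stable (per Debian tracker — forky/sid/trixie); 6.5 entry below still assumes .0, verify */`. The array's declaration line precedes the hunk (it appears only as the hunk-header context), so the block starts outside the hunk.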
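Review bot: The lowered `{5, 10, 209}` entry takes its value from the Debian tracker's fixed version, which records the Debian package version (upstream release plus Debian revision) and can therefore carry a cherry-picked fix ahead of the upstream 5.10.y point release that actually contains it; the same applies to the `{5, 10, 162}` line in the nft_payload hunk and the `{5, 10, 179}` and `{6, 1, 27}` lines in the nft_set_uaf hunk. A patched_from threshold one release too low reports an unpatched kernel as fixed, which is exactly the failure mode the description's deferred list is guarding against, so these one-step drops deserve the same per-commit check against the upstream stable changelog as the larger ones before they land. Until that is done the comment should say the value is provisional rather than harmonised, e.g. `/* 5.10.x — Debian bullseye fix-version; upstream 5.10.209 not yet confirmed against stable changelog */`. The array's closing `};` lies outside the hunk.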
diff --git a/modules/nft_payload_cve_2023_0179/skeletonkey_modules.c b/modules/nft_payload_cve_2023_0179/skeletonkey_modules.c
index fa4c354..1d460db 100644
--- a/modules/nft_payload_cve_2023_0179/skeletonkey_modules.c
+++ b/modules/nft_payload_cve_2023_0179/skeletonkey_modules.c
@@ -89,7 +89,7 @@ static const struct kernel_patched_from nft_payload_patched_branches[] = {
 {4, 14, 302}, /* 4.14.x */
 {4, 19, 269}, /* 4.19.x */
 {5, 4, 229}, /* 5.4.x */
- {5, 10, 163}, /* 5.10.x */
+ {5, 10, 162}, /* 5.10.x (harmonised with Debian bullseye fix-version) */
 {5, 15, 88}, /* 5.15.x */
 {6, 1, 6}, /* 6.1.x */
 {6, 2, 0}, /* mainline fix in 6.2-rc4 */
diff --git a/modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c b/modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c
index d894616..082235e 100644
--- a/modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c
+++ b/modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c
@@ -97,9 +97,9 @@
 static const struct kernel_patched_from nft_set_uaf_patched_branches[] = {
 {4, 19, 283}, /* 4.19.x safety patch (bug never reached this branch) */
 {5, 4, 243}, /* 5.4.x */
- {5, 10, 180}, /* 5.10.x */
+ {5, 10, 179}, /* 5.10.x (harmonised with Debian bullseye fix-version) */
 {5, 15, 111}, /* 5.15.x */
- {6, 1, 28}, /* 6.1.x */
+ {6, 1, 27}, /* 6.1.x (harmonised with Debian bookworm fix-version) */
 {6, 2, 15}, /* 6.2.x */
 {6, 3, 2}, /* 6.3.x */
 {6, 4, 0}, /* mainline 6.4-rc4 */
diff --git a/modules/overlayfs_setuid_cve_2023_0386/skeletonkey_modules.c b/modules/overlayfs_setuid_cve_2023_0386/skeletonkey_modules.c
index 66d8cfc..2428a9e 100644
--- a/modules/overlayfs_setuid_cve_2023_0386/skeletonkey_modules.c
+++ b/modules/overlayfs_setuid_cve_2023_0386/skeletonkey_modules.c
@@ -60,6 +60,7 @@
 #include
 static const struct kernel_patched_from overlayfs_setuid_patched_branches[] = {
+ {5, 10, 179}, /* 5.10.x stable backport (per Debian tracker — bullseye) */
 {5, 15, 110},
 {6, 1, 27},
 {6, 2, 13},
diff --git a/modules/vmwgfx_cve_2023_2008/skeletonkey_modules.c b/modules/vmwgfx_cve_2023_2008/skeletonkey_modules.c
index 034f026..7a944e1 100644
--- a/modules/vmwgfx_cve_2023_2008/skeletonkey_modules.c
+++ b/modules/vmwgfx_cve_2023_2008/skeletonkey_modules.c
@@ -119,9 +119,11 @@ union drm_vmw_alloc_dmabuf_arg {
 /* ---- kernel range ------------------------------------------------- */
 static const struct kernel_patched_from vmwgfx_patched_branches[] = {
- {6, 1, 23}, /* 6.1 LTS backport */
- {6, 2, 10}, /* 6.2.x stable backport */
- {6, 3, 0}, /* mainline (6.3-rc6) */
+ {5, 10, 127}, /* 5.10.x stable (per Debian tracker — bullseye) */
+ {5, 18, 14}, /* 5.18.x stable (per Debian tracker — bookworm/forky/sid/trixie) */
+ {6, 1, 23}, /* 6.1 LTS backport */
+ {6, 2, 10}, /* 6.2.x stable backport */
+ {6, 3, 0}, /* mainline (6.3-rc6) */
 };
 static const struct kernel_range vmwgfx_range = {
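Review bot: The new `{5, 18, 14}` and `{5, 10, 127}` entries contradict the rest of this table: the surviving lines date the mainline fix to 6.3-rc6 with backports to 6.1.23 and 6.2.10, and a fix that were already present in 5.10.127 and 5.18.14 would necessarily be in 6.1.0, not arrive at 6.1.23 — and 5.18 is a non-LTS branch whose stable releases, to my knowledge, ended long before 6.3 existed. The tracker rows most likely describe a different fix than the one this module targets, and taking them as-is would mark every 5.18.x and 5.10.127+ kernel as patched for a bug the table still treats as open on 6.1 below .23. I would drop both lines until the upstream stable changelog confirms the fix commit on those branches, or at minimum mark them `/* UNVERIFIED: tracker row may refer to a different fix; do not trust */`. The `vmwgfx_range` definition that consumes this table starts on the hunk's last line and continues outside the hunk.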