Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs<br /> <br /> When shrinking the number of real tx queues,<br /> netif_set_real_num_tx_queues() calls qdisc_reset_all_tx_gt() to flush<br /> qdiscs for queues which will no longer be used.<br /> <br /> qdisc_reset_all_tx_gt() currently serializes qdisc_reset() with<br /> qdisc_lock(). However, for lockless qdiscs, the dequeue path is<br /> serialized by qdisc_run_begin/end() using qdisc-&gt;seqlock instead, so<br /> qdisc_reset() can run concurrently with __qdisc_run() and free skbs<br /> while they are still being dequeued, leading to UAF.<br /> <br /> This can easily be reproduced on e.g. virtio-net by imposing heavy<br /> traffic while frequently changing the number of queue pairs:<br /> <br /> iperf3 -ub0 -c $peer -t 0 &amp;<br /> while :; do<br /> ethtool -L eth0 combined 1<br /> ethtool -L eth0 combined 2<br /> done<br /> <br /> With KASAN enabled, this leads to reports like:<br /> <br /> BUG: KASAN: slab-use-after-free in __qdisc_run+0x133f/0x1760<br /> ...<br /> Call Trace:<br /> <br /> ...<br /> __qdisc_run+0x133f/0x1760<br /> __dev_queue_xmit+0x248f/0x3550<br /> ip_finish_output2+0xa42/0x2110<br /> ip_output+0x1a7/0x410<br /> ip_send_skb+0x2e6/0x480<br /> udp_send_skb+0xb0a/0x1590<br /> udp_sendmsg+0x13c9/0x1fc0<br /> ...<br /> <br /> <br /> Allocated by task 1270 on cpu 5 at 44.558414s:<br /> ...<br /> alloc_skb_with_frags+0x84/0x7c0<br /> sock_alloc_send_pskb+0x69a/0x830<br /> __ip_append_data+0x1b86/0x48c0<br /> ip_make_skb+0x1e8/0x2b0<br /> udp_sendmsg+0x13a6/0x1fc0<br /> ...<br /> <br /> Freed by task 1306 on cpu 3 at 44.558445s:<br /> ...<br /> kmem_cache_free+0x117/0x5e0<br /> pfifo_fast_reset+0x14d/0x580<br /> qdisc_reset+0x9e/0x5f0<br /> netif_set_real_num_tx_queues+0x303/0x840<br /> virtnet_set_channels+0x1bf/0x260 [virtio_net]<br /> ethnl_set_channels+0x684/0xae0<br /> ethnl_default_set_doit+0x31a/0x890<br /> ...<br /> <br /> Serialize qdisc_reset_all_tx_gt() against the lockless dequeue path by<br /> taking qdisc-&gt;seqlock for TCQ_F_NOLOCK qdiscs, matching the<br /> serialization model already used by dev_reset_queue().<br /> <br /> Additionally clear QDISC_STATE_NON_EMPTY after reset so the qdisc state<br /> reflects an empty queue, avoiding needless re-scheduling.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfc: nci: free skb on nci_transceive early error paths<br /> <br /> nci_transceive() takes ownership of the skb passed by the caller,<br /> but the -EPROTO, -EINVAL, and -EBUSY error paths return without<br /> freeing it.<br /> <br /> Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes<br /> the nci/nci_dev selftest hits the error path occasionally in NIPA,<br /> and kmemleak detects leaks:<br /> <br /> unreferenced object 0xff11000015ce6a40 (size 640):<br /> comm "nci_dev", pid 3954, jiffies 4295441246<br /> hex dump (first 32 bytes):<br /> 6b 6b 6b 6b 00 a4 00 0c 02 e1 03 6b 6b 6b 6b 6b kkkk.......kkkkk<br /> 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk<br /> backtrace (crc 7c40cc2a):<br /> kmem_cache_alloc_node_noprof+0x492/0x630<br /> __alloc_skb+0x11e/0x5f0<br /> alloc_skb_with_frags+0xc6/0x8f0<br /> sock_alloc_send_pskb+0x326/0x3f0<br /> nfc_alloc_send_skb+0x94/0x1d0<br /> rawsock_sendmsg+0x162/0x4c0<br /> do_syscall_64+0x117/0xfc0

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings<br /> <br /> Userspace can either deliberately pass in the too small num_fences, or the<br /> required number can legitimately grow between the two calls to the userq<br /> wait ioctl. In both cases we do not want the emit the kernel warning<br /> backtrace since nothing is wrong with the kernel and userspace will simply<br /> get an errno reported back. So lets simply drop the WARN_ONs.<br /> <br /> (cherry picked from commit 2c333ea579de6cc20ea7bc50e9595ef72863e65c)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pinctrl: pinconf-generic: Fix memory leak in pinconf_generic_parse_dt_config()<br /> <br /> In pinconf_generic_parse_dt_config(), if parse_dt_cfg() fails, it returns<br /> directly. This bypasses the cleanup logic and results in a memory leak of<br /> the cfg buffer.<br /> <br /> Fix this by jumping to the out label on failure, ensuring kfree(cfg) is<br /> called before returning.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfc: nci: complete pending data exchange on device close<br /> <br /> In nci_close_device(), complete any pending data exchange before<br /> closing. The data exchange callback (e.g.<br /> rawsock_data_exchange_complete) holds a socket reference.<br /> <br /> NIPA occasionally hits this leak:<br /> <br /> unreferenced object 0xff1100000f435000 (size 2048):<br /> comm "nci_dev", pid 3954, jiffies 4295441245<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 27 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00 &amp;#39;..@............<br /> backtrace (crc ec2b3c5):<br /> __kmalloc_noprof+0x4db/0x730<br /> sk_prot_alloc.isra.0+0xe4/0x1d0<br /> sk_alloc+0x36/0x760<br /> rawsock_create+0xd1/0x540<br /> nfc_sock_create+0x11f/0x280<br /> __sock_create+0x22d/0x630<br /> __sys_socket+0x115/0x1d0<br /> __x64_sys_socket+0x72/0xd0<br /> do_syscall_64+0x117/0xfc0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libie: don&amp;#39;t unroll if fwlog isn&amp;#39;t supported<br /> <br /> The libie_fwlog_deinit() function can be called during driver unload<br /> even when firmware logging was never properly initialized. This led to call<br /> trace:<br /> <br /> [ 148.576156] Oops: Oops: 0000 [#1] SMP NOPTI<br /> [ 148.576167] CPU: 80 UID: 0 PID: 12843 Comm: rmmod Kdump: loaded Not tainted 6.17.0-rc7next-queue-3oct-01915-g06d79d51cf51 #1 PREEMPT(full)<br /> [ 148.576177] Hardware name: HPE ProLiant DL385 Gen10 Plus/ProLiant DL385 Gen10 Plus, BIOS A42 07/18/2020<br /> [ 148.576182] RIP: 0010:__dev_printk+0x16/0x70<br /> [ 148.576196] Code: 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 41 55 41 54 49 89 d4 55 48 89 fd 53 48 85 f6 74 3c 8b 6e 50 48 89 f3 4d 85 ed 75 03 4c 8b 2e 48 89 df e8 f3 27 98<br /> [ 148.576204] RSP: 0018:ffffd2fd7ea17a48 EFLAGS: 00010202<br /> [ 148.576211] RAX: ffffd2fd7ea17aa0 RBX: ffff8eb288ae2000 RCX: 0000000000000000<br /> [ 148.576217] RDX: ffffd2fd7ea17a70 RSI: 00000000000000c8 RDI: ffffffffb68d3d88<br /> [ 148.576222] RBP: ffffffffb68d3d88 R08: 0000000000000000 R09: 0000000000000000<br /> [ 148.576227] R10: 00000000000000c8 R11: ffff8eb2b1a49400 R12: ffffd2fd7ea17a70<br /> [ 148.576231] R13: ffff8eb3141fb000 R14: ffffffffc1215b48 R15: ffffffffc1215bd8<br /> [ 148.576236] FS: 00007f5666ba6740(0000) GS:ffff8eb2472b9000(0000) knlGS:0000000000000000<br /> [ 148.576242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 148.576247] CR2: 0000000000000118 CR3: 000000011ad17000 CR4: 0000000000350ef0<br /> [ 148.576252] Call Trace:<br /> [ 148.576258] <br /> [ 148.576269] _dev_warn+0x7c/0x96<br /> [ 148.576290] libie_fwlog_deinit+0x112/0x117 [libie_fwlog]<br /> [ 148.576303] ixgbe_remove+0x63/0x290 [ixgbe]<br /> [ 148.576342] pci_device_remove+0x42/0xb0<br /> [ 148.576354] device_release_driver_internal+0x19c/0x200<br /> [ 148.576365] driver_detach+0x48/0x90<br /> [ 148.576372] bus_remove_driver+0x6d/0xf0<br /> [ 148.576383] pci_unregister_driver+0x2e/0xb0<br /> [ 148.576393] ixgbe_exit_module+0x1c/0xd50 [ixgbe]<br /> [ 148.576430] __do_sys_delete_module.isra.0+0x1bc/0x2e0<br /> [ 148.576446] do_syscall_64+0x7f/0x980<br /> <br /> It can be reproduced by trying to unload ixgbe driver in recovery mode.<br /> <br /> Fix that by checking if fwlog is supported before doing unroll.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: usb: f81604: handle short interrupt urb messages properly<br /> <br /> If an interrupt urb is received that is not the correct length, properly<br /> detect it and don&amp;#39;t attempt to treat the data as valid.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: intel_pstate: Fix crash during turbo disable<br /> <br /> When the system is booted with kernel command line argument "nosmt" or<br /> "maxcpus" to limit the number of CPUs, disabling turbo via:<br /> <br /> echo 1 &gt; /sys/devices/system/cpu/intel_pstate/no_turbo<br /> <br /> results in a crash:<br /> <br /> PF: supervisor read access in kernel mode<br /> PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP PTI<br /> ...<br /> RIP: 0010:store_no_turbo+0x100/0x1f0<br /> ...<br /> <br /> This occurs because for_each_possible_cpu() returns CPUs even if they<br /> are not online. For those CPUs, all_cpu_data[] will be NULL. Since<br /> commit 973207ae3d7c ("cpufreq: intel_pstate: Rearrange max frequency<br /> updates handling code"), all_cpu_data[] is dereferenced even for CPUs<br /> which are not online, causing the NULL pointer dereference.<br /> <br /> To fix that, pass CPU number to intel_pstate_update_max_freq() and use<br /> all_cpu_data[] for those CPUs for which there is a valid cpufreq policy.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.<br /> <br /> Let&amp;#39;s say we bind() an UDP socket to the wildcard address with a<br /> non-zero port, connect() it to an address, and disconnect it from<br /> the address.<br /> <br /> bind() sets SOCK_BINDPORT_LOCK on sk-&gt;sk_userlocks (but not<br /> SOCK_BINDADDR_LOCK), and connect() calls udp_lib_hash4() to put<br /> the socket into the 4-tuple hash table.<br /> <br /> Then, __udp_disconnect() calls sk-&gt;sk_prot-&gt;rehash(sk).<br /> <br /> It computes a new hash based on the wildcard address and moves<br /> the socket to a new slot in the 4-tuple hash table, leaving a<br /> garbage in the chain that no packet hits.<br /> <br /> Let&amp;#39;s remove such a socket from 4-tuple hash table when disconnected.<br /> <br /> Note that udp_sk(sk)-&gt;udp_portaddr_hash needs to be udpated after<br /> udp_hash4_dec(hslot2) in udp_unhash4().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: usb: etas_es58x: correctly anchor the urb in the read bulk callback<br /> <br /> When submitting an urb, that is using the anchor pattern, it needs to be<br /> anchored before submitting it otherwise it could be leaked if<br /> usb_kill_anchored_urbs() is called. This logic is correctly done<br /> elsewhere in the driver, except in the read bulk callback so do that<br /> here also.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver<br /> <br /> The recently added macsmc-hwmon driver contained several critical<br /> bugs in its sensor population logic and float conversion routines.<br /> <br /> Specifically:<br /> - The voltage sensor population loop used the wrong prefix ("volt-"<br /> instead of "voltage-") and incorrectly assigned sensors to the<br /> temperature sensor array (hwmon-&gt;temp.sensors) instead of the<br /> voltage sensor array (hwmon-&gt;volt.sensors). This would lead to<br /> out-of-bounds memory access or data corruption when both temperature<br /> and voltage sensors were present.<br /> - The float conversion in macsmc_hwmon_write_f32() had flawed exponent<br /> logic for values &gt;= 2^24 and lacked masking for the mantissa, which<br /> could lead to incorrect values being written to the SMC.<br /> <br /> Fix these issues to ensure correct sensor registration and reliable<br /> manual fan control.<br /> <br /> Confirm that the reported overflow in FIELD_PREP is fixed by declaring<br /> macsmc_hwmon_write_f32() as __always_inline for a compile test.