Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors<br /> <br /> Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU<br /> protection. But it is possible to attach a non-sleepable BPF program to a<br /> uprobe, and non-sleepable BPF programs are freed via normal RCU (see<br /> __bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal<br /> RCU grace period does not imply a tasks-trace-RCU grace period.<br /> <br /> Fix it by explicitly waiting for a tasks-trace-RCU grace period after<br /> removing the attachment of a bpf_prog to a perf_event.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdkfd: Dereference null return value<br /> <br /> In the function pqm_uninit there is a call-assignment of "pdd =<br /> kfd_get_process_device_data" which could be null, and this value was<br /> later dereferenced without checking.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/i915: Fix NULL pointer dereference in capture_engine<br /> <br /> When the intel_context structure contains NULL,<br /> it raises a NULL pointer dereference error in drm_info().<br /> <br /> (cherry picked from commit 754302a5bc1bd8fd3b7d85c168b0a1af6d4bba4d)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain<br /> <br /> The qi_batch is allocated when assigning cache tag for a domain. While<br /> for nested parent domain, it is missed. Hence, when trying to map pages<br /> to the nested parent, NULL dereference occurred. Also, there is potential<br /> memleak since there is no lock around domain-&gt;qi_batch allocation.<br /> <br /> To solve it, add a helper for qi_batch allocation, and call it in both<br /> the __cache_tag_assign_domain() and __cache_tag_assign_parent_domain().<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000200<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 8104795067 P4D 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 223 UID: 0 PID: 4357 Comm: qemu-system-x86 Not tainted 6.13.0-rc1-00028-g4b50c3c3b998-dirty #2632<br /> Call Trace:<br /> ? __die+0x24/0x70<br /> ? page_fault_oops+0x80/0x150<br /> ? do_user_addr_fault+0x63/0x7b0<br /> ? exc_page_fault+0x7c/0x220<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? cache_tag_flush_range_np+0x13c/0x260<br /> intel_iommu_iotlb_sync_map+0x1a/0x30<br /> iommu_map+0x61/0xf0<br /> batch_to_domain+0x188/0x250<br /> iopt_area_fill_domains+0x125/0x320<br /> ? rcu_is_watching+0x11/0x50<br /> iopt_map_pages+0x63/0x100<br /> iopt_map_common.isra.0+0xa7/0x190<br /> iopt_map_user_pages+0x6a/0x80<br /> iommufd_ioas_map+0xcd/0x1d0<br /> iommufd_fops_ioctl+0x118/0x1c0<br /> __x64_sys_ioctl+0x93/0xc0<br /> do_syscall_64+0x71/0x140<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/vt-d: Remove cache tags before disabling ATS<br /> <br /> The current implementation removes cache tags after disabling ATS,<br /> leading to potential memory leaks and kernel crashes. Specifically,<br /> CACHE_TAG_DEVTLB type cache tags may still remain in the list even<br /> after the domain is freed, causing a use-after-free condition.<br /> <br /> This issue really shows up when multiple VFs from different PFs<br /> passed through to a single user-space process via vfio-pci. In such<br /> cases, the kernel may crash with kernel messages like:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000014<br /> PGD 19036a067 P4D 1940a3067 PUD 136c9b067 PMD 0<br /> Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> CPU: 74 UID: 0 PID: 3183 Comm: testCli Not tainted 6.11.9 #2<br /> RIP: 0010:cache_tag_flush_range+0x9b/0x250<br /> Call Trace:<br /> <br /> ? __die+0x1f/0x60<br /> ? page_fault_oops+0x163/0x590<br /> ? exc_page_fault+0x72/0x190<br /> ? asm_exc_page_fault+0x22/0x30<br /> ? cache_tag_flush_range+0x9b/0x250<br /> ? cache_tag_flush_range+0x5d/0x250<br /> intel_iommu_tlb_sync+0x29/0x40<br /> intel_iommu_unmap_pages+0xfe/0x160<br /> __iommu_unmap+0xd8/0x1a0<br /> vfio_unmap_unpin+0x182/0x340 [vfio_iommu_type1]<br /> vfio_remove_dma+0x2a/0xb0 [vfio_iommu_type1]<br /> vfio_iommu_type1_ioctl+0xafa/0x18e0 [vfio_iommu_type1]<br /> <br /> Move cache_tag_unassign_domain() before iommu_disable_pci_caps() to fix<br /> it.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: graniterapids: Fix vGPIO driver crash<br /> <br /> Move setting irq_chip.name from probe() function to the initialization<br /> of "irq_chip" struct in order to fix vGPIO driver crash during bootup.<br /> <br /> Crash was caused by unauthorized modification of irq_chip.name field<br /> where irq_chip struct was initialized as const.<br /> <br /> This behavior is a consequence of suboptimal implementation of<br /> gpio_irq_chip_set_chip(), which should be changed to avoid<br /> casting away const qualifier.<br /> <br /> Crash log:<br /> BUG: unable to handle page fault for address: ffffffffc0ba81c0<br /> /#PF: supervisor write access in kernel mode<br /> /#PF: error_code(0x0003) - permissions violation<br /> CPU: 33 UID: 0 PID: 1075 Comm: systemd-udevd Not tainted 6.12.0-rc6-00077-g2e1b3cc9d7f7 #1<br /> Hardware name: Intel Corporation Kaseyville RP/Kaseyville RP, BIOS KVLDCRB1.PGS.0026.D73.2410081258 10/08/2024<br /> RIP: 0010:gnr_gpio_probe+0x171/0x220 [gpio_graniterapids]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl<br /> <br /> Fix an issue detected by syzbot with KASAN:<br /> <br /> BUG: KASAN: vmalloc-out-of-bounds in cmd_to_func drivers/acpi/nfit/<br /> core.c:416 [inline]<br /> BUG: KASAN: vmalloc-out-of-bounds in acpi_nfit_ctl+0x20e8/0x24a0<br /> drivers/acpi/nfit/core.c:459<br /> <br /> The issue occurs in cmd_to_func when the call_pkg-&gt;nd_reserved2<br /> array is accessed without verifying that call_pkg points to a buffer<br /> that is appropriately sized as a struct nd_cmd_pkg. This can lead<br /> to out-of-bounds access and undefined behavior if the buffer does not<br /> have sufficient space.<br /> <br /> To address this, a check was added in acpi_nfit_ctl() to ensure that<br /> buf is not NULL and that buf_len is less than sizeof(*call_pkg)<br /> before accessing it. This ensures safe access to the members of<br /> call_pkg, including the nd_reserved2 array.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one<br /> <br /> Since the netlink attribute range validation provides inclusive<br /> checking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be<br /> IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.<br /> <br /> One crash stack for demonstration:<br /> ==================================================================<br /> BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939<br /> Read of size 6 at addr 001102080000000c by task fuzzer.386/9508<br /> <br /> CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106<br /> print_report+0xe0/0x750 mm/kasan/report.c:398<br /> kasan_report+0x139/0x170 mm/kasan/report.c:495<br /> kasan_check_range+0x287/0x290 mm/kasan/generic.c:189<br /> memcpy+0x25/0x60 mm/kasan/shadow.c:65<br /> ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939<br /> rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]<br /> nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453<br /> genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756<br /> genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]<br /> genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850<br /> netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508<br /> genl_rcv+0x24/0x40 net/netlink/genetlink.c:861<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]<br /> netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352<br /> netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874<br /> sock_sendmsg_nosec net/socket.c:716 [inline]<br /> __sock_sendmsg net/socket.c:728 [inline]<br /> ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499<br /> ___sys_sendmsg+0x21c/0x290 net/socket.c:2553<br /> __sys_sendmsg net/socket.c:2582 [inline]<br /> __do_sys_sendmsg net/socket.c:2591 [inline]<br /> __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> Update the policy to ensure correct validation.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf, sockmap: Fix race between element replace and close()<br /> <br /> Element replace (with a socket different from the one stored) may race<br /> with socket&amp;#39;s close() link popping &amp; unlinking. __sock_map_delete()<br /> unconditionally unrefs the (wrong) element:<br /> <br /> // set map[0] = s0<br /> map_update_elem(map, 0, s0)<br /> <br /> // drop fd of s0<br /> close(s0)<br /> sock_map_close()<br /> lock_sock(sk) (s0!)<br /> sock_map_remove_links(sk)<br /> link = sk_psock_link_pop()<br /> sock_map_unlink(sk, link)<br /> sock_map_delete_from_link<br /> // replace map[0] with s1<br /> map_update_elem(map, 0, s1)<br /> sock_map_update_elem<br /> (s1!) lock_sock(sk)<br /> sock_map_update_common<br /> psock = sk_psock(sk)<br /> spin_lock(&amp;stab-&gt;lock)<br /> osk = stab-&gt;sks[idx]<br /> sock_map_add_link(..., &amp;stab-&gt;sks[idx])<br /> sock_map_unref(osk, &amp;stab-&gt;sks[idx])<br /> psock = sk_psock(osk)<br /> sk_psock_put(sk, psock)<br /> if (refcount_dec_and_test(&amp;psock))<br /> sk_psock_drop(sk, psock)<br /> spin_unlock(&amp;stab-&gt;lock)<br /> unlock_sock(sk)<br /> __sock_map_delete<br /> spin_lock(&amp;stab-&gt;lock)<br /> sk = *psk // s1 replaced s0; sk == s1<br /> if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch<br /> sk = xchg(psk, NULL)<br /> if (sk)<br /> sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle<br /> psock = sk_psock(sk)<br /> sk_psock_put(sk, psock)<br /> if (refcount_dec_and_test())<br /> sk_psock_drop(sk, psock)<br /> spin_unlock(&amp;stab-&gt;lock)<br /> release_sock(sk)<br /> <br /> Then close(map) enqueues bpf_map_free_deferred, which finally calls<br /> sock_map_free(). This results in some refcount_t warnings along with<br /> a KASAN splat [1].<br /> <br /> Fix __sock_map_delete(), do not allow sock_map_unref() on elements that<br /> may have been replaced.<br /> <br /> [1]:<br /> BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330<br /> Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063<br /> <br /> CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014<br /> Workqueue: events_unbound bpf_map_free_deferred<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x68/0x90<br /> print_report+0x174/0x4f6<br /> kasan_report+0xb9/0x190<br /> kasan_check_range+0x10f/0x1e0<br /> sock_map_free+0x10e/0x330<br /> bpf_map_free_deferred+0x173/0x320<br /> process_one_work+0x846/0x1420<br /> worker_thread+0x5b3/0xf80<br /> kthread+0x29e/0x360<br /> ret_from_fork+0x2d/0x70<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> Allocated by task 1202:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_save_track+0x10/0x30<br /> __kasan_slab_alloc+0x85/0x90<br /> kmem_cache_alloc_noprof+0x131/0x450<br /> sk_prot_alloc+0x5b/0x220<br /> sk_alloc+0x2c/0x870<br /> unix_create1+0x88/0x8a0<br /> unix_create+0xc5/0x180<br /> __sock_create+0x241/0x650<br /> __sys_socketpair+0x1ce/0x420<br /> __x64_sys_socketpair+0x92/0x100<br /> do_syscall_64+0x93/0x180<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Freed by task 46:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_save_track+0x10/0x30<br /> kasan_save_free_info+0x37/0x60<br /> __kasan_slab_free+0x4b/0x70<br /> kmem_cache_free+0x1a1/0x590<br /> __sk_destruct+0x388/0x5a0<br /> sk_psock_destroy+0x73e/0xa50<br /> process_one_work+0x846/0x1420<br /> worker_thread+0x5b3/0xf80<br /> kthread+0x29e/0x360<br /> ret_from_fork+0x2d/0x70<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> The bu<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog<br /> <br /> Syzbot reported [1] crash that happens for following tracing scenario:<br /> <br /> - create tracepoint perf event with attr.inherit=1, attach it to the<br /> process and set bpf program to it<br /> - attached process forks -&gt; chid creates inherited event<br /> <br /> the new child event shares the parent&amp;#39;s bpf program and tp_event<br /> (hence prog_array) which is global for tracepoint<br /> <br /> - exit both process and its child -&gt; release both events<br /> - first perf_event_detach_bpf_prog call will release tp_event-&gt;prog_array<br /> and second perf_event_detach_bpf_prog will crash, because<br /> tp_event-&gt;prog_array is NULL<br /> <br /> The fix makes sure the perf_event_detach_bpf_prog checks prog_array<br /> is valid before it tries to remove the bpf program from it.<br /> <br /> [1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer<br /> <br /> Considering that in some extreme cases,<br /> when u_serial driver is accessed by multiple threads,<br /> Thread A is executing the open operation and calling the gs_open,<br /> Thread B is executing the disconnect operation and calling the<br /> gserial_disconnect function,The port-&gt;port_usb pointer will be set to NULL.<br /> <br /> E.g.<br /> Thread A Thread B<br /> gs_open() gadget_unbind_driver()<br /> gs_start_io() composite_disconnect()<br /> gs_start_rx() gserial_disconnect()<br /> ... ...<br /> spin_unlock(&amp;port-&gt;port_lock)<br /> status = usb_ep_queue() spin_lock(&amp;port-&gt;port_lock)<br /> spin_lock(&amp;port-&gt;port_lock) port-&gt;port_usb = NULL<br /> gs_free_requests(port-&gt;port_usb-&gt;in) spin_unlock(&amp;port-&gt;port_lock)<br /> Crash<br /> <br /> This causes thread A to access a null pointer (port-&gt;port_usb is null)<br /> when calling the gs_free_requests function, causing a crash.<br /> <br /> If port_usb is NULL, the release request will be skipped as it<br /> will be done by gserial_disconnect.<br /> <br /> So add a null pointer check to gs_start_io before attempting<br /> to access the value of the pointer port-&gt;port_usb.<br /> <br /> Call trace:<br /> gs_start_io+0x164/0x25c<br /> gs_open+0x108/0x13c<br /> tty_open+0x314/0x638<br /> chrdev_open+0x1b8/0x258<br /> do_dentry_open+0x2c4/0x700<br /> vfs_open+0x2c/0x3c<br /> path_openat+0xa64/0xc60<br /> do_filp_open+0xb8/0x164<br /> do_sys_openat2+0x84/0xf0<br /> __arm64_sys_openat+0x70/0x9c<br /> invoke_syscall+0x58/0x114<br /> el0_svc_common+0x80/0xe0<br /> do_el0_svc+0x1c/0x28<br /> el0_svc+0x38/0x68

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/xe/reg_sr: Remove register pool<br /> <br /> That pool implementation doesn&amp;#39;t really work: if the krealloc happens to<br /> move the memory and return another address, the entries in the xarray<br /> become invalid, leading to use-after-free later:<br /> <br /> BUG: KASAN: slab-use-after-free in xe_reg_sr_apply_mmio+0x570/0x760 [xe]<br /> Read of size 4 at addr ffff8881244b2590 by task modprobe/2753<br /> <br /> Allocated by task 2753:<br /> kasan_save_stack+0x39/0x70<br /> kasan_save_track+0x14/0x40<br /> kasan_save_alloc_info+0x37/0x60<br /> __kasan_kmalloc+0xc3/0xd0<br /> __kmalloc_node_track_caller_noprof+0x200/0x6d0<br /> krealloc_noprof+0x229/0x380<br /> <br /> Simplify the code to fix the bug. A better pooling strategy may be added<br /> back later if needed.<br /> <br /> (cherry picked from commit e5283bd4dfecbd3335f43b62a68e24dae23f59e4)