Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtio_net: Fix error unwinding of XDP initialization<br /> <br /> When initializing XDP in virtnet_open(), some rq xdp initialization<br /> may hit an error causing net device open failed. However, previous<br /> rqs have already initialized XDP and enabled NAPI, which is not the<br /> expected behavior. Need to roll back the previous rq initialization<br /> to avoid leaks in error unwinding of init code.<br /> <br /> Also extract helper functions of disable and enable queue pairs.<br /> Use newly introduced disable helper function in error unwinding and<br /> virtnet_close. Use enable helper function in virtnet_open.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind<br /> <br /> When unbinding pasid - a race condition exists vs outstanding page faults.<br /> <br /> To prevent this, the pasid_state object contains a refcount.<br /> * set to 1 on pasid bind<br /> * incremented on each ppr notification start<br /> * decremented on each ppr notification done<br /> * decremented on pasid unbind<br /> <br /> Since refcount_dec assumes that refcount will never reach 0:<br /> the current implementation causes the following to be invoked on<br /> pasid unbind:<br /> REFCOUNT_WARN("decrement hit 0; leaking memory")<br /> <br /> Fix this issue by changing refcount_dec to refcount_dec_and_test<br /> to explicitly handle refcount=1.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xfrm: fix slab-use-after-free in decode_session6<br /> <br /> When the xfrm device is set to the qdisc of the sfb type, the cb field<br /> of the sent skb may be modified during enqueuing. Then,<br /> slab-use-after-free may occur when the xfrm device sends IPv6 packets.<br /> <br /> The stack information is as follows:<br /> BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890<br /> Read of size 1 at addr ffff8881111458ef by task swapper/3/0<br /> CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.4.0-next-20230707 #409<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0xd9/0x150<br /> print_address_description.constprop.0+0x2c/0x3c0<br /> kasan_report+0x11d/0x130<br /> decode_session6+0x103f/0x1890<br /> __xfrm_decode_session+0x54/0xb0<br /> xfrmi_xmit+0x173/0x1ca0<br /> dev_hard_start_xmit+0x187/0x700<br /> sch_direct_xmit+0x1a3/0xc30<br /> __qdisc_run+0x510/0x17a0<br /> __dev_queue_xmit+0x2215/0x3b10<br /> neigh_connected_output+0x3c2/0x550<br /> ip6_finish_output2+0x55a/0x1550<br /> ip6_finish_output+0x6b9/0x1270<br /> ip6_output+0x1f1/0x540<br /> ndisc_send_skb+0xa63/0x1890<br /> ndisc_send_rs+0x132/0x6f0<br /> addrconf_rs_timer+0x3f1/0x870<br /> call_timer_fn+0x1a0/0x580<br /> expire_timers+0x29b/0x4b0<br /> run_timer_softirq+0x326/0x910<br /> __do_softirq+0x1d4/0x905<br /> irq_exit_rcu+0xb7/0x120<br /> sysvec_apic_timer_interrupt+0x97/0xc0<br /> <br /> <br /> asm_sysvec_apic_timer_interrupt+0x1a/0x20<br /> RIP: 0010:intel_idle_hlt+0x23/0x30<br /> Code: 1f 84 00 00 00 00 00 f3 0f 1e fa 41 54 41 89 d4 0f 1f 44 00 00 66 90 0f 1f 44 00 00 0f 00 2d c4 9f ab 00 0f 1f 44 00 00 fb f4 44 89 e0 41 5c c3 66 0f 1f 44 00 00 f3 0f 1e fa 41 54 41 89 d4<br /> RSP: 0018:ffffc90000197d78 EFLAGS: 00000246<br /> RAX: 00000000000a83c3 RBX: ffffe8ffffd09c50 RCX: ffffffff8a22d8e5<br /> RDX: 0000000000000001 RSI: ffffffff8d3f8080 RDI: ffffe8ffffd09c50<br /> RBP: ffffffff8d3f8080 R08: 0000000000000001 R09: ffffed1026ba6d9d<br /> R10: ffff888135d36ceb R11: 0000000000000001 R12: 0000000000000001<br /> R13: ffffffff8d3f8100 R14: 0000000000000001 R15: 0000000000000000<br /> cpuidle_enter_state+0xd3/0x6f0<br /> cpuidle_enter+0x4e/0xa0<br /> do_idle+0x2fe/0x3c0<br /> cpu_startup_entry+0x18/0x20<br /> start_secondary+0x200/0x290<br /> secondary_startup_64_no_verify+0x167/0x16b<br /> <br /> Allocated by task 939:<br /> kasan_save_stack+0x22/0x40<br /> kasan_set_track+0x25/0x30<br /> __kasan_slab_alloc+0x7f/0x90<br /> kmem_cache_alloc_node+0x1cd/0x410<br /> kmalloc_reserve+0x165/0x270<br /> __alloc_skb+0x129/0x330<br /> inet6_ifa_notify+0x118/0x230<br /> __ipv6_ifa_notify+0x177/0xbe0<br /> addrconf_dad_completed+0x133/0xe00<br /> addrconf_dad_work+0x764/0x1390<br /> process_one_work+0xa32/0x16f0<br /> worker_thread+0x67d/0x10c0<br /> kthread+0x344/0x440<br /> ret_from_fork+0x1f/0x30<br /> The buggy address belongs to the object at ffff888111145800<br /> which belongs to the cache skbuff_small_head of size 640<br /> The buggy address is located 239 bytes inside of<br /> freed 640-byte region [ffff888111145800, ffff888111145a80)<br /> <br /> As commit f855691975bb ("xfrm6: Fix the nexthdr offset in<br /> _decode_session6.") showed, xfrm_decode_session was originally intended<br /> only for the receive path. IP6CB(skb)-&gt;nhoff is not set during<br /> transmission. Therefore, set the cb field in the skb to 0 before<br /> sending packets.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: allow ext4_get_group_info() to fail<br /> <br /> Previously, ext4_get_group_info() would treat an invalid group number<br /> as BUG(), since in theory it should never happen. However, if a<br /> malicious attaker (or fuzzer) modifies the superblock via the block<br /> device while it is the file system is mounted, it is possible for<br /> s_first_data_block to get set to a very large number. In that case,<br /> when calculating the block group of some block number (such as the<br /> starting block of a preallocation region), could result in an<br /> underflow and very large block group number. Then the BUG_ON check in<br /> ext4_get_group_info() would fire, resutling in a denial of service<br /> attack that can be triggered by root or someone with write access to<br /> the block device.<br /> <br /> For a quality of implementation perspective, it&amp;#39;s best that even if<br /> the system administrator does something that they shouldn&amp;#39;t, that it<br /> will not trigger a BUG. So instead of BUG&amp;#39;ing, ext4_get_group_info()<br /> will call ext4_error and return NULL. We also add fallback code in<br /> all of the callers of ext4_get_group_info() that it might NULL.<br /> <br /> Also, since ext4_get_group_info() was already borderline to be an<br /> inline function, un-inline it. The results in a next reduction of the<br /> compiled text size of ext4 by roughly 2k.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix disconnect vs accept race<br /> <br /> Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in<br /> recvmsg()"), the mptcp protocol is still prone to a race between<br /> disconnect() (or shutdown) and accept.<br /> <br /> The root cause is that the mentioned commit checks the msk-level<br /> flag, but mptcp_stream_accept() does acquire the msk-level lock,<br /> as it can rely directly on the first subflow lock.<br /> <br /> As reported by Christoph than can lead to a race where an msk<br /> socket is accepted after that mptcp_subflow_queue_clean() releases<br /> the listener socket lock and just before it takes destructive<br /> actions leading to the following splat:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000012<br /> PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014<br /> RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330<br /> Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89<br /> RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300<br /> RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a<br /> RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020<br /> R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880<br /> FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> do_accept+0x1ae/0x260 net/socket.c:1872<br /> __sys_accept4+0x9b/0x110 net/socket.c:1913<br /> __do_sys_accept4 net/socket.c:1954 [inline]<br /> __se_sys_accept4 net/socket.c:1951 [inline]<br /> __x64_sys_accept4+0x20/0x30 net/socket.c:1951<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /> <br /> Address the issue by temporary removing the pending request socket<br /> from the accept queue, so that racing accept() can&amp;#39;t touch them.<br /> <br /> After depleting the msk - the ssk still exists, as plain TCP sockets,<br /> re-insert them into the accept queue, so that later inet_csk_listen_stop()<br /> will complete the tcp socket disposal.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: do not ignore genmask when looking up chain by id<br /> <br /> When adding a rule to a chain referring to its ID, if that chain had been<br /> deleted on the same batch, the rule might end up referring to a deleted<br /> chain.<br /> <br /> This will lead to a WARNING like following:<br /> <br /> [ 33.098431] ------------[ cut here ]------------<br /> [ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.099217] Modules linked in:<br /> [ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409<br /> [ 33.099726] Workqueue: events nf_tables_trans_destroy_work<br /> [ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7<br /> [ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202<br /> [ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000<br /> [ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000<br /> [ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500<br /> [ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10<br /> [ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000<br /> [ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0<br /> [ 33.104872] PKRU: 55555554<br /> [ 33.104999] Call Trace:<br /> [ 33.105113] <br /> [ 33.105214] ? show_regs+0x72/0x90<br /> [ 33.105371] ? __warn+0xa5/0x210<br /> [ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.105732] ? report_bug+0x1f2/0x200<br /> [ 33.105902] ? handle_bug+0x46/0x90<br /> [ 33.106546] ? exc_invalid_op+0x19/0x50<br /> [ 33.106762] ? asm_exc_invalid_op+0x1b/0x20<br /> [ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.107249] ? nf_tables_chain_destroy+0x30/0x260<br /> [ 33.107506] nf_tables_trans_destroy_work+0x669/0x680<br /> [ 33.107782] ? mark_held_locks+0x28/0xa0<br /> [ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10<br /> [ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70<br /> [ 33.108538] process_one_work+0x68c/0xb70<br /> [ 33.108755] ? lock_acquire+0x17f/0x420<br /> [ 33.108977] ? __pfx_process_one_work+0x10/0x10<br /> [ 33.109218] ? do_raw_spin_lock+0x128/0x1d0<br /> [ 33.109435] ? _raw_spin_lock_irq+0x71/0x80<br /> [ 33.109634] worker_thread+0x2bd/0x700<br /> [ 33.109817] ? __pfx_worker_thread+0x10/0x10<br /> [ 33.110254] kthread+0x18b/0x1d0<br /> [ 33.110410] ? __pfx_kthread+0x10/0x10<br /> [ 33.110581] ret_from_fork+0x29/0x50<br /> [ 33.110757] <br /> [ 33.110866] irq event stamp: 1651<br /> [ 33.111017] hardirqs last enabled at (1659): [] __up_console_sem+0x79/0xa0<br /> [ 33.111379] hardirqs last disabled at (1666): [] __up_console_sem+0x5e/0xa0<br /> [ 33.111740] softirqs last enabled at (1616): [] __irq_exit_rcu+0x9e/0xe0<br /> [ 33.112094] softirqs last disabled at (1367): [] __irq_exit_rcu+0x9e/0xe0<br /> [ 33.112453] ---[ end trace 0000000000000000 ]---<br /> <br /> This is due to the nft_chain_lookup_byid ignoring the genmask. After this<br /> change, adding the new rule will fail as it will not find the chain.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/qaic: tighten bounds checking in decode_message()<br /> <br /> Copy the bounds checking from encode_message() to decode_message().<br /> <br /> This patch addresses the following concerns. Ensure that there is<br /> enough space for at least one header so that we don&amp;#39;t have a negative<br /> size later.<br /> <br /> if (msg_hdr_len data.<br /> <br /> if (msg_len &gt; msg_hdr_len - sizeof(*trans_hdr))<br /> return -EINVAL;<br /> <br /> Check that the trans_hdr-&gt;len is not below the minimum size:<br /> <br /> if (hdr_len data, in_trans-&gt;data, len - sizeof(in_trans-&gt;hdr));<br /> <br /> And finally, use size_add() to prevent an integer overflow:<br /> <br /> if (size_add(msg_len, hdr_len) &gt; msg_hdr_len)

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: xts - Handle EBUSY correctly<br /> <br /> As it is xts only handles the special return value of EINPROGRESS,<br /> which means that in all other cases it will free data related to the<br /> request.<br /> <br /> However, as the caller of xts may specify MAY_BACKLOG, we also need<br /> to expect EBUSY and treat it in the same way. Otherwise backlogged<br /> requests will trigger a use-after-free.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()<br /> <br /> rules is allocated in ethtool_get_rxnfc and the size is determined by<br /> rule_cnt from user space. So rule_cnt needs to be check before using<br /> rules to avoid OOB writing or NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/platform/uv: Use alternate source for socket to node data<br /> <br /> The UV code attempts to build a set of tables to allow it to do<br /> bidirectional socketnode lookups.<br /> <br /> But when nr_cpus is set to a smaller number than actually present, the<br /> cpu_to_node() mapping information for unused CPUs is not available to<br /> build_socket_tables(). This results in skipping some nodes or sockets<br /> when creating the tables and leaving some -1&amp;#39;s for later code to trip.<br /> over, causing oopses.<br /> <br /> The problem is that the socketnode lookups are created by doing a<br /> loop over all CPUs, then looking up the CPU&amp;#39;s APICID and socket. But<br /> if a CPU is not present, there is no way to start this lookup.<br /> <br /> Instead of looping over all CPUs, take CPUs out of the equation<br /> entirely. Loop over all APICIDs which are mapped to a valid NUMA node.<br /> Then just extract the socket-id from the APICID.<br /> <br /> This avoid tripping over disabled CPUs.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> start_kernel: Add __no_stack_protector function attribute<br /> <br /> Back during the discussion of<br /> commit a9a3ed1eff36 ("x86: Fix early boot crash on gcc-10, third try")<br /> we discussed the need for a function attribute to control the omission<br /> of stack protectors on a per-function basis; at the time Clang had<br /> support for no_stack_protector but GCC did not. This was fixed in<br /> gcc-11. Now that the function attribute is available, let&amp;#39;s start using<br /> it.<br /> <br /> Callers of boot_init_stack_canary need to use this function attribute<br /> unless they&amp;#39;re compiled with -fno-stack-protector, otherwise the canary<br /> stored in the stack slot of the caller will differ upon the call to<br /> boot_init_stack_canary. This will lead to a call to __stack_chk_fail()<br /> then panic.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/rtas_flash: allow user copy to flash block cache objects<br /> <br /> With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the<br /> /proc/powerpc/rtas/firmware_update interface to prepare a system<br /> firmware update yields a BUG():<br /> <br /> kernel BUG at mm/usercopy.c:102!<br /> Oops: Exception in kernel mode, sig: 5 [#1]<br /> LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries<br /> Modules linked in:<br /> CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2<br /> Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries<br /> NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000<br /> REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)<br /> MSR: 8000000000029033 CR: 24002242 XER: 0000000c<br /> CFAR: c0000000001fbd34 IRQMASK: 0<br /> [ ... GPRs omitted ... ]<br /> NIP usercopy_abort+0xa0/0xb0<br /> LR usercopy_abort+0x9c/0xb0<br /> Call Trace:<br /> usercopy_abort+0x9c/0xb0 (unreliable)<br /> __check_heap_object+0x1b4/0x1d0<br /> __check_object_size+0x2d0/0x380<br /> rtas_flash_write+0xe4/0x250<br /> proc_reg_write+0xfc/0x160<br /> vfs_write+0xfc/0x4e0<br /> ksys_write+0x90/0x160<br /> system_call_exception+0x178/0x320<br /> system_call_common+0x160/0x2c4<br /> <br /> The blocks of the firmware image are copied directly from user memory<br /> to objects allocated from flash_block_cache, so flash_block_cache must<br /> be created using kmem_cache_create_usercopy() to mark it safe for user<br /> access.<br /> <br /> [mpe: Trim and indent oops]