Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: avoid journaling sb update on error if journal is destroying<br /> <br /> Presently we always BUG_ON if trying to start a transaction on a journal marked<br /> with JBD2_UNMOUNT, since this should never happen. However, while ltp running<br /> stress tests, it was observed that in case of some error handling paths, it is<br /> possible for update_super_work to start a transaction after the journal is<br /> destroyed eg:<br /> <br /> (umount)<br /> ext4_kill_sb<br /> kill_block_super<br /> generic_shutdown_super<br /> sync_filesystem /* commits all txns */<br /> evict_inodes<br /> /* might start a new txn */<br /> ext4_put_super<br /> flush_work(&amp;sbi-&gt;s_sb_upd_work) /* flush the workqueue */<br /> jbd2_journal_destroy<br /> journal_kill_thread<br /> journal-&gt;j_flags |= JBD2_UNMOUNT;<br /> jbd2_journal_commit_transaction<br /> jbd2_journal_get_descriptor_buffer<br /> jbd2_journal_bmap<br /> ext4_journal_bmap<br /> ext4_map_blocks<br /> ...<br /> ext4_inode_error<br /> ext4_handle_error<br /> schedule_work(&amp;sbi-&gt;s_sb_upd_work)<br /> <br /> /* work queue kicks in */<br /> update_super_work<br /> jbd2_journal_start<br /> start_this_handle<br /> BUG_ON(journal-&gt;j_flags &amp;<br /> JBD2_UNMOUNT)<br /> <br /> Hence, introduce a new mount flag to indicate journal is destroying and only do<br /> a journaled (and deferred) update of sb if this flag is not set. Otherwise, just<br /> fallback to an un-journaled commit.<br /> <br /> Further, in the journal destroy path, we have the following sequence:<br /> <br /> 1. Set mount flag indicating journal is destroying<br /> 2. force a commit and wait for it<br /> 3. flush pending sb updates<br /> <br /> This sequence is important as it ensures that, after this point, there is no sb<br /> update that might be journaled so it is safe to update the sb outside the<br /> journal. (To avoid race discussed in 2d01ddc86606)<br /> <br /> Also, we don&amp;#39;t need a similar check in ext4_grp_locked_error since it is only<br /> called from mballoc and AFAICT it would be always valid to schedule work here.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nfnetlink_queue: Initialize ctx to avoid memory allocation error<br /> <br /> It is possible that ctx in nfqnl_build_packet_message() could be used<br /> before it is properly initialize, which is only initialized<br /> by nfqnl_get_sk_secctx().<br /> <br /> This patch corrects this problem by initializing the lsmctx to a safe<br /> value when it is declared.<br /> <br /> This is similar to the commit 35fcac7a7c25<br /> ("audit: Initialize lsmctx to avoid memory allocation error").

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ax25: Remove broken autobind<br /> <br /> Binding AX25 socket by using the autobind feature leads to memory leaks<br /> in ax25_connect() and also refcount leaks in ax25_release(). Memory<br /> leak was detected with kmemleak:<br /> <br /> ================================================================<br /> unreferenced object 0xffff8880253cd680 (size 96):<br /> backtrace:<br /> __kmalloc_node_track_caller_noprof (./include/linux/kmemleak.h:43)<br /> kmemdup_noprof (mm/util.c:136)<br /> ax25_rt_autobind (net/ax25/ax25_route.c:428)<br /> ax25_connect (net/ax25/af_ax25.c:1282)<br /> __sys_connect_file (net/socket.c:2045)<br /> __sys_connect (net/socket.c:2064)<br /> __x64_sys_connect (net/socket.c:2067)<br /> do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /> ================================================================<br /> <br /> When socket is bound, refcounts must be incremented the way it is done<br /> in ax25_bind() and ax25_setsockopt() (SO_BINDTODEVICE). In case of<br /> autobind, the refcounts are not incremented.<br /> <br /> This bug leads to the following issue reported by Syzkaller:<br /> <br /> ================================================================<br /> ax25_connect(): syz-executor318 uses autobind, please contact jreuter@yaina.de<br /> ------------[ cut here ]------------<br /> refcount_t: decrement hit 0; leaking memory.<br /> WARNING: CPU: 0 PID: 5317 at lib/refcount.c:31 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 5317 Comm: syz-executor318 Not tainted 6.14.0-rc4-syzkaller-00278-gece144f151ac #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014<br /> RIP: 0010:refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:31<br /> ...<br /> Call Trace:<br /> <br /> __refcount_dec include/linux/refcount.h:336 [inline]<br /> refcount_dec include/linux/refcount.h:351 [inline]<br /> ref_tracker_free+0x6af/0x7e0 lib/ref_tracker.c:236<br /> netdev_tracker_free include/linux/netdevice.h:4302 [inline]<br /> netdev_put include/linux/netdevice.h:4319 [inline]<br /> ax25_release+0x368/0x960 net/ax25/af_ax25.c:1080<br /> __sock_release net/socket.c:647 [inline]<br /> sock_close+0xbc/0x240 net/socket.c:1398<br /> __fput+0x3e9/0x9f0 fs/file_table.c:464<br /> __do_sys_close fs/open.c:1580 [inline]<br /> __se_sys_close fs/open.c:1565 [inline]<br /> __x64_sys_close+0x7f/0x110 fs/open.c:1565<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> ================================================================<br /> <br /> Considering the issues above and the comments left in the code that say:<br /> "check if we can remove this feature. It is broken."; "autobinding in this<br /> may or may not work"; - it is better to completely remove this feature than<br /> to fix it because it is broken and leads to various kinds of memory bugs.<br /> <br /> Now calling connect() without first binding socket will result in an<br /> error (-EINVAL). Userspace software that relies on the autobind feature<br /> might get broken. However, this feature does not seem widely used with<br /> this specific driver as it was not reliable at any point of time, and it<br /> is already broken anyway. E.g. ax25-tools and ax25-apps packages for<br /> popular distributions do not use the autobind feature for AF_AX25.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt_en: Mask the bd_cnt field in the TX BD properly<br /> <br /> The bd_cnt field in the TX BD specifies the total number of BDs for<br /> the TX packet. The bd_cnt field has 5 bits and the maximum number<br /> supported is 32 with the value 0.<br /> <br /> CONFIG_MAX_SKB_FRAGS can be modified and the total number of SKB<br /> fragments can approach or exceed the maximum supported by the chip.<br /> Add a macro to properly mask the bd_cnt field so that the value 32<br /> will be properly masked and set to 0 in the bd_cnd field.<br /> <br /> Without this patch, the out-of-range bd_cnt value will corrupt the<br /> TX BD and may cause TX timeout.<br /> <br /> The next patch will check for values exceeding 32.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> idpf: check error for register_netdev() on init<br /> <br /> Current init logic ignores the error code from register_netdev(),<br /> which will cause WARN_ON() on attempt to unregister it, if there was one,<br /> and there is no info for the user that the creation of the netdev failed.<br /> <br /> WARNING: CPU: 89 PID: 6902 at net/core/dev.c:11512 unregister_netdevice_many_notify+0x211/0x1a10<br /> ...<br /> [ 3707.563641] unregister_netdev+0x1c/0x30<br /> [ 3707.563656] idpf_vport_dealloc+0x5cf/0xce0 [idpf]<br /> [ 3707.563684] idpf_deinit_task+0xef/0x160 [idpf]<br /> [ 3707.563712] idpf_vc_core_deinit+0x84/0x320 [idpf]<br /> [ 3707.563739] idpf_remove+0xbf/0x780 [idpf]<br /> [ 3707.563769] pci_device_remove+0xab/0x1e0<br /> [ 3707.563786] device_release_driver_internal+0x371/0x530<br /> [ 3707.563803] driver_detach+0xbf/0x180<br /> [ 3707.563816] bus_remove_driver+0x11b/0x2a0<br /> [ 3707.563829] pci_unregister_driver+0x2a/0x250<br /> <br /> Introduce an error check and log the vport number and error code.<br /> On removal make sure to check VPORT_REG_NETDEV flag prior to calling<br /> unregister and free on the netdev.<br /> <br /> Add local variables for idx, vport_config and netdev for readability.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw()<br /> <br /> Fix using the untrusted value of proto-&gt;raw.pkt_len in function<br /> ice_vc_fdir_parse_raw() by verifying if it does not exceed the<br /> VIRTCHNL_MAX_SIZE_RAW_PACKET value.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: btnxpuart: Fix kernel panic during FW release<br /> <br /> This fixes a kernel panic seen during release FW in a stress test<br /> scenario where WLAN and BT FW download occurs simultaneously, and due to<br /> a HW bug, chip sends out only 1 bootloader signatures.<br /> <br /> When driver receives the bootloader signature, it enters FW download<br /> mode, but since no consequtive bootloader signatures seen, FW file is<br /> not requested.<br /> <br /> After 60 seconds, when FW download times out, release_firmware causes a<br /> kernel panic.<br /> <br /> [ 2601.949184] Unable to handle kernel paging request at virtual address 0000312e6f006573<br /> [ 2601.992076] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000111802000<br /> [ 2601.992080] [0000312e6f006573] pgd=0000000000000000, p4d=0000000000000000<br /> [ 2601.992087] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP<br /> [ 2601.992091] Modules linked in: algif_hash algif_skcipher af_alg btnxpuart(O) pciexxx(O) mlan(O) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce snd_soc_fsl_easrc snd_soc_fsl_asoc_card imx8_media_dev(C) snd_soc_fsl_micfil polyval_generic snd_soc_fsl_xcvr snd_soc_fsl_sai snd_soc_imx_audmux snd_soc_fsl_asrc snd_soc_imx_card snd_soc_imx_hdmi snd_soc_fsl_aud2htx snd_soc_fsl_utils imx_pcm_dma dw_hdmi_cec flexcan can_dev<br /> [ 2602.001825] CPU: 2 PID: 20060 Comm: hciconfig Tainted: G C O 6.6.23-lts-next-06236-gb586a521770e #1<br /> [ 2602.010182] Hardware name: NXP i.MX8MPlus EVK board (DT)<br /> [ 2602.010185] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 2602.010191] pc : _raw_spin_lock+0x34/0x68<br /> [ 2602.010201] lr : free_fw_priv+0x20/0xfc<br /> [ 2602.020561] sp : ffff800089363b30<br /> [ 2602.020563] x29: ffff800089363b30 x28: ffff0000d0eb5880 x27: 0000000000000000<br /> [ 2602.020570] x26: 0000000000000000 x25: ffff0000d728b330 x24: 0000000000000000<br /> [ 2602.020577] x23: ffff0000dc856f38<br /> [ 2602.033797] x22: ffff800089363b70 x21: ffff0000dc856000<br /> [ 2602.033802] x20: ff00312e6f006573 x19: ffff0000d0d9ea80 x18: 0000000000000000<br /> [ 2602.033809] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaad80dd480<br /> [ 2602.083320] x14: 0000000000000000 x13: 00000000000001b9 x12: 0000000000000002<br /> [ 2602.083326] x11: 0000000000000000 x10: 0000000000000a60 x9 : ffff800089363a30<br /> [ 2602.083333] x8 : ffff0001793d75c0 x7 : ffff0000d6dbc400 x6 : 0000000000000000<br /> [ 2602.083339] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000001<br /> [ 2602.083346] x2 : 0000000000000000 x1 : 0000000000000001 x0 : ff00312e6f006573<br /> [ 2602.083354] Call trace:<br /> [ 2602.083356] _raw_spin_lock+0x34/0x68<br /> [ 2602.083364] release_firmware+0x48/0x6c<br /> [ 2602.083370] nxp_setup+0x3c4/0x540 [btnxpuart]<br /> [ 2602.083383] hci_dev_open_sync+0xf0/0xa34<br /> [ 2602.083391] hci_dev_open+0xd8/0x178<br /> [ 2602.083399] hci_sock_ioctl+0x3b0/0x590<br /> [ 2602.083405] sock_do_ioctl+0x60/0x118<br /> [ 2602.083413] sock_ioctl+0x2f4/0x374<br /> [ 2602.091430] __arm64_sys_ioctl+0xac/0xf0<br /> [ 2602.091437] invoke_syscall+0x48/0x110<br /> [ 2602.091445] el0_svc_common.constprop.0+0xc0/0xe0<br /> [ 2602.091452] do_el0_svc+0x1c/0x28<br /> [ 2602.091457] el0_svc+0x40/0xe4<br /> [ 2602.091465] el0t_64_sync_handler+0x120/0x12c<br /> [ 2602.091470] el0t_64_sync+0x190/0x194

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: libwx: fix Tx L4 checksum<br /> <br /> The hardware only supports L4 checksum offload for TCP/UDP/SCTP protocol.<br /> There was a bug to set Tx checksum flag for the other protocol that results<br /> in Tx ring hang. Fix to compute software checksum for these packets.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panthor: Fix race condition when gathering fdinfo group samples<br /> <br /> Commit e16635d88fa0 ("drm/panthor: add DRM fdinfo support") failed to<br /> protect access to groups with an xarray lock, which could lead to<br /> use-after-free errors.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm: xlnx: zynqmp_dpsub: Add NULL check in zynqmp_audio_init<br /> <br /> devm_kasprintf() calls can return null pointers on failure.<br /> But some return values were not checked in zynqmp_audio_init().<br /> <br /> Add NULL check in zynqmp_audio_init(), avoid referencing null<br /> pointers in the subsequent code.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm: zynqmp_dp: Fix a deadlock in zynqmp_dp_ignore_hpd_set()<br /> <br /> Instead of attempting the same mutex twice, lock and unlock it.<br /> <br /> This bug has been detected by the Clang thread-safety analyzer.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()<br /> <br /> There are actually 2 problems:<br /> - deleting the last element doesn&amp;#39;t require the memmove of elements<br /> [i + 1, end) over it. Actually, element i+1 is out of bounds.<br /> - The memmove itself should move size - i - 1 elements, because the last<br /> element is out of bounds.<br /> <br /> The out-of-bounds element still remains out of bounds after being<br /> accessed, so the problem is only that we touch it, not that it becomes<br /> in active use. But I suppose it can lead to issues if the out-of-bounds<br /> element is part of an unmapped page.