Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr<br /> <br /> Although ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it<br /> still means hlist_for_each_entry_rcu can return an item that got removed<br /> from the list. The memory itself of such item is not freed thanks to RCU<br /> but nothing guarantees the actual content of the memory is sane.<br /> <br /> In particular, the reference count can be zero. This can happen if<br /> ipv6_del_addr is called in parallel. ipv6_del_addr removes the entry<br /> from inet6_addr_lst (hlist_del_init_rcu(&amp;ifp-&gt;addr_lst)) and drops all<br /> references (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough<br /> timing, this can happen:<br /> <br /> 1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.<br /> <br /> 2. Then, the whole ipv6_del_addr is executed for the given entry. The<br /> reference count drops to zero and kfree_rcu is scheduled.<br /> <br /> 3. ipv6_get_ifaddr continues and tries to increments the reference count<br /> (in6_ifa_hold).<br /> <br /> 4. The rcu is unlocked and the entry is freed.<br /> <br /> 5. The freed entry is returned.<br /> <br /> Prevent increasing of the reference count in such case. The name<br /> in6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.<br /> <br /> [ 41.506330] refcount_t: addition on 0; use-after-free.<br /> [ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130<br /> [ 41.507413] Modules linked in: veth bridge stp llc<br /> [ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14<br /> [ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)<br /> [ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130<br /> [ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff<br /> [ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282<br /> [ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000<br /> [ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900<br /> [ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff<br /> [ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000<br /> [ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48<br /> [ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000<br /> [ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0<br /> [ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> [ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> [ 41.516799] Call Trace:<br /> [ 41.517037] <br /> [ 41.517249] ? __warn+0x7b/0x120<br /> [ 41.517535] ? refcount_warn_saturate+0xa5/0x130<br /> [ 41.517923] ? report_bug+0x164/0x190<br /> [ 41.518240] ? handle_bug+0x3d/0x70<br /> [ 41.518541] ? exc_invalid_op+0x17/0x70<br /> [ 41.520972] ? asm_exc_invalid_op+0x1a/0x20<br /> [ 41.521325] ? refcount_warn_saturate+0xa5/0x130<br /> [ 41.521708] ipv6_get_ifaddr+0xda/0xe0<br /> [ 41.522035] inet6_rtm_getaddr+0x342/0x3f0<br /> [ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10<br /> [ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0<br /> [ 41.523102] ? netlink_unicast+0x30f/0x390<br /> [ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10<br /> [ 41.523832] netlink_rcv_skb+0x53/0x100<br /> [ 41.524157] netlink_unicast+0x23b/0x390<br /> [ 41.524484] netlink_sendmsg+0x1f2/0x440<br /> [ 41.524826] __sys_sendto+0x1d8/0x1f0<br /> [ 41.525145] __x64_sys_sendto+0x1f/0x30<br /> [ 41.525467] do_syscall_64+0xa5/0x1b0<br /> [ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a<br /> [ 41.526213] RIP: 0033:0x7fbc4cfcea9a<br /> [ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89<br /> [ 41.527942] RSP: 002b:00007f<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> af_unix: Clear stale u-&gt;oob_skb.<br /> <br /> syzkaller started to report deadlock of unix_gc_lock after commit<br /> 4090fa373f0e ("af_unix: Replace garbage collection algorithm."), but<br /> it just uncovers the bug that has been there since commit 314001f0bf92<br /> ("af_unix: Add OOB support").<br /> <br /> The repro basically does the following.<br /> <br /> from socket import *<br /> from array import array<br /> <br /> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)<br /> c1.sendmsg([b&amp;#39;a&amp;#39;], [(SOL_SOCKET, SCM_RIGHTS, array("i", [c2.fileno()]))], MSG_OOB)<br /> c2.recv(1) # blocked as no normal data in recv queue<br /> <br /> c2.close() # done async and unblock recv()<br /> c1.close() # done async and trigger GC<br /> <br /> A socket sends its file descriptor to itself as OOB data and tries to<br /> receive normal data, but finally recv() fails due to async close().<br /> <br /> The problem here is wrong handling of OOB skb in manage_oob(). When<br /> recvmsg() is called without MSG_OOB, manage_oob() is called to check<br /> if the peeked skb is OOB skb. In such a case, manage_oob() pops it<br /> out of the receive queue but does not clear unix_sock(sk)-&gt;oob_skb.<br /> This is wrong in terms of uAPI.<br /> <br /> Let&amp;#39;s say we send "hello" with MSG_OOB, and "world" without MSG_OOB.<br /> The &amp;#39;o&amp;#39; is handled as OOB data. When recv() is called twice without<br /> MSG_OOB, the OOB data should be lost.<br /> <br /> &gt;&gt;&gt; from socket import *<br /> &gt;&gt;&gt; c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)<br /> &gt;&gt;&gt; c1.send(b&amp;#39;hello&amp;#39;, MSG_OOB) # &amp;#39;o&amp;#39; is OOB data<br /> 5<br /> &gt;&gt;&gt; c1.send(b&amp;#39;world&amp;#39;)<br /> 5<br /> &gt;&gt;&gt; c2.recv(5) # OOB data is not received<br /> b&amp;#39;hell&amp;#39;<br /> &gt;&gt;&gt; c2.recv(5) # OOB date is skipped<br /> b&amp;#39;world&amp;#39;<br /> &gt;&gt;&gt; c2.recv(5, MSG_OOB) # This should return an error<br /> b&amp;#39;o&amp;#39;<br /> <br /> In the same situation, TCP actually returns -EINVAL for the last<br /> recv().<br /> <br /> Also, if we do not clear unix_sk(sk)-&gt;oob_skb, unix_poll() always set<br /> EPOLLPRI even though the data has passed through by previous recv().<br /> <br /> To avoid these issues, we must clear unix_sk(sk)-&gt;oob_skb when dequeuing<br /> it from recv queue.<br /> <br /> The reason why the old GC did not trigger the deadlock is because the<br /> old GC relied on the receive queue to detect the loop.<br /> <br /> When it is triggered, the socket with OOB data is marked as GC candidate<br /> because file refcount == inflight count (1). However, after traversing<br /> all inflight sockets, the socket still has a positive inflight count (1),<br /> thus the socket is excluded from candidates. Then, the old GC lose the<br /> chance to garbage-collect the socket.<br /> <br /> With the old GC, the repro continues to create true garbage that will<br /> never be freed nor detected by kmemleak as it&amp;#39;s linked to the global<br /> inflight list. That&amp;#39;s why we couldn&amp;#39;t even notice the issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ks8851: Handle softirqs at the end of IRQ thread to fix hang<br /> <br /> The ks8851_irq() thread may call ks8851_rx_pkts() in case there are<br /> any packets in the MAC FIFO, which calls netif_rx(). This netif_rx()<br /> implementation is guarded by local_bh_disable() and local_bh_enable().<br /> The local_bh_enable() may call do_softirq() to run softirqs in case<br /> any are pending. One of the softirqs is net_rx_action, which ultimately<br /> reaches the driver .start_xmit callback. If that happens, the system<br /> hangs. The entire call chain is below:<br /> <br /> ks8851_start_xmit_par from netdev_start_xmit<br /> netdev_start_xmit from dev_hard_start_xmit<br /> dev_hard_start_xmit from sch_direct_xmit<br /> sch_direct_xmit from __dev_queue_xmit<br /> __dev_queue_xmit from __neigh_update<br /> __neigh_update from neigh_update<br /> neigh_update from arp_process.constprop.0<br /> arp_process.constprop.0 from __netif_receive_skb_one_core<br /> __netif_receive_skb_one_core from process_backlog<br /> process_backlog from __napi_poll.constprop.0<br /> __napi_poll.constprop.0 from net_rx_action<br /> net_rx_action from __do_softirq<br /> __do_softirq from call_with_stack<br /> call_with_stack from do_softirq<br /> do_softirq from __local_bh_enable_ip<br /> __local_bh_enable_ip from netif_rx<br /> netif_rx from ks8851_irq<br /> ks8851_irq from irq_thread_fn<br /> irq_thread_fn from irq_thread<br /> irq_thread from kthread<br /> kthread from ret_from_fork<br /> <br /> The hang happens because ks8851_irq() first locks a spinlock in<br /> ks8851_par.c ks8851_lock_par() spin_lock_irqsave(&amp;ksp-&gt;lock, ...)<br /> and with that spinlock locked, calls netif_rx(). Once the execution<br /> reaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again<br /> which attempts to claim the already locked spinlock again, and the<br /> hang happens.<br /> <br /> Move the do_softirq() call outside of the spinlock protected section<br /> of ks8851_irq() by disabling BHs around the entire spinlock protected<br /> section of ks8851_irq() handler. Place local_bh_enable() outside of<br /> the spinlock protected section, so that it can trigger do_softirq()<br /> without the ks8851_par.c ks8851_lock_par() spinlock being held, and<br /> safely call ks8851_start_xmit_par() without attempting to lock the<br /> already locked spinlock.<br /> <br /> Since ks8851_irq() is protected by local_bh_disable()/local_bh_enable()<br /> now, replace netif_rx() with __netif_rx() which is not duplicating the<br /> local_bh_disable()/local_bh_enable() calls.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: L2CAP: Fix not validating setsockopt user input<br /> <br /> Check user input length before copying data.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_sock: Fix not validating setsockopt user input<br /> <br /> Check user input length before copying data.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: ISO: Fix not validating setsockopt user input<br /> <br /> Check user input length before copying data.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: RFCOMM: Fix not validating setsockopt user input<br /> <br /> syzbot reported rfcomm_sock_setsockopt_old() is copying data without<br /> checking user input length.<br /> <br /> BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset<br /> include/linux/sockptr.h:49 [inline]<br /> BUG: KASAN: slab-out-of-bounds in copy_from_sockptr<br /> include/linux/sockptr.h:55 [inline]<br /> BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old<br /> net/bluetooth/rfcomm/sock.c:632 [inline]<br /> BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70<br /> net/bluetooth/rfcomm/sock.c:673<br /> Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: SCO: Fix not validating setsockopt user input<br /> <br /> syzbot reported sco_sock_setsockopt() is copying data without<br /> checking user input length.<br /> <br /> BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset<br /> include/linux/sockptr.h:49 [inline]<br /> BUG: KASAN: slab-out-of-bounds in copy_from_sockptr<br /> include/linux/sockptr.h:55 [inline]<br /> BUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90<br /> net/bluetooth/sco.c:893<br /> Read of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: complete validation of user input<br /> <br /> In my recent commit, I missed that do_replace() handlers<br /> use copy_from_sockptr() (which I fixed), followed<br /> by unsafe copy_from_sockptr_offset() calls.<br /> <br /> In all functions, we can perform the @optlen validation<br /> before even calling xt_alloc_table_info() with the following<br /> check:<br /> <br /> if ((u64)optlen

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ena: Fix incorrect descriptor free behavior<br /> <br /> ENA has two types of TX queues:<br /> - queues which only process TX packets arriving from the network stack<br /> - queues which only process TX packets forwarded to it by XDP_REDIRECT<br /> or XDP_TX instructions<br /> <br /> The ena_free_tx_bufs() cycles through all descriptors in a TX queue<br /> and unmaps + frees every descriptor that hasn&amp;#39;t been acknowledged yet<br /> by the device (uncompleted TX transactions).<br /> The function assumes that the processed TX queue is necessarily from<br /> the first category listed above and ends up using napi_consume_skb()<br /> for descriptors belonging to an XDP specific queue.<br /> <br /> This patch solves a bug in which, in case of a VF reset, the<br /> descriptors aren&amp;#39;t freed correctly, leading to crashes.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()<br /> <br /> Subject: [PATCH] drm/panfrost: Fix the error path in<br /> panfrost_mmu_map_fault_addr()<br /> <br /> If some the pages or sgt allocation failed, we shouldn&amp;#39;t release the<br /> pages ref we got earlier, otherwise we will end up with unbalanced<br /> get/put_pages() calls. We should instead leave everything in place<br /> and let the BO release function deal with extra cleanup when the object<br /> is destroyed, or let the fault handler try again next time it&amp;#39;s called.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ast: Fix soft lockup<br /> <br /> There is a while-loop in ast_dp_set_on_off() that could lead to<br /> infinite-loop. This is because the register, VGACRI-Dx, checked in<br /> this API is a scratch register actually controlled by a MCU, named<br /> DPMCU, in BMC.<br /> <br /> These scratch registers are protected by scu-lock. If suc-lock is not<br /> off, DPMCU can not update these registers and then host will have soft<br /> lockup due to never updated status.<br /> <br /> DPMCU is used to control DP and relative registers to handshake with<br /> host&amp;#39;s VGA driver. Even the most time-consuming task, DP&amp;#39;s link<br /> training, is less than 100ms. 200ms should be enough.