Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu/amd/iommu_v2: Fix pasid_state refcount dec hit 0 warning on pasid unbind<br /> <br /> When unbinding pasid - a race condition exists vs outstanding page faults.<br /> <br /> To prevent this, the pasid_state object contains a refcount.<br /> * set to 1 on pasid bind<br /> * incremented on each ppr notification start<br /> * decremented on each ppr notification done<br /> * decremented on pasid unbind<br /> <br /> Since refcount_dec assumes that refcount will never reach 0:<br /> the current implementation causes the following to be invoked on<br /> pasid unbind:<br /> REFCOUNT_WARN("decrement hit 0; leaking memory")<br /> <br /> Fix this issue by changing refcount_dec to refcount_dec_and_test<br /> to explicitly handle refcount=1.

*** Pendiente de traducción *** Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: allow ext4_get_group_info() to fail<br /> <br /> Previously, ext4_get_group_info() would treat an invalid group number<br /> as BUG(), since in theory it should never happen. However, if a<br /> malicious attaker (or fuzzer) modifies the superblock via the block<br /> device while it is the file system is mounted, it is possible for<br /> s_first_data_block to get set to a very large number. In that case,<br /> when calculating the block group of some block number (such as the<br /> starting block of a preallocation region), could result in an<br /> underflow and very large block group number. Then the BUG_ON check in<br /> ext4_get_group_info() would fire, resutling in a denial of service<br /> attack that can be triggered by root or someone with write access to<br /> the block device.<br /> <br /> For a quality of implementation perspective, it&amp;#39;s best that even if<br /> the system administrator does something that they shouldn&amp;#39;t, that it<br /> will not trigger a BUG. So instead of BUG&amp;#39;ing, ext4_get_group_info()<br /> will call ext4_error and return NULL. We also add fallback code in<br /> all of the callers of ext4_get_group_info() that it might NULL.<br /> <br /> Also, since ext4_get_group_info() was already borderline to be an<br /> inline function, un-inline it. The results in a next reduction of the<br /> compiled text size of ext4 by roughly 2k.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: fix disconnect vs accept race<br /> <br /> Despite commit 0ad529d9fd2b ("mptcp: fix possible divide by zero in<br /> recvmsg()"), the mptcp protocol is still prone to a race between<br /> disconnect() (or shutdown) and accept.<br /> <br /> The root cause is that the mentioned commit checks the msk-level<br /> flag, but mptcp_stream_accept() does acquire the msk-level lock,<br /> as it can rely directly on the first subflow lock.<br /> <br /> As reported by Christoph than can lead to a race where an msk<br /> socket is accepted after that mptcp_subflow_queue_clean() releases<br /> the listener socket lock and just before it takes destructive<br /> actions leading to the following splat:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000012<br /> PGD 5a4ca067 P4D 5a4ca067 PUD 37d4c067 PMD 0<br /> Oops: 0000 [#1] PREEMPT SMP<br /> CPU: 2 PID: 10955 Comm: syz-executor.5 Not tainted 6.5.0-rc1-gdc7b257ee5dd #37<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014<br /> RIP: 0010:mptcp_stream_accept+0x1ee/0x2f0 include/net/inet_sock.h:330<br /> Code: 0a 09 00 48 8b 1b 4c 39 e3 74 07 e8 bc 7c 7f fe eb a1 e8 b5 7c 7f fe 4c 8b 6c 24 08 eb 05 e8 a9 7c 7f fe 49 8b 85 d8 09 00 00 b6 40 12 88 44 24 07 0f b6 6c 24 07 bf 07 00 00 00 89 ee e8 89<br /> RSP: 0018:ffffc90000d07dc0 EFLAGS: 00010293<br /> RAX: 0000000000000000 RBX: ffff888037e8d020 RCX: ffff88803b093300<br /> RDX: 0000000000000000 RSI: ffffffff833822c5 RDI: ffffffff8333896a<br /> RBP: 0000607f82031520 R08: ffff88803b093300 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000003e83 R12: ffff888037e8d020<br /> R13: ffff888037e8c680 R14: ffff888009af7900 R15: ffff888009af6880<br /> FS: 00007fc26d708640(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000000000012 CR3: 0000000066bc5001 CR4: 0000000000370ee0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> do_accept+0x1ae/0x260 net/socket.c:1872<br /> __sys_accept4+0x9b/0x110 net/socket.c:1913<br /> __do_sys_accept4 net/socket.c:1954 [inline]<br /> __se_sys_accept4 net/socket.c:1951 [inline]<br /> __x64_sys_accept4+0x20/0x30 net/socket.c:1951<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x6e/0xd8<br /> <br /> Address the issue by temporary removing the pending request socket<br /> from the accept queue, so that racing accept() can&amp;#39;t touch them.<br /> <br /> After depleting the msk - the ssk still exists, as plain TCP sockets,<br /> re-insert them into the accept queue, so that later inet_csk_listen_stop()<br /> will complete the tcp socket disposal.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> start_kernel: Add __no_stack_protector function attribute<br /> <br /> Back during the discussion of<br /> commit a9a3ed1eff36 ("x86: Fix early boot crash on gcc-10, third try")<br /> we discussed the need for a function attribute to control the omission<br /> of stack protectors on a per-function basis; at the time Clang had<br /> support for no_stack_protector but GCC did not. This was fixed in<br /> gcc-11. Now that the function attribute is available, let&amp;#39;s start using<br /> it.<br /> <br /> Callers of boot_init_stack_canary need to use this function attribute<br /> unless they&amp;#39;re compiled with -fno-stack-protector, otherwise the canary<br /> stored in the stack slot of the caller will differ upon the call to<br /> boot_init_stack_canary. This will lead to a call to __stack_chk_fail()<br /> then panic.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: do not ignore genmask when looking up chain by id<br /> <br /> When adding a rule to a chain referring to its ID, if that chain had been<br /> deleted on the same batch, the rule might end up referring to a deleted<br /> chain.<br /> <br /> This will lead to a WARNING like following:<br /> <br /> [ 33.098431] ------------[ cut here ]------------<br /> [ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.099217] Modules linked in:<br /> [ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409<br /> [ 33.099726] Workqueue: events nf_tables_trans_destroy_work<br /> [ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7<br /> [ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202<br /> [ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000<br /> [ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000<br /> [ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000<br /> [ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500<br /> [ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10<br /> [ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000<br /> [ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0<br /> [ 33.104872] PKRU: 55555554<br /> [ 33.104999] Call Trace:<br /> [ 33.105113] <br /> [ 33.105214] ? show_regs+0x72/0x90<br /> [ 33.105371] ? __warn+0xa5/0x210<br /> [ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.105732] ? report_bug+0x1f2/0x200<br /> [ 33.105902] ? handle_bug+0x46/0x90<br /> [ 33.106546] ? exc_invalid_op+0x19/0x50<br /> [ 33.106762] ? asm_exc_invalid_op+0x1b/0x20<br /> [ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260<br /> [ 33.107249] ? nf_tables_chain_destroy+0x30/0x260<br /> [ 33.107506] nf_tables_trans_destroy_work+0x669/0x680<br /> [ 33.107782] ? mark_held_locks+0x28/0xa0<br /> [ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10<br /> [ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70<br /> [ 33.108538] process_one_work+0x68c/0xb70<br /> [ 33.108755] ? lock_acquire+0x17f/0x420<br /> [ 33.108977] ? __pfx_process_one_work+0x10/0x10<br /> [ 33.109218] ? do_raw_spin_lock+0x128/0x1d0<br /> [ 33.109435] ? _raw_spin_lock_irq+0x71/0x80<br /> [ 33.109634] worker_thread+0x2bd/0x700<br /> [ 33.109817] ? __pfx_worker_thread+0x10/0x10<br /> [ 33.110254] kthread+0x18b/0x1d0<br /> [ 33.110410] ? __pfx_kthread+0x10/0x10<br /> [ 33.110581] ret_from_fork+0x29/0x50<br /> [ 33.110757] <br /> [ 33.110866] irq event stamp: 1651<br /> [ 33.111017] hardirqs last enabled at (1659): [] __up_console_sem+0x79/0xa0<br /> [ 33.111379] hardirqs last disabled at (1666): [] __up_console_sem+0x5e/0xa0<br /> [ 33.111740] softirqs last enabled at (1616): [] __irq_exit_rcu+0x9e/0xe0<br /> [ 33.112094] softirqs last disabled at (1367): [] __irq_exit_rcu+0x9e/0xe0<br /> [ 33.112453] ---[ end trace 0000000000000000 ]---<br /> <br /> This is due to the nft_chain_lookup_byid ignoring the genmask. After this<br /> change, adding the new rule will fail as it will not find the chain.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> accel/qaic: tighten bounds checking in decode_message()<br /> <br /> Copy the bounds checking from encode_message() to decode_message().<br /> <br /> This patch addresses the following concerns. Ensure that there is<br /> enough space for at least one header so that we don&amp;#39;t have a negative<br /> size later.<br /> <br /> if (msg_hdr_len data.<br /> <br /> if (msg_len &gt; msg_hdr_len - sizeof(*trans_hdr))<br /> return -EINVAL;<br /> <br /> Check that the trans_hdr-&gt;len is not below the minimum size:<br /> <br /> if (hdr_len data, in_trans-&gt;data, len - sizeof(in_trans-&gt;hdr));<br /> <br /> And finally, use size_add() to prevent an integer overflow:<br /> <br /> if (size_add(msg_len, hdr_len) &gt; msg_hdr_len)

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: xts - Handle EBUSY correctly<br /> <br /> As it is xts only handles the special return value of EINPROGRESS,<br /> which means that in all other cases it will free data related to the<br /> request.<br /> <br /> However, as the caller of xts may specify MAY_BACKLOG, we also need<br /> to expect EBUSY and treat it in the same way. Otherwise backlogged<br /> requests will trigger a use-after-free.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()<br /> <br /> rules is allocated in ethtool_get_rxnfc and the size is determined by<br /> rule_cnt from user space. So rule_cnt needs to be check before using<br /> rules to avoid OOB writing or NULL pointer dereference.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/platform/uv: Use alternate source for socket to node data<br /> <br /> The UV code attempts to build a set of tables to allow it to do<br /> bidirectional socketnode lookups.<br /> <br /> But when nr_cpus is set to a smaller number than actually present, the<br /> cpu_to_node() mapping information for unused CPUs is not available to<br /> build_socket_tables(). This results in skipping some nodes or sockets<br /> when creating the tables and leaving some -1&amp;#39;s for later code to trip.<br /> over, causing oopses.<br /> <br /> The problem is that the socketnode lookups are created by doing a<br /> loop over all CPUs, then looking up the CPU&amp;#39;s APICID and socket. But<br /> if a CPU is not present, there is no way to start this lookup.<br /> <br /> Instead of looping over all CPUs, take CPUs out of the equation<br /> entirely. Loop over all APICIDs which are mapped to a valid NUMA node.<br /> Then just extract the socket-id from the APICID.<br /> <br /> This avoid tripping over disabled CPUs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()<br /> <br /> devm_kzalloc() may fail, clk_data-&gt;name might be NULL and will<br /> cause a NULL pointer dereference later.<br /> <br /> [ rjw: Subject and changelog edits ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib: cpu_rmap: Avoid use after free on rmap-&gt;obj array entries<br /> <br /> When calling irq_set_affinity_notifier() with NULL at the notify<br /> argument, it will cause freeing of the glue pointer in the<br /> corresponding array entry but will leave the pointer in the array. A<br /> subsequent call to free_irq_cpu_rmap() will try to free this entry again<br /> leading to possible use after free.<br /> <br /> Fix that by setting NULL to the array entry and checking that we have<br /> non-zero at the array entry when iterating over the array in<br /> free_irq_cpu_rmap().<br /> <br /> The current code does not suffer from this since there are no cases<br /> where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the<br /> notify arg) is called, followed by a call to free_irq_cpu_rmap() so we<br /> don&amp;#39;t hit and issue. Subsequent patches in this series excersize this<br /> flow, hence the required fix.