Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: xts - Handle EBUSY correctly<br /> <br /> As it is xts only handles the special return value of EINPROGRESS,<br /> which means that in all other cases it will free data related to the<br /> request.<br /> <br /> However, as the caller of xts may specify MAY_BACKLOG, we also need<br /> to expect EBUSY and treat it in the same way. Otherwise backlogged<br /> requests will trigger a use-after-free.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()<br /> <br /> rules is allocated in ethtool_get_rxnfc and the size is determined by<br /> rule_cnt from user space. So rule_cnt needs to be check before using<br /> rules to avoid OOB writing or NULL pointer dereference.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/platform/uv: Use alternate source for socket to node data<br /> <br /> The UV code attempts to build a set of tables to allow it to do<br /> bidirectional socketnode lookups.<br /> <br /> But when nr_cpus is set to a smaller number than actually present, the<br /> cpu_to_node() mapping information for unused CPUs is not available to<br /> build_socket_tables(). This results in skipping some nodes or sockets<br /> when creating the tables and leaving some -1&amp;#39;s for later code to trip.<br /> over, causing oopses.<br /> <br /> The problem is that the socketnode lookups are created by doing a<br /> loop over all CPUs, then looking up the CPU&amp;#39;s APICID and socket. But<br /> if a CPU is not present, there is no way to start this lookup.<br /> <br /> Instead of looping over all CPUs, take CPUs out of the equation<br /> entirely. Loop over all APICIDs which are mapped to a valid NUMA node.<br /> Then just extract the socket-id from the APICID.<br /> <br /> This avoid tripping over disabled CPUs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> start_kernel: Add __no_stack_protector function attribute<br /> <br /> Back during the discussion of<br /> commit a9a3ed1eff36 ("x86: Fix early boot crash on gcc-10, third try")<br /> we discussed the need for a function attribute to control the omission<br /> of stack protectors on a per-function basis; at the time Clang had<br /> support for no_stack_protector but GCC did not. This was fixed in<br /> gcc-11. Now that the function attribute is available, let&amp;#39;s start using<br /> it.<br /> <br /> Callers of boot_init_stack_canary need to use this function attribute<br /> unless they&amp;#39;re compiled with -fno-stack-protector, otherwise the canary<br /> stored in the stack slot of the caller will differ upon the call to<br /> boot_init_stack_canary. This will lead to a call to __stack_chk_fail()<br /> then panic.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> powerpc/rtas_flash: allow user copy to flash block cache objects<br /> <br /> With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the<br /> /proc/powerpc/rtas/firmware_update interface to prepare a system<br /> firmware update yields a BUG():<br /> <br /> kernel BUG at mm/usercopy.c:102!<br /> Oops: Exception in kernel mode, sig: 5 [#1]<br /> LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries<br /> Modules linked in:<br /> CPU: 0 PID: 2232 Comm: dd Not tainted 6.5.0-rc3+ #2<br /> Hardware name: IBM,8408-E8E POWER8E (raw) 0x4b0201 0xf000004 of:IBM,FW860.50 (SV860_146) hv:phyp pSeries<br /> NIP: c0000000005991d0 LR: c0000000005991cc CTR: 0000000000000000<br /> REGS: c0000000148c76a0 TRAP: 0700 Not tainted (6.5.0-rc3+)<br /> MSR: 8000000000029033 CR: 24002242 XER: 0000000c<br /> CFAR: c0000000001fbd34 IRQMASK: 0<br /> [ ... GPRs omitted ... ]<br /> NIP usercopy_abort+0xa0/0xb0<br /> LR usercopy_abort+0x9c/0xb0<br /> Call Trace:<br /> usercopy_abort+0x9c/0xb0 (unreliable)<br /> __check_heap_object+0x1b4/0x1d0<br /> __check_object_size+0x2d0/0x380<br /> rtas_flash_write+0xe4/0x250<br /> proc_reg_write+0xfc/0x160<br /> vfs_write+0xfc/0x4e0<br /> ksys_write+0x90/0x160<br /> system_call_exception+0x178/0x320<br /> system_call_common+0x160/0x2c4<br /> <br /> The blocks of the firmware image are copied directly from user memory<br /> to objects allocated from flash_block_cache, so flash_block_cache must<br /> be created using kmem_cache_create_usercopy() to mark it safe for user<br /> access.<br /> <br /> [mpe: Trim and indent oops]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Enhance the attribute size check<br /> <br /> This combines the overflow and boundary check so that all attribute size<br /> will be properly examined while enumerating them.<br /> <br /> [ 169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570<br /> [ 169.183161] Read of size 1 at addr ffff8880094b6240 by task mount/247<br /> [ 169.184046]<br /> [ 169.184925] CPU: 0 PID: 247 Comm: mount Not tainted 6.0.0-rc7+ #3<br /> [ 169.185908] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014<br /> [ 169.187066] Call Trace:<br /> [ 169.187492] <br /> [ 169.188049] dump_stack_lvl+0x49/0x63<br /> [ 169.188495] print_report.cold+0xf5/0x689<br /> [ 169.188964] ? run_unpack+0x2e3/0x570<br /> [ 169.189331] kasan_report+0xa7/0x130<br /> [ 169.189714] ? run_unpack+0x2e3/0x570<br /> [ 169.190079] __asan_load1+0x51/0x60<br /> [ 169.190634] run_unpack+0x2e3/0x570<br /> [ 169.191290] ? run_pack+0x840/0x840<br /> [ 169.191569] ? run_lookup_entry+0xb3/0x1f0<br /> [ 169.192443] ? mi_enum_attr+0x20a/0x230<br /> [ 169.192886] run_unpack_ex+0xad/0x3e0<br /> [ 169.193276] ? run_unpack+0x570/0x570<br /> [ 169.193557] ? ni_load_mi+0x80/0x80<br /> [ 169.193889] ? debug_smp_processor_id+0x17/0x20<br /> [ 169.194236] ? mi_init+0x4a/0x70<br /> [ 169.194496] attr_load_runs_vcn+0x166/0x1c0<br /> [ 169.194851] ? attr_data_write_resident+0x250/0x250<br /> [ 169.195188] mi_read+0x133/0x2c0<br /> [ 169.195481] ntfs_iget5+0x277/0x1780<br /> [ 169.196017] ? call_rcu+0x1c7/0x330<br /> [ 169.196392] ? ntfs_get_block_bmap+0x70/0x70<br /> [ 169.196708] ? evict+0x223/0x280<br /> [ 169.197014] ? __kmalloc+0x33/0x540<br /> [ 169.197305] ? wnd_init+0x15b/0x1b0<br /> [ 169.197599] ntfs_fill_super+0x1026/0x1ba0<br /> [ 169.197994] ? put_ntfs+0x1d0/0x1d0<br /> [ 169.198299] ? vsprintf+0x20/0x20<br /> [ 169.198583] ? mutex_unlock+0x81/0xd0<br /> [ 169.198930] ? set_blocksize+0x95/0x150<br /> [ 169.199269] get_tree_bdev+0x232/0x370<br /> [ 169.199750] ? put_ntfs+0x1d0/0x1d0<br /> [ 169.200094] ntfs_fs_get_tree+0x15/0x20<br /> [ 169.200431] vfs_get_tree+0x4c/0x130<br /> [ 169.200714] path_mount+0x654/0xfe0<br /> [ 169.201067] ? putname+0x80/0xa0<br /> [ 169.201358] ? finish_automount+0x2e0/0x2e0<br /> [ 169.201965] ? putname+0x80/0xa0<br /> [ 169.202445] ? kmem_cache_free+0x1c4/0x440<br /> [ 169.203075] ? putname+0x80/0xa0<br /> [ 169.203414] do_mount+0xd6/0xf0<br /> [ 169.203719] ? path_mount+0xfe0/0xfe0<br /> [ 169.203977] ? __kasan_check_write+0x14/0x20<br /> [ 169.204382] __x64_sys_mount+0xca/0x110<br /> [ 169.204711] do_syscall_64+0x3b/0x90<br /> [ 169.205059] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [ 169.205571] RIP: 0033:0x7f67a80e948a<br /> [ 169.206327] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008<br /> [ 169.208296] RSP: 002b:00007ffddf020f58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5<br /> [ 169.209253] RAX: ffffffffffffffda RBX: 000055e2547a6060 RCX: 00007f67a80e948a<br /> [ 169.209777] RDX: 000055e2547a6260 RSI: 000055e2547a62e0 RDI: 000055e2547aeaf0<br /> [ 169.210342] RBP: 0000000000000000 R08: 000055e2547a6280 R09: 0000000000000020<br /> [ 169.210843] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055e2547aeaf0<br /> [ 169.211307] R13: 000055e2547a6260 R14: 0000000000000000 R15: 00000000ffffffff<br /> [ 169.211913] <br /> [ 169.212304]<br /> [ 169.212680] Allocated by task 0:<br /> [ 169.212963] (stack is not available)<br /> [ 169.213200]<br /> [ 169.213472] The buggy address belongs to the object at ffff8880094b5e00<br /> [ 169.213472] which belongs to the cache UDP of size 1152<br /> [ 169.214095] The buggy address is located 1088 bytes inside of<br /> [ 169.214095] 1152-byte region [ffff8880094b5e00, ffff8880094b6280)<br /> [ 169.214639]<br /> [ 169.215004] The buggy address belongs to the physical page:<br /> [ 169.215766] page:000000002e324c8c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94b4<br /> [ 169.218412] head:000000002e324c8c order:2 compound_mapcount:0 compound_pincount:0<br /> [ 169.219078] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)<br /> [ 169.220272] raw: 000fffffc0010200<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> lib: cpu_rmap: Avoid use after free on rmap-&gt;obj array entries<br /> <br /> When calling irq_set_affinity_notifier() with NULL at the notify<br /> argument, it will cause freeing of the glue pointer in the<br /> corresponding array entry but will leave the pointer in the array. A<br /> subsequent call to free_irq_cpu_rmap() will try to free this entry again<br /> leading to possible use after free.<br /> <br /> Fix that by setting NULL to the array entry and checking that we have<br /> non-zero at the array entry when iterating over the array in<br /> free_irq_cpu_rmap().<br /> <br /> The current code does not suffer from this since there are no cases<br /> where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the<br /> notify arg) is called, followed by a call to free_irq_cpu_rmap() so we<br /> don&amp;#39;t hit and issue. Subsequent patches in this series excersize this<br /> flow, hence the required fix.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.<br /> <br /> syzkaller reported [0] memory leaks of an UDP socket and ZEROCOPY<br /> skbs. We can reproduce the problem with these sequences:<br /> <br /> sk = socket(AF_INET, SOCK_DGRAM, 0)<br /> sk.setsockopt(SOL_SOCKET, SO_TIMESTAMPING, SOF_TIMESTAMPING_TX_SOFTWARE)<br /> sk.setsockopt(SOL_SOCKET, SO_ZEROCOPY, 1)<br /> sk.sendto(b&amp;#39;&amp;#39;, MSG_ZEROCOPY, (&amp;#39;127.0.0.1&amp;#39;, 53))<br /> sk.close()<br /> <br /> sendmsg() calls msg_zerocopy_alloc(), which allocates a skb, sets<br /> skb-&gt;cb-&gt;ubuf.refcnt to 1, and calls sock_hold(). Here, struct<br /> ubuf_info_msgzc indirectly holds a refcnt of the socket. When the<br /> skb is sent, __skb_tstamp_tx() clones it and puts the clone into<br /> the socket&amp;#39;s error queue with the TX timestamp.<br /> <br /> When the original skb is received locally, skb_copy_ubufs() calls<br /> skb_unclone(), and pskb_expand_head() increments skb-&gt;cb-&gt;ubuf.refcnt.<br /> This additional count is decremented while freeing the skb, but struct<br /> ubuf_info_msgzc still has a refcnt, so __msg_zerocopy_callback() is<br /> not called.<br /> <br /> The last refcnt is not released unless we retrieve the TX timestamped<br /> skb by recvmsg(). Since we clear the error queue in inet_sock_destruct()<br /> after the socket&amp;#39;s refcnt reaches 0, there is a circular dependency.<br /> If we close() the socket holding such skbs, we never call sock_put()<br /> and leak the count, sk, and skb.<br /> <br /> TCP has the same problem, and commit e0c8bccd40fc ("net: stream:<br /> purge sk_error_queue in sk_stream_kill_queues()") tried to fix it<br /> by calling skb_queue_purge() during close(). However, there is a<br /> small chance that skb queued in a qdisc or device could be put<br /> into the error queue after the skb_queue_purge() call.<br /> <br /> In __skb_tstamp_tx(), the cloned skb should not have a reference<br /> to the ubuf to remove the circular dependency, but skb_clone() does<br /> not call skb_copy_ubufs() for zerocopy skb. So, we need to call<br /> skb_orphan_frags_rx() for the cloned skb to call skb_copy_ubufs().<br /> <br /> [0]:<br /> BUG: memory leak<br /> unreferenced object 0xffff88800c6d2d00 (size 1152):<br /> comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 00 00 00 00 cd af e8 81 00 00 00 00 ................<br /> 02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............<br /> backtrace:<br /> [] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024<br /> [] sk_alloc+0x3b/0x800 net/core/sock.c:2083<br /> [] inet_create net/ipv4/af_inet.c:319 [inline]<br /> [] inet_create+0x31e/0xe40 net/ipv4/af_inet.c:245<br /> [] __sock_create+0x2ab/0x550 net/socket.c:1515<br /> [] sock_create net/socket.c:1566 [inline]<br /> [] __sys_socket_create net/socket.c:1603 [inline]<br /> [] __sys_socket_create net/socket.c:1588 [inline]<br /> [] __sys_socket+0x138/0x250 net/socket.c:1636<br /> [] __do_sys_socket net/socket.c:1649 [inline]<br /> [] __se_sys_socket net/socket.c:1647 [inline]<br /> [] __x64_sys_socket+0x73/0xb0 net/socket.c:1647<br /> [] do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> [] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80<br /> [] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> BUG: memory leak<br /> unreferenced object 0xffff888017633a00 (size 240):<br /> comm "syz-executor392", pid 264, jiffies 4294785440 (age 13.044s)<br /> hex dump (first 32 bytes):<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> 00 00 00 00 00 00 00 00 00 2d 6d 0c 80 88 ff ff .........-m.....<br /> backtrace:<br /> [] __alloc_skb+0x229/0x320 net/core/skbuff.c:497<br /> [] alloc_skb include/linux/skbuff.h:1265 [inline]<br /> [] sock_omalloc+0xaa/0x190 net/core/sock.c:2596<br /> [] msg_zerocopy_alloc net/core/skbuff.c:1294 [inline]<br /> []<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> IB/hfi1: Fix possible panic during hotplug remove<br /> <br /> During hotplug remove it is possible that the update counters work<br /> might be pending, and may run after memory has been freed.<br /> Cancel the update counters work before freeing memory.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev<br /> <br /> Syzkaller reported the following issue:<br /> <br /> UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6<br /> index -84 is out of range for type &amp;#39;s8[341]&amp;#39; (aka &amp;#39;signed char[341]&amp;#39;)<br /> CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106<br /> ubsan_epilogue lib/ubsan.c:217 [inline]<br /> __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348<br /> dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965<br /> dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809<br /> dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350<br /> dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874<br /> dtSplitUp fs/jfs/jfs_dtree.c:974 [inline]<br /> dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863<br /> jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137<br /> lookup_open fs/namei.c:3492 [inline]<br /> open_last_lookups fs/namei.c:3560 [inline]<br /> path_openat+0x13df/0x3170 fs/namei.c:3788<br /> do_filp_open+0x234/0x490 fs/namei.c:3818<br /> do_sys_openat2+0x13f/0x500 fs/open.c:1356<br /> do_sys_open fs/open.c:1372 [inline]<br /> __do_sys_openat fs/open.c:1388 [inline]<br /> __se_sys_openat fs/open.c:1383 [inline]<br /> __x64_sys_openat+0x247/0x290 fs/open.c:1383<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f1f4e33f7e9<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9<br /> RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c<br /> RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110<br /> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000<br /> <br /> <br /> The bug occurs when the dbAllocDmapLev()function attempts to access<br /> dp-&gt;tree.stree[leafidx + LEAFIND] while the leafidx value is negative.<br /> <br /> To rectify this, the patch introduces a safeguard within the<br /> dbAllocDmapLev() function. A check has been added to verify if leafidx is<br /> negative. If it is, the function immediately returns an I/O error, preventing<br /> any further execution that could potentially cause harm.<br /> <br /> Tested via syzbot.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()<br /> <br /> devm_kzalloc() may fail, clk_data-&gt;name might be NULL and will<br /> cause a NULL pointer dereference later.<br /> <br /> [ rjw: Subject and changelog edits ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu: Fix error unwind in iommu_group_alloc()<br /> <br /> If either iommu_group_grate_file() fails then the<br /> iommu_group is leaked.<br /> <br /> Destroy it on these error paths.<br /> <br /> Found by kselftest/iommu/iommufd_fail_nth