Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fsdax: force clear dirty mark if CoW<br /> <br /> XFS allows CoW on non-shared extents to combat fragmentation[1]. The old<br /> non-shared extent could be mwrited before, its dax entry is marked dirty. <br /> <br /> This results in a WARNing:<br /> <br /> [ 28.512349] ------------[ cut here ]------------<br /> [ 28.512622] WARNING: CPU: 2 PID: 5255 at fs/dax.c:390 dax_insert_entry+0x342/0x390<br /> [ 28.513050] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace fscache netfs nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables<br /> [ 28.515462] CPU: 2 PID: 5255 Comm: fsstress Kdump: loaded Not tainted 6.3.0-rc1-00001-g85e1481e19c1-dirty #117<br /> [ 28.515902] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Arch Linux 1.16.1-1-1 04/01/2014<br /> [ 28.516307] RIP: 0010:dax_insert_entry+0x342/0x390<br /> [ 28.516536] Code: 30 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 8b 45 20 48 83 c0 01 e9 e2 fe ff ff 48 8b 45 20 48 83 c0 01 e9 cd fe ff ff 0b e9 53 ff ff ff 48 8b 7c 24 08 31 f6 e8 1b 61 a1 00 eb 8c 48<br /> [ 28.517417] RSP: 0000:ffffc9000845fb18 EFLAGS: 00010086<br /> [ 28.517721] RAX: 0000000000000053 RBX: 0000000000000155 RCX: 000000000018824b<br /> [ 28.518113] RDX: 0000000000000000 RSI: ffffffff827525a6 RDI: 00000000ffffffff<br /> [ 28.518515] RBP: ffffea00062092c0 R08: 0000000000000000 R09: ffffc9000845f9c8<br /> [ 28.518905] R10: 0000000000000003 R11: ffffffff82ddb7e8 R12: 0000000000000155<br /> [ 28.519301] R13: 0000000000000000 R14: 000000000018824b R15: ffff88810cfa76b8<br /> [ 28.519703] FS: 00007f14a0c94740(0000) GS:ffff88817bd00000(0000) knlGS:0000000000000000<br /> [ 28.520148] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 28.520472] CR2: 00007f14a0c8d000 CR3: 000000010321c004 CR4: 0000000000770ee0<br /> [ 28.520863] PKRU: 55555554<br /> [ 28.521043] Call Trace:<br /> [ 28.521219] <br /> [ 28.521368] dax_fault_iter+0x196/0x390<br /> [ 28.521595] dax_iomap_pte_fault+0x19b/0x3d0<br /> [ 28.521852] __xfs_filemap_fault+0x234/0x2b0<br /> [ 28.522116] __do_fault+0x30/0x130<br /> [ 28.522334] do_fault+0x193/0x340<br /> [ 28.522586] __handle_mm_fault+0x2d3/0x690<br /> [ 28.522975] handle_mm_fault+0xe6/0x2c0<br /> [ 28.523259] do_user_addr_fault+0x1bc/0x6f0<br /> [ 28.523521] exc_page_fault+0x60/0x140<br /> [ 28.523763] asm_exc_page_fault+0x22/0x30<br /> [ 28.524001] RIP: 0033:0x7f14a0b589ca<br /> [ 28.524225] Code: c5 fe 7f 07 c5 fe 7f 47 20 c5 fe 7f 47 40 c5 fe 7f 47 60 c5 f8 77 c3 66 0f 1f 84 00 00 00 00 00 40 0f b6 c6 48 89 d1 48 89 fa aa 48 89 d0 c5 f8 77 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90<br /> [ 28.525198] RSP: 002b:00007fff1dea1c98 EFLAGS: 00010202<br /> [ 28.525505] RAX: 000000000000001e RBX: 000000000014a000 RCX: 0000000000006046<br /> [ 28.525895] RDX: 00007f14a0c82000 RSI: 000000000000001e RDI: 00007f14a0c8d000<br /> [ 28.526290] RBP: 000000000000006f R08: 0000000000000004 R09: 000000000014a000<br /> [ 28.526681] R10: 0000000000000008 R11: 0000000000000246 R12: 028f5c28f5c28f5c<br /> [ 28.527067] R13: 8f5c28f5c28f5c29 R14: 0000000000011046 R15: 00007f14a0c946c0<br /> [ 28.527449] <br /> [ 28.527600] ---[ end trace 0000000000000000 ]---<br /> <br /> <br /> To be able to delete this entry, clear its dirty mark before<br /> invalidate_inode_pages2_range().<br /> <br /> [1] https://lore.kernel.org/linux-xfs/20230321151339.GA11376@frogsfrogsfrogs/

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails<br /> <br /> If getting an ID or setting up a work queue in rbd_dev_create() fails,<br /> use-after-free on rbd_dev-&gt;rbd_client, rbd_dev-&gt;spec and rbd_dev-&gt;opts<br /> is triggered in do_rbd_add(). The root cause is that the ownership of<br /> these structures is transfered to rbd_dev prematurely and they all end<br /> up getting freed when rbd_dev_create() calls rbd_dev_free() prior to<br /> returning to do_rbd_add().<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with SVACE, an<br /> incomplete patch submitted by Natalia Petrova .

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fec: Better handle pm_runtime_get() failing in .remove()<br /> <br /> In the (unlikely) event that pm_runtime_get() (disguised as<br /> pm_runtime_resume_and_get()) fails, the remove callback returned an<br /> error early. The problem with this is that the driver core ignores the<br /> error value and continues removing the device. This results in a<br /> resource leak. Worse the devm allocated resources are freed and so if a<br /> callback of the driver is called later the register mapping is already<br /> gone which probably results in a crash.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/radeon: Fix integer overflow in radeon_cs_parser_init<br /> <br /> The type of size is unsigned, if size is 0x40000000, there will be an<br /> integer overflow, size will be zero after size *= sizeof(uint32_t),<br /> will cause uninitialized memory to be referenced later

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> power: supply: axp288_fuel_gauge: Fix external_power_changed race<br /> <br /> fuel_gauge_external_power_changed() dereferences info-&gt;bat,<br /> which gets sets in axp288_fuel_gauge_probe() like this:<br /> <br /> info-&gt;bat = devm_power_supply_register(dev, &amp;fuel_gauge_desc, &amp;psy_cfg);<br /> <br /> As soon as devm_power_supply_register() has called device_add()<br /> the external_power_changed callback can get called. So there is a window<br /> where fuel_gauge_external_power_changed() may get called while<br /> info-&gt;bat has not been set yet leading to a NULL pointer dereference.<br /> <br /> Fixing this is easy. The external_power_changed callback gets passed<br /> the power_supply which will eventually get stored in info-&gt;bat,<br /> so fuel_gauge_external_power_changed() can simply directly use<br /> the passed in psy argument which is always valid.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput<br /> <br /> During unmount process of nilfs2, nothing holds nilfs_root structure after<br /> nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously,<br /> nilfs_evict_inode() could cause use-after-free read for nilfs_root if<br /> inodes are left in "garbage_list" and released by nilfs_dispose_list at<br /> the end of nilfs_detach_log_writer(), and this bug was fixed by commit<br /> 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root in<br /> nilfs_evict_inode()").<br /> <br /> However, it turned out that there is another possibility of UAF in the<br /> call path where mark_inode_dirty_sync() is called from iput():<br /> <br /> nilfs_detach_log_writer()<br /> nilfs_dispose_list()<br /> iput()<br /> mark_inode_dirty_sync()<br /> __mark_inode_dirty()<br /> nilfs_dirty_inode()<br /> __nilfs_mark_inode_dirty()<br /> nilfs_load_inode_block() --&gt; causes UAF of nilfs_root struct<br /> <br /> This can happen after commit 0ae45f63d4ef ("vfs: add support for a<br /> lazytime mount option"), which changed iput() to call<br /> mark_inode_dirty_sync() on its final reference if i_state has I_DIRTY_TIME<br /> flag and i_nlink is non-zero.<br /> <br /> This issue appears after commit 28a65b49eb53 ("nilfs2: do not write dirty<br /> data after degenerating to read-only") when using the syzbot reproducer,<br /> but the issue has potentially existed before.<br /> <br /> Fix this issue by adding a "purging flag" to the nilfs structure, setting<br /> that flag while disposing the "garbage_list" and checking it in<br /> __nilfs_mark_inode_dirty().<br /> <br /> Unlike commit 9b5a04ac3ad9 ("nilfs2: fix use-after-free bug of nilfs_root<br /> in nilfs_evict_inode()"), this patch does not rely on ns_writer to<br /> determine whether to skip operations, so as not to break recovery on<br /> mount. The nilfs_salvage_orphan_logs routine dirties the buffer of<br /> salvaged data before attaching the log writer, so changing<br /> __nilfs_mark_inode_dirty() to skip the operation when ns_writer is NULL<br /> will cause recovery write to fail. The purpose of using the cleanup-only<br /> flag is to allow for narrowing of such conditions.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hns: fix possible memory leak in hnae_ae_register()<br /> <br /> Inject fault while probing module, if device_register() fails,<br /> but the refcount of kobject is not decreased to 0, the name<br /> allocated in dev_set_name() is leaked. Fix this by calling<br /> put_device(), so that name can be freed in callback function<br /> kobject_cleanup().<br /> <br /> unreferenced object 0xffff00c01aba2100 (size 128):<br /> comm "systemd-udevd", pid 1259, jiffies 4294903284 (age 294.152s)<br /> hex dump (first 32 bytes):<br /> 68 6e 61 65 30 00 00 00 18 21 ba 1a c0 00 ff ff hnae0....!......<br /> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br /> backtrace:<br /> [] slab_post_alloc_hook+0xa0/0x3e0<br /> [] __kmem_cache_alloc_node+0x164/0x2b0<br /> [] __kmalloc_node_track_caller+0x6c/0x390<br /> [] kvasprintf+0x8c/0x118<br /> [] kvasprintf_const+0x60/0xc8<br /> [] kobject_set_name_vargs+0x3c/0xc0<br /> [] dev_set_name+0x7c/0xa0<br /> [] hnae_ae_register+0xcc/0x190 [hnae]<br /> [] hns_dsaf_ae_init+0x9c/0x108 [hns_dsaf]<br /> [] hns_dsaf_probe+0x548/0x748 [hns_dsaf]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nft_set_rbtree: fix overlap expiration walk<br /> <br /> The lazy gc on insert that should remove timed-out entries fails to release<br /> the other half of the interval, if any.<br /> <br /> Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0<br /> in nftables.git and kmemleak enabled kernel.<br /> <br /> Second bug is the use of rbe_prev vs. prev pointer.<br /> If rbe_prev() returns NULL after at least one iteration, rbe_prev points<br /> to element that is not an end interval, hence it should not be removed.<br /> <br /> Lastly, check the genmask of the end interval if this is active in the<br /> current generation.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix null-ptr-deref in ext4_write_info<br /> <br /> I caught a null-ptr-deref bug as follows:<br /> ==================================================================<br /> KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]<br /> CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339<br /> RIP: 0010:ext4_write_info+0x53/0x1b0<br /> [...]<br /> Call Trace:<br /> dquot_writeback_dquots+0x341/0x9a0<br /> ext4_sync_fs+0x19e/0x800<br /> __sync_filesystem+0x83/0x100<br /> sync_filesystem+0x89/0xf0<br /> generic_shutdown_super+0x79/0x3e0<br /> kill_block_super+0xa1/0x110<br /> deactivate_locked_super+0xac/0x130<br /> deactivate_super+0xb6/0xd0<br /> cleanup_mnt+0x289/0x400<br /> __cleanup_mnt+0x16/0x20<br /> task_work_run+0x11c/0x1c0<br /> exit_to_user_mode_prepare+0x203/0x210<br /> syscall_exit_to_user_mode+0x5b/0x3a0<br /> do_syscall_64+0x59/0x70<br /> entry_SYSCALL_64_after_hwframe+0x44/0xa9<br /> ==================================================================<br /> <br /> Above issue may happen as follows:<br /> -------------------------------------<br /> exit_to_user_mode_prepare<br /> task_work_run<br /> __cleanup_mnt<br /> cleanup_mnt<br /> deactivate_super<br /> deactivate_locked_super<br /> kill_block_super<br /> generic_shutdown_super<br /> shrink_dcache_for_umount<br /> dentry = sb-&gt;s_root<br /> sb-&gt;s_root = NULL s_op-&gt;sync_fs &gt; ext4_sync_fs<br /> dquot_writeback_dquots<br /> sb-&gt;dq_op-&gt;write_info &gt; ext4_write_info<br /> ext4_journal_start(d_inode(sb-&gt;s_root), EXT4_HT_QUOTA, 2)<br /> d_inode(sb-&gt;s_root)<br /> s_root-&gt;d_inode

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> NFSD: Protect against send buffer overflow in NFSv3 READ<br /> <br /> Since before the git era, NFSD has conserved the number of pages<br /> held by each nfsd thread by combining the RPC receive and send<br /> buffers into a single array of pages. This works because there are<br /> no cases where an operation needs a large RPC Call message and a<br /> large RPC Reply at the same time.<br /> <br /> Once an RPC Call has been received, svc_process() updates<br /> svc_rqst::rq_res to describe the part of rq_pages that can be<br /> used for constructing the Reply. This means that the send buffer<br /> (rq_res) shrinks when the received RPC record containing the RPC<br /> Call is large.<br /> <br /> A client can force this shrinkage on TCP by sending a correctly-<br /> formed RPC Call header contained in an RPC record that is<br /> excessively large. The full maximum payload size cannot be<br /> constructed in that case.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: init quota for &amp;#39;old.inode&amp;#39; in &amp;#39;ext4_rename&amp;#39;<br /> <br /> Syzbot found the following issue:<br /> ext4_parse_param: s_want_extra_isize=128<br /> ext4_inode_info_init: s_want_extra_isize=32<br /> ext4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828<br /> __ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128<br /> __ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128<br /> ext4_xattr_block_set: inode=ffff88823869a2c8<br /> ------------[ cut here ]------------<br /> WARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980<br /> Modules linked in:<br /> RIP: 0010:ext4_xattr_block_set.cold+0x22/0x980<br /> RSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202<br /> RAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000<br /> RDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178<br /> RBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e<br /> R10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000<br /> R13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000<br /> FS: 00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? ext4_xattr_set_entry+0x3b7/0x2320<br /> ? ext4_xattr_block_set+0x0/0x2020<br /> ? ext4_xattr_set_entry+0x0/0x2320<br /> ? ext4_xattr_check_entries+0x77/0x310<br /> ? ext4_xattr_ibody_set+0x23b/0x340<br /> ext4_xattr_move_to_block+0x594/0x720<br /> ext4_expand_extra_isize_ea+0x59a/0x10f0<br /> __ext4_expand_extra_isize+0x278/0x3f0<br /> __ext4_mark_inode_dirty.cold+0x347/0x410<br /> ext4_rename+0xed3/0x174f<br /> vfs_rename+0x13a7/0x2510<br /> do_renameat2+0x55d/0x920<br /> __x64_sys_rename+0x7d/0xb0<br /> do_syscall_64+0x3b/0xa0<br /> entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> As &amp;#39;ext4_rename&amp;#39; will modify &amp;#39;old.inode&amp;#39; ctime and mark inode dirty,<br /> which may trigger expand &amp;#39;extra_isize&amp;#39; and allocate block. If inode<br /> didn&amp;#39;t init quota will lead to warning. To solve above issue, init<br /> &amp;#39;old.inode&amp;#39; firstly in &amp;#39;ext4_rename&amp;#39;.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()<br /> <br /> mmc_add_host() may return error, if we ignore its return value, the memory<br /> that allocated in mmc_alloc_host() will be leaked and it will lead a kernel<br /> crash because of deleting not added device in the remove path.<br /> <br /> So fix this by checking the return value and calling mmc_free_host() in the<br /> error path, besides, led_classdev_unregister() and pm_runtime_disable() also<br /> need be called.