Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: tuner: xc5000: Fix use-after-free in xc5000_release<br /> <br /> The original code uses cancel_delayed_work() in xc5000_release(), which<br /> does not guarantee that the delayed work item timer_sleep has fully<br /> completed if it was already running. This leads to use-after-free scenarios<br /> where xc5000_release() may free the xc5000_priv while timer_sleep is still<br /> active and attempts to dereference the xc5000_priv.<br /> <br /> A typical race condition is illustrated below:<br /> <br /> CPU 0 (release thread) | CPU 1 (delayed work callback)<br /> xc5000_release() | xc5000_do_timer_sleep()<br /> cancel_delayed_work() |<br /> hybrid_tuner_release_state(priv) |<br /> kfree(priv) |<br /> | priv = container_of() // UAF<br /> <br /> Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure<br /> that the timer_sleep is properly canceled before the xc5000_priv memory<br /> is deallocated.<br /> <br /> A deadlock concern was considered: xc5000_release() is called in a process<br /> context and is not holding any locks that the timer_sleep work item might<br /> also need. Therefore, the use of the _sync() variant is safe here.<br /> <br /> This bug was initially identified through static analysis.<br /> <br /> [hverkuil: fix typo in Subject: tunner -&gt; tuner]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe<br /> <br /> The state-&gt;timer is a cyclic timer that schedules work_i2c_poll and<br /> delayed_work_enable_hotplug, while rearming itself. Using timer_delete()<br /> fails to guarantee the timer isn&amp;#39;t still running when destroyed, similarly<br /> cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has<br /> terminated if already executing. During probe failure after timer<br /> initialization, these may continue running as orphans and reference the<br /> already-freed tc358743_state object through tc358743_irq_poll_timer.<br /> <br /> The following is the trace captured by KASAN.<br /> <br /> BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0<br /> Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0<br /> ...<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x55/0x70<br /> print_report+0xcf/0x610<br /> ? __pfx_sched_balance_find_src_group+0x10/0x10<br /> ? __run_timer_base.part.0+0x7d7/0x8c0<br /> kasan_report+0xb8/0xf0<br /> ? __run_timer_base.part.0+0x7d7/0x8c0<br /> __run_timer_base.part.0+0x7d7/0x8c0<br /> ? rcu_sched_clock_irq+0xb06/0x27d0<br /> ? __pfx___run_timer_base.part.0+0x10/0x10<br /> ? try_to_wake_up+0xb15/0x1960<br /> ? tmigr_update_events+0x280/0x740<br /> ? _raw_spin_lock_irq+0x80/0xe0<br /> ? __pfx__raw_spin_lock_irq+0x10/0x10<br /> tmigr_handle_remote_up+0x603/0x7e0<br /> ? __pfx_tmigr_handle_remote_up+0x10/0x10<br /> ? sched_balance_trigger+0x98/0x9f0<br /> ? sched_tick+0x221/0x5a0<br /> ? _raw_spin_lock_irq+0x80/0xe0<br /> ? __pfx__raw_spin_lock_irq+0x10/0x10<br /> ? tick_nohz_handler+0x339/0x440<br /> ? __pfx_tmigr_handle_remote_up+0x10/0x10<br /> __walk_groups.isra.0+0x42/0x150<br /> tmigr_handle_remote+0x1f4/0x2e0<br /> ? __pfx_tmigr_handle_remote+0x10/0x10<br /> ? ktime_get+0x60/0x140<br /> ? lapic_next_event+0x11/0x20<br /> ? clockevents_program_event+0x1d4/0x2a0<br /> ? hrtimer_interrupt+0x322/0x780<br /> handle_softirqs+0x16a/0x550<br /> irq_exit_rcu+0xaf/0xe0<br /> sysvec_apic_timer_interrupt+0x70/0x80<br /> <br /> ...<br /> <br /> Allocated by task 141:<br /> kasan_save_stack+0x24/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0x7f/0x90<br /> __kmalloc_node_track_caller_noprof+0x198/0x430<br /> devm_kmalloc+0x7b/0x1e0<br /> tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880<br /> really_probe+0x1ca/0x5c0<br /> __driver_probe_device+0x248/0x310<br /> driver_probe_device+0x44/0x120<br /> __device_attach_driver+0x174/0x220<br /> bus_for_each_drv+0x100/0x190<br /> __device_attach+0x206/0x370<br /> bus_probe_device+0x123/0x170<br /> device_add+0xd25/0x1470<br /> i2c_new_client_device+0x7a0/0xcd0<br /> do_one_initcall+0x89/0x300<br /> do_init_module+0x29d/0x7f0<br /> load_module+0x4f48/0x69e0<br /> init_module_from_file+0xe4/0x150<br /> idempotent_init_module+0x320/0x670<br /> __x64_sys_finit_module+0xbd/0x120<br /> do_syscall_64+0xac/0x280<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 141:<br /> kasan_save_stack+0x24/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3a/0x60<br /> __kasan_slab_free+0x3f/0x50<br /> kfree+0x137/0x370<br /> release_nodes+0xa4/0x100<br /> devres_release_group+0x1b2/0x380<br /> i2c_device_probe+0x694/0x880<br /> really_probe+0x1ca/0x5c0<br /> __driver_probe_device+0x248/0x310<br /> driver_probe_device+0x44/0x120<br /> __device_attach_driver+0x174/0x220<br /> bus_for_each_drv+0x100/0x190<br /> __device_attach+0x206/0x370<br /> bus_probe_device+0x123/0x170<br /> device_add+0xd25/0x1470<br /> i2c_new_client_device+0x7a0/0xcd0<br /> do_one_initcall+0x89/0x300<br /> do_init_module+0x29d/0x7f0<br /> load_module+0x4f48/0x69e0<br /> init_module_from_file+0xe4/0x150<br /> idempotent_init_module+0x320/0x670<br /> __x64_sys_finit_module+0xbd/0x120<br /> do_syscall_64+0xac/0x280<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> Replace timer_delete() with timer_delete_sync() and cancel_delayed_work()<br /> with cancel_delayed_work_sync() to ensure proper termination of timer and<br /> work items before resource cleanup.<br /> <br /> This bug was initially identified through static analysis. For reproduction<br /> and testing, I created a functional emulation of the tc358743 device via a<br /> kernel module and introduced faults through the debugfs interface.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove<br /> <br /> The original code uses cancel_delayed_work() in flexcop_pci_remove(), which<br /> does not guarantee that the delayed work item irq_check_work has fully<br /> completed if it was already running. This leads to use-after-free scenarios<br /> where flexcop_pci_remove() may free the flexcop_device while irq_check_work<br /> is still active and attempts to dereference the device.<br /> <br /> A typical race condition is illustrated below:<br /> <br /> CPU 0 (remove) | CPU 1 (delayed work callback)<br /> flexcop_pci_remove() | flexcop_pci_irq_check_work()<br /> cancel_delayed_work() |<br /> flexcop_device_kfree(fc_pci-&gt;fc_dev) |<br /> | fc = fc_pci-&gt;fc_dev; // UAF<br /> <br /> This is confirmed by a KASAN report:<br /> <br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0<br /> Write of size 8 at addr ffff8880093aa8c8 by task bash/135<br /> ...<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x55/0x70<br /> print_report+0xcf/0x610<br /> ? __run_timer_base.part.0+0x7d7/0x8c0<br /> kasan_report+0xb8/0xf0<br /> ? __run_timer_base.part.0+0x7d7/0x8c0<br /> __run_timer_base.part.0+0x7d7/0x8c0<br /> ? __pfx___run_timer_base.part.0+0x10/0x10<br /> ? __pfx_read_tsc+0x10/0x10<br /> ? ktime_get+0x60/0x140<br /> ? lapic_next_event+0x11/0x20<br /> ? clockevents_program_event+0x1d4/0x2a0<br /> run_timer_softirq+0xd1/0x190<br /> handle_softirqs+0x16a/0x550<br /> irq_exit_rcu+0xaf/0xe0<br /> sysvec_apic_timer_interrupt+0x70/0x80<br /> <br /> ...<br /> <br /> Allocated by task 1:<br /> kasan_save_stack+0x24/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0x7f/0x90<br /> __kmalloc_noprof+0x1be/0x460<br /> flexcop_device_kmalloc+0x54/0xe0<br /> flexcop_pci_probe+0x1f/0x9d0<br /> local_pci_probe+0xdc/0x190<br /> pci_device_probe+0x2fe/0x470<br /> really_probe+0x1ca/0x5c0<br /> __driver_probe_device+0x248/0x310<br /> driver_probe_device+0x44/0x120<br /> __driver_attach+0xd2/0x310<br /> bus_for_each_dev+0xed/0x170<br /> bus_add_driver+0x208/0x500<br /> driver_register+0x132/0x460<br /> do_one_initcall+0x89/0x300<br /> kernel_init_freeable+0x40d/0x720<br /> kernel_init+0x1a/0x150<br /> ret_from_fork+0x10c/0x1a0<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> Freed by task 135:<br /> kasan_save_stack+0x24/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3a/0x60<br /> __kasan_slab_free+0x3f/0x50<br /> kfree+0x137/0x370<br /> flexcop_device_kfree+0x32/0x50<br /> pci_device_remove+0xa6/0x1d0<br /> device_release_driver_internal+0xf8/0x210<br /> pci_stop_bus_device+0x105/0x150<br /> pci_stop_and_remove_bus_device_locked+0x15/0x30<br /> remove_store+0xcc/0xe0<br /> kernfs_fop_write_iter+0x2c3/0x440<br /> vfs_write+0x871/0xd70<br /> ksys_write+0xee/0x1c0<br /> do_syscall_64+0xac/0x280<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> ...<br /> <br /> Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure<br /> that the delayed work item is properly canceled and any executing delayed<br /> work has finished before the device memory is deallocated.<br /> <br /> This bug was initially identified through static analysis. To reproduce<br /> and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced<br /> artificial delays within the flexcop_pci_irq_check_work() function to<br /> increase the likelihood of triggering the bug.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free<br /> <br /> The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at<br /> removal") patched a UAF issue caused by the error timer.<br /> <br /> However, because the error timer kill added in this patch occurs after the<br /> endpoint delete, a race condition to UAF still occurs, albeit rarely.<br /> <br /> Additionally, since kill-cleanup for urb is also missing, freed memory can<br /> be accessed in interrupt context related to urb, which can cause UAF.<br /> <br /> Therefore, to prevent this, error timer and urb must be killed before<br /> freeing the heap memory.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: Fix possible UAFs<br /> <br /> This attemps to fix possible UAFs caused by struct mgmt_pending being<br /> freed while still being processed like in the following trace, in order<br /> to fix mgmt_pending_valid is introduce and use to check if the<br /> mgmt_pending hasn&amp;#39;t been removed from the pending list, on the complete<br /> callbacks it is used to check and in addtion remove the cmd from the list<br /> while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd<br /> is left on the list it can still be accessed and freed.<br /> <br /> BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223<br /> Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55<br /> <br /> CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xca/0x240 mm/kasan/report.c:482<br /> kasan_report+0x118/0x150 mm/kasan/report.c:595<br /> mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223<br /> hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332<br /> process_one_work kernel/workqueue.c:3238 [inline]<br /> process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321<br /> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402<br /> kthread+0x711/0x8a0 kernel/kthread.c:464<br /> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245<br /> <br /> <br /> Allocated by task 12210:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364<br /> kmalloc_noprof include/linux/slab.h:905 [inline]<br /> kzalloc_noprof include/linux/slab.h:1039 [inline]<br /> mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269<br /> mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296<br /> __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247<br /> add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364<br /> hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719<br /> hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839<br /> sock_sendmsg_nosec net/socket.c:714 [inline]<br /> __sock_sendmsg+0x219/0x270 net/socket.c:729<br /> sock_write_iter+0x258/0x330 net/socket.c:1133<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x5c9/0xb30 fs/read_write.c:686<br /> ksys_write+0x145/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 12221:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2381 [inline]<br /> slab_free mm/slub.c:4648 [inline]<br /> kfree+0x18e/0x440 mm/slub.c:4847<br /> mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]<br /> mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257<br /> __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444<br /> hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290<br /> hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]<br /> hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526<br /> sock_do_ioctl+0xd9/0x300 net/socket.c:1192<br /> sock_ioctl+0x576/0x790 net/socket.c:1313<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:907 [inline]<br /> __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xf<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync<br /> <br /> This fixes the following UFA in hci_acl_create_conn_sync where a<br /> connection still pending is command submission (conn-&gt;state == BT_OPEN)<br /> maybe freed, also since this also can happen with the likes of<br /> hci_le_create_conn_sync fix it as well:<br /> <br /> BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861<br /> Write of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541<br /> <br /> CPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014<br /> Workqueue: hci3 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xca/0x230 mm/kasan/report.c:480<br /> kasan_report+0x118/0x150 mm/kasan/report.c:593<br /> hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861<br /> hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332<br /> process_one_work kernel/workqueue.c:3238 [inline]<br /> process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321<br /> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402<br /> kthread+0x70e/0x8a0 kernel/kthread.c:464<br /> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245<br /> <br /> <br /> Allocated by task 123736:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359<br /> kmalloc_noprof include/linux/slab.h:905 [inline]<br /> kzalloc_noprof include/linux/slab.h:1039 [inline]<br /> __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939<br /> hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline]<br /> hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634<br /> pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556<br /> hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719<br /> hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839<br /> sock_sendmsg_nosec net/socket.c:712 [inline]<br /> __sock_sendmsg+0x219/0x270 net/socket.c:727<br /> sock_write_iter+0x258/0x330 net/socket.c:1131<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x54b/0xa90 fs/read_write.c:686<br /> ksys_write+0x145/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 103680:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2381 [inline]<br /> slab_free mm/slub.c:4643 [inline]<br /> kfree+0x18e/0x440 mm/slub.c:4842<br /> device_release+0x9c/0x1c0<br /> kobject_cleanup lib/kobject.c:689 [inline]<br /> kobject_release lib/kobject.c:720 [inline]<br /> kref_put include/linux/kref.h:65 [inline]<br /> kobject_put+0x22b/0x480 lib/kobject.c:737<br /> hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]<br /> hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173<br /> hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199<br /> hci_event_func net/bluetooth/hci_event.c:7477 [inline]<br /> hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531<br /> hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070<br /> process_one_work kernel/workqueue.c:3238 [inline]<br /> process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321<br /> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402<br /> kthread+0x70e/0x8a0 kernel/kthread.c:464<br /> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue<br /> <br /> This fixes the following UAF caused by not properly locking hdev when<br /> processing HCI_EV_NUM_COMP_PKTS:<br /> <br /> BUG: KASAN: slab-use-after-free in hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036<br /> Read of size 4 at addr ffff8880740f0940 by task kworker/u11:0/54<br /> <br /> CPU: 1 UID: 0 PID: 54 Comm: kworker/u11:0 Not tainted 6.16.0-rc7 #3 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014<br /> Workqueue: hci1 hci_rx_work<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xca/0x230 mm/kasan/report.c:480<br /> kasan_report+0x118/0x150 mm/kasan/report.c:593<br /> hci_conn_tx_dequeue+0x1be/0x220 net/bluetooth/hci_conn.c:3036<br /> hci_num_comp_pkts_evt+0x1c8/0xa50 net/bluetooth/hci_event.c:4404<br /> hci_event_func net/bluetooth/hci_event.c:7477 [inline]<br /> hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531<br /> hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070<br /> process_one_work kernel/workqueue.c:3238 [inline]<br /> process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321<br /> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402<br /> kthread+0x70e/0x8a0 kernel/kthread.c:464<br /> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245<br /> <br /> <br /> Allocated by task 54:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359<br /> kmalloc_noprof include/linux/slab.h:905 [inline]<br /> kzalloc_noprof include/linux/slab.h:1039 [inline]<br /> __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939<br /> le_conn_complete_evt+0x3d6/0x1220 net/bluetooth/hci_event.c:5628<br /> hci_le_enh_conn_complete_evt+0x189/0x470 net/bluetooth/hci_event.c:5794<br /> hci_event_func net/bluetooth/hci_event.c:7474 [inline]<br /> hci_event_packet+0x78c/0x1200 net/bluetooth/hci_event.c:7531<br /> hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070<br /> process_one_work kernel/workqueue.c:3238 [inline]<br /> process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321<br /> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402<br /> kthread+0x70e/0x8a0 kernel/kthread.c:464<br /> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245<br /> <br /> Freed by task 9572:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2381 [inline]<br /> slab_free mm/slub.c:4643 [inline]<br /> kfree+0x18e/0x440 mm/slub.c:4842<br /> device_release+0x9c/0x1c0<br /> kobject_cleanup lib/kobject.c:689 [inline]<br /> kobject_release lib/kobject.c:720 [inline]<br /> kref_put include/linux/kref.h:65 [inline]<br /> kobject_put+0x22b/0x480 lib/kobject.c:737<br /> hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline]<br /> hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173<br /> hci_abort_conn_sync+0x5d1/0xdf0 net/bluetooth/hci_sync.c:5689<br /> hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332<br /> process_one_work kernel/workqueue.c:3238 [inline]<br /> process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321<br /> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402<br /> kthread+0x70e/0x8a0 kernel/kthread.c:464<br /> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: tun: Update napi-&gt;skb after XDP process<br /> <br /> The syzbot report a UAF issue:<br /> <br /> BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]<br /> BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]<br /> BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0x1030 net/core/gro.c:758<br /> Read of size 8 at addr ffff88802ef22c18 by task syz.0.17/6079<br /> CPU: 0 UID: 0 PID: 6079 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xca/0x240 mm/kasan/report.c:482<br /> kasan_report+0x118/0x150 mm/kasan/report.c:595<br /> skb_reset_mac_header include/linux/skbuff.h:3150 [inline]<br /> napi_frags_skb net/core/gro.c:723 [inline]<br /> napi_gro_frags+0x6e/0x1030 net/core/gro.c:758<br /> tun_get_user+0x28cb/0x3e20 drivers/net/tun.c:1920<br /> tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x5c9/0xb30 fs/read_write.c:686<br /> ksys_write+0x145/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> Allocated by task 6079:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> unpoison_slab_object mm/kasan/common.c:330 [inline]<br /> __kasan_mempool_unpoison_object+0xa0/0x170 mm/kasan/common.c:558<br /> kasan_mempool_unpoison_object include/linux/kasan.h:388 [inline]<br /> napi_skb_cache_get+0x37b/0x6d0 net/core/skbuff.c:295<br /> __alloc_skb+0x11e/0x2d0 net/core/skbuff.c:657<br /> napi_alloc_skb+0x84/0x7d0 net/core/skbuff.c:811<br /> napi_get_frags+0x69/0x140 net/core/gro.c:673<br /> tun_napi_alloc_frags drivers/net/tun.c:1404 [inline]<br /> tun_get_user+0x77c/0x3e20 drivers/net/tun.c:1784<br /> tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x5c9/0xb30 fs/read_write.c:686<br /> ksys_write+0x145/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 6079:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576<br /> poison_slab_object mm/kasan/common.c:243 [inline]<br /> __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2422 [inline]<br /> slab_free mm/slub.c:4695 [inline]<br /> kmem_cache_free+0x18f/0x400 mm/slub.c:4797<br /> skb_pp_cow_data+0xdd8/0x13e0 net/core/skbuff.c:969<br /> netif_skb_check_for_xdp net/core/dev.c:5390 [inline]<br /> netif_receive_generic_xdp net/core/dev.c:5431 [inline]<br /> do_xdp_generic+0x699/0x11a0 net/core/dev.c:5499<br /> tun_get_user+0x2523/0x3e20 drivers/net/tun.c:1872<br /> tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1996<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x5c9/0xb30 fs/read_write.c:686<br /> ksys_write+0x145/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> After commit e6d5dbdd20aa ("xdp: add multi-buff support for xdp running in<br /> generic mode"), the original skb may be freed in skb_pp_cow_data() when<br /> XDP program was attached, which was allocated in tun_napi_alloc_frags().<br /> However, the napi-&gt;skb still point to the original skb, update it after<br /> XDP process.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow<br /> <br /> Sending an PF_PACKET allows to bypass the CAN framework logic and to<br /> directly reach the xmit() function of a CAN driver. The only check<br /> which is performed by the PF_PACKET framework is to make sure that<br /> skb-&gt;len fits the interface&amp;#39;s MTU.<br /> <br /> Unfortunately, because the mcba_usb driver does not populate its<br /> net_device_ops-&gt;ndo_change_mtu(), it is possible for an attacker to<br /> configure an invalid MTU by doing, for example:<br /> <br /> $ ip link set can0 mtu 9999<br /> <br /> After doing so, the attacker could open a PF_PACKET socket using the<br /> ETH_P_CANXL protocol:<br /> <br /> socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))<br /> <br /> to inject a malicious CAN XL frames. For example:<br /> <br /> struct canxl_frame frame = {<br /> .flags = 0xff,<br /> .len = 2048,<br /> };<br /> <br /> The CAN drivers&amp;#39; xmit() function are calling can_dev_dropped_skb() to<br /> check that the skb is valid, unfortunately under above conditions, the<br /> malicious packet is able to go through can_dev_dropped_skb() checks:<br /> <br /> 1. the skb-&gt;protocol is set to ETH_P_CANXL which is valid (the<br /> function does not check the actual device capabilities).<br /> <br /> 2. the length is a valid CAN XL length.<br /> <br /> And so, mcba_usb_start_xmit() receives a CAN XL frame which it is not<br /> able to correctly handle and will thus misinterpret it as a CAN frame.<br /> <br /> This can result in a buffer overflow. The driver will consume cf-&gt;len<br /> as-is with no further checks on these lines:<br /> <br /> usb_msg.dlc = cf-&gt;len;<br /> <br /> memcpy(usb_msg.data, cf-&gt;data, usb_msg.dlc);<br /> <br /> Here, cf-&gt;len corresponds to the flags field of the CAN XL frame. In<br /> our previous example, we set canxl_frame-&gt;flags to 0xff. Because the<br /> maximum expected length is 8, a buffer overflow of 247 bytes occurs!<br /> <br /> Populate net_device_ops-&gt;ndo_change_mtu() to ensure that the<br /> interface&amp;#39;s MTU can not be set to anything bigger than CAN_MTU. By<br /> fixing the root cause, this prevents the buffer overflow.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow<br /> <br /> Sending an PF_PACKET allows to bypass the CAN framework logic and to<br /> directly reach the xmit() function of a CAN driver. The only check<br /> which is performed by the PF_PACKET framework is to make sure that<br /> skb-&gt;len fits the interface&amp;#39;s MTU.<br /> <br /> Unfortunately, because the sun4i_can driver does not populate its<br /> net_device_ops-&gt;ndo_change_mtu(), it is possible for an attacker to<br /> configure an invalid MTU by doing, for example:<br /> <br /> $ ip link set can0 mtu 9999<br /> <br /> After doing so, the attacker could open a PF_PACKET socket using the<br /> ETH_P_CANXL protocol:<br /> <br /> socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))<br /> <br /> to inject a malicious CAN XL frames. For example:<br /> <br /> struct canxl_frame frame = {<br /> .flags = 0xff,<br /> .len = 2048,<br /> };<br /> <br /> The CAN drivers&amp;#39; xmit() function are calling can_dev_dropped_skb() to<br /> check that the skb is valid, unfortunately under above conditions, the<br /> malicious packet is able to go through can_dev_dropped_skb() checks:<br /> <br /> 1. the skb-&gt;protocol is set to ETH_P_CANXL which is valid (the<br /> function does not check the actual device capabilities).<br /> <br /> 2. the length is a valid CAN XL length.<br /> <br /> And so, sun4ican_start_xmit() receives a CAN XL frame which it is not<br /> able to correctly handle and will thus misinterpret it as a CAN frame.<br /> <br /> This can result in a buffer overflow. The driver will consume cf-&gt;len<br /> as-is with no further checks on this line:<br /> <br /> dlc = cf-&gt;len;<br /> <br /> Here, cf-&gt;len corresponds to the flags field of the CAN XL frame. In<br /> our previous example, we set canxl_frame-&gt;flags to 0xff. Because the<br /> maximum expected length is 8, a buffer overflow of 247 bytes occurs a<br /> couple line below when doing:<br /> <br /> for (i = 0; i data[i], priv-&gt;base + (dreg + i * 4));<br /> <br /> Populate net_device_ops-&gt;ndo_change_mtu() to ensure that the<br /> interface&amp;#39;s MTU can not be set to anything bigger than CAN_MTU. By<br /> fixing the root cause, this prevents the buffer overflow.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: hi311x: populate ndo_change_mtu() to prevent buffer overflow<br /> <br /> Sending an PF_PACKET allows to bypass the CAN framework logic and to<br /> directly reach the xmit() function of a CAN driver. The only check<br /> which is performed by the PF_PACKET framework is to make sure that<br /> skb-&gt;len fits the interface&amp;#39;s MTU.<br /> <br /> Unfortunately, because the sun4i_can driver does not populate its<br /> net_device_ops-&gt;ndo_change_mtu(), it is possible for an attacker to<br /> configure an invalid MTU by doing, for example:<br /> <br /> $ ip link set can0 mtu 9999<br /> <br /> After doing so, the attacker could open a PF_PACKET socket using the<br /> ETH_P_CANXL protocol:<br /> <br /> socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))<br /> <br /> to inject a malicious CAN XL frames. For example:<br /> <br /> struct canxl_frame frame = {<br /> .flags = 0xff,<br /> .len = 2048,<br /> };<br /> <br /> The CAN drivers&amp;#39; xmit() function are calling can_dev_dropped_skb() to<br /> check that the skb is valid, unfortunately under above conditions, the<br /> malicious packet is able to go through can_dev_dropped_skb() checks:<br /> <br /> 1. the skb-&gt;protocol is set to ETH_P_CANXL which is valid (the<br /> function does not check the actual device capabilities).<br /> <br /> 2. the length is a valid CAN XL length.<br /> <br /> And so, hi3110_hard_start_xmit() receives a CAN XL frame which it is<br /> not able to correctly handle and will thus misinterpret it as a CAN<br /> frame. The driver will consume frame-&gt;len as-is with no further<br /> checks.<br /> <br /> This can result in a buffer overflow later on in hi3110_hw_tx() on<br /> this line:<br /> <br /> memcpy(buf + HI3110_FIFO_EXT_DATA_OFF,<br /> frame-&gt;data, frame-&gt;len);<br /> <br /> Here, frame-&gt;len corresponds to the flags field of the CAN XL frame.<br /> In our previous example, we set canxl_frame-&gt;flags to 0xff. Because<br /> the maximum expected length is 8, a buffer overflow of 247 bytes<br /> occurs!<br /> <br /> Populate net_device_ops-&gt;ndo_change_mtu() to ensure that the<br /> interface&amp;#39;s MTU can not be set to anything bigger than CAN_MTU. By<br /> fixing the root cause, this prevents the buffer overflow.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow<br /> <br /> Sending an PF_PACKET allows to bypass the CAN framework logic and to<br /> directly reach the xmit() function of a CAN driver. The only check<br /> which is performed by the PF_PACKET framework is to make sure that<br /> skb-&gt;len fits the interface&amp;#39;s MTU.<br /> <br /> Unfortunately, because the etas_es58x driver does not populate its<br /> net_device_ops-&gt;ndo_change_mtu(), it is possible for an attacker to<br /> configure an invalid MTU by doing, for example:<br /> <br /> $ ip link set can0 mtu 9999<br /> <br /> After doing so, the attacker could open a PF_PACKET socket using the<br /> ETH_P_CANXL protocol:<br /> <br /> socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));<br /> <br /> to inject a malicious CAN XL frames. For example:<br /> <br /> struct canxl_frame frame = {<br /> .flags = 0xff,<br /> .len = 2048,<br /> };<br /> <br /> The CAN drivers&amp;#39; xmit() function are calling can_dev_dropped_skb() to<br /> check that the skb is valid, unfortunately under above conditions, the<br /> malicious packet is able to go through can_dev_dropped_skb() checks:<br /> <br /> 1. the skb-&gt;protocol is set to ETH_P_CANXL which is valid (the<br /> function does not check the actual device capabilities).<br /> <br /> 2. the length is a valid CAN XL length.<br /> <br /> And so, es58x_start_xmit() receives a CAN XL frame which it is not<br /> able to correctly handle and will thus misinterpret it as a CAN(FD)<br /> frame.<br /> <br /> This can result in a buffer overflow. For example, using the es581.4<br /> variant, the frame will be dispatched to es581_4_tx_can_msg(), go<br /> through the last check at the beginning of this function:<br /> <br /> if (can_is_canfd_skb(skb))<br /> return -EMSGSIZE;<br /> <br /> and reach this line:<br /> <br /> memcpy(tx_can_msg-&gt;data, cf-&gt;data, cf-&gt;len);<br /> <br /> Here, cf-&gt;len corresponds to the flags field of the CAN XL frame. In<br /> our previous example, we set canxl_frame-&gt;flags to 0xff. Because the<br /> maximum expected length is 8, a buffer overflow of 247 bytes occurs!<br /> <br /> Populate net_device_ops-&gt;ndo_change_mtu() to ensure that the<br /> interface&amp;#39;s MTU can not be set to anything bigger than CAN_MTU or<br /> CANFD_MTU (depending on the device capabilities). By fixing the root<br /> cause, this prevents the buffer overflow.