Instituto Nacional de Ciberseguridad. INCIBE section
Instituto Nacional de Ciberseguridad. INCIBE-CERT section

Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we provide interested users with a database containing information in Spanish on each of the latest documented and known vulnerabilities.

This repository, with more than 75,000 records, is based on information from the NVD (National Vulnerability Database) under a collaboration agreement by which INCIBE translates the included information into Spanish. At times this list will show vulnerabilities that have not yet been translated, because they are collected while the INCIBE team is still carrying out the translation process.

The CVE (Common Vulnerabilities and Exposures) vulnerability naming standard is used in order to ease the exchange of information between different databases and tools. Each listed vulnerability links to various information sources as well as to available patches or solutions provided by vendors and developers. Advanced searches are possible, with the option of selecting different criteria such as vulnerability type, vendor and impact type, among others, in order to narrow the results.

Through RSS subscription or newsletters, we can be informed daily of the latest vulnerabilities added to the repository.

CVE-2025-40300

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

x86/vmscape: Add conditional IBPB mitigation

VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.

Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.

This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace.

The intent is to integrate and optimize these cases post-embargo.

[ dhansen: elaborate on suboptimal IBPB solution ]
CVSS v3.1 severity: MEDIUM
Last modified: 12/05/2026

CVE-2025-39786

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

iio: adc: ad7173: fix channels index for syscalib_mode

Fix the index used to look up the channel when accessing the syscalib_mode attribute. The address field is a 0-based index (same as scan_index) that is used to access the channel in the ad7173_channels array throughout the driver. The channels field, on the other hand, may not match the address field depending on the channel configuration specified in the device tree and could result in an out-of-bounds access.
CVSS v3.1 severity: HIGH
Last modified: 25/11/2025

CVE-2025-39785

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

drm/hisilicon/hibmc: fix irq_request()'s irq name variable is local

The local variable is passed in request_irq(), and there will be a use-after-free problem, which will make request_irq fail. Use the global irq name instead of it to fix this.
CVSS v3.1 severity: MEDIUM
Last modified: 25/11/2025

CVE-2025-39784

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

PCI: Fix link speed calculation on retrain failure

When pcie_failed_link_retrain() fails to retrain, it tries to revert to the previous link speed. However it calculates that speed from the Link Control 2 register without masking out non-speed bits first.

PCIE_LNKCTL2_TLS2SPEED() converts such incorrect values to PCI_SPEED_UNKNOWN (0xff), which in turn causes a WARN splat in pcie_set_target_speed():

  pci 0000:00:01.1: [1022:14ed] type 01 class 0x060400 PCIe Root Port
  pci 0000:00:01.1: broken device, retraining non-functional downstream link at 2.5GT/s
  pci 0000:00:01.1: retraining failed
  WARNING: CPU: 1 PID: 1 at drivers/pci/pcie/bwctrl.c:168 pcie_set_target_speed
  RDX: 0000000000000001 RSI: 00000000000000ff RDI: ffff9acd82efa000
  pcie_failed_link_retrain
  pci_device_add
  pci_scan_single_device

Mask out the non-speed bits in PCIE_LNKCTL2_TLS2SPEED() and PCIE_LNKCAP_SLS2SPEED() so they don't incorrectly return PCI_SPEED_UNKNOWN.

[bhelgaas: commit log, add details from https://lore.kernel.org/r/1c92ef6bcb314ee6977839b46b393282e4f52e74.1750684771.git.lukas@wunner.de]
CVSS v3.1 severity: MEDIUM
Last modified: 25/11/2025

CVE-2025-39781

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

parisc: Drop WARN_ON_ONCE() from flush_cache_vmap

I have observed the warning to occasionally trigger.
CVSS v3.1 severity: MEDIUM
Last modified: 25/11/2025

CVE-2025-39782

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

jbd2: prevent softlockup in jbd2_log_do_checkpoint()

Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for j_list_lock, the combined time spent waiting and processing can be significant.

jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when need_resched() is true to avoid softlockups during prolonged operations. But jbd2_log_do_checkpoint() only exits its loop when need_resched() is true, relying on potentially sleeping functions like __flush_batch() or wait_on_buffer() to trigger rescheduling. If those functions do not sleep, the kernel may hit a softlockup.

  watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373]
  CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10
  Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017
  Workqueue: writeback wb_workfn (flush-7:2)
  pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : native_queued_spin_lock_slowpath+0x358/0x418
  lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
  Call trace:
  native_queued_spin_lock_slowpath+0x358/0x418
  jbd2_log_do_checkpoint+0x31c/0x438 [jbd2]
  __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2]
  add_transaction_credits+0x3bc/0x418 [jbd2]
  start_this_handle+0xf8/0x560 [jbd2]
  jbd2__journal_start+0x118/0x228 [jbd2]
  __ext4_journal_start_sb+0x110/0x188 [ext4]
  ext4_do_writepages+0x3dc/0x740 [ext4]
  ext4_writepages+0xa4/0x190 [ext4]
  do_writepages+0x94/0x228
  __writeback_single_inode+0x48/0x318
  writeback_sb_inodes+0x204/0x590
  __writeback_inodes_wb+0x54/0xf8
  wb_writeback+0x2cc/0x3d8
  wb_do_writeback+0x2e0/0x2f8
  wb_workfn+0x80/0x2a8
  process_one_work+0x178/0x3e8
  worker_thread+0x234/0x3b8
  kthread+0xf0/0x108
  ret_from_fork+0x10/0x20

So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid softlockup.
CVSS v3.1 severity: MEDIUM
Last modified: 12/05/2026

CVE-2025-39783

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

PCI: endpoint: Fix configfs group list head handling

Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this field is a list head, not a list entry. This list_del() call triggers a KASAN warning when an endpoint function driver which has a configfs attribute group is torn down:

  ==================================================================
  BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198
  Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319

  CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE
  Hardware name: Radxa ROCK 5B (DT)
  Call trace:
  show_stack+0x2c/0x84 (C)
  dump_stack_lvl+0x70/0x98
  print_report+0x17c/0x538
  kasan_report+0xb8/0x190
  __asan_report_store8_noabort+0x20/0x2c
  pci_epf_remove_cfs+0x17c/0x198
  pci_epf_unregister_driver+0x18/0x30
  nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf]
  __arm64_sys_delete_module+0x264/0x424
  invoke_syscall+0x70/0x260
  el0_svc_common.constprop.0+0xac/0x230
  do_el0_svc+0x40/0x58
  el0_svc+0x48/0xdc
  el0t_64_sync_handler+0x10c/0x138
  el0t_64_sync+0x198/0x19c
  ...

Remove this incorrect list_del() call from pci_epf_remove_cfs().
CVSS v3.1 severity: HIGH
Last modified: 12/05/2026

CVE-2025-39787

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: mdt_loader: Ensure we don't read past the ELF header

When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessarily the case for other clients.

Validate the size of the firmware buffer to ensure that we don't read past the end as we iterate over the header. e_phentsize and e_shentsize are validated as well, to ensure that the assumptions about step size in the traversal are valid.
CVSS v3.1 severity: MEDIUM
Last modified: 12/05/2026

CVE-2025-39780

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

sched/ext: Fix invalid task state transitions on class switch

When enabling a sched_ext scheduler, we may trigger invalid task state transitions, resulting in warnings like the following (which can be easily reproduced by running the hotplug selftest in a loop):

  sched_ext: Invalid task state transition 0 -> 3 for fish[770]
  WARNING: CPU: 18 PID: 787 at kernel/sched/ext.c:3862 scx_set_task_state+0x7c/0xc0
  ...
  RIP: 0010:scx_set_task_state+0x7c/0xc0
  ...
  Call Trace:
  scx_enable_task+0x11f/0x2e0
  switching_to_scx+0x24/0x110
  scx_enable.isra.0+0xd14/0x13d0
  bpf_struct_ops_link_create+0x136/0x1a0
  __sys_bpf+0x1edd/0x2c30
  __x64_sys_bpf+0x21/0x30
  do_syscall_64+0xbb/0x370
  entry_SYSCALL_64_after_hwframe+0x77/0x7f

This happens because we skip initialization for tasks that are already dead (with their usage counter set to zero), but we don't exclude them during the scheduling class transition phase.

Fix this by also skipping dead tasks during class switching, preventing invalid task state transitions.
CVSS v3.1 severity: MEDIUM
Last modified: 25/11/2025

CVE-2025-39779

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

btrfs: subpage: keep TOWRITE tag until folio is cleaned

btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag even if there are still dirty blocks in the folio. This can break ordering guarantees, such as those required by btrfs_wait_ordered_extents().

That ordering breakage leads to a real failure. For example, running generic/464 on a zoned setup will hit the following ASSERT. This happens because the broken ordering fails to flush existing dirty pages before the file size is truncated.

  assertion failed: !list_empty(&ordered->list) :: 0, in fs/btrfs/zoned.c:1899
  ------------[ cut here ]------------
  kernel BUG at fs/btrfs/zoned.c:1899!
  Oops: invalid opcode: 0000 [#1] SMP NOPTI
  CPU: 2 UID: 0 PID: 1906169 Comm: kworker/u130:2 Kdump: loaded Not tainted 6.16.0-rc6-BTRFS-ZNS+ #554 PREEMPT(voluntary)
  Hardware name: Supermicro Super Server/H12SSL-NT, BIOS 2.0 02/22/2021
  Workqueue: btrfs-endio-write btrfs_work_helper [btrfs]
  RIP: 0010:btrfs_finish_ordered_zoned.cold+0x50/0x52 [btrfs]
  RSP: 0018:ffffc9002efdbd60 EFLAGS: 00010246
  RAX: 000000000000004c RBX: ffff88811923c4e0 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: ffffffff827e38b1 RDI: 00000000ffffffff
  RBP: ffff88810005d000 R08: 00000000ffffdfff R09: ffffffff831051c8
  R10: ffffffff83055220 R11: 0000000000000000 R12: ffff8881c2458c00
  R13: ffff88811923c540 R14: ffff88811923c5e8 R15: ffff8881c1bd9680
  FS: 0000000000000000(0000) GS:ffff88a04acd0000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f907c7a918c CR3: 0000000004024000 CR4: 0000000000350ef0
  Call Trace:
  ? srso_return_thunk+0x5/0x5f
  btrfs_finish_ordered_io+0x4a/0x60 [btrfs]
  btrfs_work_helper+0xf9/0x490 [btrfs]
  process_one_work+0x204/0x590
  ? srso_return_thunk+0x5/0x5f
  worker_thread+0x1d6/0x3d0
  ? __pfx_worker_thread+0x10/0x10
  kthread+0x118/0x230
  ? __pfx_kthread+0x10/0x10
  ret_from_fork+0x205/0x260
  ? __pfx_kthread+0x10/0x10
  ret_from_fork_asm+0x1a/0x30

Consider process A calling writepages() with WB_SYNC_NONE. In zoned mode or for compressed writes, it locks several folios for delalloc and starts writing them out. Let's call the last locked folio folio X. Suppose the write range only partially covers folio X, leaving some pages dirty. Process A calls btrfs_subpage_set_writeback() when building a bio. This function call clears the TOWRITE tag of folio X, whose size = 8K and the block size = 4K. It is in the following state.

  0     4K    8K
  |/////|/////| (flag: DIRTY, tag: DIRTY)
  Process A will write this range.

Now suppose process B concurrently calls writepages() with WB_SYNC_ALL. It calls tag_pages_for_writeback() to tag dirty folios with PAGECACHE_TAG_TOWRITE. Since folio X is still dirty, it gets tagged. Then, B collects tagged folios using filemap_get_folios_tag() and must wait for folio X to be written before returning from writepages().

  0     4K    8K
  |/////|/////| (flag: DIRTY, tag: DIRTY|TOWRITE)

However, between tagging and collecting, process A may call btrfs_subpage_set_writeback() and clear folio X's TOWRITE tag.

  0     4K    8K
  |     |/////| (flag: DIRTY|WRITEBACK, tag: DIRTY)

As a result, process B won't see folio X in its batch, and returns without waiting for it. This breaks the WB_SYNC_ALL ordering requirement.

Fix this by using btrfs_subpage_set_writeback_keepwrite(), which retains the TOWRITE tag. We now manually clear the tag only after the folio becomes clean, via the xas operation.
CVSS v3.1 severity: MEDIUM
Last modified: 25/11/2025

CVE-2025-39777

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

crypto: acomp - Fix CFI failure due to type punning

To avoid a crash when control flow integrity is enabled, make the workspace ("stream") free function use a consistent type, and call it through a function pointer that has that same type.
CVSS v3.1 severity: MEDIUM
Last modified: 25/11/2025

CVE-2025-39775

Publication date: 11/09/2025
Language: English
*** Pending translation ***
In the Linux kernel, the following vulnerability has been resolved:

mm/mremap: fix WARN with uffd that has remap events disabled

Registering userfaultfd on a VMA that spans at least one PMD and then mremap()'ing that VMA can trigger a WARN when recovering from a failed page table move due to a page table allocation error.

The code ends up doing the right thing (recurse, avoiding moving actual page tables), but triggering that WARN is unpleasant:

  WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_normal_pmd mm/mremap.c:357 [inline]
  WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_pgt_entry mm/mremap.c:595 [inline]
  WARNING: CPU: 2 PID: 6133 at mm/mremap.c:357 move_page_tables+0x3832/0x44a0 mm/mremap.c:852
  Modules linked in:
  CPU: 2 UID: 0 PID: 6133 Comm: syz.0.19 Not tainted 6.17.0-rc1-syzkaller-00004-g53e760d89498 #0 PREEMPT(full)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
  RIP: 0010:move_normal_pmd mm/mremap.c:357 [inline]
  RIP: 0010:move_pgt_entry mm/mremap.c:595 [inline]
  RIP: 0010:move_page_tables+0x3832/0x44a0 mm/mremap.c:852
  Code: ...
  RSP: 0018:ffffc900037a76d8 EFLAGS: 00010293
  RAX: 0000000000000000 RBX: 0000000032930007 RCX: ffffffff820c6645
  RDX: ffff88802e56a440 RSI: ffffffff820c7201 RDI: 0000000000000007
  RBP: ffff888037728fc0 R08: 0000000000000007 R09: 0000000000000000
  R10: 0000000032930007 R11: 0000000000000000 R12: 0000000000000000
  R13: ffffc900037a79a8 R14: 0000000000000001 R15: dffffc0000000000
  FS: 000055556316a500(0000) GS:ffff8880d68bc000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000001b30863fff CR3: 0000000050171000 CR4: 0000000000352ef0
  Call Trace:
  copy_vma_and_data+0x468/0x790 mm/mremap.c:1215
  move_vma+0x548/0x1780 mm/mremap.c:1282
  mremap_to+0x1b7/0x450 mm/mremap.c:1406
  do_mremap+0xfad/0x1f80 mm/mremap.c:1921
  __do_sys_mremap+0x119/0x170 mm/mremap.c:1977
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7f00d0b8ebe9
  Code: ...
  RSP: 002b:00007ffe5ea5ee98 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
  RAX: ffffffffffffffda RBX: 00007f00d0db5fa0 RCX: 00007f00d0b8ebe9
  RDX: 0000000000400000 RSI: 0000000000c00000 RDI: 0000200000000000
  RBP: 00007ffe5ea5eef0 R08: 0000200000c00000 R09: 0000000000000000
  R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000002
  R13: 00007f00d0db5fa0 R14: 00007f00d0db5fa0 R15: 0000000000000005

The underlying issue is that we recurse during the original page table move, but not during the recovery move.

Fix it by checking for both VMAs and performing the check before the pmd_none() sanity check.

Add a new helper where we perform+document that check for the PMD and PUD level.

Thanks to Harry for bisecting.
CVSS v3.1 severity: MEDIUM
Last modified: 25/11/2025