Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix issue in verifying allow_ptr_leaks<br /> <br /> After we converted the capabilities of our networking-bpf program from<br /> cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program<br /> failed to start. Because it failed the bpf verifier, and the error log<br /> is "R3 pointer comparison prohibited".<br /> <br /> A simple reproducer as follows,<br /> <br /> SEC("cls-ingress")<br /> int ingress(struct __sk_buff *skb)<br /> {<br /> struct iphdr *iph = (void *)(long)skb-&gt;data + sizeof(struct ethhdr);<br /> <br /> if ((long)(iph + 1) &gt; (long)skb-&gt;data_end)<br /> return TC_ACT_STOLEN;<br /> return TC_ACT_OK;<br /> }<br /> <br /> Per discussion with Yonghong and Alexei [1], comparison of two packet<br /> pointers is not a pointer leak. This patch fixes it.<br /> <br /> Our local kernel is 6.1.y and we expect this fix to be backported to<br /> 6.1.y, so stable is CCed.<br /> <br /> [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix to check readonly condition correctly<br /> <br /> With below case, it can mount multi-device image w/ rw option, however<br /> one of secondary device is set as ro, later update will cause panic, so<br /> let&amp;#39;s introduce f2fs_dev_is_readonly(), and check multi-devices rw status<br /> in f2fs_remount() w/ it in order to avoid such inconsistent mount status.<br /> <br /> mkfs.f2fs -c /dev/zram1 /dev/zram0 -f<br /> blockdev --setro /dev/zram1<br /> mount -t f2fs dev/zram0 /mnt/f2fs<br /> mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only.<br /> mount -t f2fs -o remount,rw mnt/f2fs<br /> dd if=/dev/zero of=/mnt/f2fs/file bs=1M count=8192<br /> <br /> kernel BUG at fs/f2fs/inline.c:258!<br /> RIP: 0010:f2fs_write_inline_data+0x23e/0x2d0 [f2fs]<br /> Call Trace:<br /> f2fs_write_single_data_page+0x26b/0x9f0 [f2fs]<br /> f2fs_write_cache_pages+0x389/0xa60 [f2fs]<br /> __f2fs_write_data_pages+0x26b/0x2d0 [f2fs]<br /> f2fs_write_data_pages+0x2e/0x40 [f2fs]<br /> do_writepages+0xd3/0x1b0<br /> __writeback_single_inode+0x5b/0x420<br /> writeback_sb_inodes+0x236/0x5a0<br /> __writeback_inodes_wb+0x56/0xf0<br /> wb_writeback+0x2a3/0x490<br /> wb_do_writeback+0x2b2/0x330<br /> wb_workfn+0x6a/0x260<br /> process_one_work+0x270/0x5e0<br /> worker_thread+0x52/0x3e0<br /> kthread+0xf4/0x120<br /> ret_from_fork+0x29/0x50

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()<br /> <br /> If fwnode_graph_get_remote_endpoint() fails, &amp;#39;fwnode&amp;#39; is known to be NULL,<br /> so fwnode_handle_put() is a no-op.<br /> <br /> Release the reference taken from a previous fwnode_graph_get_port_parent()<br /> call instead.<br /> <br /> Also handle fwnode_graph_get_port_parent() failures.<br /> <br /> In order to fix these issues, add an error handling path to the function<br /> and the needed gotos.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: target: iscsit: Free cmds before session free<br /> <br /> Commands from recovery entries are freed after session has been closed.<br /> That leads to use-after-free at command free or NPE with such call trace:<br /> <br /> Time2Retain timer expired for SID: 1, cleaning up iSCSI session.<br /> BUG: kernel NULL pointer dereference, address: 0000000000000140<br /> RIP: 0010:sbitmap_queue_clear+0x3a/0xa0<br /> Call Trace:<br /> target_release_cmd_kref+0xd1/0x1f0 [target_core_mod]<br /> transport_generic_free_cmd+0xd1/0x180 [target_core_mod]<br /> iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod]<br /> iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod]<br /> iscsit_close_session+0x13a/0x140 [iscsi_target_mod]<br /> iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod]<br /> call_timer_fn+0x24/0x140<br /> <br /> Move cleanup of recovery enrties to before session freeing.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: remove BUG_ON()&amp;#39;s in add_new_free_space()<br /> <br /> At add_new_free_space() we have these BUG_ON()&amp;#39;s that are there to deal<br /> with any failure to add free space to the in memory free space cache.<br /> Such failures are mostly -ENOMEM that should be very rare. However there&amp;#39;s<br /> no need to have these BUG_ON()&amp;#39;s, we can just return any error to the<br /> caller and all callers and their upper call chain are already dealing with<br /> errors.<br /> <br /> So just make add_new_free_space() return any errors, while removing the<br /> BUG_ON()&amp;#39;s, and returning the total amount of added free space to an<br /> optional u64 pointer argument.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: altmodes/displayport: fix pin_assignment_show<br /> <br /> This patch fixes negative indexing of buf array in pin_assignment_show<br /> when get_current_pin_assignments returns 0 i.e. no compatible pin<br /> assignments are found.<br /> <br /> BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c<br /> ...<br /> Call trace:<br /> dump_backtrace+0x110/0x204<br /> dump_stack_lvl+0x84/0xbc<br /> print_report+0x358/0x974<br /> kasan_report+0x9c/0xfc<br /> __do_kernel_fault+0xd4/0x2d4<br /> do_bad_area+0x48/0x168<br /> do_tag_check_fault+0x24/0x38<br /> do_mem_abort+0x6c/0x14c<br /> el1_abort+0x44/0x68<br /> el1h_64_sync_handler+0x64/0xa4<br /> el1h_64_sync+0x78/0x7c<br /> pin_assignment_show+0x26c/0x33c<br /> dev_attr_show+0x50/0xc0

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: fix potential corruption when moving a directory<br /> <br /> F2FS has the same issue in ext4_rename causing crash revealed by<br /> xfstests/generic/707.<br /> <br /> See also commit 0813299c586b ("ext4: Fix possible corruption when moving a directory")

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> dmaengine: apple-admac: Fix &amp;#39;current_tx&amp;#39; not getting freed<br /> <br /> In terminate_all we should queue up all submitted descriptors to be<br /> freed. We do that for the content of the &amp;#39;issued&amp;#39; and &amp;#39;submitted&amp;#39; lists,<br /> but the &amp;#39;current_tx&amp;#39; descriptor falls through the cracks as it&amp;#39;s<br /> removed from the &amp;#39;issued&amp;#39; list once it gets assigned to be the current<br /> descriptor. Explicitly queue up freeing of the &amp;#39;current_tx&amp;#39; descriptor<br /> to address a memory leak that is otherwise present.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> pstore/ram: Add check for kstrdup<br /> <br /> Add check for the return value of kstrdup() and return the error<br /> if it fails in order to avoid NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> leds: led-core: Fix refcount leak in of_led_get()<br /> <br /> class_find_device_by_of_node() calls class_find_device(), it will take<br /> the reference, use the put_device() to drop the reference when not need<br /> anymore.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction<br /> <br /> On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs<br /> with ConfigVersion 9.3 or later support IBT in the guest. However,<br /> current versions of Hyper-V have a bug in that there&amp;#39;s not an ENDBR64<br /> instruction at the beginning of the hypercall page. Since hypercalls are<br /> made with an indirect call to the hypercall page, all hypercall attempts<br /> fail with an exception and Linux panics.<br /> <br /> A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux<br /> panic by clearing X86_FEATURE_IBT if the hypercall page doesn&amp;#39;t start<br /> with ENDBR. The VM will boot and run without IBT.<br /> <br /> If future Linux 32-bit kernels were to support IBT, additional hypercall<br /> page hackery would be needed to make IBT work for such kernels in a<br /> Hyper-V VM.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Disable preemption in bpf_event_output<br /> <br /> We received report [1] of kernel crash, which is caused by<br /> using nesting protection without disabled preemption.<br /> <br /> The bpf_event_output can be called by programs executed by<br /> bpf_prog_run_array_cg function that disabled migration but<br /> keeps preemption enabled.<br /> <br /> This can cause task to be preempted by another one inside the<br /> nesting protection and lead eventually to two tasks using same<br /> perf_sample_data buffer and cause crashes like:<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000001<br /> #PF: supervisor instruction fetch in kernel mode<br /> #PF: error_code(0x0010) - not-present page<br /> ...<br /> ? perf_output_sample+0x12a/0x9a0<br /> ? finish_task_switch.isra.0+0x81/0x280<br /> ? perf_event_output+0x66/0xa0<br /> ? bpf_event_output+0x13a/0x190<br /> ? bpf_event_output_data+0x22/0x40<br /> ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb<br /> ? xa_load+0x87/0xe0<br /> ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0<br /> ? release_sock+0x3e/0x90<br /> ? sk_setsockopt+0x1a1/0x12f0<br /> ? udp_pre_connect+0x36/0x50<br /> ? inet_dgram_connect+0x93/0xa0<br /> ? __sys_connect+0xb4/0xe0<br /> ? udp_setsockopt+0x27/0x40<br /> ? __pfx_udp_push_pending_frames+0x10/0x10<br /> ? __sys_setsockopt+0xdf/0x1a0<br /> ? __x64_sys_connect+0xf/0x20<br /> ? do_syscall_64+0x3a/0x90<br /> ? entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> Fixing this by disabling preemption in bpf_event_output.<br /> <br /> [1] https://github.com/cilium/cilium/issues/26756