Vulnerabilities

To inform, warn and help professionals about the latest security vulnerabilities in technology systems, we have made a Spanish-language database available to users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, as entries are added while the INCIBE team is still translating them. The CVE (Common Vulnerabilities and Exposures) standard for naming information security vulnerabilities is used so that information can be exchanged between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2025-22043

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add bounds check for durable handle context

Add missing bounds check for durable handle context.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2025

CVE-2025-22044

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

acpi: nfit: fix narrowing conversion in acpi_nfit_ctl

Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary
bus families can be translated". This warning is emitted if the argument
is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first
verifies that a user-provided value call_pkg->nd_family of type u64 is
not equal to 0. Then the value is converted to int, and only after that
is compared to NVDIMM_BUS_FAMILY_MAX. This can lead to passing an invalid
argument to acpi_nfit_ctl(), if call_pkg->nd_family is non-zero, while
the lower 32 bits are zero.

Furthermore, it is best to return EINVAL immediately upon seeing the
invalid user input. The WARNING is insufficient to prevent further
undefined behavior based on other invalid user input.

All checks of the input value should be applied to the original variable
call_pkg->nd_family.

[iweiny: update commit message]
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-22045

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs

On the following path, flush_tlb_range() can be used for zapping normal
PMD entries (PMD entries that point to page tables) together with the PTE
entries in the pointed-to page table:

collapse_pte_mapped_thp
pmdp_collapse_flush
flush_tlb_range

The arm64 version of flush_tlb_range() has a comment describing that it can
be used for page table removal, and does not use any last-level
invalidation optimizations. Fix the X86 version by making it behave the
same way.

Currently, X86 only uses this information for the following two purposes,
which I think means the issue doesn't have much impact:

- In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be
IPI'd to avoid issues with speculative page table walks.
- In Hyper-V TLB paravirtualization, again for lazy TLB stuff.

The patch "x86/mm: only invalidate final translations with INVLPGB" which
is currently under review (see
)
would probably be making the impact of this a lot worse.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-22042

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: add bounds check for create lease context

Add missing bounds check for create lease context.
Severity CVSS v4.0: Pending analysis
Last modification:
06/04/2026

CVE-2025-22034

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs

Patch series "mm: fixes for device-exclusive entries (hmm)", v2.

Discussing the PageTail() call in make_device_exclusive_range() with
Willy, I recently discovered [1] that device-exclusive handling does not
properly work with THP, making the hmm-tests selftests fail if THPs are
enabled on the system.

Looking into more details, I found that hugetlb is not properly fenced,
and I realized that something that was bugging me for longer -- how
device-exclusive entries interact with mapcounts -- completely breaks
migration/swapout/split/hwpoison handling of these folios while they have
device-exclusive PTEs.

The program below can be used to allocate 1 GiB worth of pages and making
them device-exclusive on a kernel with CONFIG_TEST_HMM.

Once they are device-exclusive, these folios cannot get swapped out
(proc$pid/smaps_rollup will always indicate 1 GiB RSS no matter how much
one forces memory reclaim), and when having a memory block onlined to
ZONE_MOVABLE, trying to offline it will loop forever and complain about
failed migration of a page that should be movable.

# echo offline > /sys/devices/system/memory/memory136/state
# echo online_movable > /sys/devices/system/memory/memory136/state
# ./hmm-swap &
... wait until everything is device-exclusive
# echo offline > /sys/devices/system/memory/memory136/state
[ 285.193431][T14882] page: refcount:2 mapcount:0 mapping:0000000000000000
index:0x7f20671f7 pfn:0x442b6a
[ 285.196618][T14882] memcg:ffff888179298000
[ 285.198085][T14882] anon flags: 0x5fff0000002091c(referenced|uptodate|
dirty|active|owner_2|swapbacked|node=1|zone=3|lastcpupid=0x7ff)
[ 285.201734][T14882] raw: ...
[ 285.204464][T14882] raw: ...
[ 285.207196][T14882] page dumped because: migration failure
[ 285.209072][T14882] page_owner tracks the page as allocated
[ 285.210915][T14882] page last allocated via order 0, migratetype
Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO),
id 14926, tgid 14926 (hmm-swap), ts 254506295376, free_ts 227402023774
[ 285.216765][T14882] post_alloc_hook+0x197/0x1b0
[ 285.218874][T14882] get_page_from_freelist+0x76e/0x3280
[ 285.220864][T14882] __alloc_frozen_pages_noprof+0x38e/0x2740
[ 285.223302][T14882] alloc_pages_mpol+0x1fc/0x540
[ 285.225130][T14882] folio_alloc_mpol_noprof+0x36/0x340
[ 285.227222][T14882] vma_alloc_folio_noprof+0xee/0x1a0
[ 285.229074][T14882] __handle_mm_fault+0x2b38/0x56a0
[ 285.230822][T14882] handle_mm_fault+0x368/0x9f0
...

This series fixes all issues I found so far. There is no easy way to fix
without a bigger rework/cleanup. I have a bunch of cleanups on top (some
previous sent, some the result of the discussion in v1) that I will send
out separately once this landed and I get to it.

I wish we could just use some special present PROT_NONE PTEs instead of
these (non-present, non-none) fake-swap entries; but that just results in
the same problem we keep having (lack of spare PTE bits), and staring at
other similar fake-swap entries, that ship has sailed.

With this series, make_device_exclusive() doesn't actually belong into
mm/rmap.c anymore, but I'll leave moving that for another day.

I only tested this series with the hmm-tests selftests due to lack of HW,
so I'd appreciate some testing, especially if the interaction between two
GPUs wanting a device-exclusive entry works as expected.


#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define HMM_DMIRROR_EXCLUSIVE _IOWR('H', 0x05, struct hmm_dmirror_cmd)

struct hmm_dmirror_cmd {
    __u64 addr;
    __u64 ptr;
    __u64 npages;
    __u64 cpages;
    __u64 faults;
};

const size_t size = 1 * 1024 * 1024 * 1024ul;
const size_t chunk_size = 2 * 1024 * 1024ul;

int m
---truncated---
Severity CVSS v4.0: Pending analysis
Last modification:
31/10/2025

CVE-2025-22036

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

exfat: fix random stack corruption after get_block

When get_block is called with a buffer_head allocated on the stack, such
as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in
the following race condition situation.


mpage_read_folio

do_mpage_readpage
exfat_get_block
bh_read
__bh_read
get_bh(bh)
submit_bh
wait_on_buffer
...
end_buffer_read_sync
__end_buffer_read_notouch
unlock_buffer

...
...
...
...

.
.
another_function

put_bh(bh)
atomic_dec(bh->b_count)
* stack corruption here *

This patch returns -EAGAIN if a folio does not have buffers when bh_read
needs to be called. By doing this, the caller can fallback to functions
like block_read_full_folio(), create a buffer_head in the folio, and then
call get_block again.

Let's do not call bh_read() with on-stack buffer_head.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2025

CVE-2025-22037

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix null pointer dereference in alloc_preauth_hash()

The client sends a malformed smb2 negotiate request. ksmbd returns an error
response. Subsequently, the client can send smb2 session setup even
though conn->preauth_info is not allocated.
This patch adds the KSMBD_SESS_NEED_SETUP status of connection to ignore
session setup requests if the smb2 negotiate phase is not complete.
Severity CVSS v4.0: Pending analysis
Last modification:
19/09/2025

CVE-2025-22039

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix overflow in dacloffset bounds check

The dacloffset field was originally typed as int and used in an
unchecked addition, which could overflow and bypass the existing
bounds check in both smb_check_perm_dacl() and smb_inherit_dacl().

This could result in out-of-bounds memory access and a kernel crash
when dereferencing the DACL pointer.

This patch converts dacloffset to unsigned int and uses
check_add_overflow() to validate access to the DACL.
Severity CVSS v4.0: Pending analysis
Last modification:
14/11/2025

CVE-2025-22035

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

Kairui reported a UAF issue in print_graph_function_flags() during
ftrace stress testing [1]. This issue can be reproduced if putting a
'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),
and executing the following script:

$ echo function_graph > current_tracer
$ cat trace > /dev/null &
$ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point
$ echo timerlat > current_tracer

The root cause lies in the two calls to print_graph_function_flags
within print_trace_line during each s_show():

* One through 'iter->trace->print_line()';
* Another through 'event->funcs->trace()', which is hidden in
print_trace_fmt() before print_trace_line returns.

Tracer switching only updates the former, while the latter continues
to use the print_line function of the old tracer, which in the script
above is print_graph_function_flags.

Moreover, when switching from the 'function_graph' tracer to the
'timerlat' tracer, s_start only calls graph_trace_close of the
'function_graph' tracer to free 'iter->private', but does not set
it to NULL. This provides an opportunity for 'event->funcs->trace()'
to use an invalid 'iter->private'.

To fix this issue, set 'iter->private' to NULL immediately after
freeing it in graph_trace_close(), ensuring that an invalid pointer
is not passed to other tracers. Additionally, clean up the unnecessary
'iter->private = NULL' during each 'cat trace' when using wakeup and
irqsoff tracers.

[1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-22038

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: validate zero num_subauth before sub_auth is accessed

Access psid->sub_auth[psid->num_subauth - 1] without checking
if num_subauth is non-zero leads to an out-of-bounds read.
This patch adds a validation step to ensure num_subauth != 0
before sub_auth is accessed.
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025

CVE-2025-22041

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free in ksmbd_sessions_deregister()

In multichannel mode, a UAF issue can occur in session_deregister
when the second channel sets up a session through the connection of
the first channel. A session that is freed through the global session
table can be accessed again through ->sessions of the connection.
Severity CVSS v4.0: Pending analysis
Last modification:
02/04/2026

CVE-2025-22040

Publication date:
16/04/2025
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix session use-after-free in multichannel connection

There is a race condition between session setup and
ksmbd_sessions_deregister. The session can be freed before the connection
is added to the channel list of the session.
This patch checks the reference count of the session before freeing it.
Severity CVSS v4.0: Pending analysis
Last modification:
06/04/2026