Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock: Keep the binding until socket destruction<br /> <br /> Preserve sockets bindings; this includes both resulting from an explicit<br /> bind() and those implicitly bound through autobind during connect().<br /> <br /> Prevents socket unbinding during a transport reassignment, which fixes a<br /> use-after-free:<br /> <br /> 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)<br /> 2. transport-&gt;release() calls vsock_remove_bound() without checking if<br /> sk was bound and moved to bound list (refcnt=1)<br /> 3. vsock_bind() assumes sk is in unbound list and before<br /> __vsock_insert_bound(vsock_bound_sockets()) calls<br /> __vsock_remove_bound() which does:<br /> list_del_init(&amp;vsk-&gt;bound_table); // nop<br /> sock_put(&amp;vsk-&gt;sk); // refcnt=0<br /> <br /> BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730<br /> Read of size 4 at addr ffff88816b46a74c by task a.out/2057<br /> dump_stack_lvl+0x68/0x90<br /> print_report+0x174/0x4f6<br /> kasan_report+0xb9/0x190<br /> __vsock_bind+0x62e/0x730<br /> vsock_bind+0x97/0xe0<br /> __sys_bind+0x154/0x1f0<br /> __x64_sys_bind+0x6e/0xb0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Allocated by task 2057:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_save_track+0x10/0x30<br /> __kasan_slab_alloc+0x85/0x90<br /> kmem_cache_alloc_noprof+0x131/0x450<br /> sk_prot_alloc+0x5b/0x220<br /> sk_alloc+0x2c/0x870<br /> __vsock_create.constprop.0+0x2e/0xb60<br /> vsock_create+0xe4/0x420<br /> __sock_create+0x241/0x650<br /> __sys_socket+0xf2/0x1a0<br /> __x64_sys_socket+0x6e/0xb0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Freed by task 2057:<br /> kasan_save_stack+0x1e/0x40<br /> kasan_save_track+0x10/0x30<br /> kasan_save_free_info+0x37/0x60<br /> __kasan_slab_free+0x4b/0x70<br /> kmem_cache_free+0x1a1/0x590<br /> __sk_destruct+0x388/0x5a0<br /> __vsock_bind+0x5e1/0x730<br /> vsock_bind+0x97/0xe0<br /> __sys_bind+0x154/0x1f0<br /> __x64_sys_bind+0x6e/0xb0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> refcount_t: addition on 0; use-after-free.<br /> WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150<br /> RIP: 0010:refcount_warn_saturate+0xce/0x150<br /> __vsock_bind+0x66d/0x730<br /> vsock_bind+0x97/0xe0<br /> __sys_bind+0x154/0x1f0<br /> __x64_sys_bind+0x6e/0xb0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> refcount_t: underflow; use-after-free.<br /> WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150<br /> RIP: 0010:refcount_warn_saturate+0xee/0x150<br /> vsock_remove_bound+0x187/0x1e0<br /> __vsock_release+0x383/0x4a0<br /> vsock_release+0x90/0x120<br /> __sock_release+0xa3/0x250<br /> sock_close+0x14/0x20<br /> __fput+0x359/0xa80<br /> task_work_run+0x107/0x1d0<br /> do_exit+0x847/0x2560<br /> do_group_exit+0xb8/0x250<br /> __x64_sys_exit_group+0x3a/0x50<br /> x64_sys_call+0xfec/0x14f0<br /> do_syscall_64+0x93/0x1b0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: mcast: add RCU protection to mld_newpack()<br /> <br /> mld_newpack() can be called without RTNL or RCU being held.<br /> <br /> Note that we no longer can use sock_alloc_send_skb() because<br /> ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.<br /> <br /> Instead use alloc_skb() and charge the net-&gt;ipv6.igmp_sk<br /> socket under RCU protection.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ndisc: extend RCU protection in ndisc_send_skb()<br /> <br /> ndisc_send_skb() can be called without RTNL or RCU held.<br /> <br /> Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu()<br /> and avoid a potential UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> openvswitch: use RCU protection in ovs_vport_cmd_fill_info()<br /> <br /> ovs_vport_cmd_fill_info() can be called without RTNL or RCU.<br /> <br /> Use RCU protection and dev_net_rcu() to avoid potential UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> arp: use RCU protection in arp_xmit()<br /> <br /> arp_xmit() can be called without RTNL or RCU protection.<br /> <br /> Use RCU protection to avoid potential UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> neighbour: use RCU protection in __neigh_notify()<br /> <br /> __neigh_notify() can be called without RTNL or RCU protection.<br /> <br /> Use RCU protection to avoid potential UAF.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: don&amp;#39;t use btrfs_set_item_key_safe on RAID stripe-extents<br /> <br /> Don&amp;#39;t use btrfs_set_item_key_safe() to modify the keys in the RAID<br /> stripe-tree, as this can lead to corruption of the tree, which is caught<br /> by the checks in btrfs_set_item_key_safe():<br /> <br /> BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12<br /> BTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030<br /> [ snip ]<br /> item 105 key (354549760 230 20480) itemoff 14587 itemsize 16<br /> stride 0 devid 5 physical 67502080<br /> item 106 key (354631680 230 4096) itemoff 14571 itemsize 16<br /> stride 0 devid 1 physical 88559616<br /> item 107 key (354631680 230 32768) itemoff 14555 itemsize 16<br /> stride 0 devid 1 physical 88555520<br /> item 108 key (354717696 230 28672) itemoff 14539 itemsize 16<br /> stride 0 devid 2 physical 67604480<br /> [ snip ]<br /> BTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096)<br /> ------------[ cut here ]------------<br /> kernel BUG at fs/btrfs/ctree.c:2602!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI<br /> CPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014<br /> RIP: 0010:btrfs_set_item_key_safe+0xf7/0x270<br /> Code: <br /> RSP: 0018:ffffc90001337ab0 EFLAGS: 00010287<br /> RAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000<br /> RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff<br /> RBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500<br /> R10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000<br /> R13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58<br /> FS: 00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0<br /> Call Trace:<br /> <br /> ? __die_body.cold+0x14/0x1a<br /> ? die+0x2e/0x50<br /> ? do_trap+0xca/0x110<br /> ? do_error_trap+0x65/0x80<br /> ? btrfs_set_item_key_safe+0xf7/0x270<br /> ? exc_invalid_op+0x50/0x70<br /> ? btrfs_set_item_key_safe+0xf7/0x270<br /> ? asm_exc_invalid_op+0x1a/0x20<br /> ? btrfs_set_item_key_safe+0xf7/0x270<br /> btrfs_partially_delete_raid_extent+0xc4/0xe0<br /> btrfs_delete_raid_extent+0x227/0x240<br /> __btrfs_free_extent.isra.0+0x57f/0x9c0<br /> ? exc_coproc_segment_overrun+0x40/0x40<br /> __btrfs_run_delayed_refs+0x2fa/0xe80<br /> btrfs_run_delayed_refs+0x81/0xe0<br /> btrfs_commit_transaction+0x2dd/0xbe0<br /> ? preempt_count_add+0x52/0xb0<br /> btrfs_sync_file+0x375/0x4c0<br /> do_fsync+0x39/0x70<br /> __x64_sys_fsync+0x13/0x20<br /> do_syscall_64+0x54/0x110<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> RIP: 0033:0x7f7d7550ef90<br /> Code: <br /> RSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIG_RAX: 000000000000004a<br /> RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90<br /> RDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004<br /> RBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c<br /> R10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c<br /> R13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8<br /> <br /> <br /> While the root cause of the tree order corruption isn&amp;#39;t clear, using<br /> btrfs_duplicate_item() to copy the item and then adjusting both the key<br /> and the per-device physical addresses is a safe way to counter this<br /> problem.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/ast: astdp: Fix timeout for enabling video signal<br /> <br /> The ASTDP transmitter sometimes takes up to 1 second for enabling the<br /> video signal, while the timeout is only 200 msec. This results in a<br /> kernel error message. Increase the timeout to 1 second. An example<br /> of the error message is shown below.<br /> <br /> [ 697.084433] ------------[ cut here ]------------<br /> [ 697.091115] ast 0000:02:00.0: [drm] drm_WARN_ON(!__ast_dp_wait_enable(ast, enabled))<br /> [ 697.091233] WARNING: CPU: 1 PID: 160 at drivers/gpu/drm/ast/ast_dp.c:232 ast_dp_set_enable+0x123/0x140 [ast]<br /> [...]<br /> [ 697.272469] RIP: 0010:ast_dp_set_enable+0x123/0x140 [ast]<br /> [...]<br /> [ 697.415283] Call Trace:<br /> [ 697.420727] <br /> [ 697.425908] ? show_trace_log_lvl+0x196/0x2c0<br /> [ 697.433304] ? show_trace_log_lvl+0x196/0x2c0<br /> [ 697.440693] ? drm_atomic_helper_commit_modeset_enables+0x30a/0x470<br /> [ 697.450115] ? ast_dp_set_enable+0x123/0x140 [ast]<br /> [ 697.458059] ? __warn.cold+0xaf/0xca<br /> [ 697.464713] ? ast_dp_set_enable+0x123/0x140 [ast]<br /> [ 697.472633] ? report_bug+0x134/0x1d0<br /> [ 697.479544] ? handle_bug+0x58/0x90<br /> [ 697.486127] ? exc_invalid_op+0x13/0x40<br /> [ 697.492975] ? asm_exc_invalid_op+0x16/0x20<br /> [ 697.500224] ? preempt_count_sub+0x14/0xc0<br /> [ 697.507473] ? ast_dp_set_enable+0x123/0x140 [ast]<br /> [ 697.515377] ? ast_dp_set_enable+0x123/0x140 [ast]<br /> [ 697.523227] drm_atomic_helper_commit_modeset_enables+0x30a/0x470<br /> [ 697.532388] drm_atomic_helper_commit_tail+0x58/0x90<br /> [ 697.540400] ast_mode_config_helper_atomic_commit_tail+0x30/0x40 [ast]<br /> [ 697.550009] commit_tail+0xfe/0x1d0<br /> [ 697.556547] drm_atomic_helper_commit+0x198/0x1c0<br /> <br /> This is a cosmetical problem. Enabling the video signal still works<br /> even with the error message. The problem has always been present, but<br /> only recent versions of the ast driver warn about missing the timeout.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: HWS, change error flow on matcher disconnect<br /> <br /> Currently, when firmware failure occurs during matcher disconnect flow,<br /> the error flow of the function reconnects the matcher back and returns<br /> an error, which continues running the calling function and eventually<br /> frees the matcher that is being disconnected.<br /> This leads to a case where we have a freed matcher on the matchers list,<br /> which in turn leads to use-after-free and eventual crash.<br /> <br /> This patch fixes that by not trying to reconnect the matcher back when<br /> some FW command fails during disconnect.<br /> <br /> Note that we&amp;#39;re dealing here with FW error. We can&amp;#39;t overcome this<br /> problem. This might lead to bad steering state (e.g. wrong connection<br /> between matchers), and will also lead to resource leakage, as it is<br /> the case with any other error handling during resource destruction.<br /> <br /> However, the goal here is to allow the driver to continue and not crash<br /> the machine with use-after-free error.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix integer overflows on 32 bit systems<br /> <br /> On 32bit systems the addition operations in ipc_msg_alloc() can<br /> potentially overflow leading to memory corruption.<br /> Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: rose: lock the socket in rose_bind()<br /> <br /> syzbot reported a soft lockup in rose_loopback_timer(),<br /> with a repro calling bind() from multiple threads.<br /> <br /> rose_bind() must lock the socket to avoid this issue.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: brcmfmac: Check the return value of of_property_read_string_index()<br /> <br /> Somewhen between 6.10 and 6.11 the driver started to crash on my<br /> MacBookPro14,3. The property doesn&amp;#39;t exist and &amp;#39;tmp&amp;#39; remains<br /> uninitialized, so we pass a random pointer to devm_kstrdup().<br /> <br /> The crash I am getting looks like this:<br /> <br /> BUG: unable to handle page fault for address: 00007f033c669379<br /> PF: supervisor read access in kernel mode<br /> PF: error_code(0x0001) - permissions violation<br /> PGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025<br /> Oops: Oops: 0001 [#1] SMP PTI<br /> CPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1<br /> Hardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024<br /> RIP: 0010:strlen+0x4/0x30<br /> Code: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc<br /> RSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202<br /> RAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001<br /> RDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379<br /> RBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a<br /> R10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8<br /> R13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30<br /> FS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> ? __die+0x23/0x70<br /> ? page_fault_oops+0x149/0x4c0<br /> ? raw_spin_rq_lock_nested+0xe/0x20<br /> ? sched_balance_newidle+0x22b/0x3c0<br /> ? update_load_avg+0x78/0x770<br /> ? exc_page_fault+0x6f/0x150<br /> ? asm_exc_page_fault+0x26/0x30<br /> ? __pfx_pci_conf1_write+0x10/0x10<br /> ? strlen+0x4/0x30<br /> devm_kstrdup+0x25/0x70<br /> brcmf_of_probe+0x273/0x350 [brcmfmac]