Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: Pass AT_GETATTR_NOSEC flag to getattr interface function<br /> <br /> When vfs_getattr_nosec() calls a filesystem&amp;#39;s getattr interface function<br /> then the &amp;#39;nosec&amp;#39; should propagate into this function so that<br /> vfs_getattr_nosec() can again be called from the filesystem&amp;#39;s gettattr<br /> rather than vfs_getattr(). The latter would add unnecessary security<br /> checks that the initial vfs_getattr_nosec() call wanted to avoid.<br /> Therefore, introduce the getattr flag GETATTR_NOSEC and allow to pass<br /> with the new getattr_flags parameter to the getattr interface function.<br /> In overlayfs and ecryptfs use this flag to determine which one of the<br /> two functions to call.<br /> <br /> In a recent code change introduced to IMA vfs_getattr_nosec() ended up<br /> calling vfs_getattr() in overlayfs, which in turn called<br /> security_inode_getattr() on an exiting process that did not have<br /> current-&gt;fs set anymore, which then caused a kernel NULL pointer<br /> dereference. With this change the call to security_inode_getattr() can<br /> be avoided, thus avoiding the NULL pointer dereference.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: mvneta: fix calls to page_pool_get_stats<br /> <br /> Calling page_pool_get_stats in the mvneta driver without checks<br /> leads to kernel crashes.<br /> First the page pool is only available if the bm is not used.<br /> The page pool is also not allocated when the port is stopped.<br /> It can also be not allocated in case of errors.<br /> <br /> The current implementation leads to the following crash calling<br /> ethstats on a port that is down or when calling it at the wrong moment:<br /> <br /> ble to handle kernel NULL pointer dereference at virtual address 00000070<br /> [00000070] *pgd=00000000<br /> Internal error: Oops: 5 [#1] SMP ARM<br /> Hardware name: Marvell Armada 380/385 (Device Tree)<br /> PC is at page_pool_get_stats+0x18/0x1cc<br /> LR is at mvneta_ethtool_get_stats+0xa0/0xe0 [mvneta]<br /> pc : [] lr : [] psr: a0000013<br /> sp : f1439d48 ip : f1439dc0 fp : 0000001d<br /> r10: 00000100 r9 : c4816b80 r8 : f0d75150<br /> r7 : bf0b400c r6 : c238f000 r5 : 00000000 r4 : f1439d68<br /> r3 : c2091040 r2 : ffffffd8 r1 : f1439d68 r0 : 00000000<br /> Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none<br /> Control: 10c5387d Table: 066b004a DAC: 00000051<br /> Register r0 information: NULL pointer<br /> Register r1 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Register r2 information: non-paged memory<br /> Register r3 information: slab kmalloc-2k start c2091000 pointer offset 64 size 2048<br /> Register r4 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Register r5 information: NULL pointer<br /> Register r6 information: slab kmalloc-cg-4k start c238f000 pointer offset 0 size 4096<br /> Register r7 information: 15-page vmalloc region starting at 0xbf0a8000 allocated at load_module+0xa30/0x219c<br /> Register r8 information: 1-page vmalloc region starting at 0xf0d75000 allocated at ethtool_get_stats+0x138/0x208<br /> Register r9 information: slab task_struct start c4816b80 pointer offset 0<br /> Register r10 information: non-paged memory<br /> Register r11 information: non-paged memory<br /> Register r12 information: 2-page vmalloc region starting at 0xf1438000 allocated at kernel_clone+0x9c/0x390<br /> Process snmpd (pid: 733, stack limit = 0x38de3a88)<br /> Stack: (0xf1439d48 to 0xf143a000)<br /> 9d40: 000000c0 00000001 c238f000 bf0b400c f0d75150 c4816b80<br /> 9d60: 00000100 bf0a98d8 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9d80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9da0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9dc0: 00000dc0 5335509c 00000035 c238f000 bf0b2214 01067f50 f0d75000 c0b9b9c8<br /> 9de0: 0000001d 00000035 c2212094 5335509c c4816b80 c238f000 c5ad6e00 01067f50<br /> 9e00: c1b0be80 c4816b80 00014813 c0b9d7f0 00000000 00000000 0000001d 0000001d<br /> 9e20: 00000000 00001200 00000000 00000000 c216ed90 c73943b8 00000000 00000000<br /> 9e40: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9e60: 00000000 c0ad9034 00000000 00000000 00000000 00000000 00000000 00000000<br /> 9e80: 00000000 00000000 00000000 5335509c c1b0be80 f1439ee4 00008946 c1b0be80<br /> 9ea0: 01067f50 f1439ee3 00000000 00000046 b6d77ae0 c0b383f0 00008946 becc83e8<br /> 9ec0: c1b0be80 00000051 0000000b c68ca480 c7172d00 c0ad8ff0 f1439ee3 cf600e40<br /> 9ee0: 01600e40 32687465 00000000 00000000 00000000 01067f50 00000000 00000000<br /> 9f00: 00000000 5335509c 00008946 00008946 00000000 c68ca480 becc83e8 c05e2de0<br /> 9f20: f1439fb0 c03002f0 00000006 5ac3c35a c4816b80 00000006 b6d77ae0 c030caf0<br /> 9f40: c4817350 00000014 f1439e1c 0000000c 00000000 00000051 01000000 00000014<br /> 9f60: 00003fec f1439edc 00000001 c0372abc b6d77ae0 c0372abc cf600e40 5335509c<br /> 9f80: c21e6800 01015c9c 0000000b 00008946 00000036 c03002f0 c4816b80 00000036<br /> 9fa0: b6d77ae0 c03000c0 01015c9c 0000000b 0000000b 00008946 becc83e8 00000000<br /> 9fc0: 01015c9c 0000000b 00008946 00000036 00000035 010678a0 b6d797ec b6d77ae0<br /> 9fe0: b6dbf738 becc838c b6d186d7 b6baa858 40000030 0000000b 00000000 00000000<br /> page_pool_get_s<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath12k: fix htt mlo-offset event locking<br /> <br /> The ath12k active pdevs are protected by RCU but the htt mlo-offset<br /> event handling code calling ath12k_mac_get_ar_by_pdev_id() was not<br /> marked as a read-side critical section.<br /> <br /> Mark the code in question as an RCU read-side critical section to avoid<br /> any potential use-after-free issues.<br /> <br /> Compile tested only.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> f2fs: split initial and dynamic conditions for extent_cache<br /> <br /> Let&amp;#39;s allocate the extent_cache tree without dynamic conditions to avoid a<br /> missing condition causing a panic as below.<br /> <br /> # create a file w/ a compressed flag<br /> # disable the compression<br /> # panic while updating extent_cache<br /> <br /> F2FS-fs (dm-64): Swapfile: last extent is not aligned to section<br /> F2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N)<br /> Adding 124996k swap on ./swap-file. Priority:0 extents:2 across:17179494468k<br /> ==================================================================<br /> BUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]<br /> BUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]<br /> BUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]<br /> BUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]<br /> BUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295<br /> Write of size 4 at addr 0000000000000030 by task syz-executor154/3327<br /> <br /> CPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G O 5.10.185 #1<br /> Hardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023<br /> Call Trace:<br /> __dump_stack out/common/lib/dump_stack.c:77 [inline]<br /> dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118<br /> __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415<br /> kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428<br /> kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186<br /> __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37<br /> instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]<br /> atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]<br /> queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]<br /> __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]<br /> _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295<br /> __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155<br /> f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172<br /> f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline]<br /> f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764<br /> vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310<br /> ksys_fallocate out/common/fs/open.c:333 [inline]<br /> __do_sys_fallocate out/common/fs/open.c:341 [inline]<br /> __se_sys_fallocate out/common/fs/open.c:339 [inline]<br /> __x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339<br /> do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/port: Fix delete_endpoint() vs parent unregistration race<br /> <br /> The CXL subsystem, at cxl_mem -&gt;probe() time, establishes a lineage of<br /> ports (struct cxl_port objects) between an endpoint and the root of a<br /> CXL topology. Each port including the endpoint port is attached to the<br /> cxl_port driver.<br /> <br /> Given that setup, it follows that when either any port in that lineage<br /> goes through a cxl_port -&gt;remove() event, or the memdev goes through a<br /> cxl_mem -&gt;remove() event. The hierarchy below the removed port, or the<br /> entire hierarchy if the memdev is removed needs to come down.<br /> <br /> The delete_endpoint() callback is careful to check whether it is being<br /> called to tear down the hierarchy, or if it is only being called to<br /> teardown the memdev because an ancestor port is going through<br /> -&gt;remove().<br /> <br /> That care needs to take the device_lock() of the endpoint&amp;#39;s parent.<br /> Which requires 2 bugs to be fixed:<br /> <br /> 1/ A reference on the parent is needed to prevent use-after-free<br /> scenarios like this signature:<br /> <br /> BUG: spinlock bad magic on CPU#0, kworker/u56:0/11<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023<br /> Workqueue: cxl_port detach_memdev [cxl_core]<br /> RIP: 0010:spin_bug+0x65/0xa0<br /> Call Trace:<br /> do_raw_spin_lock+0x69/0xa0<br /> __mutex_lock+0x695/0xb80<br /> delete_endpoint+0xad/0x150 [cxl_core]<br /> devres_release_all+0xb8/0x110<br /> device_unbind_cleanup+0xe/0x70<br /> device_release_driver_internal+0x1d2/0x210<br /> detach_memdev+0x15/0x20 [cxl_core]<br /> process_one_work+0x1e3/0x4c0<br /> worker_thread+0x1dd/0x3d0<br /> <br /> 2/ In the case of RCH topologies, the parent device that needs to be<br /> locked is not always @port-&gt;dev as returned by cxl_mem_find_port(), use<br /> endpoint-&gt;dev.parent instead.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> af_unix: fix use-after-free in unix_stream_read_actor()<br /> <br /> syzbot reported the following crash [1]<br /> <br /> After releasing unix socket lock, u-&gt;oob_skb can be changed<br /> by another thread. We must temporarily increase skb refcount<br /> to make sure this other thread will not free the skb under us.<br /> <br /> [1]<br /> <br /> BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866<br /> Read of size 4 at addr ffff88801f3b9cc4 by task syz-executor107/5297<br /> <br /> CPU: 1 PID: 5297 Comm: syz-executor107 Not tainted 6.6.0-syzkaller-15910-gb8e3a87a627b #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:364 [inline]<br /> print_report+0xc4/0x620 mm/kasan/report.c:475<br /> kasan_report+0xda/0x110 mm/kasan/report.c:588<br /> unix_stream_read_actor+0xa7/0xc0 net/unix/af_unix.c:2866<br /> unix_stream_recv_urg net/unix/af_unix.c:2587 [inline]<br /> unix_stream_read_generic+0x19a5/0x2480 net/unix/af_unix.c:2666<br /> unix_stream_recvmsg+0x189/0x1b0 net/unix/af_unix.c:2903<br /> sock_recvmsg_nosec net/socket.c:1044 [inline]<br /> sock_recvmsg+0xe2/0x170 net/socket.c:1066<br /> ____sys_recvmsg+0x21f/0x5c0 net/socket.c:2803<br /> ___sys_recvmsg+0x115/0x1a0 net/socket.c:2845<br /> __sys_recvmsg+0x114/0x1e0 net/socket.c:2875<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> RIP: 0033:0x7fc67492c559<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007fc6748ab228 EFLAGS: 00000246 ORIG_RAX: 000000000000002f<br /> RAX: ffffffffffffffda RBX: 000000000000001c RCX: 00007fc67492c559<br /> RDX: 0000000040010083 RSI: 0000000020000140 RDI: 0000000000000004<br /> RBP: 00007fc6749b6348 R08: 00007fc6748ab6c0 R09: 00007fc6748ab6c0<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc6749b6340<br /> R13: 00007fc6749b634c R14: 00007ffe9fac52a0 R15: 00007ffe9fac5388<br /> <br /> <br /> Allocated by task 5295:<br /> kasan_save_stack+0x33/0x50 mm/kasan/common.c:45<br /> kasan_set_track+0x25/0x30 mm/kasan/common.c:52<br /> __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:328<br /> kasan_slab_alloc include/linux/kasan.h:188 [inline]<br /> slab_post_alloc_hook mm/slab.h:763 [inline]<br /> slab_alloc_node mm/slub.c:3478 [inline]<br /> kmem_cache_alloc_node+0x180/0x3c0 mm/slub.c:3523<br /> __alloc_skb+0x287/0x330 net/core/skbuff.c:641<br /> alloc_skb include/linux/skbuff.h:1286 [inline]<br /> alloc_skb_with_frags+0xe4/0x710 net/core/skbuff.c:6331<br /> sock_alloc_send_pskb+0x7e4/0x970 net/core/sock.c:2780<br /> sock_alloc_send_skb include/net/sock.h:1884 [inline]<br /> queue_oob net/unix/af_unix.c:2147 [inline]<br /> unix_stream_sendmsg+0xb5f/0x10a0 net/unix/af_unix.c:2301<br /> sock_sendmsg_nosec net/socket.c:730 [inline]<br /> __sock_sendmsg+0xd5/0x180 net/socket.c:745<br /> ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584<br /> ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638<br /> __sys_sendmsg+0x117/0x1e0 net/socket.c:2667<br /> do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br /> do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82<br /> entry_SYSCALL_64_after_hwframe+0x63/0x6b<br /> <br /> Freed by task 5295:<br /> kasan_save_stack+0x33/0x50 mm/kasan/common.c:45<br /> kasan_set_track+0x25/0x30 mm/kasan/common.c:52<br /> kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522<br /> ____kasan_slab_free mm/kasan/common.c:236 [inline]<br /> ____kasan_slab_free+0x15b/0x1b0 mm/kasan/common.c:200<br /> kasan_slab_free include/linux/kasan.h:164 [inline]<br /> slab_free_hook mm/slub.c:1800 [inline]<br /> slab_free_freelist_hook+0x114/0x1e0 mm/slub.c:1826<br /> slab_free mm/slub.c:3809 [inline]<br /> kmem_cache_free+0xf8/0x340 mm/slub.c:3831<br /> kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:1015<br /> __kfree_skb net/core/skbuff.c:1073 [inline]<br /> consume_skb net/core/skbuff.c:1288 [inline]<br /> consume_skb+0xdf/0x170 net/core/skbuff.c:1282<br /> queue_oob net/unix/af_unix.c:2178 [inline]<br /> u<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: fix a NULL pointer dereference in amdgpu_dm_i2c_xfer()<br /> <br /> When ddc_service_construct() is called, it explicitly checks both the<br /> link type and whether there is something on the link which will<br /> dictate whether the pin is marked as hw_supported.<br /> <br /> If the pin isn&amp;#39;t set or the link is not set (such as from<br /> unloading/reloading amdgpu in an IGT test) then fail the<br /> amdgpu_dm_i2c_xfer() call.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/dasd: protect device queue against concurrent access<br /> <br /> In dasd_profile_start() the amount of requests on the device queue are<br /> counted. The access to the device queue is unprotected against<br /> concurrent access. With a lot of parallel I/O, especially with alias<br /> devices enabled, the device queue can change while dasd_profile_start()<br /> is accessing the queue. In the worst case this leads to a kernel panic<br /> due to incorrect pointer accesses.<br /> <br /> Fix this by taking the device lock before accessing the queue and<br /> counting the requests. Additionally the check for a valid profile data<br /> pointer can be done earlier to avoid unnecessary locking in a hot path.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ksmbd: fix slab out of bounds write in smb_inherit_dacl()<br /> <br /> slab out-of-bounds write is caused by that offsets is bigger than pntsd<br /> allocation size. This patch add the check to validate 3 offsets using<br /> allocation size.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.