Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow<br /> <br /> Sending an PF_PACKET allows to bypass the CAN framework logic and to<br /> directly reach the xmit() function of a CAN driver. The only check<br /> which is performed by the PF_PACKET framework is to make sure that<br /> skb-&gt;len fits the interface&amp;#39;s MTU.<br /> <br /> Unfortunately, because the etas_es58x driver does not populate its<br /> net_device_ops-&gt;ndo_change_mtu(), it is possible for an attacker to<br /> configure an invalid MTU by doing, for example:<br /> <br /> $ ip link set can0 mtu 9999<br /> <br /> After doing so, the attacker could open a PF_PACKET socket using the<br /> ETH_P_CANXL protocol:<br /> <br /> socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));<br /> <br /> to inject a malicious CAN XL frames. For example:<br /> <br /> struct canxl_frame frame = {<br /> .flags = 0xff,<br /> .len = 2048,<br /> };<br /> <br /> The CAN drivers&amp;#39; xmit() function are calling can_dev_dropped_skb() to<br /> check that the skb is valid, unfortunately under above conditions, the<br /> malicious packet is able to go through can_dev_dropped_skb() checks:<br /> <br /> 1. the skb-&gt;protocol is set to ETH_P_CANXL which is valid (the<br /> function does not check the actual device capabilities).<br /> <br /> 2. the length is a valid CAN XL length.<br /> <br /> And so, es58x_start_xmit() receives a CAN XL frame which it is not<br /> able to correctly handle and will thus misinterpret it as a CAN(FD)<br /> frame.<br /> <br /> This can result in a buffer overflow. For example, using the es581.4<br /> variant, the frame will be dispatched to es581_4_tx_can_msg(), go<br /> through the last check at the beginning of this function:<br /> <br /> if (can_is_canfd_skb(skb))<br /> return -EMSGSIZE;<br /> <br /> and reach this line:<br /> <br /> memcpy(tx_can_msg-&gt;data, cf-&gt;data, cf-&gt;len);<br /> <br /> Here, cf-&gt;len corresponds to the flags field of the CAN XL frame. In<br /> our previous example, we set canxl_frame-&gt;flags to 0xff. Because the<br /> maximum expected length is 8, a buffer overflow of 247 bytes occurs!<br /> <br /> Populate net_device_ops-&gt;ndo_change_mtu() to ensure that the<br /> interface&amp;#39;s MTU can not be set to anything bigger than CAN_MTU or<br /> CANFD_MTU (depending on the device capabilities). By fixing the root<br /> cause, this prevents the buffer overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: MGMT: Fix possible UAFs<br /> <br /> This attemps to fix possible UAFs caused by struct mgmt_pending being<br /> freed while still being processed like in the following trace, in order<br /> to fix mgmt_pending_valid is introduce and use to check if the<br /> mgmt_pending hasn&amp;#39;t been removed from the pending list, on the complete<br /> callbacks it is used to check and in addtion remove the cmd from the list<br /> while holding mgmt_pending_lock to avoid TOCTOU problems since if the cmd<br /> is left on the list it can still be accessed and freed.<br /> <br /> BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223<br /> Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55<br /> <br /> CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xca/0x240 mm/kasan/report.c:482<br /> kasan_report+0x118/0x150 mm/kasan/report.c:595<br /> mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223<br /> hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332<br /> process_one_work kernel/workqueue.c:3238 [inline]<br /> process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321<br /> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402<br /> kthread+0x711/0x8a0 kernel/kthread.c:464<br /> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148<br /> ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245<br /> <br /> <br /> Allocated by task 12210:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]<br /> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394<br /> kasan_kmalloc include/linux/kasan.h:260 [inline]<br /> __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364<br /> kmalloc_noprof include/linux/slab.h:905 [inline]<br /> kzalloc_noprof include/linux/slab.h:1039 [inline]<br /> mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269<br /> mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296<br /> __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247<br /> add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364<br /> hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719<br /> hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839<br /> sock_sendmsg_nosec net/socket.c:714 [inline]<br /> __sock_sendmsg+0x219/0x270 net/socket.c:729<br /> sock_write_iter+0x258/0x330 net/socket.c:1133<br /> new_sync_write fs/read_write.c:593 [inline]<br /> vfs_write+0x5c9/0xb30 fs/read_write.c:686<br /> ksys_write+0x145/0x250 fs/read_write.c:738<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> Freed by task 12221:<br /> kasan_save_stack mm/kasan/common.c:47 [inline]<br /> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68<br /> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576<br /> poison_slab_object mm/kasan/common.c:247 [inline]<br /> __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264<br /> kasan_slab_free include/linux/kasan.h:233 [inline]<br /> slab_free_hook mm/slub.c:2381 [inline]<br /> slab_free mm/slub.c:4648 [inline]<br /> kfree+0x18e/0x440 mm/slub.c:4847<br /> mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]<br /> mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257<br /> __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444<br /> hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290<br /> hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]<br /> hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526<br /> sock_do_ioctl+0xd9/0x300 net/socket.c:1192<br /> sock_ioctl+0x576/0x790 net/socket.c:1313<br /> vfs_ioctl fs/ioctl.c:51 [inline]<br /> __do_sys_ioctl fs/ioctl.c:907 [inline]<br /> __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893<br /> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]<br /> do_syscall_64+0xf<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i40e: add validation for ring_len param<br /> <br /> The `ring_len` parameter provided by the virtual function (VF)<br /> is assigned directly to the hardware memory context (HMC) without<br /> any validation.<br /> <br /> To address this, introduce an upper boundary check for both Tx and Rx<br /> queue lengths. The maximum number of descriptors supported by the<br /> hardware is 8k-32.<br /> Additionally, enforce alignment constraints: Tx rings must be a multiple<br /> of 8, and Rx rings must be a multiple of 32.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()<br /> <br /> When config osnoise cpus by write() syscall, the following KASAN splat may<br /> be observed:<br /> <br /> BUG: KASAN: slab-out-of-bounds in _parse_integer_limit+0x103/0x130<br /> Read of size 1 at addr ffff88810121e3a1 by task test/447<br /> CPU: 1 UID: 0 PID: 447 Comm: test Not tainted 6.17.0-rc6-dirty #288 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x55/0x70<br /> print_report+0xcb/0x610<br /> kasan_report+0xb8/0xf0<br /> _parse_integer_limit+0x103/0x130<br /> bitmap_parselist+0x16d/0x6f0<br /> osnoise_cpus_write+0x116/0x2d0<br /> vfs_write+0x21e/0xcc0<br /> ksys_write+0xee/0x1c0<br /> do_syscall_64+0xa8/0x2a0<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> This issue can be reproduced by below code:<br /> <br /> const char *cpulist = "1";<br /> int fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY);<br /> write(fd, cpulist, strlen(cpulist));<br /> <br /> Function bitmap_parselist() was called to parse cpulist, it require that<br /> the parameter &amp;#39;buf&amp;#39; must be terminated with a &amp;#39;\0&amp;#39; or &amp;#39;\n&amp;#39;. Fix this issue<br /> by adding a &amp;#39;\0&amp;#39; to &amp;#39;buf&amp;#39; in osnoise_cpus_write().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> smb: client: fix wrong index reference in smb2_compound_op()<br /> <br /> In smb2_compound_op(), the loop that processes each command&amp;#39;s response<br /> uses wrong indices when accessing response bufferes.<br /> <br /> This incorrect indexing leads to improper handling of command results.<br /> Also, if incorrectly computed index is greather than or equal to<br /> MAX_COMPOUND, it can cause out-of-bounds accesses.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> futex: Use correct exit on failure from futex_hash_allocate_default()<br /> <br /> copy_process() uses the wrong error exit path from futex_hash_allocate_default().<br /> After exiting from futex_hash_allocate_default(), neither tasklist_lock<br /> nor siglock has been acquired. The exit label bad_fork_core_free unlocks<br /> both of these locks which is wrong.<br /> <br /> The next exit label, bad_fork_cancel_cgroup, is the correct exit.<br /> sched_cgroup_fork() did not allocate any resources that need to freed.<br /> <br /> Use bad_fork_cancel_cgroup on error exit from futex_hash_allocate_default().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> futex: Prevent use-after-free during requeue-PI<br /> <br /> syzbot managed to trigger the following race:<br /> <br /> T1 T2<br /> <br /> futex_wait_requeue_pi()<br /> futex_do_wait()<br /> schedule()<br /> futex_requeue()<br /> futex_proxy_trylock_atomic()<br /> futex_requeue_pi_prepare()<br /> requeue_pi_wake_futex()<br /> futex_requeue_pi_complete()<br /> /* preempt */<br /> <br /> * timeout/ signal wakes T1 *<br /> <br /> futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED<br /> futex_hash_put()<br /> // back to userland, on stack futex_q is garbage<br /> <br /> /* back */<br /> wake_up_state(q-&gt;task, TASK_NORMAL);<br /> <br /> In this scenario futex_wait_requeue_pi() is able to leave without using<br /> futex_q::lock_ptr for synchronization.<br /> <br /> This can be prevented by reading futex_q::task before updating the<br /> futex_q::requeue_state. A reference on the task_struct is not needed<br /> because requeue_pi_wake_futex() is invoked with a spinlock_t held which<br /> implies a RCU read section.<br /> <br /> Even if T1 terminates immediately after, the task_struct will remain valid<br /> during T2&amp;#39;s wake_up_state(). A READ_ONCE on futex_q::task before<br /> futex_requeue_pi_complete() is enough because it ensures that the variable<br /> is read before the state is updated.<br /> <br /> Read futex_q::task before updating the requeue state, use it for the<br /> following wakeup.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()<br /> <br /> This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node"<br /> and then dereferences it on the next line. Two lines later, we take<br /> a mutex so I don&amp;#39;t think this is an RCU safe region. Re-order it to do<br /> the dereferences before queuing up the free.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/mlx5: fs, fix UAF in flow counter release<br /> <br /> Fix a kernel trace [1] caused by releasing an HWS action of a local flow<br /> counter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and<br /> mutex were not initialized and the counter struct could already be freed<br /> when deleting the rule.<br /> <br /> Fix it by adding the missing initializations and adding refcount for the<br /> local flow counter struct.<br /> <br /> [1] Kernel log:<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x34/0x48<br /> mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]<br /> mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]<br /> mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]<br /> mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]<br /> del_hw_fte+0x1ce/0x260 [mlx5_core]<br /> mlx5_del_flow_rules+0x12d/0x240 [mlx5_core]<br /> ? ttwu_queue_wakelist+0xf4/0x110<br /> mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]<br /> uverbs_free_flow+0x20/0x50 [ib_uverbs]<br /> destroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]<br /> uverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]<br /> uobj_destroy+0x3c/0x80 [ib_uverbs]<br /> ib_uverbs_run_method+0x23e/0x360 [ib_uverbs]<br /> ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]<br /> ib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]<br /> ? do_tty_write+0x1a9/0x270<br /> ? file_tty_write.constprop.0+0x98/0xc0<br /> ? new_sync_write+0xfc/0x190<br /> ib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]<br /> __x64_sys_ioctl+0x87/0xc0<br /> do_syscall_64+0x59/0x90

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nexthop: Forbid FDB status change while nexthop is in a group<br /> <br /> The kernel forbids the creation of non-FDB nexthop groups with FDB<br /> nexthops:<br /> <br /> # ip nexthop add id 1 via 192.0.2.1 fdb<br /> # ip nexthop add id 2 group 1<br /> Error: Non FDB nexthop group cannot have fdb nexthops.<br /> <br /> And vice versa:<br /> <br /> # ip nexthop add id 3 via 192.0.2.2 dev dummy1<br /> # ip nexthop add id 4 group 3 fdb<br /> Error: FDB nexthop group can only have fdb nexthops.<br /> <br /> However, as long as no routes are pointing to a non-FDB nexthop group,<br /> the kernel allows changing the type of a nexthop from FDB to non-FDB and<br /> vice versa:<br /> <br /> # ip nexthop add id 5 via 192.0.2.2 dev dummy1<br /> # ip nexthop add id 6 group 5<br /> # ip nexthop replace id 5 via 192.0.2.2 fdb<br /> # echo $?<br /> 0<br /> <br /> This configuration is invalid and can result in a NPD [1] since FDB<br /> nexthops are not associated with a nexthop device:<br /> <br /> # ip route add 198.51.100.1/32 nhid 6<br /> # ping 198.51.100.1<br /> <br /> Fix by preventing nexthop FDB status change while the nexthop is in a<br /> group:<br /> <br /> # ip nexthop add id 7 via 192.0.2.2 dev dummy1<br /> # ip nexthop add id 8 group 7<br /> # ip nexthop replace id 7 via 192.0.2.2 fdb<br /> Error: Cannot change nexthop FDB status while in a group.<br /> <br /> [1]<br /> BUG: kernel NULL pointer dereference, address: 00000000000003c0<br /> [...]<br /> Oops: Oops: 0000 [#1] SMP<br /> CPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014<br /> RIP: 0010:fib_lookup_good_nhc+0x1e/0x80<br /> [...]<br /> Call Trace:<br /> <br /> fib_table_lookup+0x541/0x650<br /> ip_route_output_key_hash_rcu+0x2ea/0x970<br /> ip_route_output_key_hash+0x55/0x80<br /> __ip4_datagram_connect+0x250/0x330<br /> udp_connect+0x2b/0x60<br /> __sys_connect+0x9c/0xd0<br /> __x64_sys_connect+0x18/0x20<br /> do_syscall_64+0xa4/0x2a0<br /> entry_SYSCALL_64_after_hwframe+0x4b/0x53

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommufd: Fix race during abort for file descriptors<br /> <br /> fput() doesn&amp;#39;t actually call file_operations release() synchronously, it<br /> puts the file on a work queue and it will be released eventually.<br /> <br /> This is normally fine, except for iommufd the file and the iommufd_object<br /> are tied to gether. The file has the object as it&amp;#39;s private_data and holds<br /> a users refcount, while the object is expected to remain alive as long as<br /> the file is.<br /> <br /> When the allocation of a new object aborts before installing the file it<br /> will fput() the file and then go on to immediately kfree() the obj. This<br /> causes a UAF once the workqueue completes the fput() and tries to<br /> decrement the users refcount.<br /> <br /> Fix this by putting the core code in charge of the file lifetime, and call<br /> __fput_sync() during abort to ensure that release() is called before<br /> kfree. __fput_sync() is a bit too tricky to open code in all the object<br /> implementations. Instead the objects tell the core code where the file<br /> pointer is and the core will take care of the life cycle.<br /> <br /> If the object is successfully allocated then the file will hold a users<br /> refcount and the iommufd_object cannot be destroyed.<br /> <br /> It is worth noting that close(); ioctl(IOMMU_DESTROY); doesn&amp;#39;t have an<br /> issue because close() is already using a synchronous version of fput().<br /> <br /> The UAF looks like this:<br /> <br /> BUG: KASAN: slab-use-after-free in iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376<br /> Write of size 4 at addr ffff888059c97804 by task syz.0.46/6164<br /> <br /> CPU: 0 UID: 0 PID: 6164 Comm: syz.0.46 Not tainted syzkaller #0 PREEMPT(full)<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:94 [inline]<br /> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120<br /> print_address_description mm/kasan/report.c:378 [inline]<br /> print_report+0xcd/0x630 mm/kasan/report.c:482<br /> kasan_report+0xe0/0x110 mm/kasan/report.c:595<br /> check_region_inline mm/kasan/generic.c:183 [inline]<br /> kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189<br /> instrument_atomic_read_write include/linux/instrumented.h:96 [inline]<br /> atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:400 [inline]<br /> __refcount_dec include/linux/refcount.h:455 [inline]<br /> refcount_dec include/linux/refcount.h:476 [inline]<br /> iommufd_eventq_fops_release+0x45/0xc0 drivers/iommu/iommufd/eventq.c:376<br /> __fput+0x402/0xb70 fs/file_table.c:468<br /> task_work_run+0x14d/0x240 kernel/task_work.c:227<br /> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]<br /> exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:43<br /> exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]<br /> syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]<br /> syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]<br /> do_syscall_64+0x41c/0x4c0 arch/x86/entry/syscall_64.c:100<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbcon: fix integer overflow in fbcon_do_set_font<br /> <br /> Fix integer overflow vulnerabilities in fbcon_do_set_font() where font<br /> size calculations could overflow when handling user-controlled font<br /> parameters.<br /> <br /> The vulnerabilities occur when:<br /> 1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount<br /> multiplication with user-controlled values that can overflow.<br /> 2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow<br /> 3. This results in smaller allocations than expected, leading to buffer<br /> overflows during font data copying.<br /> <br /> Add explicit overflow checking using check_mul_overflow() and<br /> check_add_overflow() kernel helpers to safety validate all size<br /> calculations before allocation.