Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev<br /> <br /> Syzkaller reported the following issue:<br /> <br /> UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6<br /> index -84 is out of range for type &amp;#39;s8[341]&amp;#39; (aka &amp;#39;signed char[341]&amp;#39;)<br /> CPU: 1 PID: 4995 Comm: syz-executor146 Not tainted 6.4.0-rc6-syzkaller-00037-gb6dad5178cea #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106<br /> ubsan_epilogue lib/ubsan.c:217 [inline]<br /> __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348<br /> dbAllocDmapLev+0x3e5/0x430 fs/jfs/jfs_dmap.c:1965<br /> dbAllocCtl+0x113/0x920 fs/jfs/jfs_dmap.c:1809<br /> dbAllocAG+0x28f/0x10b0 fs/jfs/jfs_dmap.c:1350<br /> dbAlloc+0x658/0xca0 fs/jfs/jfs_dmap.c:874<br /> dtSplitUp fs/jfs/jfs_dtree.c:974 [inline]<br /> dtInsert+0xda7/0x6b00 fs/jfs/jfs_dtree.c:863<br /> jfs_create+0x7b6/0xbb0 fs/jfs/namei.c:137<br /> lookup_open fs/namei.c:3492 [inline]<br /> open_last_lookups fs/namei.c:3560 [inline]<br /> path_openat+0x13df/0x3170 fs/namei.c:3788<br /> do_filp_open+0x234/0x490 fs/namei.c:3818<br /> do_sys_openat2+0x13f/0x500 fs/open.c:1356<br /> do_sys_open fs/open.c:1372 [inline]<br /> __do_sys_openat fs/open.c:1388 [inline]<br /> __se_sys_openat fs/open.c:1383 [inline]<br /> __x64_sys_openat+0x247/0x290 fs/open.c:1383<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> RIP: 0033:0x7f1f4e33f7e9<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007ffc21129578 EFLAGS: 00000246 ORIG_RAX: 0000000000000101<br /> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f4e33f7e9<br /> RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c<br /> RBP: 00007f1f4e2ff080 R08: 0000000000000000 R09: 0000000000000000<br /> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f4e2ff110<br /> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000<br /> <br /> <br /> The bug occurs when the dbAllocDmapLev()function attempts to access<br /> dp-&gt;tree.stree[leafidx + LEAFIND] while the leafidx value is negative.<br /> <br /> To rectify this, the patch introduces a safeguard within the<br /> dbAllocDmapLev() function. A check has been added to verify if leafidx is<br /> negative. If it is, the function immediately returns an I/O error, preventing<br /> any further execution that could potentially cause harm.<br /> <br /> Tested via syzbot.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ACPI: processor: Check for null return of devm_kzalloc() in fch_misc_setup()<br /> <br /> devm_kzalloc() may fail, clk_data-&gt;name might be NULL and will<br /> cause a NULL pointer dereference later.<br /> <br /> [ rjw: Subject and changelog edits ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iommu: Fix error unwind in iommu_group_alloc()<br /> <br /> If either iommu_group_grate_file() fails then the<br /> iommu_group is leaked.<br /> <br /> Destroy it on these error paths.<br /> <br /> Found by kselftest/iommu/iommufd_fail_nth

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed<br /> <br /> Following process will trigger an infinite loop in ubi_wl_put_peb():<br /> <br /> ubifs_bgt ubi_bgt<br /> ubifs_leb_unmap<br /> ubi_leb_unmap<br /> ubi_eba_unmap_leb<br /> ubi_wl_put_peb wear_leveling_worker<br /> e1 = rb_entry(rb_first(&amp;ubi-&gt;used)<br /> e2 = get_peb_for_wl(ubi)<br /> ubi_io_read_vid_hdr // return err (flash fault)<br /> out_error:<br /> ubi-&gt;move_from = ubi-&gt;move_to = NULL<br /> wl_entry_destroy(ubi, e1)<br /> ubi-&gt;lookuptbl[e-&gt;pnum] = NULL<br /> retry:<br /> e = ubi-&gt;lookuptbl[pnum]; // return NULL<br /> if (e == ubi-&gt;move_from) { // NULL == NULL gets true<br /> goto retry; // infinite loop !!!<br /> <br /> $ top<br /> PID USER PR NI VIRT RES SHR S %CPU %MEM COMMAND<br /> 7676 root 20 0 0 0 0 R 100.0 0.0 ubifs_bgt0_0<br /> <br /> Fix it by:<br /> 1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has<br /> been removed from &amp;#39;ubi-&gt;lookuptbl&amp;#39;.<br /> 2) Using &amp;#39;ubi-&gt;wl_lock&amp;#39; protecting wl entry deletion to preventing an<br /> use-after-free problem for wl entry in ubi_wl_put_peb().<br /> <br /> Fetch a reproducer in [Link].

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()<br /> <br /> KASAN and KFENCE detected an user-after-free in the CXL driver. This<br /> happens in the cxl_decoder_add() fail path. KASAN prints the following<br /> error:<br /> <br /> BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)<br /> <br /> This happens in cxl_parse_cfmws(), where put_device() is called,<br /> releasing cxld, which is accessed later.<br /> <br /> Use the local variables in the dev_err() instead of pointing to the<br /> released memory. Since the dev_err() is printing a resource, change the open<br /> coded print format to use the %pr format specifier.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tracing/synthetic: Fix races on freeing last_cmd<br /> <br /> Currently, the "last_cmd" variable can be accessed by multiple processes<br /> asynchronously when multiple users manipulate synthetic_events node<br /> at the same time, it could lead to use-after-free or double-free.<br /> <br /> This patch add "lastcmd_mutex" to prevent "last_cmd" from being accessed<br /> asynchronously.<br /> <br /> ================================================================<br /> <br /> It&amp;#39;s easy to reproduce in the KASAN environment by running the two<br /> scripts below in different shells.<br /> <br /> script 1:<br /> while :<br /> do<br /> echo -n -e &amp;#39;\x88&amp;#39; &gt; /sys/kernel/tracing/synthetic_events<br /> done<br /> <br /> script 2:<br /> while :<br /> do<br /> echo -n -e &amp;#39;\xb0&amp;#39; &gt; /sys/kernel/tracing/synthetic_events<br /> done<br /> <br /> ================================================================<br /> double-free scenario:<br /> <br /> process A process B<br /> ------------------- ---------------<br /> 1.kstrdup last_cmd<br /> 2.free last_cmd<br /> 3.free last_cmd(double-free)<br /> <br /> ================================================================<br /> use-after-free scenario:<br /> <br /> process A process B<br /> ------------------- ---------------<br /> 1.kstrdup last_cmd<br /> 2.free last_cmd<br /> 3.tracing_log_err(use-after-free)<br /> <br /> ================================================================<br /> <br /> Appendix 1. KASAN report double-free:<br /> <br /> BUG: KASAN: double-free in kfree+0xdc/0x1d4<br /> Free of addr ***** by task sh/4879<br /> Call trace:<br /> ...<br /> kfree+0xdc/0x1d4<br /> create_or_delete_synth_event+0x60/0x1e8<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> Allocated by task 4879:<br /> ...<br /> kstrdup+0x5c/0x98<br /> create_or_delete_synth_event+0x6c/0x1e8<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> Freed by task 5464:<br /> ...<br /> kfree+0xdc/0x1d4<br /> create_or_delete_synth_event+0x60/0x1e8<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> ================================================================<br /> Appendix 2. KASAN report use-after-free:<br /> <br /> BUG: KASAN: use-after-free in strlen+0x5c/0x7c<br /> Read of size 1 at addr ***** by task sh/5483<br /> sh: CPU: 7 PID: 5483 Comm: sh<br /> ...<br /> __asan_report_load1_noabort+0x34/0x44<br /> strlen+0x5c/0x7c<br /> tracing_log_err+0x60/0x444<br /> create_or_delete_synth_event+0xc4/0x204<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> Allocated by task 5483:<br /> ...<br /> kstrdup+0x5c/0x98<br /> create_or_delete_synth_event+0x80/0x204<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...<br /> <br /> Freed by task 5480:<br /> ...<br /> kfree+0xdc/0x1d4<br /> create_or_delete_synth_event+0x74/0x204<br /> trace_parse_run_command+0x2bc/0x4b8<br /> synth_events_write+0x20/0x30<br /> vfs_write+0x200/0x830<br /> ...

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: Add lwtunnel encap size of all siblings in nexthop calculation<br /> <br /> In function rt6_nlmsg_size(), the length of nexthop is calculated<br /> by multipling the nexthop length of fib6_info and the number of<br /> siblings. However if the fib6_info has no lwtunnel but the siblings<br /> have lwtunnels, the nexthop length is less than it should be, and<br /> it will trigger a warning in inet6_rt_notify() as follows:<br /> <br /> WARNING: CPU: 0 PID: 6082 at net/ipv6/route.c:6180 inet6_rt_notify+0x120/0x130<br /> ......<br /> Call Trace:<br /> <br /> fib6_add_rt2node+0x685/0xa30<br /> fib6_add+0x96/0x1b0<br /> ip6_route_add+0x50/0xd0<br /> inet6_rtm_newroute+0x97/0xa0<br /> rtnetlink_rcv_msg+0x156/0x3d0<br /> netlink_rcv_skb+0x5a/0x110<br /> netlink_unicast+0x246/0x350<br /> netlink_sendmsg+0x250/0x4c0<br /> sock_sendmsg+0x66/0x70<br /> ___sys_sendmsg+0x7c/0xd0<br /> __sys_sendmsg+0x5d/0xb0<br /> do_syscall_64+0x3f/0x90<br /> entry_SYSCALL_64_after_hwframe+0x72/0xdc<br /> <br /> This bug can be reproduced by script:<br /> <br /> ip -6 addr add 2002::2/64 dev ens2<br /> ip -6 route add 100::/64 via 2002::1 dev ens2 metric 100<br /> <br /> for i in 10 20 30 40 50 60 70;<br /> do<br /> ip link add link ens2 name ipv_$i type ipvlan<br /> ip -6 addr add 2002::$i/64 dev ipv_$i<br /> ifconfig ipv_$i up<br /> done<br /> <br /> for i in 10 20 30 40 50 60;<br /> do<br /> ip -6 route append 100::/64 encap ip6 dst 2002::$i via 2002::1<br /> dev ipv_$i metric 100<br /> done<br /> <br /> ip -6 route append 100::/64 via 2002::1 dev ipv_70 metric 100<br /> <br /> This patch fixes it by adding nexthop_len of every siblings using<br /> rt6_nh_nlmsg_size().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> kobject: Add sanity check for kset-&gt;kobj.ktype in kset_register()<br /> <br /> When I register a kset in the following way:<br /> static struct kset my_kset;<br /> kobject_set_name(&amp;my_kset.kobj, "my_kset");<br /> ret = kset_register(&amp;my_kset);<br /> <br /> A null pointer dereference exception is occurred:<br /> [ 4453.568337] Unable to handle kernel NULL pointer dereference at \<br /> virtual address 0000000000000028<br /> ... ...<br /> [ 4453.810361] Call trace:<br /> [ 4453.813062] kobject_get_ownership+0xc/0x34<br /> [ 4453.817493] kobject_add_internal+0x98/0x274<br /> [ 4453.822005] kset_register+0x5c/0xb4<br /> [ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]<br /> ... ...<br /> <br /> Because I didn&amp;#39;t initialize my_kset.kobj.ktype.<br /> <br /> According to the description in Documentation/core-api/kobject.rst:<br /> - A ktype is the type of object that embeds a kobject. Every structure<br /> that embeds a kobject needs a corresponding ktype.<br /> <br /> So add sanity check to make sure kset-&gt;kobj.ktype is not NULL.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ionic: catch failure from devlink_alloc<br /> <br /> Add a check for NULL on the alloc return. If devlink_alloc() fails and<br /> we try to use devlink_priv() on the NULL return, the kernel gets very<br /> unhappy and panics. With this fix, the driver load will still fail,<br /> but at least it won&amp;#39;t panic the kernel.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iw_cxgb4: Fix potential NULL dereference in c4iw_fill_res_cm_id_entry()<br /> <br /> This condition needs to match the previous "if (epcp-&gt;state == LISTEN) {"<br /> exactly to avoid a NULL dereference of either "listen_ep" or "ep". The<br /> problem is that "epcp" has been re-assigned so just testing<br /> "if (epcp-&gt;state == LISTEN) {" a second time is not sufficient.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci: tegra: fix sleep in atomic call<br /> <br /> When we set the dual-role port to Host mode, we observed the following<br /> splat:<br /> [ 167.057718] BUG: sleeping function called from invalid context at<br /> include/linux/sched/mm.h:229<br /> [ 167.057872] Workqueue: events tegra_xusb_usb_phy_work<br /> [ 167.057954] Call trace:<br /> [ 167.057962] dump_backtrace+0x0/0x210<br /> [ 167.057996] show_stack+0x30/0x50<br /> [ 167.058020] dump_stack_lvl+0x64/0x84<br /> [ 167.058065] dump_stack+0x14/0x34<br /> [ 167.058100] __might_resched+0x144/0x180<br /> [ 167.058140] __might_sleep+0x64/0xd0<br /> [ 167.058171] slab_pre_alloc_hook.constprop.0+0xa8/0x110<br /> [ 167.058202] __kmalloc_track_caller+0x74/0x2b0<br /> [ 167.058233] kvasprintf+0xa4/0x190<br /> [ 167.058261] kasprintf+0x58/0x90<br /> [ 167.058285] tegra_xusb_find_port_node.isra.0+0x58/0xd0<br /> [ 167.058334] tegra_xusb_find_port+0x38/0xa0<br /> [ 167.058380] tegra_xusb_padctl_get_usb3_companion+0x38/0xd0<br /> [ 167.058430] tegra_xhci_id_notify+0x8c/0x1e0<br /> [ 167.058473] notifier_call_chain+0x88/0x100<br /> [ 167.058506] atomic_notifier_call_chain+0x44/0x70<br /> [ 167.058537] tegra_xusb_usb_phy_work+0x60/0xd0<br /> [ 167.058581] process_one_work+0x1dc/0x4c0<br /> [ 167.058618] worker_thread+0x54/0x410<br /> [ 167.058650] kthread+0x188/0x1b0<br /> [ 167.058672] ret_from_fork+0x10/0x20<br /> <br /> The function tegra_xusb_padctl_get_usb3_companion eventually calls<br /> tegra_xusb_find_port and this in turn calls kasprintf which might sleep<br /> and so cannot be called from an atomic context.<br /> <br /> Fix this by moving the call to tegra_xusb_padctl_get_usb3_companion to<br /> the tegra_xhci_id_work function where it is really needed.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/MCE/AMD: Use an u64 for bank_map<br /> <br /> Thee maximum number of MCA banks is 64 (MAX_NR_BANKS), see<br /> <br /> a0bc32b3cacf ("x86/mce: Increase maximum number of banks to 64").<br /> <br /> However, the bank_map which contains a bitfield of which banks to<br /> initialize is of type unsigned int and that overflows when those bit<br /> numbers are &gt;= 32, leading to UBSAN complaining correctly:<br /> <br /> UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38<br /> shift exponent 32 is too large for 32-bit type &amp;#39;int&amp;#39;<br /> <br /> Change the bank_map to a u64 and use the proper BIT_ULL() macro when<br /> modifying bits in there.<br /> <br /> [ bp: Rewrite commit message. ]