Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: reserve enough transaction items for qgroup ioctls<br /> <br /> Currently our qgroup ioctls don&amp;#39;t reserve any space, they just do a<br /> transaction join, which does not reserve any space, neither for the quota<br /> tree updates nor for the delayed refs generated when updating the quota<br /> tree. The quota root uses the global block reserve, which is fine most of<br /> the time since we don&amp;#39;t expect a lot of updates to the quota root, or to<br /> be too close to -ENOSPC such that other critical metadata updates need to<br /> resort to the global reserve.<br /> <br /> However this is not optimal, as not reserving proper space may result in a<br /> transaction abort due to not reserving space for delayed refs and then<br /> abusing the use of the global block reserve.<br /> <br /> For example, the following reproducer (which is unlikely to model any<br /> real world use case, but just to illustrate the problem), triggers such a<br /> transaction abort due to -ENOSPC when running delayed refs:<br /> <br /> $ cat test.sh<br /> #!/bin/bash<br /> <br /> DEV=/dev/nullb0<br /> MNT=/mnt/nullb0<br /> <br /> umount $DEV &amp;&gt; /dev/null<br /> # Limit device to 1G so that it&amp;#39;s much faster to reproduce the issue.<br /> mkfs.btrfs -f -b 1G $DEV<br /> mount -o commit=600 $DEV $MNT<br /> <br /> fallocate -l 800M $MNT/filler<br /> btrfs quota enable $MNT<br /> <br /> for ((i = 1; i

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ipv6: prevent possible UaF in addrconf_permanent_addr()<br /> <br /> The mentioned helper try to warn the user about an exceptional<br /> condition, but the message is delivered too late, accessing the ipv6<br /> after its possible deletion.<br /> <br /> Reorder the statement to avoid the possible UaF; while at it, place the<br /> warning outside the idev-&gt;lock as it needs no protection.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> comedi: Reinit dev-&gt;spinlock between attachments to low-level drivers<br /> <br /> `struct comedi_device` is the main controlling structure for a COMEDI<br /> device created by the COMEDI subsystem. It contains a member `spinlock`<br /> containing a spin-lock that is initialized by the COMEDI subsystem, but<br /> is reserved for use by a low-level driver attached to the COMEDI device<br /> (at least since commit 25436dc9d84f ("Staging: comedi: remove RT<br /> code")).<br /> <br /> Some COMEDI devices (those created on initialization of the COMEDI<br /> subsystem when the "comedi.comedi_num_legacy_minors" parameter is<br /> non-zero) can be attached to different low-level drivers over their<br /> lifetime using the `COMEDI_DEVCONFIG` ioctl command. This can result in<br /> inconsistent lock states being reported when there is a mismatch in the<br /> spin-lock locking levels used by each low-level driver to which the<br /> COMEDI device has been attached. Fix it by reinitializing<br /> `dev-&gt;spinlock` before calling the low-level driver&amp;#39;s `attach` function<br /> pointer if `CONFIG_LOCKDEP` is enabled.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thermal: core: Fix thermal zone device registration error path<br /> <br /> If thermal_zone_device_register_with_trips() fails after registering<br /> a thermal zone device, it needs to wait for the tz-&gt;removal completion<br /> like thermal_zone_device_unregister(), in case user space has managed<br /> to take a reference to the thermal zone device&amp;#39;s kobject, in which case<br /> thermal_release() may not be called by the error path itself and tz may<br /> be freed prematurely.<br /> <br /> Add the missing wait_for_completion() call to the thermal zone device<br /> registration error path.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/kexec: Disable KCOV instrumentation after load_segments()<br /> <br /> The load_segments() function changes segment registers, invalidating GS base<br /> (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any<br /> subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins<br /> crashing the kernel in an endless loop.<br /> <br /> To reproduce the problem, it&amp;#39;s sufficient to do kexec on a KCOV-instrumented<br /> kernel:<br /> <br /> $ kexec -l /boot/otherKernel<br /> $ kexec -e<br /> <br /> The real-world context for this problem is enabling crash dump collection in<br /> syzkaller. For this, the tool loads a panic kernel before fuzzing and then<br /> calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC<br /> and CONFIG_KCOV to be enabled simultaneously.<br /> <br /> Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc())<br /> is also undesirable as it would introduce an extra performance overhead.<br /> <br /> Disabling instrumentation for the individual functions would be too fragile,<br /> so disable KCOV instrumentation for the entire machine_kexec_64.c and<br /> physaddr.c. If coverage-guided fuzzing ever needs these components in the<br /> future, other approaches should be considered.<br /> <br /> The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported<br /> there.<br /> <br /> [ bp: Space out comment for better readability. ]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: caam - fix overflow on long hmac keys<br /> <br /> When a key longer than block size is supplied, it is copied and then<br /> hashed into the real key. The memory allocated for the copy needs to<br /> be rounded to DMA cache alignment, as otherwise the hashed key may<br /> corrupt neighbouring memory.<br /> <br /> The copying is performed using kmemdup, however this leads to an overflow:<br /> reading more bytes (aligned_len - keylen) from the keylen source buffer.<br /> Fix this by replacing kmemdup with kmalloc, followed by memcpy.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: flowtable: strictly check for maximum number of actions<br /> <br /> The maximum number of flowtable hardware offload actions in IPv6 is:<br /> <br /> * ethernet mangling (4 payload actions, 2 for each ethernet address)<br /> * SNAT (4 payload actions)<br /> * DNAT (4 payload actions)<br /> * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing)<br /> for QinQ.<br /> * Redirect (1 action)<br /> <br /> Which makes 17, while the maximum is 16. But act_ct supports for tunnels<br /> actions too. Note that payload action operates at 32-bit word level, so<br /> mangling an IPv6 address takes 4 payload actions.<br /> <br /> Update flow_action_entry_next() calls to check for the maximum number of<br /> supported actions.<br /> <br /> While at it, rise the maximum number of actions per flow from 16 to 24<br /> so this works fine with IPv6 setups.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path<br /> <br /> When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls<br /> kobject_put(&amp;dbs_data-&gt;attr_set.kobj).<br /> <br /> The kobject release callback cpufreq_dbs_data_release() calls<br /> gov-&gt;exit(dbs_data) and kfree(dbs_data), but the current error path<br /> then calls gov-&gt;exit(dbs_data) and kfree(dbs_data) again, causing a<br /> double free.<br /> <br /> Keep the direct kfree(dbs_data) for the gov-&gt;init() failure path, but<br /> after kobject_init_and_add() has been called, let kobject_put() handle<br /> the cleanup through cpufreq_dbs_data_release().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> sched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback<br /> <br /> SCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using<br /> smp_cond_load_acquire() until the target CPU&amp;#39;s kick_sync advances. Because<br /> the irq_work runs in hardirq context, the waiting CPU cannot reschedule and<br /> its own kick_sync never advances. If multiple CPUs form a wait cycle, all<br /> CPUs deadlock.<br /> <br /> Replace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to<br /> force the CPU through do_pick_task_scx(), which queues a balance callback<br /> to perform the wait. The balance callback drops the rq lock and enables<br /> IRQs following the sched_core_balance() pattern, so the CPU can process<br /> IPIs while waiting. The local CPU&amp;#39;s kick_sync is advanced on entry to<br /> do_pick_task_scx() and continuously during the wait, ensuring any CPU that<br /> starts waiting for us sees the advancement and cannot form cyclic<br /> dependencies.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: dummy-hcd: Fix locking/synchronization error<br /> <br /> Syzbot testing was able to provoke an addressing exception and crash<br /> in the usb_gadget_udc_reset() routine in<br /> drivers/usb/gadgets/udc/core.c, resulting from the fact that the<br /> routine was called with a second ("driver") argument of NULL. The bad<br /> caller was set_link_state() in dummy_hcd.c, and the problem arose<br /> because of a race between a USB reset and driver unbind.<br /> <br /> These sorts of races were not supposed to be possible; commit<br /> 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"),<br /> along with a few followup commits, was written specifically to prevent<br /> them. As it turns out, there are (at least) two errors remaining in<br /> the code. Another patch will address the second error; this one is<br /> concerned with the first.<br /> <br /> The error responsible for the syzbot crash occurred because the<br /> stop_activity() routine will sometimes drop and then re-acquire the<br /> dum-&gt;lock spinlock. A call to stop_activity() occurs in<br /> set_link_state() when handling an emulated USB reset, after the test<br /> of dum-&gt;ints_enabled and before the increment of dum-&gt;callback_usage.<br /> This allowed another thread (doing a driver unbind) to sneak in and<br /> grab the spinlock, and then clear dum-&gt;ints_enabled and dum-&gt;driver.<br /> Normally this other thread would have to wait for dum-&gt;callback_usage<br /> to go down to 0 before it would clear dum-&gt;driver, but in this case it<br /> didn&amp;#39;t have to wait since dum-&gt;callback_usage had not yet been<br /> incremented.<br /> <br /> The fix is to increment dum-&gt;callback_usage _before_ calling<br /> stop_activity() instead of after. Then the thread doing the unbind<br /> will not clear dum-&gt;driver until after the call to<br /> usb_gadget_udc_reset() safely returns and dum-&gt;callback_usage has been<br /> decremented again.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> USB: dummy-hcd: Fix interrupt synchronization error<br /> <br /> This fixes an error in synchronization in the dummy-hcd driver. The<br /> error has a somewhat involved history. The synchronization mechanism<br /> was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous<br /> synchronization change"), which added an emulated "interrupts enabled"<br /> flag together with code emulating synchronize_irq() (it waits until<br /> all current handler callbacks have returned).<br /> <br /> But the emulated interrupt-disable occurred too late, after the driver<br /> containing the handler callback routines had been told that it was<br /> unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb:<br /> gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by<br /> moving the synchronize_irq() emulation code from dummy_stop() to<br /> dummy_pullup(), which runs before the unbind callback.<br /> <br /> There still were races, though, because the emulated interrupt-disable<br /> still occurred too late. It couldn&amp;#39;t be moved to dummy_pullup(),<br /> because that routine can be called for reasons other than an impending<br /> unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add<br /> udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement<br /> udc_async_callbacks in dummy-hcd") added an API allowing the UDC core<br /> to tell dummy-hcd exactly when emulated interrupts and their callbacks<br /> should be disabled.<br /> <br /> That brings us to the current state of things, which is still wrong<br /> because the emulated synchronize_irq() occurs before the emulated<br /> interrupt-disable! That&amp;#39;s no good, beause it means that more emulated<br /> interrupts can occur after the synchronize_irq() emulation has run,<br /> leading to the possibility that a callback handler may be running when<br /> the gadget driver is unbound.<br /> <br /> To fix this, we have to move the synchronize_irq() emulation code yet<br /> again, to the dummy_udc_async_callbacks() routine, which takes care of<br /> enabling and disabling emulated interrupt requests. The<br /> synchronization will now run immediately after emulated interrupts are<br /> disabled, which is where it belongs.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: iwlwifi: mvm: don&amp;#39;t send a 6E related command when not supported<br /> <br /> MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the<br /> device doesn&amp;#39;t support 6E.<br /> Apparently, the firmware is mistakenly advertising support for this<br /> command even on AX201 which does not support 6E and then the firmware<br /> crashes.