Vulnerabilidades

*** Pendiente de traducción *** A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.

*** Pendiente de traducción *** A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.

*** Pendiente de traducción *** A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/port: Fix use after free of parent_port in cxl_detach_ep()<br /> <br /> cxl_detach_ep() is called during bottom-up removal when all CXL memory<br /> devices beneath a switch port have been removed. For each port in the<br /> hierarchy it locks both the port and its parent, removes the endpoint,<br /> and if the port is now empty, marks it dead and unregisters the port<br /> by calling delete_switch_port(). There are two places during this work<br /> where the parent_port may be used after freeing:<br /> <br /> First, a concurrent detach may have already processed a port by the<br /> time a second worker finds it via bus_find_device(). Without pinning<br /> parent_port, it may already be freed when we discover port-&gt;dead and<br /> attempt to unlock the parent_port. In a production kernel that&amp;#39;s a<br /> silent memory corruption, with lock debug, it looks like this:<br /> <br /> []DEBUG_LOCKS_WARN_ON(__owner_task(owner) != get_current())<br /> []WARNING: kernel/locking/mutex.c:949 at __mutex_unlock_slowpath+0x1ee/0x310<br /> []Call Trace:<br /> []mutex_unlock+0xd/0x20<br /> []cxl_detach_ep+0x180/0x400 [cxl_core]<br /> []devm_action_release+0x10/0x20<br /> []devres_release_all+0xa8/0xe0<br /> []device_unbind_cleanup+0xd/0xa0<br /> []really_probe+0x1a6/0x3e0<br /> <br /> Second, delete_switch_port() releases three devm actions registered<br /> against parent_port. The last of those is unregister_port() and it<br /> calls device_unregister() on the child port, which can cascade. If<br /> parent_port is now also empty the device core may unregister and free<br /> it too. So by the time delete_switch_port() returns, parent_port may<br /> be free, and the subsequent device_unlock(&amp;parent_port-&gt;dev) operates<br /> on freed memory. The kernel log looks same as above, with a different<br /> offset in cxl_detach_ep().<br /> <br /> Both of these issues stem from the absence of a lifetime guarantee<br /> between a child port and its parent port.<br /> <br /> Establish a lifetime rule for ports: child ports hold a reference to<br /> their parent device until release. Take the reference when the port<br /> is allocated and drop it when released. This ensures the parent is<br /> valid for the full lifetime of the child and eliminates the use after<br /> free window in cxl_detach_ep().<br /> <br /> This is easily reproduced with a reload of cxl_acpi in QEMU with CXL<br /> devices present.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cxl/region: Fix leakage in __construct_region()<br /> <br /> Failing the first sysfs_update_group() needs to explicitly<br /> kfree the resource as it is too early for cxl_region_iomem_release()<br /> to do so.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> perf: Make sure to use pmu_ctx-&gt;pmu for groups<br /> <br /> Oliver reported that x86_pmu_del() ended up doing an out-of-bound memory access<br /> when group_sched_in() fails and needs to roll back.<br /> <br /> This *should* be handled by the transaction callbacks, but he found that when<br /> the group leader is a software event, the transaction handlers of the wrong PMU<br /> are used. Despite the move_group case in perf_event_open() and group_sched_in()<br /> using pmu_ctx-&gt;pmu.<br /> <br /> Turns out, inherit uses event-&gt;pmu to clone the events, effectively undoing the<br /> move_group case for all inherited contexts. Fix this by also making inherit use<br /> pmu_ctx-&gt;pmu, ensuring all inherited counters end up in the same pmu context.<br /> <br /> Similarly, __perf_event_read() should use equally use pmu_ctx-&gt;pmu for the<br /> group case.

*** Pendiente de traducción *** An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.

*** Pendiente de traducción *** A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> driver core: platform: use generic driver_override infrastructure<br /> <br /> When a driver is probed through __driver_attach(), the bus&amp;#39; match()<br /> callback is called without the device lock held, thus accessing the<br /> driver_override field without a lock, which can cause a UAF.<br /> <br /> Fix this by using the driver-core driver_override infrastructure taking<br /> care of proper locking internally.<br /> <br /> Note that calling match() from __driver_attach() without the device lock<br /> held is intentional. [1]

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix exception exit lock checking for subprogs<br /> <br /> process_bpf_exit_full() passes check_lock = !curframe to<br /> check_resource_leak(), which is false in cases when bpf_throw() is<br /> called from a static subprog. This makes check_resource_leak() to skip<br /> validation of active_rcu_locks, active_preempt_locks, and<br /> active_irq_id on exception exits from subprogs.<br /> <br /> At runtime bpf_throw() unwinds the stack via ORC without releasing any<br /> user-acquired locks, which may cause various issues as the result.<br /> <br /> Fix by setting check_lock = true for exception exits regardless of<br /> curframe, since exceptions bypass all intermediate frame<br /> cleanup. Update the error message prefix to "bpf_throw" for exception<br /> exits to distinguish them from normal BPF_EXIT.<br /> <br /> Fix reject_subprog_with_rcu_read_lock test which was previously<br /> passing for the wrong reason. Test program returned directly from the<br /> subprog call without closing the RCU section, so the error was<br /> triggered by the unclosed RCU lock on normal exit, not by<br /> bpf_throw. Update __msg annotations for affected tests to match the<br /> new "bpf_throw" error prefix.<br /> <br /> The spin_lock case is not affected because they are already checked [1]<br /> at the call site in do_check_insn() before bpf_throw can run.<br /> <br /> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/bpf/verifier.c?h=v7.0-rc4#n21098

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN<br /> <br /> The BPF interpreter&amp;#39;s signed 32-bit division and modulo handlers use<br /> the kernel abs() macro on s32 operands. The abs() macro documentation<br /> (include/linux/math.h) explicitly states the result is undefined when<br /> the input is the type minimum. When DST contains S32_MIN (0x80000000),<br /> abs((s32)DST) triggers undefined behavior and returns S32_MIN unchanged<br /> on arm64/x86. This value is then sign-extended to u64 as<br /> 0xFFFFFFFF80000000, causing do_div() to compute the wrong result.<br /> <br /> The verifier&amp;#39;s abstract interpretation (scalar32_min_max_sdiv) computes<br /> the mathematically correct result for range tracking, creating a<br /> verifier/interpreter mismatch that can be exploited for out-of-bounds<br /> map value access.<br /> <br /> Introduce abs_s32() which handles S32_MIN correctly by casting to u32<br /> before negating, avoiding signed overflow entirely. Replace all 8<br /> abs((s32)...) call sites in the interpreter&amp;#39;s sdiv32/smod32 handlers.<br /> <br /> s32 is the only affected case -- the s64 division/modulo handlers do<br /> not use abs().

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> HID: asus: avoid memory leak in asus_report_fixup()<br /> <br /> The asus_report_fixup() function was returning a newly allocated<br /> kmemdup()-allocated buffer, but never freeing it. Switch to<br /> devm_kzalloc() to ensure the memory is managed and freed automatically<br /> when the device is removed.<br /> <br /> The caller of report_fixup() does not take ownership of the returned<br /> pointer, but it is permitted to return a pointer whose lifetime is at<br /> least that of the input buffer.<br /> <br /> Also fix a harmless out-of-bounds read by copying only the original<br /> descriptor size.