Vulnerabilidades

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fs/ntfs3: Initialize allocated memory before use<br /> <br /> KMSAN reports: Multiple uninitialized values detected:<br /> <br /> - KMSAN: uninit-value in ntfs_read_hdr (3)<br /> - KMSAN: uninit-value in bcmp (3)<br /> <br /> Memory is allocated by __getname(), which is a wrapper for<br /> kmem_cache_alloc(). This memory is used before being properly<br /> cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to<br /> properly allocate and clear memory before use.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix double free of qgroup record after failure to add delayed ref head<br /> <br /> In the previous code it was possible to incur into a double kfree()<br /> scenario when calling add_delayed_ref_head(). This could happen if the<br /> record was reported to already exist in the<br /> btrfs_qgroup_trace_extent_nolock() call, but then there was an error<br /> later on add_delayed_ref_head(). In this case, since<br /> add_delayed_ref_head() returned an error, the caller went to free the<br /> record. Since add_delayed_ref_head() couldn&amp;#39;t set this kfree&amp;#39;d pointer<br /> to NULL, then kfree() would have acted on a non-NULL &amp;#39;record&amp;#39; object<br /> which was pointing to memory already freed by the callee.<br /> <br /> The problem comes from the fact that the responsibility to kfree the<br /> object is on both the caller and the callee at the same time. Hence, the<br /> fix for this is to shift the ownership of the &amp;#39;qrecord&amp;#39; object out of<br /> the add_delayed_ref_head(). That is, we will never attempt to kfree()<br /> the given object inside of this function, and will expect the caller to<br /> act on the &amp;#39;qrecord&amp;#39; object on its own. The only exception where the<br /> &amp;#39;qrecord&amp;#39; object cannot be kfree&amp;#39;d is if it was inserted into the<br /> tracing logic, for which we already have the &amp;#39;qrecord_inserted_ret&amp;#39;<br /> boolean to account for this. Hence, the caller has to kfree the object<br /> only if add_delayed_ref_head() reports not to have inserted it on the<br /> tracing logic.<br /> <br /> As a side-effect of the above, we must guarantee that<br /> &amp;#39;qrecord_inserted_ret&amp;#39; is properly initialized at the start of the<br /> function, not at the end, and then set when an actual insert<br /> happens. This way we avoid &amp;#39;qrecord_inserted_ret&amp;#39; having an invalid<br /> value on an early exit.<br /> <br /> The documentation from the add_delayed_ref_head() has also been updated<br /> to reflect on the exact ownership of the &amp;#39;qrecord&amp;#39; object.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: mt76: wed: use proper wed reference in mt76 wed driver callabacks<br /> <br /> MT7996 driver can use both wed and wed_hif2 devices to offload traffic<br /> from/to the wireless NIC. In the current codebase we assume to always<br /> use the primary wed device in wed callbacks resulting in the following<br /> crash if the hw runs wed_hif2 (e.g. 6GHz link).<br /> <br /> [ 297.455876] Unable to handle kernel read from unreadable memory at virtual address 000000000000080a<br /> [ 297.464928] Mem abort info:<br /> [ 297.467722] ESR = 0x0000000096000005<br /> [ 297.471461] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 297.476766] SET = 0, FnV = 0<br /> [ 297.479809] EA = 0, S1PTW = 0<br /> [ 297.482940] FSC = 0x05: level 1 translation fault<br /> [ 297.487809] Data abort info:<br /> [ 297.490679] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000<br /> [ 297.496156] CM = 0, WnR = 0, TnD = 0, TagAccess = 0<br /> [ 297.501196] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0<br /> [ 297.506500] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000107480000<br /> [ 297.512927] [000000000000080a] pgd=08000001097fb003, p4d=08000001097fb003, pud=08000001097fb003, pmd=0000000000000000<br /> [ 297.523532] Internal error: Oops: 0000000096000005 [#1] SMP<br /> [ 297.715393] CPU: 2 UID: 0 PID: 45 Comm: kworker/u16:2 Tainted: G O 6.12.50 #0<br /> [ 297.723908] Tainted: [O]=OOT_MODULE<br /> [ 297.727384] Hardware name: Banana Pi BPI-R4 (2x SFP+) (DT)<br /> [ 297.732857] Workqueue: nf_ft_offload_del nf_flow_rule_route_ipv6 [nf_flow_table]<br /> [ 297.740254] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 297.747205] pc : mt76_wed_offload_disable+0x64/0xa0 [mt76]<br /> [ 297.752688] lr : mtk_wed_flow_remove+0x58/0x80<br /> [ 297.757126] sp : ffffffc080fe3ae0<br /> [ 297.760430] x29: ffffffc080fe3ae0 x28: ffffffc080fe3be0 x27: 00000000deadbef7<br /> [ 297.767557] x26: ffffff80c5ebca00 x25: 0000000000000001 x24: ffffff80c85f4c00<br /> [ 297.774683] x23: ffffff80c1875b78 x22: ffffffc080d42cd0 x21: ffffffc080660018<br /> [ 297.781809] x20: ffffff80c6a076d0 x19: ffffff80c6a043c8 x18: 0000000000000000<br /> [ 297.788935] x17: 0000000000000000 x16: 0000000000000001 x15: 0000000000000000<br /> [ 297.796060] x14: 0000000000000019 x13: ffffff80c0ad8ec0 x12: 00000000fa83b2da<br /> [ 297.803185] x11: ffffff80c02700c0 x10: ffffff80c0ad8ec0 x9 : ffffff81fef96200<br /> [ 297.810311] x8 : ffffff80c02700c0 x7 : ffffff80c02700d0 x6 : 0000000000000002<br /> [ 297.817435] x5 : 0000000000000400 x4 : 0000000000000000 x3 : 0000000000000000<br /> [ 297.824561] x2 : 0000000000000001 x1 : 0000000000000800 x0 : ffffff80c6a063c8<br /> [ 297.831686] Call trace:<br /> [ 297.834123] mt76_wed_offload_disable+0x64/0xa0 [mt76]<br /> [ 297.839254] mtk_wed_flow_remove+0x58/0x80<br /> [ 297.843342] mtk_flow_offload_cmd+0x434/0x574<br /> [ 297.847689] mtk_wed_setup_tc_block_cb+0x30/0x40<br /> [ 297.852295] nf_flow_offload_ipv6_hook+0x7f4/0x964 [nf_flow_table]<br /> [ 297.858466] nf_flow_rule_route_ipv6+0x438/0x4a4 [nf_flow_table]<br /> [ 297.864463] process_one_work+0x174/0x300<br /> [ 297.868465] worker_thread+0x278/0x430<br /> [ 297.872204] kthread+0xd8/0xdc<br /> [ 297.875251] ret_from_fork+0x10/0x20<br /> [ 297.878820] Code: 928b5ae0 8b000273 91400a60 f943fa61 (79401421)<br /> [ 297.884901] ---[ end trace 0000000000000000 ]---<br /> <br /> Fix the issue detecting the proper wed reference to use running wed<br /> callabacks.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: limit the level of fs stacking for file-backed mounts<br /> <br /> Otherwise, it could cause potential kernel stack overflow (e.g., EROFS<br /> mounting itself).

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> iomap: allocate s_dio_done_wq for async reads as well<br /> <br /> Since commit 222f2c7c6d14 ("iomap: always run error completions in user<br /> context"), read error completions are deferred to s_dio_done_wq. This<br /> means the workqueue also needs to be allocated for async reads.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bpf: Check skb-&gt;transport_header is set in bpf_skb_check_mtu<br /> <br /> The bpf_skb_check_mtu helper needs to use skb-&gt;transport_header when<br /> the BPF_MTU_CHK_SEGS flag is used:<br /> <br /> bpf_skb_check_mtu(skb, ifindex, &amp;mtu_len, 0, BPF_MTU_CHK_SEGS)<br /> <br /> The transport_header is not always set. There is a WARN_ON_ONCE<br /> report when CONFIG_DEBUG_NET is enabled + skb-&gt;gso_size is set +<br /> bpf_prog_test_run is used:<br /> <br /> WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071<br /> skb_gso_validate_network_len<br /> bpf_skb_check_mtu<br /> bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch<br /> bpf_test_run<br /> bpf_prog_test_run_skb<br /> <br /> For a normal ingress skb (not test_run), skb_reset_transport_header<br /> is performed but there is plan to avoid setting it as described in<br /> commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").<br /> <br /> This patch fixes the bpf helper by checking<br /> skb_transport_header_was_set(). The check is done just before<br /> skb-&gt;transport_header is used, to avoid breaking the existing bpf prog.<br /> The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()<br /> <br /> The rtl8187_rx_cb() calculates the rx descriptor header address<br /> by subtracting its size from the skb tail pointer.<br /> However, it does not validate if the received packet<br /> (skb-&gt;len from urb-&gt;actual_length) is large enough to contain this<br /> header.<br /> <br /> If a truncated packet is received, this will lead to a buffer<br /> underflow, reading memory before the start of the skb data area,<br /> and causing a kernel panic.<br /> <br /> Add length checks for both rtl8187 and rtl8187b descriptor headers<br /> before attempting to access them, dropping the packet cleanly if the<br /> check fails.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()<br /> <br /> In &amp;#39;__ocfs2_move_extent()&amp;#39;, relax &amp;#39;BUG()&amp;#39; to &amp;#39;ocfs2_error()&amp;#39; just<br /> to avoid crashing the whole kernel due to a filesystem corruption.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> btrfs: fix racy bitfield write in btrfs_clear_space_info_full()<br /> <br /> From the memory-barriers.txt document regarding memory barrier ordering<br /> guarantees:<br /> <br /> (*) These guarantees do not apply to bitfields, because compilers often<br /> generate code to modify these using non-atomic read-modify-write<br /> sequences. Do not attempt to use bitfields to synchronize parallel<br /> algorithms.<br /> <br /> (*) Even in cases where bitfields are protected by locks, all fields<br /> in a given bitfield must be protected by one lock. If two fields<br /> in a given bitfield are protected by different locks, the compiler&amp;#39;s<br /> non-atomic read-modify-write sequences can cause an update to one<br /> field to corrupt the value of an adjacent field.<br /> <br /> btrfs_space_info has a bitfield sharing an underlying word consisting of<br /> the fields full, chunk_alloc, and flush:<br /> <br /> struct btrfs_space_info {<br /> struct btrfs_fs_info * fs_info; /* 0 8 */<br /> struct btrfs_space_info * parent; /* 8 8 */<br /> ...<br /> int clamp; /* 172 4 */<br /> unsigned int full:1; /* 176: 0 4 */<br /> unsigned int chunk_alloc:1; /* 176: 1 4 */<br /> unsigned int flush:1; /* 176: 2 4 */<br /> ...<br /> <br /> Therefore, to be safe from parallel read-modify-writes losing a write to<br /> one of the bitfield members protected by a lock, all writes to all the<br /> bitfields must use the lock. They almost universally do, except for<br /> btrfs_clear_space_info_full() which iterates over the space_infos and<br /> writes out found-&gt;full = 0 without a lock.<br /> <br /> Imagine that we have one thread completing a transaction in which we<br /> finished deleting a block_group and are thus calling<br /> btrfs_clear_space_info_full() while simultaneously the data reclaim<br /> ticket infrastructure is running do_async_reclaim_data_space():<br /> <br /> T1 T2<br /> btrfs_commit_transaction<br /> btrfs_clear_space_info_full<br /> data_sinfo-&gt;full = 0<br /> READ: full:0, chunk_alloc:0, flush:1<br /> do_async_reclaim_data_space(data_sinfo)<br /> spin_lock(&amp;space_info-&gt;lock);<br /> if(list_empty(tickets))<br /> space_info-&gt;flush = 0;<br /> READ: full: 0, chunk_alloc:0, flush:1<br /> MOD/WRITE: full: 0, chunk_alloc:0, flush:0<br /> spin_unlock(&amp;space_info-&gt;lock);<br /> return;<br /> MOD/WRITE: full:0, chunk_alloc:0, flush:1<br /> <br /> and now data_sinfo-&gt;flush is 1 but the reclaim worker has exited. This<br /> breaks the invariant that flush is 0 iff there is no work queued or<br /> running. Once this invariant is violated, future allocations that go<br /> into __reserve_bytes() will add tickets to space_info-&gt;tickets but will<br /> see space_info-&gt;flush is set to 1 and not queue the work. After this,<br /> they will block forever on the resulting ticket, as it is now impossible<br /> to kick the worker again.<br /> <br /> I also confirmed by looking at the assembly of the affected kernel that<br /> it is doing RMW operations. For example, to set the flush (3rd) bit to 0,<br /> the assembly is:<br /> andb $0xfb,0x60(%rbx)<br /> and similarly for setting the full (1st) bit to 0:<br /> andb $0xfe,-0x20(%rax)<br /> <br /> So I think this is really a bug on practical systems. I have observed<br /> a number of systems in this exact state, but am currently unable to<br /> reproduce it.<br /> <br /> Rather than leaving this footgun lying around for the future, take<br /> advantage of the fact that there is room in the struct anyway, and that<br /> it is already quite large and simply change the three bitfield members to<br /> bools. This avoids writes to space_info-&gt;full having any effect on<br /> ---truncated---

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> block: fix memory leak in __blkdev_issue_zero_pages<br /> <br /> Move the fatal signal check before bio_alloc() to prevent a memory<br /> leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending.<br /> <br /> Previously, the bio was allocated before checking for a fatal signal.<br /> If a signal was pending, the code would break out of the loop without<br /> freeing or chaining the just-allocated bio, causing a memory leak.<br /> <br /> This matches the pattern already used in __blkdev_issue_write_zeroes()<br /> where the signal check precedes the allocation.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> exfat: fix divide-by-zero in exfat_allocate_bitmap<br /> <br /> The variable max_ra_count can be 0 in exfat_allocate_bitmap(),<br /> which causes a divide-by-zero error in the subsequent modulo operation<br /> (i % max_ra_count), leading to a system crash.<br /> When max_ra_count is 0, it means that readahead is not used. This patch<br /> load the bitmap without readahead.

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spi: ch341: fix out-of-bounds memory access in ch341_transfer_one<br /> <br /> Discovered by Atuin - Automated Vulnerability Discovery Engine.<br /> <br /> The &amp;#39;len&amp;#39; variable is calculated as &amp;#39;min(32, trans-&gt;len + 1)&amp;#39;,<br /> which includes the 1-byte command header.<br /> <br /> When copying data from &amp;#39;trans-&gt;tx_buf&amp;#39; to &amp;#39;ch341-&gt;tx_buf + 1&amp;#39;, using &amp;#39;len&amp;#39;<br /> as the length is incorrect because:<br /> <br /> 1. It causes an out-of-bounds read from &amp;#39;trans-&gt;tx_buf&amp;#39; (which has size<br /> &amp;#39;trans-&gt;len&amp;#39;, i.e., &amp;#39;len - 1&amp;#39; in this context).<br /> 2. It can cause an out-of-bounds write to &amp;#39;ch341-&gt;tx_buf&amp;#39; if &amp;#39;len&amp;#39; is<br /> CH341_PACKET_LENGTH (32). Writing 32 bytes to ch341-&gt;tx_buf + 1<br /> overflows the buffer.<br /> <br /> Fix this by copying &amp;#39;len - 1&amp;#39; bytes.