CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-52921 – drm/amdgpu: fix possible UAF in amdgpu_cs_pass1()
https://notcve.org/view.php?id=CVE-2023-52921
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang (@VAR10CK) of Baidu Security. • https://git.kernel.org/stable/c/9a2393af1f35d1975204fc00035c64a1c792b278 https://git.kernel.org/stable/c/e08e9dd09809b16f8f8cee8c466841b33d24ed96 https://git.kernel.org/stable/c/90e065677e0362a777b9db97ea21d43a39211399 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-50262 – bpf: Fix out-of-bounds write in trie_get_next_key()
https://notcve.org/view.php?id=CVE-2024-50262
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds write in trie_get_next_key() trie_get_next_key() allocates a node stack with size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to leaves. For example, consider a trie with max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with .prefixlen = 8 make 9 nodes be written on the node stack with size 8. • https://git.kernel.org/stable/c/b471f2f1de8b816f1e799b80aa92588f3566e4bd https://git.kernel.org/stable/c/e8494ac079814a53fbc2258d2743e720907488ed https://git.kernel.org/stable/c/91afbc0eb3c90258ae378ae3c6ead3d2371e926d https://git.kernel.org/stable/c/590976f921723d53ac199c01d5b7b73a94875e68 https://git.kernel.org/stable/c/86c8ebe02d8806dd8878d0063e8e185622ab6ea6 https://git.kernel.org/stable/c/a035df0b98df424559fd383e8e1a268f422ea2ba https://git.kernel.org/stable/c/90a6e0e1e151ef7a9282e78f54c3091de2dcc99c https://git.kernel.org/stable/c/c4b4f9a9ab82238cb158fa4fe61a8c0ae •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50259 – netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()
https://notcve.org/view.php?id=CVE-2024-50259
In the Linux kernel, the following vulnerability has been resolved: netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() This was found by a static analyzer. We should not forget the trailing zero after copy_from_user() if we will further do some string operations, sscanf() in this case. Adding a trailing zero will ensure that the function performs properly. • https://git.kernel.org/stable/c/c6385c0b67c527b298111775bc89a7407ba1581e https://git.kernel.org/stable/c/c2150f666c6fc301d5d1643ed0f92251f1a0ff0d https://git.kernel.org/stable/c/bcba86e03b3aac361ea671672cf48eed11f9011c https://git.kernel.org/stable/c/6a604877160fe5ab2e1985d5ce1ba6a61abe0693 https://git.kernel.org/stable/c/27bd7a742e171362c9eb52ad5d1d71d3321f949f https://git.kernel.org/stable/c/4ce1f56a1eaced2523329bef800d004e30f2f76c •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-50258 – net: fix crash when config small gso_max_size/gso_ipv4_max_size
https://notcve.org/view.php?id=CVE-2024-50258
In the Linux kernel, the following vulnerability has been resolved: net: fix crash when config small gso_max_size/gso_ipv4_max_size Config a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits. Call Trace: tcp_write_xmit tso_segs = tcp_init_tso_segs(skb, mss_now); tcp_set_skb_tso_segs tcp_skb_pcount_set // skb->len = 524288, mss_now = 8 // u16 tso_segs = 524288/8 = 65535 -> 0 tso_segs = DIV_ROUND_UP(skb->len, mss_now) BUG_ON(!tso_segs) Add check for the minimum value of gso_max_size and gso_ipv4_max_size. • https://git.kernel.org/stable/c/46e6b992c2502b094e61da6994f1363f3b7c1413 https://git.kernel.org/stable/c/ac5977001eee7660c643f8e07a2de9001990b7b8 https://git.kernel.org/stable/c/e72fd1389a5364bc6aa6312ecf30bdb5891b9486 https://git.kernel.org/stable/c/9ab5cf19fb0e4680f95e506d6c544259bf1111c4 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50257 – netfilter: Fix use-after-free in get_info()
https://notcve.org/view.php?id=CVE-2024-50257
In the Linux kernel, the following vulnerability has been resolved: netfilter: Fix use-after-free in get_info() ip6table_nat module unload has refcnt warning for UAF. call trace is: WARNING: CPU: 1 PID: 379 at kernel/module/main.c:853 module_put+0x6f/0x80 Modules linked in: ip6table_nat(-) CPU: 1 UID: 0 PID: 379 Comm: ip6tables Not tainted 6.12.0-rc4-00047-gc2ee9f594da8-dirty #205 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:module_put+0x6f/0x80 Call Trace: <TASK> get_info+0x128/0x180 do_ip6t_get_ctl+0x6a/0x430 nf_getsockopt+0x46/0x80 ipv6_getsockopt+0xb9/0x100 rawv6_getsockopt+0x42/0x190 do_sock_getsockopt+0xaa/0x180 __sys_getsockopt+0x70/0xc0 __x64_sys_getsockopt+0x20/0x30 do_syscall_64+0xa2/0x1a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Concurrent execution of module unload and get_info() trigered the warning. The root cause is as follows: cpu0 cpu1 module_exit //mod->state = MODULE_STATE_GOING ip6table_nat_exit xt_unregister_template kfree(t) //removed from templ_list getinfo() t = xt_find_table_lock list_for_each_entry(tmpl, &xt_templates[af]...) if (strcmp(tmpl->name, name)) continue; //table not found try_module_get list_for_each_entry(t, &xt_net->tables[af]...) return t; //not get refcnt module_put(t->me) //uaf unregister_pernet_subsys //remove table from xt_net list While xt_table module was going away and has been removed from xt_templates list, we couldnt get refcnt of xt_table->me. Check module in xt_net->tables list re-traversal to fix it. • https://git.kernel.org/stable/c/fdacd57c79b79a03c7ca88f706ad9fb7b46831c1 https://git.kernel.org/stable/c/ba22ea01348384df19cc1fabc7964be6e7189749 https://git.kernel.org/stable/c/cb7c388b5967946f097afdb759b7c860305f2d96 https://git.kernel.org/stable/c/6a1f088f9807f5166f58902d26246d0b88da03a8 https://git.kernel.org/stable/c/bab3bb35c03b263c486833d50d50c081d9e9832b https://git.kernel.org/stable/c/f48d258f0ac540f00fa617dac496c4c18b5dc2fa •