CVE-2024-44990 – bonding: fix null pointer deref in bond_ipsec_offload_ok
https://notcve.org/view.php?id=CVE-2024-44990
In the Linux kernel, the following vulnerability has been resolved: bonding: fix null pointer deref in bond_ipsec_offload_ok We must check if there is an active slave before dereferencing the pointer. • https://git.kernel.org/stable/c/18cb261afd7bf50134e5ccacc5ec91ea16efadd4 https://git.kernel.org/stable/c/81216b9352be43f8958092d379f6dec85443c309 https://git.kernel.org/stable/c/2f5bdd68c1ce64bda6bef4d361a3de23b04ccd59 https://git.kernel.org/stable/c/32a0173600c63aadaf2103bf02f074982e8602ab https://git.kernel.org/stable/c/0707260a18312bbcd2a5668584e3692d0a29e3f6 https://git.kernel.org/stable/c/b70b0ddfed31fc92c8dc722d0afafc8e14cb550c https://git.kernel.org/stable/c/95c90e4ad89d493a7a14fa200082e466e2548f9d https://access.redhat.com/security/cve/CVE-2024-44990 • CWE-476: NULL Pointer Dereference •
CVE-2024-44989 – bonding: fix xfrm real_dev null pointer dereference
https://notcve.org/view.php?id=CVE-2024-44989
In the Linux kernel, the following vulnerability has been resolved: bonding: fix xfrm real_dev null pointer dereference We shouldn't set real_dev to NULL because packets can be in transit and xfrm might call xdo_dev_offload_ok() in parallel. All callbacks assume real_dev is set. Example trace: kernel: BUG: unable to handle page fault for address: 0000000000001030 kernel: bond0: (slave eni0np1): making interface the new active one kernel: #PF: supervisor write access in kernel mode kernel: #PF: error_code(0x0002) - not-present page kernel: PGD 0 P4D 0 kernel: Oops: 0002 [#1] PREEMPT SMP kernel: CPU: 4 PID: 2237 Comm: ping Not tainted 6.7.7+ #12 kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 kernel: RIP: 0010:nsim_ipsec_offload_ok+0xc/0x20 [netdevsim] kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: Code: e0 0f 0b 48 83 7f 38 00 74 de 0f 0b 48 8b 47 08 48 8b 37 48 8b 78 40 e9 b2 e5 9a d7 66 90 0f 1f 44 00 00 48 8b 86 80 02 00 00 <83> 80 30 10 00 00 01 b8 01 00 00 00 c3 0f 1f 80 00 00 00 00 0f 1f kernel: bond0: (slave eni0np1): making interface the new active one kernel: RSP: 0018:ffffabde81553b98 EFLAGS: 00010246 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: kernel: RAX: 0000000000000000 RBX: ffff9eb404e74900 RCX: ffff9eb403d97c60 kernel: RDX: ffffffffc090de10 RSI: ffff9eb404e74900 RDI: ffff9eb3c5de9e00 kernel: RBP: ffff9eb3c0a42000 R08: 0000000000000010 R09: 0000000000000014 kernel: R10: 7974203030303030 R11: 3030303030303030 R12: 0000000000000000 kernel: R13: ffff9eb3c5de9e00 R14: ffffabde81553cc8 R15: ffff9eb404c53000 kernel: FS: 00007f2a77a3ad00(0000) GS:ffff9eb43bd00000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000001030 CR3: 00000001122ab000 CR4: 0000000000350ef0 kernel: bond0: (slave eni0np1): making interface the new active one kernel: Call Trace: kernel: <TASK> kernel: ? __die+0x1f/0x60 kernel: bond0: (slave eni0np1): bond_ipsec_add_sa_all: failed to add SA kernel: ? page_fault_oops+0x142/0x4c0 kernel: ? do_user_addr_fault+0x65/0x670 kernel: ? • https://git.kernel.org/stable/c/18cb261afd7bf50134e5ccacc5ec91ea16efadd4 https://git.kernel.org/stable/c/21816b696c172c19d53a30d45ee005cce246ed21 https://git.kernel.org/stable/c/2f72c6a66bcd7e0187ec085237fee5db27145294 https://git.kernel.org/stable/c/7fa9243391ad2afe798ef4ea2e2851947b95754f https://git.kernel.org/stable/c/4582d4ff413a07d4ed8a4823c652dc5207760548 https://git.kernel.org/stable/c/89fc1dca79db5c3e7a2d589ecbf8a3661c65f436 https://git.kernel.org/stable/c/f8cde9805981c50d0c029063dc7d82821806fc44 https://access.redhat.com/security/cve/CVE-2024-44989 • CWE-476: NULL Pointer Dereference •
CVE-2024-44988 – net: dsa: mv88e6xxx: Fix out-of-bound access
https://notcve.org/view.php?id=CVE-2024-44988
In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Fix out-of-bound access If an ATU violation was caused by a CPU Load operation, the SPID could be larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array). • https://git.kernel.org/stable/c/27a2fa0098171199022affa76bdf15d77585457f https://git.kernel.org/stable/c/75c05a74e745ae7d663b04d75777af80ada2233c https://git.kernel.org/stable/c/1657d2814e83d3e338d6d60c5829d15d86645bc0 https://git.kernel.org/stable/c/4a88fca95c8df3746b71e31f44a02d35f06f9864 https://git.kernel.org/stable/c/d39f5be62f098fe367d672b4dd4bc4b2b80e08e7 https://git.kernel.org/stable/c/050e7274ab2150cd212b2372595720e7b83a15bd https://git.kernel.org/stable/c/a10d0337115a6d223a1563d853d4455f05d0b2e3 https://git.kernel.org/stable/c/18b2e833daf049223ab3c2efdf8cdee08 •
CVE-2024-44987 – ipv6: prevent UAF in ip6_send_skb()
https://notcve.org/view.php?id=CVE-2024-44987
In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). A similar issue has been fixed in commit a688caa34beb ("ipv6: take rcu lock in rawv6_send_hdrinc()") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 </TASK> Allocated by task 6530: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. ---truncated--- • https://git.kernel.org/stable/c/0625491493d9000e4556bf566d205c28c8e7dc4e https://git.kernel.org/stable/c/571567e0277008459750f0728f246086b2659429 https://git.kernel.org/stable/c/ce2f6cfab2c637d0bd9762104023a15d0ab7c0a8 https://git.kernel.org/stable/c/cb5880a0de12c7f618d2bdd84e2d985f1e06ed7e https://git.kernel.org/stable/c/24e93695b1239fbe4c31e224372be77f82dab69a https://git.kernel.org/stable/c/9a3e55afa95ed4ac9eda112d4f918af645d72f25 https://git.kernel.org/stable/c/af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011 https://git.kernel.org/stable/c/e44bd76dd072756e674f45c5be00153f4 •
CVE-2024-44986 – ipv6: fix possible UAF in ip6_finish_output2()
https://notcve.org/view.php?id=CVE-2024-44986
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible UAF in ip6_finish_output2() If skb_expand_head() returns NULL, skb has been freed and associated dst/idev could also have been freed. We need to hold rcu_read_lock() to make sure the dst and associated idev are alive. • https://git.kernel.org/stable/c/5796015fa968a3349027a27dcd04c71d95c53ba5 https://git.kernel.org/stable/c/ded37d03440d0ab346a8287cc2ba88b8dc90ceb0 https://git.kernel.org/stable/c/2323690eb05865a657709f4d28eb9538ea97bfc2 https://git.kernel.org/stable/c/b34c668a867ffdcf8bd8db4a36512572e82b4a15 https://git.kernel.org/stable/c/e891b36de161fcd96f12ff83667473e5067b9037 https://git.kernel.org/stable/c/3574d28caf9a09756ae87ad1ea096c6f47b6101e https://git.kernel.org/stable/c/6ab6bf731354a6fdbaa617d1ec194960db61cf3b https://git.kernel.org/stable/c/56efc253196751ece1fc535a5b582be12 •