CVE-2024-50267 – USB: serial: io_edgeport: fix use after free in debug printk
https://notcve.org/view.php?id=CVE-2024-50267
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_edgeport: fix use after free in debug printk

The "dev_dbg(&urb->dev->dev, ..." call which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue.

• https://git.kernel.org/stable/c/984f68683298ba53af32f909de1f9452fbb37ccb
• https://git.kernel.org/stable/c/e6ceb04eeb6115d872d4c4078d12f1170ed755ce
• https://git.kernel.org/stable/c/39709ce93f5c3f9eb535efe2afea088805d1128f
• https://git.kernel.org/stable/c/e567fc8f7a4460e486e52c9261b1e8b9f5dc42aa
• https://git.kernel.org/stable/c/44fff2c16c5aafbdb70c7183dae0a415ae74705e
• https://git.kernel.org/stable/c/275258c30bbda29467216e96fb655b16bcc9992b
• https://git.kernel.org/stable/c/13d6ff3ca76056d06a9d88300be2a293442ff595
• https://git.kernel.org/stable/c/314bdf446053e123f37543aa535197ee7
CVE-2024-50265 – ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
https://notcve.org/view.php?id=CVE-2024-50265
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()

Syzkaller is able to provoke a null-ptr-dereference in ocfs2_xa_remove():

[ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12
[ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry
[ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004
[...]
[ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[...]
[ 57.331328] Call Trace:
[ 57.331477] <TASK>
[...]
[ 57.333511] ? do_user_addr_fault+0x3e5/0x740
[ 57.333778] ? exc_page_fault+0x70/0x170
[ 57.334016] ? asm_exc_page_fault+0x2b/0x30
[ 57.334263] ?

• https://git.kernel.org/stable/c/399ff3a748cf4c8c853e96dd477153202636527b
• https://git.kernel.org/stable/c/38cbf13b2e7a31362babe411f7c2c3c52cd2734b
• https://git.kernel.org/stable/c/168a9b8303fcb0317db4c06b23ce1c0ce2af4e10
• https://git.kernel.org/stable/c/6a7e6dcf90fe7721d0863067b6ca9a9442134692
• https://git.kernel.org/stable/c/dcc8fe8c83145041cb6c80cac21f6173a3ff0204
• https://git.kernel.org/stable/c/86dd0e8d42828923c68ad506933336bcd6f2317d
• https://git.kernel.org/stable/c/dd73c942eed76a014c7a5597e6926435274d2c4c
• https://git.kernel.org/stable/c/2b5369528ee63c88371816178a05b5e66
CVE-2024-50264 – vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
https://notcve.org/view.php?id=CVE-2024-50264
In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.

• https://git.kernel.org/stable/c/06a8fc78367d070720af960dcecec917d3ae5f3b
• https://git.kernel.org/stable/c/5f092a4271f6dccf88fe0d132475a17b69ef71df
• https://git.kernel.org/stable/c/fd8ae346692a56b4437d626c5460c7104980f389
• https://git.kernel.org/stable/c/eb1bdcb7dfc30b24495ee4c5533af0ed135cb5f1
• https://git.kernel.org/stable/c/2a6a4e69f255b7aed17f93995691ab4f0d3c2203
• https://git.kernel.org/stable/c/44d29897eafd0e1196453d3003a4d5e0b968eeab
• https://git.kernel.org/stable/c/b110196fec44fe966952004bd426967c2a8fd358
• https://git.kernel.org/stable/c/5f970935d09934222fdef3d0e20c648ea
CVE-2024-50262 – bpf: Fix out-of-bounds write in trie_get_next_key()
https://notcve.org/view.php?id=CVE-2024-50262
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix out-of-bounds write in trie_get_next_key()

trie_get_next_key() allocates a node stack of size trie->max_prefixlen, while it writes (trie->max_prefixlen + 1) nodes to the stack when it has full paths from the root to the leaves. For example, consider a trie whose max_prefixlen is 8, with the nodes with keys 0x00/0, 0x00/1, 0x00/2, ... 0x00/8 inserted. Subsequent calls to trie_get_next_key() with a _key whose .prefixlen = 8 cause 9 nodes to be written to the node stack of size 8.

• https://git.kernel.org/stable/c/b471f2f1de8b816f1e799b80aa92588f3566e4bd
• https://git.kernel.org/stable/c/e8494ac079814a53fbc2258d2743e720907488ed
• https://git.kernel.org/stable/c/91afbc0eb3c90258ae378ae3c6ead3d2371e926d
• https://git.kernel.org/stable/c/590976f921723d53ac199c01d5b7b73a94875e68
• https://git.kernel.org/stable/c/86c8ebe02d8806dd8878d0063e8e185622ab6ea6
• https://git.kernel.org/stable/c/a035df0b98df424559fd383e8e1a268f422ea2ba
• https://git.kernel.org/stable/c/90a6e0e1e151ef7a9282e78f54c3091de2dcc99c
• https://git.kernel.org/stable/c/c4b4f9a9ab82238cb158fa4fe61a8c0ae
CVE-2024-50261 – macsec: Fix use-after-free while sending the offloading packet
https://notcve.org/view.php?id=CVE-2024-50261
In the Linux kernel, the following vulnerability has been resolved:

macsec: Fix use-after-free while sending the offloading packet

KASAN reports the following UAF. The metadata_dst, which is used to store the SCI value for macsec offload, is already freed by metadata_dst_free() in macsec_free_netdev(), while the driver still uses it for sending the packet. To fix this issue, dst_release() is used instead to release the metadata_dst, so it is not freed instantly in macsec_free_netdev() if still referenced by an skb.

BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714
[...]
Workqueue: mld mld_ifc_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x51/0x60
 print_report+0xc1/0x600
 kasan_report+0xab/0xe0
 mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
 dev_hard_start_xmit+0x120/0x530
 sch_direct_xmit+0x149/0x11e0
 __qdisc_run+0x3ad/0x1730
 __dev_queue_xmit+0x1196/0x2ed0
 vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]
 dev_hard_start_xmit+0x120/0x530
 __dev_queue_xmit+0x14a7/0x2ed0
 macsec_start_xmit+0x13e9/0x2340
 dev_hard_start_xmit+0x120/0x530
 __dev_queue_xmit+0x14a7/0x2ed0
 ip6_finish_output2+0x923/0x1a70
 ip6_finish_output+0x2d7/0x970
 ip6_output+0x1ce/0x3a0
 NF_HOOK.constprop.0+0x15f/0x190
 mld_sendpack+0x59a/0xbd0
 mld_ifc_work+0x48a/0xa80
 process_one_work+0x5aa/0xe50
 worker_thread+0x79c/0x1290
 kthread+0x28f/0x350
 ret_from_fork+0x2d/0x70
 ret_from_fork_asm+0x11/0x20
 </TASK>

Allocated by task 3922:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x10/0x30
 __kasan_kmalloc+0x77/0x90
 __kmalloc_noprof+0x188/0x400
 metadata_dst_alloc+0x1f/0x4e0
 macsec_newlink+0x914/0x1410
 __rtnl_newlink+0xe08/0x15b0
 rtnl_newlink+0x5f/0x90
 rtnetlink_rcv_msg+0x667/0xa80
 netlink_rcv_skb+0x12c/0x360
 netlink_unicast+0x551/0x770
 netlink_sendmsg+0x72d/0xbd0
 __sock_sendmsg+0xc5/0x190
 ____sys_sendmsg+0x52e/0x6a0
 ___sys_sendmsg+0xeb/0x170
 __sys_sendmsg+0xb5/0x140
 do_syscall_64+0x4c/0x100
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 4011:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x37/0x50
 poison_slab_object+0x10c/0x190
 __kasan_slab_free+0x11/0x30
 kfree+0xe0/0x290
 macsec_free_netdev+0x3f/0x140
 netdev_run_todo+0x450/0xc70
 rtnetlink_rcv_msg+0x66f/0xa80
 netlink_rcv_skb+0x12c/0x360
 netlink_unicast+0x551/0x770
 netlink_sendmsg+0x72d/0xbd0
 __sock_sendmsg+0xc5/0x190
 ____sys_sendmsg+0x52e/0x6a0
 ___sys_sendmsg+0xeb/0x170
 __sys_sendmsg+0xb5/0x140
 do_syscall_64+0x4c/0x100
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

• https://git.kernel.org/stable/c/0a28bfd4971fd570d1f3e4653b21415becefc92c
• https://git.kernel.org/stable/c/872932cf75cf859804370a265dd58118129386fa
• https://git.kernel.org/stable/c/9f5ae743dbe9a2458540a7d35fff0f990df025cf
• https://git.kernel.org/stable/c/4614640f1d5c93c22272117dc256e9940ccac8e8
• https://git.kernel.org/stable/c/f1e54d11b210b53d418ff1476c6b58a2f434dfc0