CVE-2024-43842 – wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()
https://notcve.org/view.php?id=CVE-2024-43842
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter() In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size. But then 'rate->he_gi' is used as array index instead of 'status->he_gi'. This can lead to go beyond array boundaries in case of 'rate->he_gi' is not equal to 'status->he_gi' and is bigger than array size. Looks like "copy-paste" mistake. Fix this mistake by replacing 'rate->he_gi' with 'status->he_gi'. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/e3ec7017f6a20d12ddd9fe23d345ebb7b8c104dd https://git.kernel.org/stable/c/a2a095c08b95372d6d0c5819b77f071af5e75366 https://git.kernel.org/stable/c/7a0edc3d83aff3a48813d78c9cad9daf38decc74 https://git.kernel.org/stable/c/96ae4de5bc4c8ba39fd072369398f59495b73f58 https://git.kernel.org/stable/c/85099c7ce4f9e64c66aa397cd9a37473637ab891 •
CVE-2024-43841 – wifi: virt_wifi: avoid reporting connection success with wrong SSID
https://notcve.org/view.php?id=CVE-2024-43841
In the Linux kernel, the following vulnerability has been resolved: wifi: virt_wifi: avoid reporting connection success with wrong SSID When user issues a connection with a different SSID than the one virt_wifi has advertised, the __cfg80211_connect_result() will trigger the warning: WARN_ON(bss_not_found). The issue is because the connection code in virt_wifi does not check the SSID from user space (it only checks the BSSID), and virt_wifi will call cfg80211_connect_result() with WLAN_STATUS_SUCCESS even if the SSID is different from the one virt_wifi has advertised. Eventually cfg80211 won't be able to find the cfg80211_bss and generate the warning. Fixed it by checking the SSID (from user space) in the connection code. • https://git.kernel.org/stable/c/c7cdba31ed8b87526db978976392802d3f93110c https://git.kernel.org/stable/c/994fc2164a03200c3bf42fb45b3d49d9d6d33a4d https://git.kernel.org/stable/c/05c4488a0e446c6ccde9f22b573950665e1cd414 https://git.kernel.org/stable/c/93e898a264b4e0a475552ba9f99a016eb43ef942 https://git.kernel.org/stable/c/d3cc85a10abc8eae48988336cdd3689ab92581b3 https://git.kernel.org/stable/c/36e92b5edc8e0daa18e9325674313802ce3fbc29 https://git.kernel.org/stable/c/416d3c1538df005195721a200b0371d39636e05d https://git.kernel.org/stable/c/b5d14b0c6716fad7f0c94ac6e1d6f60a4 •
CVE-2024-43840 – bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
https://notcve.org/view.php?id=CVE-2024-43840
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the struct bpf_tramp_image *im pointer as an argument in R0. The trampoline generation code uses emit_addr_mov_i64() to emit instructions for moving the bpf_tramp_image address into R0, but emit_addr_mov_i64() assumes the address to be in the vmalloc() space and uses only 48 bits. Because bpf_tramp_image is allocated using kzalloc(), its address can use more than 48-bits, in this case the trampoline will pass an invalid address to __bpf_tramp_enter/exit() causing a kernel crash. Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64() as it can work with addresses that are greater than 48-bits. • https://git.kernel.org/stable/c/efc9909fdce00a827a37609628223cd45bf95d0b https://git.kernel.org/stable/c/6d218fcc707d6b2c3616b6cd24b948fd4825cfec https://git.kernel.org/stable/c/19d3c179a37730caf600a97fed3794feac2b197b •
CVE-2024-43839 – bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
https://notcve.org/view.php?id=CVE-2024-43839
In the Linux kernel, the following vulnerability has been resolved: bna: adjust 'name' buf size of bna_tcb and bna_ccb structures To have enough space to write all possible sprintf() args. Currently 'name' size is 16, but the first '%s' specifier may already need at least 16 characters, since 'bnad->netdev->name' is used there. For '%d' specifiers, assume that they require: * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8 * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX is 16 And replace sprintf with snprintf. Detected using the static analysis tool - Svace. • https://git.kernel.org/stable/c/8b230ed8ec96c933047dd0625cf95f739e4939a6 https://git.kernel.org/stable/c/f121740f69eda4da2de9a20a6687a13593e72540 https://git.kernel.org/stable/c/c90b1cd7758fd4839909e838ae195d19f8065d76 https://git.kernel.org/stable/c/6ce46045f9b90d952602e2c0b8886cfadf860bf1 https://git.kernel.org/stable/c/6d20c4044ab4d0e6a99aa35853e66f0aed5589e3 https://git.kernel.org/stable/c/ab748dd10d8742561f2980fea08ffb4f0cacfdef https://git.kernel.org/stable/c/b0ff0cd0847b03c0a0abe20cfa900eabcfcb9e43 https://git.kernel.org/stable/c/e0f48f51d55fb187400e9787192eda09f •
CVE-2024-43837 – bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT
https://notcve.org/view.php?id=CVE-2024-43837
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT When loading a EXT program without specifying `attr->attach_prog_fd`, the `prog->aux->dst_prog` will be null. At this time, calling resolve_prog_type() anywhere will result in a null pointer dereference. Example stack trace: [ 8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 [ 8.108262] Mem abort info: [ 8.108384] ESR = 0x0000000096000004 [ 8.108547] EC = 0x25: DABT (current EL), IL = 32 bits [ 8.108722] SET = 0, FnV = 0 [ 8.108827] EA = 0, S1PTW = 0 [ 8.108939] FSC = 0x04: level 0 translation fault [ 8.109102] Data abort info: [ 8.109203] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 8.109399] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 8.109614] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000 [ 8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000 [ 8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 8.112783] Modules linked in: [ 8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1 [ 8.113230] Hardware name: linux,dummy-virt (DT) [ 8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.113429] pc : may_access_direct_pkt_data+0x24/0xa0 [ 8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8 [ 8.113798] sp : ffff80008283b9f0 [ 8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001 [ 8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000 [ 8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000 [ 8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff [ 8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720 [ 8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720 [ 8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4 [ 8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f [ 8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c [ 8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000 [ 8.114126] Call trace: [ 8.114159] may_access_direct_pkt_data+0x24/0xa0 [ 8.114202] bpf_check+0x3bc/0x28c0 [ 8.114214] bpf_prog_load+0x658/0xa58 [ 8.114227] __sys_bpf+0xc50/0x2250 [ 8.114240] __arm64_sys_bpf+0x28/0x40 [ 8.114254] invoke_syscall.constprop.0+0x54/0xf0 [ 8.114273] do_el0_svc+0x4c/0xd8 [ 8.114289] el0_svc+0x3c/0x140 [ 8.114305] el0t_64_sync_handler+0x134/0x150 [ 8.114331] el0t_64_sync+0x168/0x170 [ 8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403) [ 8.118672] ---[ end trace 0000000000000000 ]--- One way to fix it is by forcing `attach_prog_fd` non-empty when bpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type` API broken which use verifier log to probe prog type and will log nothing if we reject invalid EXT prog before bpf_check(). Another way is by adding null check in resolve_prog_type(). The issue was introduced by commit 4a9c7bbe2ed4 ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT") which wanted to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before that, the type resolution of BPF_PROG_TYPE_EXT prog actually follows the logic below: prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type; It implies that when EXT program is not yet attached to `dst_prog`, the prog type should be EXT itself. • https://git.kernel.org/stable/c/4a9c7bbe2ed4d2b240674b1fb606c41d3940c412 https://git.kernel.org/stable/c/fcac5feb06f31ee4c88bca9bf98d8bc3ca7d2615 https://git.kernel.org/stable/c/9d40fd516aeae6779e3c84c6b96700ca76285847 https://git.kernel.org/stable/c/b29a880bb145e1f1c1df5ab88ed26b1495ff9f09 https://git.kernel.org/stable/c/f7866c35873377313ff94398f17d425b28b71de1 •