CVE-2023-52762 – virtio-blk: fix implicit overflow on virtio_max_dma_size
https://notcve.org/view.php?id=CVE-2023-52762
In the Linux kernel, the following vulnerability has been resolved: virtio-blk: fix implicit overflow on virtio_max_dma_size The following codes have an implicit conversion from size_t to u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); This may lead overflow, Ex (size_t)4G -> (u32)0. Once virtio_max_dma_size() has a larger size than U32_MAX, use U32_MAX instead. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: virtio-blk: corrige el desbordamiento implícito en virtio_max_dma_size. Los siguientes códigos tienen una conversión implícita de size_t a u32: (u32)max_size = (size_t)virtio_max_dma_size(vdev); Esto puede provocar un desbordamiento, Ex (size_t)4G -> (u32)0. Una vez que virtio_max_dma_size() tenga un tamaño mayor que U32_MAX, use U32_MAX en su lugar. • https://git.kernel.org/stable/c/72775cad7f572bb2501f9ea609e1d20e68f0b38b https://git.kernel.org/stable/c/472bd4787406bef2e8b41ee4c74d960a06a49a48 https://git.kernel.org/stable/c/017278f141141367f7d14b203e930b45b6ffffb9 https://git.kernel.org/stable/c/d667fe301dcbcb12d1d6494fc4b8abee2cb75d90 https://git.kernel.org/stable/c/fafb51a67fb883eb2dde352539df939a251851be https://access.redhat.com/security/cve/CVE-2023-52762 https://bugzilla.redhat.com/show_bug.cgi?id=2282623 • CWE-121: Stack-based Buffer Overflow •
CVE-2023-52760 – gfs2: Fix slab-use-after-free in gfs2_qd_dealloc
https://notcve.org/view.php?id=CVE-2023-52760
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: gfs2: corrige slab-use-after-free en gfs2_qd_dealloc. En gfs2_put_super(), ya sea retirada o no, gfs2_quota_cleanup() debe limpiar la cuota. De lo contrario, la estructura gfs2_sbd se liberará antes de que se ejecute gfs2_qd_dealloc (devolución de llamada de rcu) para todos los objetos gfs2_quota_data, lo que dará como resultado un use after free. Además, gfs2_destroy_threads() y gfs2_quota_cleanup() ya son llamados por gfs2_make_fs_ro(), por lo que en gfs2_put_super(), después de llamar a gfs2_make_fs_ro(), no es necesario volver a llamarlos. • https://git.kernel.org/stable/c/7ad4e0a4f61c57c3ca291ee010a9d677d0199fba https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81 https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37 • CWE-416: Use After Free •
CVE-2023-52759 – gfs2: ignore negated quota changes
https://notcve.org/view.php?id=CVE-2023-52759
In the Linux kernel, the following vulnerability has been resolved: gfs2: ignore negated quota changes When lots of quota changes are made, there may be cases in which an inode's quota information is increased and then decreased, such as when blocks are added to a file, then deleted from it. If the timing is right, function do_qc can add pending quota changes to a transaction, then later, another call to do_qc can negate those changes, resulting in a net gain of 0. The quota_change information is recorded in the qc buffer (and qd element of the inode as well). The buffer is added to the transaction by the first call to do_qc, but a subsequent call changes the value from non-zero back to zero. At that point it's too late to remove the buffer_head from the transaction. • https://git.kernel.org/stable/c/1c28dace66015b675a343b89b0c87abbfda05ff4 https://git.kernel.org/stable/c/b4deec69fe32b58dc5fb4ace52456ece85b75561 https://git.kernel.org/stable/c/2bb42a27a92ff3984c9fa5fbe128eced3ea693f2 https://git.kernel.org/stable/c/2a054b87a1b799b391e578597a42ee6e57a987ae https://git.kernel.org/stable/c/5bfda356e903633d16ae1bac1ee38364e12628a3 https://git.kernel.org/stable/c/53fc16c1ad84f5467ec24341670b63aa759335d3 https://git.kernel.org/stable/c/212f112fe5e90e98eb8d48585682880dae139f4c https://git.kernel.org/stable/c/119565e566f91ff3588ffcd5812f0c806 •
CVE-2023-52757 – smb: client: fix potential deadlock when releasing mids
https://notcve.org/view.php?id=CVE-2023-52757
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when releasing mids All release_mid() callers seem to hold a reference of @mid so there is no need to call kref_put(&mid->refcount, __release_mid) under @server->mid_lock spinlock. If they don't, then an use-after-free bug would have occurred anyways. By getting rid of such spinlock also fixes a potential deadlock as shown below CPU 0 CPU 1 ------------------------------------------------------------------ cifs_demultiplex_thread() cifs_debug_data_proc_show() release_mid() spin_lock(&server->mid_lock); spin_lock(&cifs_tcp_ses_lock) spin_lock(&server->mid_lock) __release_mid() smb2_find_smb_tcon() spin_lock(&cifs_tcp_ses_lock) *deadlock* En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: client: corrige un posible punto muerto al liberar mids. Todos los llamadores de release_mid() parecen tener una referencia de @mid, por lo que no hay necesidad de llamar a kref_put(&mid->refcount, __release_mid ) en @servidor->mid_lock spinlock. Si no lo hacen, de todos modos se habría producido un error de use after free. Al deshacerse de dicho bloqueo de giro, también se soluciona un posible punto muerto como se muestra a continuación CPU 0 CPU 1 -------------------------------- ---------------------------------- cifs_demultiplex_thread() cifs_debug_data_proc_show() release_mid() spin_lock(&servidor->mid_lock) ; spin_lock(&cifs_tcp_ses_lock) spin_lock(&servidor->mid_lock) __release_mid() smb2_find_smb_tcon() spin_lock(&cifs_tcp_ses_lock) *punto muerto* • https://git.kernel.org/stable/c/9eb44db68c5b7f5aa22b8fc7de74a3e2e08d1f29 https://git.kernel.org/stable/c/b9bb9607b1fc12fca51f5632da25b36975f599bf https://git.kernel.org/stable/c/c1a5962f1462b64fe7b69f20a4b6af8067bc2d26 https://git.kernel.org/stable/c/e6322fd177c6885a21dd4609dc5e5c973d1a2eb7 https://access.redhat.com/security/cve/CVE-2023-52757 https://bugzilla.redhat.com/show_bug.cgi?id=2282641 • CWE-833: Deadlock •
CVE-2023-52755 – ksmbd: fix slab out of bounds write in smb_inherit_dacl()
https://notcve.org/view.php?id=CVE-2023-52755
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab out of bounds write in smb_inherit_dacl() slab out-of-bounds write is caused by that offsets is bigger than pntsd allocation size. This patch add the check to validate 3 offsets using allocation size. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige la escritura fuera de los límites de slab en smb_inherit_dacl(). La escritura fuera de los límites de slab se debe a que las compensaciones son mayores que el tamaño de asignación de pntsd. Este parche agrega la verificación para validar 3 compensaciones usando el tamaño de asignación. • https://git.kernel.org/stable/c/aaf0a07d60887d6c36fc46a24de0083744f07819 https://git.kernel.org/stable/c/8387c94d73ec66eb597c7a23a8d9eadf64bfbafa https://git.kernel.org/stable/c/09d9d8b40a3338193619c14ed4dc040f4f119e70 https://git.kernel.org/stable/c/712e01f32e577e7e48ab0adb5fe550646a3d93cb https://git.kernel.org/stable/c/eebff19acaa35820cb09ce2ccb3d21bee2156ffb • CWE-787: Out-of-bounds Write •