CVE-2024-41049 – filelock: fix potential use-after-free in posix_lock_inode
https://notcve.org/view.php?id=CVE-2024-41049
In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen. • https://git.kernel.org/stable/c/117fb80cd1e63c419c7a221ce070becb4bfc7b6d https://git.kernel.org/stable/c/a6f4129378ca15f62cbdde09a7d3ccc35adcf49d https://git.kernel.org/stable/c/766e56faddbec2eaf70c9299e1c9ef74d846d32b https://git.kernel.org/stable/c/34bff6d850019e00001129d6de3aa4874c2cf471 https://git.kernel.org/stable/c/74f6f5912693ce454384eaeec48705646a21c74f https://git.kernel.org/stable/c/e75396988bb9b3b90e6e8690604d0f566cea403a https://git.kernel.org/stable/c/1cbbb3d9475c403ebedc327490c7c2b991398197 https://git.kernel.org/stable/c/7d4c14f4b511fd4c0dc788084ae59b465 • CWE-416: Use After Free •
CVE-2024-41048 – skmsg: Skip zero length skb in sk_msg_recvmsg
https://notcve.org/view.php?id=CVE-2024-41048
In the Linux kernel, the following vulnerability has been resolved: skmsg: Skip zero length skb in sk_msg_recvmsg When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch platform, the following kernel panic occurs: [...] Oops[#1]: CPU: 22 PID: 2824 Comm: test_progs Tainted: G OE 6.10.0-rc2+ #18 Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018 ... ... ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560 ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 0000000c (PPLV0 +PIE +PWE) EUEN: 00000007 (+FPE +SXE +ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0) BADV: 0000000000000040 PRID: 0014c011 (Loongson-64bit, Loongson-3C5000) Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...) Stack : ... Call Trace: [<9000000004162774>] copy_page_to_iter+0x74/0x1c0 [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560 [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0 [<90000000049aae34>] inet_recvmsg+0x54/0x100 [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0 [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0 [<900000000481e27c>] sys_recvfrom+0x1c/0x40 [<9000000004c076ec>] do_syscall+0x8c/0xc0 [<9000000003731da4>] handle_syscall+0xc4/0x160 Code: ... ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception Kernel relocated by 0x3510000 .text @ 0x9000000003710000 .data @ 0x9000000004d70000 .bss @ 0x9000000006469400 ---[ end Kernel panic - not syncing: Fatal exception ]--- [...] This crash happens every time when running sockmap_skb_verdict_shutdown subtest in sockmap_basic. This crash is because a NULL pointer is passed to page_address() in the sk_msg_recvmsg(). Due to the different implementations depending on the architecture, page_address(NULL) will trigger a panic on Loongarch platform but not on x86 platform. So this bug was hidden on x86 platform for a while, but now it is exposed on Loongarch platform. The root cause is that a zero length skb (skb->len == 0) was put on the queue. This zero length skb is a TCP FIN packet, which was sent by shutdown(), invoked in test_sockmap_skb_verdict_shutdown(): shutdown(p1, SHUT_WR); In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no page is put to this sge (see sg_set_page in sg_set_page), but this empty sge is queued into ingress_msg list. And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by sg_page(sge). • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c https://git.kernel.org/stable/c/195b7bcdfc5adc5b2468f279dd9eb7eebd2e7632 https://git.kernel.org/stable/c/fb61d7b9fb6ef0032de469499a54dab4c7260d0d https://git.kernel.org/stable/c/b180739b45a38b4caa88fe16bb5273072e6613dc https://git.kernel.org/stable/c/f8bd689f37f4198a4c61c4684f591ba639595b97 https://git.kernel.org/stable/c/f0c18025693707ec344a70b6887f7450bf4c826b •
CVE-2024-41046 – net: ethernet: lantiq_etop: fix double free in detach
https://notcve.org/view.php?id=CVE-2024-41046
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix double free in detach The number of the currently released descriptor is never incremented which results in the same skb being released multiple times. • https://git.kernel.org/stable/c/504d4721ee8e432af4b5f196a08af38bc4dac5fe https://git.kernel.org/stable/c/1a2db00a554cfda57c397cce79b2804bf9633fec https://git.kernel.org/stable/c/907443174e76b854d28024bd079f0e53b94dc9a1 https://git.kernel.org/stable/c/22b16618a80858b3a9d607708444426948cc4ae1 https://git.kernel.org/stable/c/69ad5fa0ce7c548262e0770fc2b726fe7ab4f156 https://git.kernel.org/stable/c/c2b66e2b3939af63699e4a4bd25a8ac4a9b1d1b3 https://git.kernel.org/stable/c/9d23909ae041761cb2aa0c3cb1748598d8b6bc54 https://git.kernel.org/stable/c/84aaaa796a19195fc59290154fef9aeb1 •
CVE-2024-41044 – ppp: reject claimed-as-LCP but actually malformed packets
https://notcve.org/view.php?id=CVE-2024-41044
In the Linux kernel, the following vulnerability has been resolved: ppp: reject claimed-as-LCP but actually malformed packets Since 'ppp_async_encode()' assumes valid LCP packets (with code from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that LCP packet has an actual body beyond PPP_LCP header bytes, and reject claimed-as-LCP but actually malformed data otherwise. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/97d1efd8be26615ff680cdde86937d5943138f37 https://git.kernel.org/stable/c/6e8f1c21174f9482033bbb59f13ce1a8cbe843c3 https://git.kernel.org/stable/c/3ba12c2afd933fc1bf800f6d3f6c7ec8f602ce56 https://git.kernel.org/stable/c/ebc5c630457783d17d0c438b0ad70b232a64a82f https://git.kernel.org/stable/c/3134bdf7356ed952dcecb480861d2afcc1e40492 https://git.kernel.org/stable/c/099502ca410922b56353ccef2749bc0de669da78 https://git.kernel.org/stable/c/d683e7f3fc48f59576af34631b4fb07fd • CWE-20: Improper Input Validation •
CVE-2024-41042 – netfilter: nf_tables: prefer nft_chain_validate
https://notcve.org/view.php?id=CVE-2024-41042
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: prefer nft_chain_validate nft_chain_validate already performs loop detection because a cycle will result in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE). It also follows maps via ->validate callback in nft_lookup, so there appears no reason to iterate the maps again. nf_tables_check_loops() and all its helper functions can be removed. This improves ruleset load time significantly, from 23s down to 12s. This also fixes a crash bug. Old loop detection code can result in unbounded recursion: BUG: TASK stack guard page was hit at .... Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1 [..] with a suitable ruleset during validation of register stores. I can't see any actual reason to attempt to check for this from nft_validate_register_store(), at this point the transaction is still in progress, so we don't have a full picture of the rule graph. For nf-next it might make sense to either remove it or make this depend on table->validate_state in case we could catch an error earlier (for improved error reporting to userspace). • https://git.kernel.org/stable/c/20a69341f2d00cd042e81c82289fba8a13c05a25 https://git.kernel.org/stable/c/1947e4c3346faa8ac7e343652c0fd3b3e394202f https://git.kernel.org/stable/c/cd4348e0a50286282c314ad6d2b0740e7c812c24 https://git.kernel.org/stable/c/31c35f9f89ef585f1edb53e17ac73a0ca4a9712b https://git.kernel.org/stable/c/8246b7466c8da49d0d9e85e26cbd69dd6d3e3d1e https://git.kernel.org/stable/c/b6b6e430470e1c3c5513311cb35a15a205595abe https://git.kernel.org/stable/c/717c91c6ed73e248de6a15bc53adefb81446c9d0 https://git.kernel.org/stable/c/9df785aeb7dcc8efd1d4110bb27d26005 • CWE-121: Stack-based Buffer Overflow •