CVE-2024-50126 – net: sched: use RCU read-side critical section in taprio_dump()
https://notcve.org/view.php?id=CVE-2024-50126
In the Linux kernel, the following vulnerability has been resolved: net: sched: use RCU read-side critical section in taprio_dump() Fix possible use-after-free in 'taprio_dump()' by adding RCU read-side critical section there. Never seen on x86 but found on a KASAN-enabled arm64 system when investigating https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa: [T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0 [T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862 [T15862] [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2 [T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024 [T15862] Call trace: [T15862] dump_backtrace+0x20c/0x220 [T15862] show_stack+0x2c/0x40 [T15862] dump_stack_lvl+0xf8/0x174 [T15862] print_report+0x170/0x4d8 [T15862] kasan_report+0xb8/0x1d4 [T15862] __asan_report_load4_noabort+0x20/0x2c [T15862] taprio_dump+0xa0c/0xbb0 [T15862] tc_fill_qdisc+0x540/0x1020 [T15862] qdisc_notify.isra.0+0x330/0x3a0 [T15862] tc_modify_qdisc+0x7b8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Allocated by task 15857: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_alloc_info+0x40/0x60 [T15862] __kasan_kmalloc+0xd4/0xe0 [T15862] __kmalloc_cache_noprof+0x194/0x334 [T15862] taprio_change+0x45c/0x2fe0 [T15862] tc_modify_qdisc+0x6a8/0x1838 [T15862] rtnetlink_rcv_msg+0x3c8/0xc20 [T15862] netlink_rcv_skb+0x1f8/0x3d4 [T15862] rtnetlink_rcv+0x28/0x40 [T15862] netlink_unicast+0x51c/0x790 [T15862] netlink_sendmsg+0x79c/0xc20 [T15862] __sock_sendmsg+0xe0/0x1a0 [T15862] ____sys_sendmsg+0x6c0/0x840 [T15862] ___sys_sendmsg+0x1ac/0x1f0 [T15862] __sys_sendmsg+0x110/0x1d0 [T15862] __arm64_sys_sendmsg+0x74/0xb0 [T15862] invoke_syscall+0x88/0x2e0 [T15862] el0_svc_common.constprop.0+0xe4/0x2a0 [T15862] do_el0_svc+0x44/0x60 [T15862] el0_svc+0x50/0x184 [T15862] el0t_64_sync_handler+0x120/0x12c [T15862] el0t_64_sync+0x190/0x194 [T15862] [T15862] Freed by task 6192: [T15862] kasan_save_stack+0x3c/0x70 [T15862] kasan_save_track+0x20/0x3c [T15862] kasan_save_free_info+0x4c/0x80 [T15862] poison_slab_object+0x110/0x160 [T15862] __kasan_slab_free+0x3c/0x74 [T15862] kfree+0x134/0x3c0 [T15862] taprio_free_sched_cb+0x18c/0x220 [T15862] rcu_core+0x920/0x1b7c [T15862] rcu_core_si+0x10/0x1c [T15862] handle_softirqs+0x2e8/0xd64 [T15862] __do_softirq+0x14/0x20 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: sched: usar la sección crítica del lado de lectura de RCU en taprio_dump(). Corrija el posible use-after-free en 'taprio_dump()' agregando allí la sección crítica del lado de lectura de RCU. Nunca visto en x86 pero encontrado en un sistema arm64 habilitado para KASAN al investigar https://syzkaller.appspot.com/bug? • https://git.kernel.org/stable/c/18cdd2f0998a4967b1fff4c43ed9aef049e42c39 https://git.kernel.org/stable/c/5d282467245f267c0b9ada3f7f309ff838521536 https://git.kernel.org/stable/c/e4369cb6acf6b895ac2453cc1cdf2f4326122c6d https://git.kernel.org/stable/c/b22db8b8befe90b61c98626ca1a2fbb0505e9fe3 •
CVE-2024-50125 – Bluetooth: SCO: Fix UAF on sco_sock_timeout
https://notcve.org/view.php?id=CVE-2024-50125
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_sock_timeout conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock so this checks if the conn->sk is still valid by checking if it part of sco_sk_list. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: SCO: Se corrige que UAF en sco_sock_timeout conn->sk pueda haberse desvinculado/liberado mientras se esperaba sco_conn_lock, por lo que esto verifica si conn->sk aún es válido verificando si es parte de sco_sk_list. • https://git.kernel.org/stable/c/ba316be1b6a00db7126ed9a39f9bee434a508043 https://git.kernel.org/stable/c/fea63ccd928c01573306983346588b26cffb5572 https://git.kernel.org/stable/c/48669c81a65628ef234cbdd91b9395952c7c27fe https://git.kernel.org/stable/c/37d7ae2b0578f2373674a755402ee722e96edc08 https://git.kernel.org/stable/c/a1073aad497d0d071a71f61b721966a176d50c08 https://git.kernel.org/stable/c/ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134 https://git.kernel.org/stable/c/b657bba82ff6a007d84fd076bd73b11131726a2b https://git.kernel.org/stable/c/9ddda5d967e84796e7df1b54a55f36b4b •
CVE-2024-50124 – Bluetooth: ISO: Fix UAF on iso_sock_timeout
https://notcve.org/view.php?id=CVE-2024-50124
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix UAF on iso_sock_timeout conn->sk maybe have been unlinked/freed while waiting for iso_conn_lock so this checks if the conn->sk is still valid by checking if it part of iso_sk_list. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: ISO: Se corrigió que UAF en iso_sock_timeout conn->sk pudiera haberse desvinculado/liberado mientras se esperaba a iso_conn_lock, por lo que esto verifica si conn->sk aún es válido verificando si es parte de iso_sk_list. • https://git.kernel.org/stable/c/ccf74f2390d60a2f9a75ef496d2564abb478f46a https://git.kernel.org/stable/c/876ac72d535fa94f4ac57bba651987c6f990f646 https://git.kernel.org/stable/c/14bcb721d241e62fdd18f6f434a2ed2ab6e71a9b https://git.kernel.org/stable/c/d75aad1d3143ca68cda52ff80ac392e1bbd84325 https://git.kernel.org/stable/c/246b435ad668596aa0e2bbb9d491b6413861211a •
CVE-2024-50123 – bpf: Add the missing BPF_LINK_TYPE invocation for sockmap
https://notcve.org/view.php?id=CVE-2024-50123
In the Linux kernel, the following vulnerability has been resolved: bpf: Add the missing BPF_LINK_TYPE invocation for sockmap There is an out-of-bounds read in bpf_link_show_fdinfo() for the sockmap link fd. Fix it by adding the missing BPF_LINK_TYPE invocation for sockmap link Also add comments for bpf_link_type to prevent missing updates in the future. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Agregue la invocación BPF_LINK_TYPE faltante para sockmap Hay una lectura fuera de los límites en bpf_link_show_fdinfo() para el fd del enlace sockmap. Arréglelo agregando la invocación BPF_LINK_TYPE faltante para el enlace sockmap Agregue también comentarios para bpf_link_type para evitar actualizaciones faltantes en el futuro. • https://git.kernel.org/stable/c/699c23f02c65cbfc3e638f14ce0d70c23a2e1f02 https://git.kernel.org/stable/c/6d79f12c0ce2bc8ff5f109093df1734bd6450615 https://git.kernel.org/stable/c/c2f803052bc7a7feb2e03befccc8e49b6ff1f5f5 •
CVE-2024-50122 – PCI: Hold rescan lock while adding devices during host probe
https://notcve.org/view.php?id=CVE-2024-50122
In the Linux kernel, the following vulnerability has been resolved: PCI: Hold rescan lock while adding devices during host probe Since adding the PCI power control code, we may end up with a race between the pwrctl platform device rescanning the bus and host controller probe functions. The latter need to take the rescan lock when adding devices or we may end up in an undefined state having two incompletely added devices and hit the following crash when trying to remove the device over sysfs: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP Call trace: __pi_strlen+0x14/0x150 kernfs_find_ns+0x80/0x13c kernfs_remove_by_name_ns+0x54/0xf0 sysfs_remove_bin_file+0x24/0x34 pci_remove_resource_files+0x3c/0x84 pci_remove_sysfs_dev_files+0x28/0x38 pci_stop_bus_device+0x8c/0xd8 pci_stop_bus_device+0x40/0xd8 pci_stop_and_remove_bus_device_locked+0x28/0x48 remove_store+0x70/0xb0 dev_attr_store+0x20/0x38 sysfs_kf_write+0x58/0x78 kernfs_fop_write_iter+0xe8/0x184 vfs_write+0x2dc/0x308 ksys_write+0x7c/0xec En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: PCI: Mantener el bloqueo de rescaneo mientras se agregan dispositivos durante la sonda del host. Desde que se agregó el código de control de energía PCI, podemos terminar con una ejecución entre el dispositivo de la plataforma pwrctl que vuelve a escanear el bus y las funciones de sonda del controlador del host. Estos últimos deben tomar el bloqueo de rescan al agregar dispositivos o podemos terminar en un estado indefinido con dos dispositivos agregados de forma incompleta y encontrar el siguiente bloqueo al intentar eliminar el dispositivo a través de sysfs: No se puede manejar la desreferencia del puntero NULL del kernel en la dirección virtual 0000000000000000 Error interno: Oops: 0000000096000004 [#1] Rastreo de llamadas SMP: __pi_strlen+0x14/0x150 kernfs_find_ns+0x80/0x13c kernfs_remove_by_name_ns+0x54/0xf0 sysfs_remove_bin_file+0x24/0x34 pci_remove_resource_files+0x3c/0x84 pci_remove_sysfs_dev_files+0x28/0x38 pci_stop_bus_device+0x8c/0xd8 pci_stop_bus_device+0x40/0xd8 pci_stop_and_remove_bus_device_locked+0x28/0x48 remove_store+0x70/0xb0 dev_attr_store+0x20/0x38 sysfs_kf_write+0x58/0x78 kernfs_fop_write_iter+0xe8/0x184 vfs_write+0x2dc/0x308 ksys_write+0x7c/0xec • https://git.kernel.org/stable/c/4565d2652a37e438e4cd729e2a8dfeffe34c958c https://git.kernel.org/stable/c/d4f38a0e7cc94615f63cf7765ca117e5cc2773ae https://git.kernel.org/stable/c/1d59d474e1cb7d4fdf87dfaf96f44647f13ea590 •