CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2021-47248 – udp: fix race between close() and udp_abort()
https://notcve.org/view.php?id=CVE-2021-47248
In the Linux kernel, the following vulnerability has been resolved: udp: fix race between close() and udp_abort() Kaustubh reported and diagnosed a panic in udp_lib_lookup(). The root cause is udp_abort() racing with close(). Both racing functions acquire the socket lock, but udp{v6}_destroy_sock() release it before performing destructive actions. We can't easily extend the socket lock scope to avoid the race, instead use the SOCK_DEAD flag to prevent udp_abort from doing any action when the critical race happens. Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org> En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: udp: corrige la ejecución entre close() y udp_abort(). Kaustubh informó y diagnosticó un pánico en udp_lib_lookup(). La causa principal es que udp_abort() compite con close(). Ambas funciones de ejecución adquieren el bloqueo del socket, pero udp{v6}_destroy_sock() lo libera antes de realizar acciones destructivas. • https://git.kernel.org/stable/c/5d77dca82839ef016a93ad7acd7058b14d967752 https://git.kernel.org/stable/c/e3c36c773aed0fef8b1d3d555b43393ec564400f https://git.kernel.org/stable/c/a0882f68f54f7a8b6308261acee9bd4faab5a69e https://git.kernel.org/stable/c/2f73448041bd0682d4b552cfd314ace66107f1ad https://git.kernel.org/stable/c/5a88477c1c85e4baa51e91f2d40f2166235daa56 https://git.kernel.org/stable/c/8729ec8a2238152a4afc212a331a6cd2c61aeeac https://git.kernel.org/stable/c/65310b0aff86980a011c7c7bfa487a333d4ca241 https://git.kernel.org/stable/c/a8b897c7bcd47f4147d066e22cc01d102 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47245 – netfilter: synproxy: Fix out of bounds when parsing TCP options
https://notcve.org/view.php?id=CVE-2021-47245
In the Linux kernel, the following vulnerability has been resolved: netfilter: synproxy: Fix out of bounds when parsing TCP options The TCP option parser in synproxy (synproxy_parse_options) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options."). v2 changes: Added an early return when length < 0 to avoid calling skb_header_pointer with negative length. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: synproxy: corrección de límites al analizar opciones TCP. El analizador de opciones TCP en synproxy (synproxy_parse_options) podría leer un byte fuera de los límites. Cuando la longitud es 1, el flujo de ejecución entra en el bucle, lee un byte del código de operación y, si el código de operación no es TCPOPT_EOL ni TCPOPT_NOP, lee un byte más, que excede la longitud de 1. • https://git.kernel.org/stable/c/48b1de4c110a7afa4b85862f6c75af817db26fad https://git.kernel.org/stable/c/e1eb98cfeafdd85537e7e3cefe93ca9bfbcc3ea8 https://git.kernel.org/stable/c/576c1526b4d83c44ad7b673cb841f36cbc6cb6c4 https://git.kernel.org/stable/c/674b5f0c6a4fc5d3abce877048290cea6091fcb1 https://git.kernel.org/stable/c/7d9a9a1a88a3da574e019b4de756bc73337b3b0b https://git.kernel.org/stable/c/6defc77d48eff74075b80ad5925061b2fc010d98 https://git.kernel.org/stable/c/9cdf299ba4e153b5e56187648420de22c6216f02 https://git.kernel.org/stable/c/f648089337cb8ed40b2bb96e244f72b9d •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2021-47239 – net: usb: fix possible use-after-free in smsc75xx_bind
https://notcve.org/view.php?id=CVE-2021-47239
In the Linux kernel, the following vulnerability has been resolved: net: usb: fix possible use-after-free in smsc75xx_bind The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind") fails to clean up the work scheduled in smsc75xx_reset-> smsc75xx_set_multicast, which leads to use-after-free if the work is scheduled to start after the deallocation. In addition, this patch also removes a dangling pointer - dev->data[0]. This patch calls cancel_work_sync to cancel the scheduled work and set the dangling pointer to NULL. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net:usb: corrige posible use after free en smsc75xx_bind. La confirmación 46a8b29c6306 ("net:usb: corrige la pérdida de memoria en smsc75xx_bind") no logra limpiar el trabajo programado en smsc75xx_reset -> smsc75xx_set_multicast, lo que genera use after free si el trabajo está programado para comenzar después de la desasignación. Además, este parche también elimina un puntero colgante: dev->data[0]. • https://git.kernel.org/stable/c/200dbfcad8011e50c3cec269ed7b980836eeb1fa https://git.kernel.org/stable/c/22c840596af0c09068b6cf948616e6496e59e07f https://git.kernel.org/stable/c/9e6b8c1ff9d997e1fa16cbd2d60739adf6dc1bbc https://git.kernel.org/stable/c/9e6a3eccb28779710cbbafc4f4258d92509c6d07 https://git.kernel.org/stable/c/b95fb96e6339e34694dd578fb6bde3575b01af17 https://git.kernel.org/stable/c/635ac38b36255d3cfb8312cf7c471334f4d537e0 https://git.kernel.org/stable/c/70c886ac93f87ae7214a0c69151a28a8075dd95b https://git.kernel.org/stable/c/7cc8b2e05fcea6edd022d26e82091d781 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2021-47238 – net: ipv4: fix memory leak in ip_mc_add1_src
https://notcve.org/view.php?id=CVE-2021-47238
In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix memory leak in ip_mc_add1_src BUG: memory leak unreferenced object 0xffff888101bc4c00 (size 32): comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ backtrace: [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline] [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423 [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117 [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline] [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline] [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47 [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, because it was also called in igmpv3_clear_delrec(). Rough callgraph: inetdev_destroy -> ip_mc_destroy_dev -> igmpv3_clear_delrec -> ip_mc_clear_src -> RCU_INIT_POINTER(dev->ip_ptr, NULL) However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through inetdev_by_index() and then in_dev->mc_list->sources cannot be released by ip_mc_del1_src() in the sock_close. Rough call sequence goes like: sock_close -> __sock_release -> inet_release -> ip_mc_drop_socket -> inetdev_by_index -> ip_mc_leave_src -> ip_mc_del_src -> ip_mc_del1_src So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free in_dev->mc_list->sources. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ipv4: corrige la pérdida de memoria en ip_mc_add1_src. • https://git.kernel.org/stable/c/24803f38a5c0b6c57ed800b47e695f9ce474bc3a https://git.kernel.org/stable/c/bd1b664a19403ede448d29c87b2f23796bc7a577 https://git.kernel.org/stable/c/b38c6e0bd5b5e439ecebdc0df599d573c2f610f8 https://git.kernel.org/stable/c/0dc13e75507faa17ac9f7562b4ef7bf8fcd78422 https://git.kernel.org/stable/c/6cff57eea3347f79f1867cc53e1093b6614138d8 https://git.kernel.org/stable/c/1e28018b5c83d5073f74a6fb72eabe8370b2f501 https://git.kernel.org/stable/c/3dd2aeac2e9624cff9fa634710837e4f2e352758 https://git.kernel.org/stable/c/ac31cc837cafb57a271babad8ccffbf73 • CWE-400: Uncontrolled Resource Consumption •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2021-47237 – net: hamradio: fix memory leak in mkiss_close
https://notcve.org/view.php?id=CVE-2021-47237
In the Linux kernel, the following vulnerability has been resolved: net: hamradio: fix memory leak in mkiss_close My local syzbot instance hit memory leak in mkiss_open()[1]. The problem was in missing free_netdev() in mkiss_close(). In mkiss_open() netdevice is allocated and then registered, but in mkiss_close() netdevice was only unregistered, but not freed. Fail log: BUG: memory leak unreferenced object 0xffff8880281ba000 (size 4096): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............ backtrace: [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0 [<ffffffff8706e7e8>] alloc_netdev_mqs+0x98/0xe80 [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1] [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110 [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670 [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440 [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200 [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0 [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae BUG: memory leak unreferenced object 0xffff8880141a9a00 (size 96): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@.......... backtrace: [<ffffffff8709f68b>] __hw_addr_create_ex+0x5b/0x310 [<ffffffff8709fb38>] __hw_addr_add_ex+0x1f8/0x2b0 [<ffffffff870a0c7b>] dev_addr_init+0x10b/0x1f0 [<ffffffff8706e88b>] alloc_netdev_mqs+0x13b/0xe80 [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1] [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110 [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670 [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440 [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200 [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0 [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae BUG: memory leak unreferenced object 0xffff8880219bfc00 (size 512): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............ 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0 [<ffffffff8706eec7>] alloc_netdev_mqs+0x777/0xe80 [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1] [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110 [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670 [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440 [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200 [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0 [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae BUG: memory leak unreferenced object 0xffff888029b2b200 (size 256): comm "syz-executor.1", pid 11443, jiffies 4295046091 (age 17.660s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff81a27201>] kvmalloc_node+0x61/0xf0 [<ffffffff8706f062>] alloc_netdev_mqs+0x912/0xe80 [<ffffffff84e64192>] mkiss_open+0xb2/0x6f0 [1] [<ffffffff842355db>] tty_ldisc_open+0x9b/0x110 [<ffffffff84236488>] tty_set_ldisc+0x2e8/0x670 [<ffffffff8421f7f3>] tty_ioctl+0xda3/0x1440 [<ffffffff81c9f273>] __x64_sys_ioctl+0x193/0x200 [<ffffffff8911263a>] do_syscall_64+0x3a/0xb0 [<ffffffff89200068>] entry_SYSCALL_64_after_hwframe+0x44/0xae En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: hamradio: corrige la pérdida de memoria en mkiss_close. Mi instancia local de syzbot tuvo una pérdida de memoria en mkiss_open()[1]. El problema estaba en que faltaba free_netdev() en mkiss_close(). En mkiss_open() el dispositivo de red se asigna y luego se registra, pero en mkiss_close() el dispositivo de red solo se anula del registro, pero no se libera. • https://git.kernel.org/stable/c/815f62bf742718458ba822a7e1f51f285eb997f2 https://git.kernel.org/stable/c/c634ba0b4159838ff45a60d3a0ace3b4118077a5 https://git.kernel.org/stable/c/3942d0f9ace1a95a74930b5b4fc0e5005c62b37b https://git.kernel.org/stable/c/765a8a04f828db7222b36a42b1031f576bfe95c3 https://git.kernel.org/stable/c/c16c4716a1b5ba4f83c7e00da457cba06761f119 https://git.kernel.org/stable/c/a49cbb762ef20655f5c91abdc13658b0af5e159d https://git.kernel.org/stable/c/290b0b6432e2599021db0b8d6046f756d931c29f https://git.kernel.org/stable/c/f4de2b43d13b7cf3ced9310e371b90c83 •