CVE-2024-27405 – usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs
https://notcve.org/view.php?id=CVE-2024-27405
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs It is observed sometimes when tethering is used over NCM with Windows 11 as host, at some instances, the gadget_giveback has one byte appended at the end of a proper NTB. When the NTB is parsed, unwrap call looks for any leftover bytes in SKB provided by u_ether and if there are any pending bytes, it treats them as a separate NTB and parses it. But in case the second NTB (as per unwrap call) is faulty/corrupt, all the datagrams that were parsed properly in the first NTB and saved in rx_list are dropped. Adding a few custom traces showed the following: [002] d..1 7828.532866: dwc3_gadget_giveback: ep1out: req 000000003868811a length 1025/16384 zsI ==> 0 [002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025 [002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400 [002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10 [002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames In this case, the giveback is of 1025 bytes and block length is 1024. The rest 1 byte (which is 0x00) won't be parsed resulting in drop of all datagrams in rx_list. Same is case with packets of size 2048: [002] d..1 7828.557948: dwc3_gadget_giveback: ep1out: req 0000000011dfd96e length 2049/16384 zsI ==> 0 [002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342 [002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800 Lecroy shows one byte coming in extra confirming that the byte is coming in from PC: Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590) - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590) --- Packet 4063861 Data(1024 bytes) Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590) --- Packet 4063863 Data(1 byte) Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722) According to Windows driver, no ZLP is needed if wBlockLength is non-zero, because the non-zero wBlockLength has already told the function side the size of transfer to be expected. However, there are in-market NCM devices that rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize. To deal with such devices, it pads an extra 0 at end so the transfer is no longer multiple of wMaxPacketSize. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: gadget: ncm: Evite soltar datagramas de NTB analizados correctamente. • https://git.kernel.org/stable/c/9f6ce4240a2bf456402c15c06768059e5973f28c https://git.kernel.org/stable/c/059285e04ebb273d32323fbad5431c5b94f77e48 https://git.kernel.org/stable/c/a31cf46d108dabce3df80b3e5c07661e24912151 https://git.kernel.org/stable/c/57ca0e16f393bb21d69734e536e383a3a4c665fd https://git.kernel.org/stable/c/2cb66b62a5d64ccf09b0591ab86fb085fa491fc5 https://git.kernel.org/stable/c/35b604a37ec70d68b19dafd10bbacf1db505c9ca https://git.kernel.org/stable/c/2b7ec68869d50ea998908af43b643bca7e54577e https://git.kernel.org/stable/c/c7f43900bc723203d7554d299a2ce8440 • CWE-476: NULL Pointer Dereference •
CVE-2024-27402 – phonet/pep: fix racy skb_queue_empty() use
https://notcve.org/view.php?id=CVE-2024-27402
In the Linux kernel, the following vulnerability has been resolved: phonet/pep: fix racy skb_queue_empty() use The receive queues are protected by their respective spin-lock, not the socket lock. This could lead to skb_peek() unexpectedly returning NULL or a pointer to an already dequeued socket buffer. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: phonet/pep: corrige el uso picante de skb_queue_empty() Las colas de recepción están protegidas por sus respectivos spin-lock, no por el socket lock. Esto podría provocar que skb_peek() devuelva inesperadamente NULL o un puntero a un búfer de socket ya retirado de la cola. • https://git.kernel.org/stable/c/9641458d3ec42def729fde64669abf07f3220cd5 https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78 https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277 https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88 https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5 •
CVE-2023-52656 – io_uring: drop any code related to SCM_RIGHTS
https://notcve.org/view.php?id=CVE-2023-52656
In the Linux kernel, the following vulnerability has been resolved: io_uring: drop any code related to SCM_RIGHTS This is dead code after we dropped support for passing io_uring fds over SCM_RIGHTS, get rid of it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: elimina cualquier código relacionado con SCM_RIGHTS. Este es un código inactivo después de que dejamos de admitir el paso de io_uring fds sobre SCM_RIGHTS, deshazte de él. • https://git.kernel.org/stable/c/cfb24022bb2c31f1f555dc6bc3cc5e2547446fb3 https://git.kernel.org/stable/c/a6771f343af90a25f3a14911634562bb5621df02 https://git.kernel.org/stable/c/d909d381c3152393421403be4b6435f17a2378b4 https://git.kernel.org/stable/c/a3812a47a32022ca76bf46ddacdd823dc2aabf8b https://git.kernel.org/stable/c/88c49d9c896143cdc0f77197c4dcf24140375e89 https://git.kernel.org/stable/c/6e5e6d274956305f1fc0340522b38f5f5be74bdb https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html https://access.redhat.com/security/cve/CVE-2023 •
CVE-2024-27401 – firewire: nosy: ensure user_length is taken into account when fetching packet contents
https://notcve.org/view.php?id=CVE-2024-27401
In the Linux kernel, the following vulnerability has been resolved: firewire: nosy: ensure user_length is taken into account when fetching packet contents Ensure that packet_buffer_get respects the user_length provided. If the length of the head packet exceeds the user_length, packet_buffer_get will now return 0 to signify to the user that no data were read and a larger buffer size is required. Helps prevent user space overflows. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: firewire: nosy: asegúrese de que se tenga en cuenta la longitud de usuario al recuperar el contenido del paquete. Asegúrese de que paquete_buffer_get respete la longitud de usuario proporcionada. • https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285 https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239 https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6 •
CVE-2024-27399 – Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
https://notcve.org/view.php?id=CVE-2024-27399
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout There is a race condition between l2cap_chan_timeout() and l2cap_chan_del(). When we use l2cap_chan_del() to delete the channel, the chan->conn will be set to null. But the conn could be dereferenced again in the mutex_lock() of l2cap_chan_timeout(). As a result the null pointer dereference bug will happen. The KASAN report triggered by POC is shown below: [ 472.074580] ================================================================== [ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0 [ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7 [ 472.075308] [ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36 [ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4 [ 472.075308] Workqueue: events l2cap_chan_timeout [ 472.075308] Call Trace: [ 472.075308] <TASK> [ 472.075308] dump_stack_lvl+0x137/0x1a0 [ 472.075308] print_report+0x101/0x250 [ 472.075308] ? __virt_addr_valid+0x77/0x160 [ 472.075308] ? • https://git.kernel.org/stable/c/3df91ea20e744344100b10ae69a17211fcf5b207 https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9 https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79 https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33 https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0 https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5 •