CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52803 – SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
https://notcve.org/view.php?id=CVE-2023-52803
In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries RPC client pipefs dentries cleanup is in separated rpc_remove_pipedir() workqueue,which takes care about pipefs superblock locking. In some special scenarios, when kernel frees the pipefs sb of the current client and immediately alloctes a new pipefs sb, rpc_remove_pipedir function would misjudge the existence of pipefs sb which is not the one it used to hold. As a result, the rpc_remove_pipedir would clean the released freed pipefs dentries. To fix this issue, rpc_remove_pipedir should check whether the current pipefs sb is consistent with the original pipefs sb. This error can be catched by KASAN: ========================================================= [ 250.497700] BUG: KASAN: slab-use-after-free in dget_parent+0x195/0x200 [ 250.498315] Read of size 4 at addr ffff88800a2ab804 by task kworker/0:18/106503 [ 250.500549] Workqueue: events rpc_free_client_work [ 250.501001] Call Trace: [ 250.502880] kasan_report+0xb6/0xf0 [ 250.503209] ? dget_parent+0x195/0x200 [ 250.503561] dget_parent+0x195/0x200 [ 250.503897] ? __pfx_rpc_clntdir_depopulate+0x10/0x10 [ 250.504384] rpc_rmdir_depopulate+0x1b/0x90 [ 250.504781] rpc_remove_client_dir+0xf5/0x150 [ 250.505195] rpc_free_client_work+0xe4/0x230 [ 250.505598] process_one_work+0x8ee/0x13b0 ... [ 22.039056] Allocated by task 244: [ 22.039390] kasan_save_stack+0x22/0x50 [ 22.039758] kasan_set_track+0x25/0x30 [ 22.040109] __kasan_slab_alloc+0x59/0x70 [ 22.040487] kmem_cache_alloc_lru+0xf0/0x240 [ 22.040889] __d_alloc+0x31/0x8e0 [ 22.041207] d_alloc+0x44/0x1f0 [ 22.041514] __rpc_lookup_create_exclusive+0x11c/0x140 [ 22.041987] rpc_mkdir_populate.constprop.0+0x5f/0x110 [ 22.042459] rpc_create_client_dir+0x34/0x150 [ 22.042874] rpc_setup_pipedir_sb+0x102/0x1c0 [ 22.043284] rpc_client_register+0x136/0x4e0 [ 22.043689] rpc_new_client+0x911/0x1020 [ 22.044057] rpc_create_xprt+0xcb/0x370 [ 22.044417] rpc_create+0x36b/0x6c0 ... [ 22.049524] Freed by task 0: [ 22.049803] kasan_save_stack+0x22/0x50 [ 22.050165] kasan_set_track+0x25/0x30 [ 22.050520] kasan_save_free_info+0x2b/0x50 [ 22.050921] __kasan_slab_free+0x10e/0x1a0 [ 22.051306] kmem_cache_free+0xa5/0x390 [ 22.051667] rcu_core+0x62c/0x1930 [ 22.051995] __do_softirq+0x165/0x52a [ 22.052347] [ 22.052503] Last potentially related work creation: [ 22.052952] kasan_save_stack+0x22/0x50 [ 22.053313] __kasan_record_aux_stack+0x8e/0xa0 [ 22.053739] __call_rcu_common.constprop.0+0x6b/0x8b0 [ 22.054209] dentry_free+0xb2/0x140 [ 22.054540] __dentry_kill+0x3be/0x540 [ 22.054900] shrink_dentry_list+0x199/0x510 [ 22.055293] shrink_dcache_parent+0x190/0x240 [ 22.055703] do_one_tree+0x11/0x40 [ 22.056028] shrink_dcache_for_umount+0x61/0x140 [ 22.056461] generic_shutdown_super+0x70/0x590 [ 22.056879] kill_anon_super+0x3a/0x60 [ 22.057234] rpc_kill_sb+0x121/0x200 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: SUNRPC: el cliente RPC limpió los pipefs dentries liberados. La limpieza de pipefs dentries del cliente RPC está en la cola de trabajo separada rpc_remove_pipedir(), que se encarga del bloqueo del superbloque de pipefs. • https://git.kernel.org/stable/c/0157d021d23a087eecfa830502f81cfe843f0d16 https://git.kernel.org/stable/c/17866066b8ac1cc38fb449670bc15dc9fee4b40a https://git.kernel.org/stable/c/7d61d1da2ed1f682c41cae0c8d4719cdaccee5c5 https://git.kernel.org/stable/c/dedf2a0eb9448ae73b270743e6ea9b108189df46 https://git.kernel.org/stable/c/194454afa6aa9d6ed74f0c57127bc8beb27c20df https://git.kernel.org/stable/c/7749fd2dbef72a52b5c9ffdbf877691950ed4680 https://git.kernel.org/stable/c/1cdb52ffd6600a37bd355d8dce58ecd03e55e618 https://git.kernel.org/stable/c/cc2e7ebbeb1d0601f7f3c8d93b78fcc03 • CWE-416: Use After Free •
CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52800 – wifi: ath11k: fix htt pktlog locking
https://notcve.org/view.php?id=CVE-2023-52800
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix htt pktlog locking The ath11k active pdevs are protected by RCU but the htt pktlog handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: ath11k: corrige el bloqueo de htt pktlog. Los pdevs activos de ath11k están protegidos por RCU, pero el código de manejo de htt pktlog que llama a ath11k_mac_get_ar_by_pdev_id() no se marcó como una sección crítica del lado de lectura. Marque el código en cuestión como una sección crítica del lado de lectura de RCU para evitar posibles problemas de use after free. Compilación probada únicamente. • https://git.kernel.org/stable/c/d5c65159f2895379e11ca13f62feabe93278985d https://git.kernel.org/stable/c/03ed26935bebf6b6fd8a656490bf3dcc71b72679 https://git.kernel.org/stable/c/3a51e6b4da71fdfa43ec006d6abc020f3e22d14e https://git.kernel.org/stable/c/e3199b3fac65c9f103055390b6fd07c5cffa5961 https://git.kernel.org/stable/c/423762f021825b5e57c3d6f01ff96a9ff19cdcd8 https://git.kernel.org/stable/c/69cede2a5a5f60e3f5602b901b52cb64edd2ea6c https://git.kernel.org/stable/c/3f77c7d605b29df277d77e9ee75d96e7ad145d2d https://access.redhat.com/security/cve/CVE-2023-52800 • CWE-413: Improper Resource Locking •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2023-52799 – jfs: fix array-index-out-of-bounds in dbFindLeaf
https://notcve.org/view.php?id=CVE-2023-52799
In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds in dbFindLeaf Currently while searching for dmtree_t for sufficient free blocks there is an array out of bounds while getting element in tp->dm_stree. To add the required check for out of bound we first need to determine the type of dmtree. Thus added an extra parameter to dbFindLeaf so that the type of tree can be determined and the required check can be applied. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: jfs: corrige el índice de matriz fuera de los límites en dbFindLeaf. Actualmente, mientras se busca dmtree_t para suficientes bloques libres, hay una matriz fuera de los límites al obtener el elemento en tp->dm_stree . • https://git.kernel.org/stable/c/20f9310a18e3e99fc031e036fcbed67105ae1859 https://git.kernel.org/stable/c/86df90f3fea7c5591f05c8a0010871d435e83046 https://git.kernel.org/stable/c/ecfb47f13b08b02cf28b7b50d4941eefa21954d2 https://git.kernel.org/stable/c/81aa58cd8495b8c3b527f58ccbe19478d8087f61 https://git.kernel.org/stable/c/da3da5e1e6f71c21d8e6149d7076d936ef5d4cb9 https://git.kernel.org/stable/c/a50b796d36719757526ee094c703378895ab5e67 https://git.kernel.org/stable/c/88b7894a8f8705bf4e7ea90b10229376abf14514 https://git.kernel.org/stable/c/87c681ab49e99039ff2dd3e7185241738 •
CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52798 – wifi: ath11k: fix dfs radar event locking
https://notcve.org/view.php?id=CVE-2023-52798
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix dfs radar event locking The ath11k active pdevs are protected by RCU but the DFS radar event handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: ath11k: corrige el bloqueo de eventos de radar dfs. Los pdevs activos de ath11k están protegidos por RCU, pero el código de manejo de eventos de radar DFS que llama a ath11k_mac_get_ar_by_pdev_id() no se marcó como una sección crítica del lado de lectura . Marque el código en cuestión como una sección crítica del lado de lectura de RCU para evitar posibles problemas de use after free. Compilación probada únicamente. • https://git.kernel.org/stable/c/d5c65159f2895379e11ca13f62feabe93278985d https://git.kernel.org/stable/c/f882f51905517575c9f793a3dff567af90ef9a10 https://git.kernel.org/stable/c/426e718ce9ba60013364a54233feee309356cb82 https://git.kernel.org/stable/c/ca420ac4f9451f22347bae44b18ab47ba2c267ec https://git.kernel.org/stable/c/1fd878e1750190a612b5de2af357cca422ec0822 https://git.kernel.org/stable/c/21ebb0aba580d347e12f01ce5f6e75044427b3d5 https://git.kernel.org/stable/c/3b6c14833165f689cc5928574ebafe52bbce5f1e https://access.redhat.com/security/cve/CVE-2023-52798 • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2023-52797 – drivers: perf: Check find_first_bit() return value
https://notcve.org/view.php?id=CVE-2023-52797
In the Linux kernel, the following vulnerability has been resolved: drivers: perf: Check find_first_bit() return value We must check the return value of find_first_bit() before using the return value as an index array since it happens to overflow the array and then panic: [ 107.318430] Kernel BUG [#1] [ 107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G E 6.6.0-rc6ubuntu-defconfig #2 [ 107.319465] Hardware name: riscv-virtio,qemu (DT) [ 107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae [ 107.319840] ra : pmu_sbi_ovf_handler+0x52/0x3ae [ 107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350 [ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480 [ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520 [ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff [ 107.319936] a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000 [ 107.319951] a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55 [ 107.319965] s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f [ 107.319980] s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000 [ 107.319995] s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0 [ 107.320009] s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000 [ 107.320023] t5 : ffffaf7f80000000 t6 : ffffaf8000000000 [ 107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 [ 107.320081] [<ffffffff80a0a77c>] pmu_sbi_ovf_handler+0x3a4/0x3ae [ 107.320112] [<ffffffff800b42d0>] handle_percpu_devid_irq+0x9e/0x1a0 [ 107.320131] [<ffffffff800ad92c>] generic_handle_domain_irq+0x28/0x36 [ 107.320148] [<ffffffff8065f9f8>] riscv_intc_irq+0x36/0x4e [ 107.320166] [<ffffffff80caf4a0>] handle_riscv_irq+0x54/0x86 [ 107.320189] [<ffffffff80cb0036>] do_irq+0x64/0x96 [ 107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097 [ 107.320585] ---[ end trace 0000000000000000 ]--- [ 107.320704] Kernel panic - not syncing: Fatal exception in interrupt [ 107.320775] SMP: stopping secondary CPUs [ 107.321219] Kernel Offset: 0x0 from 0xffffffff80000000 [ 107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drivers: perf: Verifique el valor de retorno de find_first_bit(). Debemos verificar el valor de retorno de find_first_bit() antes de usar el valor de retorno como una matriz de índice ya que sucede que desborda la matriz y luego pánico: [107.318430] BUG del kernel [#1] [107.319434] CPU: 3 PID: 1238 Comm: kill Contaminado: GE 6.6.0-rc6ubuntu-defconfig #2 [ 107.319465] Nombre de hardware: riscv-virtio,qemu (DT) [ 107.319551] epc: pmu_sbi_ovf_handler+0x3a4/0x3ae [107.319840] ra: pmu_sbi_ovf_handler+0x52/0x3ae [107.319868] epc: ffffffff80a0a77c ra: ffffffff80a0a42a sp: 83fecda350 [ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480 [ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520 [ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff [ 107.319936] a2 : 000000000107373 4 a3: 0000000000000004 a4: 0000000000000000 [107.319951] a5: 0000000000000040 a6: 000000001d1c8774 a7: 000000000504d55 [107.3199 65] s2: ffffffff82451f10 s3: ffffffff82724e70 s4: 000000000000003f [107.319980] s5: 0000000000000011 s6: ffffaf8083db27c0 s7: 00000000000000000 [107.319995] s8: 000000000000 0001 s9: 00007fffb45d6558 s10: 00007fffb45d81a0 [107.320009] s11: ffffaf7ffff60000 t3: 00000000000000004 t4: 0000000000000000 [ 107.320 023] t5: ffffaf7f80000000 t6: ffffaf8000000000 [107.320037 ] estado: 0000000200000100 badaddr: 00000000000000000 causa: 0000000000000003 [ 107.320081] [] pmu_sbi_ovf_handler+0x3a4/0x3ae [ 107.3201 12] [] handle_percpu_devid_irq+0x9e/0x1a0 [ 107.320131] [] generic_handle_domain_irq+0x28/0x36 [ 107.320148] [] riscv_intc_irq+0x36/0x4e [ 107.320166] [] handle_riscv_irq+0x54/0x86 [ 107.320189] [] _irq+0x64/0x96 [ 107.320271] Código: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097 [107.320585] ---[ seguimiento final 0000000000000000 ]--- [ 107.320704] Pánico del kernel - no se sincroniza: excepción fatal en interrupción [ 107.320775] SMP: deteniendo CPU secundarias [ 107.32121 9]Compensación del kernel: 0x0 desde 0xffffffff80000000 [107.333051] ---[ fin del pánico del kernel - no se sincroniza: excepción fatal en la interrupción ]--- • https://git.kernel.org/stable/c/4905ec2fb7e6421c14c9fb7276f5aa92f60f2b98 https://git.kernel.org/stable/c/2c86b24095fcf72cf51bc72d12e4350163b4e11d https://git.kernel.org/stable/c/45a0de41ec383c8b7c6d442734ba3852dd2fc4a7 https://git.kernel.org/stable/c/c6e316ac05532febb0c966fa9b55f5258ed037be •