CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53139 – sctp: fix possible UAF in sctp_v6_available()
https://notcve.org/view.php?id=CVE-2024-53139
In the Linux kernel, the following vulnerability has been resolved: sctp: fix possible UAF in sctp_v6_available() A lockdep report [1] with CONFIG_PROVE_RCU_LIST=y hints that sctp_v6_available() is calling dev_get_by_index_rcu() and ipv6_chk_addr() without holding rcu. [1] ============================= WARNING: suspicious RCU usage 6.12.0-rc5-virtme #1216 Tainted: G W ----------------------------- net/core/dev.c:876 RCU-list traversed in non-reader section!! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by sctp_hello/31495: #0: ffff9f1ebbdb7418 (sk_lock-AF_INET6){+.+.}-{0:0}, at: sctp_bind (./arch/x86/include/asm/jump_label.h:27 net/sctp/socket.c:315) sctp stack backtrace: CPU: 7 UID: 0 PID: 31495 Comm: sctp_hello Tainted: G W 6.12.0-rc5-virtme #1216 Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) lockdep_rcu_suspicious (kernel/locking/lockdep.c:6822) dev_get_by_index_rcu (net/core/dev.c:876 (discriminator 7)) sctp_v6_available (net/sctp/ipv6.c:701) sctp sctp_do_bind (net/sctp/socket.c:400 (discriminator 1)) sctp sctp_bind (net/sctp/socket.c:320) sctp inet6_bind_sk (net/ipv6/af_inet6.c:465) ? security_socket_bind (security/security.c:4581 (discriminator 1)) __sys_bind (net/socket.c:1848 net/socket.c:1869) ? do_user_addr_fault (. • https://git.kernel.org/stable/c/6fe1e52490a91cb23f6b3aafc93e7c5beb99f862 https://git.kernel.org/stable/c/ad975697211f4f2c4ce61c3ba524fd14d88ceab8 https://git.kernel.org/stable/c/05656a66592759242c74063616291b7274d11b2f https://git.kernel.org/stable/c/eb72e7fcc83987d5d5595b43222f23b295d5de7f • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-53138 – net/mlx5e: kTLS, Fix incorrect page refcounting
https://notcve.org/view.php?id=CVE-2024-53138
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: kTLS, Fix incorrect page refcounting The kTLS tx handling code is using a mix of get_page() and page_ref_inc() APIs to increment the page reference. But on the release path (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used. This is an issue when using pages from large folios: the get_page() references are stored on the folio page while the page_ref_inc() references are stored directly in the given page. On release the folio page will be dereferenced too many times. This was found while doing kTLS testing with sendfile() + ZC when the served file was read from NFS on a kernel with NFS large folios support (commit 49b29a573da8 ("nfs: add support for large folios")). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: kTLS, Fix wrong page refcounting El código de manejo de tx de kTLS usa una combinación de API get_page() y page_ref_inc() para incrementar la referencia de página. Pero en la ruta de lanzamiento (mlx5e_ktls_tx_handle_resync_dump_comp()), solo se usa put_page(). • https://git.kernel.org/stable/c/84d1bb2b139e0184b1754aa1b5776186b475fce8 https://git.kernel.org/stable/c/a0ddb20a748b122ea86003485f7992fa5e84cc95 https://git.kernel.org/stable/c/ffad2ac8c859c1c1a981fe9c4f7ff925db684a43 https://git.kernel.org/stable/c/c7b97f9e794d8e2bbaa50e1d6c230196fd214b5e https://git.kernel.org/stable/c/69fbd07f17b0fdaf8970bc705f5bf115c297839d https://git.kernel.org/stable/c/93a14620b97c911489a5b008782f3d9b0c4aeff4 https://git.kernel.org/stable/c/2723e8b2cbd486cb96e5a61b22473f7fd62e18df https://git.kernel.org/stable/c/dd6e972cc5890d91d6749bb48e3912721 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-53137 – ARM: fix cacheflush with PAN
https://notcve.org/view.php?id=CVE-2024-53137
In the Linux kernel, the following vulnerability has been resolved: ARM: fix cacheflush with PAN It seems that the cacheflush syscall got broken when PAN for LPAE was implemented. User access was not enabled around the cache maintenance instructions, causing them to fault. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ARM: reparar cacheflush con PAN Parece que la llamada al sistema cacheflush se rompió cuando se implementó PAN para LPAE. El acceso de usuario no estaba habilitado en torno a las instrucciones de mantenimiento de caché, lo que provocó que fallaran. • https://git.kernel.org/stable/c/7af5b901e84743c608aae90cb0e429702812c324 https://git.kernel.org/stable/c/e6960a2ed49c9a25357817535f7cc50594a58604 https://git.kernel.org/stable/c/ca29cfcc4a21083d671522ad384532e28a43f033 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-53136 – mm: revert "mm: shmem: fix data-race in shmem_getattr()"
https://notcve.org/view.php?id=CVE-2024-53136
In the Linux kernel, the following vulnerability has been resolved: mm: revert "mm: shmem: fix data-race in shmem_getattr()" Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as suggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over NFS. As Hugh commented, "added just to silence a syzbot sanitizer splat: added where there has never been any practical problem". En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: revert "mm: shmem: fix data-race in shmem_getattr()" Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") como lo sugirió Chuck [1]. Está causando bloqueos al acceder a tmpfs a través de NFS. Como comentó Hugh, "agregado solo para silenciar un splat de sanitizador de syzbot: agregado donde nunca ha habido ningún problema práctico". • https://git.kernel.org/stable/c/9fb9703cd43ee20a6de8ccdef991677b7274cec0 https://git.kernel.org/stable/c/7cc30ada84323be19395094d567579536e0d187e https://git.kernel.org/stable/c/bda1a99a0dd644f31a87d636ac624eeb975cb65a https://git.kernel.org/stable/c/3d9528484480e8f4979b3a347930ed383be99f89 https://git.kernel.org/stable/c/82cae1e30bd940253593c2d4f16d88343d1358f4 https://git.kernel.org/stable/c/edd1f905050686fdc4cfe233d818469fdf7d5ff8 https://git.kernel.org/stable/c/ffd56612566bc23877c8f45def2801f3324a222a https://git.kernel.org/stable/c/36b537e8f302f670c7cf35d88a3a29444 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-53135 – KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN
https://notcve.org/view.php?id=CVE-2024-53135
In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Hide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support for virtualizing Intel PT via guest/host mode unless BROKEN=y. There are myriad bugs in the implementation, some of which are fatal to the guest, and others which put the stability and health of the host at risk. For guest fatalities, the most glaring issue is that KVM fails to ensure tracing is disabled, and *stays* disabled prior to VM-Enter, which is necessary as hardware disallows loading (the guest's) RTIT_CTL if tracing is enabled (enforced via a VMX consistency check). Per the SDM: If the logical processor is operating with Intel PT enabled (if IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load IA32_RTIT_CTL" VM-entry control must be 0. On the host side, KVM doesn't validate the guest CPUID configuration provided by userspace, and even worse, uses the guest configuration to decide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuring guest CPUID to enumerate more address ranges than are supported in hardware will result in KVM trying to passthrough, save, and load non-existent MSRs, which generates a variety of WARNs, ToPA ERRORs in the host, a potential deadlock, etc. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: VMX: oculta la virtualización de Intel PT (modo invitado/host) detrás de CONFIG_BROKEN Oculta el parámetro del módulo pt_mode de KVM detrás de CONFIG_BROKEN, es decir, deshabilita la compatibilidad con la virtualización de Intel PT a través del modo invitado/host a menos que BROKEN=y. • https://git.kernel.org/stable/c/f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 https://git.kernel.org/stable/c/c3742319d021f5aa3a0a8c828485fee14753f6de https://git.kernel.org/stable/c/d4b42f926adcce4e5ec193c714afd9d37bba8e5b https://git.kernel.org/stable/c/b8a1d572478b6f239061ee9578b2451bf2f021c2 https://git.kernel.org/stable/c/e6716f4230a8784957273ddd27326264b27b9313 https://git.kernel.org/stable/c/d28b059ee4779b5102c5da6e929762520510e406 https://git.kernel.org/stable/c/b91bb0ce5cd7005b376eac690ec664c1b56372ec https://git.kernel.org/stable/c/aa0d42cacf093a6fcca872edc954f6f81 •