CVE-2024-39496 – btrfs: zoned: fix use-after-free due to race with dev replace
https://notcve.org/view.php?id=CVE-2024-39496
In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: btrfs:zoned: corrige el use-after-free debido a la ejecución con el reemplazo de desarrollo. Mientras cargamos la información de una zona durante la creación de un grupo de bloques, podemos ejecutar una operación de reemplazo de dispositivo y luego activar un use-after-free en el dispositivo que acaba de ser reemplazado (dispositivo fuente de la operación de reemplazo). Esto sucede porque en btrfs_load_zone_info() extraemos un dispositivo del mapa de fragmentos en una variable local y luego usamos el dispositivo mientras no está bajo la protección del dispositivo y reemplazamos rwsem. • https://git.kernel.org/stable/c/17765964703b88d8befd899f8501150bb7e07e43 https://git.kernel.org/stable/c/092571ef9a812566c8f2c9038d9c2a64c49788d6 https://git.kernel.org/stable/c/a0cc006f4214b87e70983c692e05bb36c59b5752 https://git.kernel.org/stable/c/0090d6e1b210551e63cf43958dc7a1ec942cdde9 • CWE-416: Use After Free •
CVE-2024-39495 – greybus: Fix use-after-free bug in gb_interface_release due to race condition.
https://notcve.org/view.php?id=CVE-2024-39495
In the Linux kernel, the following vulnerability has been resolved: greybus: Fix use-after-free bug in gb_interface_release due to race condition. In gb_interface_create, &intf->mode_switch_completion is bound with gb_interface_mode_switch_work. Then it will be started by gb_interface_request_mode_switch. Here is the relevant code. if (!queue_work(system_long_wq, &intf->mode_switch_work)) { ... } If we call gb_interface_release to make cleanup, there may be an unfinished work. This function will call kfree to free the object "intf". • https://git.kernel.org/stable/c/74cd0a421896b2e07eafe7da4275302bfecef201 https://git.kernel.org/stable/c/2b6bb0b4abfd79b8698ee161bb73c0936a2aaf83 https://git.kernel.org/stable/c/fb071f5c75d4b1c177824de74ee75f9dd34123b9 https://git.kernel.org/stable/c/9a733d69a4a59c2d08620e6589d823c24be773dc https://git.kernel.org/stable/c/0b8fba38bdfb848fac52e71270b2aa3538c996ea https://git.kernel.org/stable/c/03ea2b129344152157418929f06726989efc0445 https://git.kernel.org/stable/c/5c9c5d7f26acc2c669c1dcf57d1bb43ee99220ce • CWE-416: Use After Free •
CVE-2024-39494 – ima: Fix use-after-free on a dentry's dname.name
https://notcve.org/view.php?id=CVE-2024-39494
In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ima: corrige el use-after-free en dentry dname.name ->d_name.name puede cambiar al cambiar el nombre y el valor anterior se puede liberar; existen condiciones suficientes para estabilizarlo (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusivo en el inodo del padre, rename_lock), pero ninguna de ellas se cumple en ninguno de los sitios. En su lugar, tome una instantánea estable del nombre. • https://git.kernel.org/stable/c/7fb374981e31c193b1152ed8d3b0a95b671330d4 https://git.kernel.org/stable/c/dd431c3ac1fc34a9268580dd59ad3e3c76b32a8c https://git.kernel.org/stable/c/a78a6f0da57d058e2009e9958fdcef66f165208c https://git.kernel.org/stable/c/be84f32bb2c981ca670922e047cdde1488b233de • CWE-416: Use After Free •
CVE-2024-39493 – crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
https://notcve.org/view.php?id=CVE-2024-39493
In the Linux kernel, the following vulnerability has been resolved: crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Using completion_done to determine whether the caller has gone away only works after a complete call. Furthermore it's still possible that the caller has not yet called wait_for_completion, resulting in another potential UAF. Fix this by making the caller use cancel_work_sync and then freeing the memory safely. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: crypto: qat: corrige la pérdida de memoria ADF_DEV_RESET_SYNC. El uso de complete_done para determinar si la persona que llama se ha ido solo funciona después de una llamada completa. Además, aún es posible que la persona que llama aún no haya llamado a wait_for_completion, lo que genera otra posible UAF. • https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7 https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81 https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71 https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7 https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950 •
CVE-2024-39490 – ipv6: sr: fix missing sk_buff release in seg6_input_core
https://notcve.org/view.php?id=CVE-2024-39490
In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix missing sk_buff release in seg6_input_core The seg6_input() function is responsible for adding the SRH into a packet, delegating the operation to the seg6_input_core(). This function uses the skb_cow_head() to ensure that there is sufficient headroom in the sk_buff for accommodating the link-layer header. In the event that the skb_cow_header() function fails, the seg6_input_core() catches the error but it does not release the sk_buff, which will result in a memory leak. This issue was introduced in commit af3b5158b89d ("ipv6: sr: fix BUG due to headroom too small after SRH push") and persists even after commit 7a3f5b0de364 ("netfilter: add netfilter hooks to SRv6 data plane"), where the entire seg6_input() code was refactored to deal with netfilter hooks. The proposed patch addresses the identified memory leak by requiring the seg6_input_core() function to release the sk_buff in the event that skb_cow_head() fails. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: ipv6: sr: corrige la versión faltante de sk_buff en seg6_input_core La función seg6_input() es responsable de agregar el SRH a un paquete, delegando la operación al seg6_input_core(). Esta función utiliza skb_cow_head() para garantizar que haya suficiente espacio libre en sk_buff para acomodar el encabezado de la capa de enlace. En caso de que la función skb_cow_header() falle, seg6_input_core() detecta el error pero no libera sk_buff, lo que provocará una pérdida de memoria. • https://git.kernel.org/stable/c/af3b5158b89d3bab9be881113417558c71b71ca4 https://git.kernel.org/stable/c/e8688218e38111ace457509d8f0cad75f79c1a7a https://git.kernel.org/stable/c/8f1fc3b86eaea70be6abcae2e9aa7e7b99453864 https://git.kernel.org/stable/c/f4df8c7670a73752201cbde215254598efdf6ce8 https://git.kernel.org/stable/c/f5fec1588642e415a3d72e02140160661b303940 https://git.kernel.org/stable/c/5447f9708d9e4c17a647b16a9cb29e9e02820bd9 •