CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2023-52701 – net: use a bounce buffer for copying skb->mark
https://notcve.org/view.php?id=CVE-2023-52701
In the Linux kernel, the following vulnerability has been resolved: net: use a bounce buffer for copying skb->mark syzbot found arm64 builds would crash in sock_recv_mark() when CONFIG_HARDENED_USERCOPY=y x86 and powerpc are not detecting the issue because they define user_access_begin. This will be handled in a different patch, because a check_object_size() is missing. Only data from skb->cb[] can be copied directly to/from user space, as explained in commit 79a8a642bf05 ("net: Whitelist the skbuff_head_cache "cb" field") syzbot report was: usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_head_cache' (offset 168, size 4)! ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:102 ! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 4410 Comm: syz-executor533 Not tainted 6.2.0-rc7-syzkaller-17907-g2d3827b3f393 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usercopy_abort+0x90/0x94 mm/usercopy.c:90 lr : usercopy_abort+0x90/0x94 mm/usercopy.c:90 sp : ffff80000fb9b9a0 x29: ffff80000fb9b9b0 x28: ffff0000c6073400 x27: 0000000020001a00 x26: 0000000000000014 x25: ffff80000cf52000 x24: fffffc0000000000 x23: 05ffc00000000200 x22: fffffc000324bf80 x21: ffff0000c92fe1a8 x20: 0000000000000001 x19: 0000000000000004 x18: 0000000000000000 x17: 656a626f2042554c x16: ffff0000c6073dd0 x15: ffff80000dbd2118 x14: ffff0000c6073400 x13: 00000000ffffffff x12: ffff0000c6073400 x11: ff808000081bbb4c x10: 0000000000000000 x9 : 7b0572d7cc0ccf00 x8 : 7b0572d7cc0ccf00 x7 : ffff80000bf650d4 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000 x2 : ffff0001fefbff08 x1 : 0000000100000000 x0 : 000000000000006c Call trace: usercopy_abort+0x90/0x94 mm/usercopy.c:90 __check_heap_object+0xa8/0x100 mm/slub.c:4761 check_heap_object mm/usercopy.c:196 [inline] __check_object_size+0x208/0x6b8 mm/usercopy.c:251 check_object_size include/linux/thread_info.h:199 [inline] __copy_to_user include/linux/uaccess.h:115 [inline] put_cmsg+0x408/0x464 net/core/scm.c:238 sock_recv_mark net/socket.c:975 [inline] __sock_recv_cmsgs+0x1fc/0x248 net/socket.c:984 sock_recv_cmsgs include/net/sock.h:2728 [inline] packet_recvmsg+0x2d8/0x678 net/packet/af_packet.c:3482 ____sys_recvmsg+0x110/0x3a0 ___sys_recvmsg net/socket.c:2737 [inline] __sys_recvmsg+0x194/0x210 net/socket.c:2767 __do_sys_recvmsg net/socket.c:2777 [inline] __se_sys_recvmsg net/socket.c:2774 [inline] __arm64_sys_recvmsg+0x2c/0x3c net/socket.c:2774 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x64/0x178 arch/arm64/kernel/syscall.c:52 el0_svc_common+0xbc/0x180 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x110 arch/arm64/kernel/syscall.c:193 el0_svc+0x58/0x14c arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591 Code: 91388800 aa0903e1 f90003e8 94e6d752 (d4210000) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: use un búfer de rebote para copiar skb->mark syzbot encontró que las compilaciones arm64 fallarían en sock_recv_mark() cuando CONFIG_HARDENED_USERCOPY=y x86 y powerpc no detectan el problema porque definen user_access_begin . Esto se manejará en un parche diferente, porque falta check_object_size(). Solo los datos de skb->cb[] se pueden copiar directamente hacia/desde el espacio de usuario, como se explica en la confirmación 79a8a642bf05 ("net: Lista blanca del campo skbuff_head_cache "cb") El informe de syzbot fue: copia de usuario: intento de exposición de la memoria del kernel detectado desde SLUB objeto 'skbuff_head_cache' (desplazamiento 168, tamaño 4)! • https://git.kernel.org/stable/c/6fd1d51cfa253b5ee7dae18d7cf1df830e9b6137 https://git.kernel.org/stable/c/863a7de987f02a901bf215509276a7de0370e0f9 https://git.kernel.org/stable/c/2558b8039d059342197610498c8749ad294adee5 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-52700 – tipc: fix kernel warning when sending SYN message
https://notcve.org/view.php?id=CVE-2023-52700
In the Linux kernel, the following vulnerability has been resolved: tipc: fix kernel warning when sending SYN message When sending a SYN message, this kernel stack trace is observed: ... [ 13.396352] RIP: 0010:_copy_from_iter+0xb4/0x550 ... [ 13.398494] Call Trace: [ 13.398630] <TASK> [ 13.398630] ? __alloc_skb+0xed/0x1a0 [ 13.398630] tipc_msg_build+0x12c/0x670 [tipc] [ 13.398630] ? shmem_add_to_page_cache.isra.71+0x151/0x290 [ 13.398630] __tipc_sendmsg+0x2d1/0x710 [tipc] [ 13.398630] ? tipc_connect+0x1d9/0x230 [tipc] [ 13.398630] ? __local_bh_enable_ip+0x37/0x80 [ 13.398630] tipc_connect+0x1d9/0x230 [tipc] [ 13.398630] ? • https://git.kernel.org/stable/c/f25dcc7687d42a72de18aa41b04990a24c9e77c7 https://git.kernel.org/stable/c/54b6082aec178f16ad6d193b4ecdc9c4823d9a32 https://git.kernel.org/stable/c/11a4d6f67cf55883dc78e31c247d1903ed7feccc https://access.redhat.com/security/cve/CVE-2023-52700 https://bugzilla.redhat.com/show_bug.cgi?id=2282609 • CWE-20: Improper Input Validation •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48709 – ice: switch: fix potential memleak in ice_add_adv_recipe()
https://notcve.org/view.php?id=CVE-2022-48709
In the Linux kernel, the following vulnerability has been resolved: ice: switch: fix potential memleak in ice_add_adv_recipe() When ice_add_special_words() fails, the 'rm' is not released, which will lead to a memory leak. Fix this up by going to 'err_unroll' label. Compile tested only. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: switch: soluciona una posible fuga de memoria en ice_add_adv_recipe(). Cuando ice_add_special_words() falla, el 'rm' no se libera, lo que provocará una pérdida de memoria. Solucione este problema yendo a la etiqueta 'err_unroll'. • https://git.kernel.org/stable/c/8b032a55c1bd5d47527263445aba9dc45144b00d https://git.kernel.org/stable/c/47f4ff6f23f00f5501ff2d7054c1a37c170a7aa0 https://git.kernel.org/stable/c/4a606ce68426c88ff2563382b33cc34f3485fe57 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48708 – pinctrl: single: fix potential NULL dereference
https://notcve.org/view.php?id=CVE-2022-48708
In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix potential NULL dereference Added checking of pointer "function" in pcs_set_mux(). pinmux_generic_get_function() can return NULL and the pointer "function" was dereferenced without checking against NULL. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pinctrl: single: corrige una posible desreferencia NULL. Se agregó la verificación de la "función" del puntero en pcs_set_mux(). pinmux_generic_get_function() puede devolver NULL y se eliminó la referencia al puntero "función" sin compararlo con NULL. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/571aec4df5b72a80f80d1e524da8fbd7ff525c98 https://git.kernel.org/stable/c/1177bdafe87cbe543a2dc48a9bbac265aa5864db https://git.kernel.org/stable/c/e671e63587c92b3fd767cf82e73129f6d5feeb33 https://git.kernel.org/stable/c/2b763f7de108cb1a5ad5ed08e617d677341947cb https://git.kernel.org/stable/c/6e2a0521e4e84a2698f2da3950fb5c5496a4d208 https://git.kernel.org/stable/c/71668706fbe7d20e6f172fa3287fa8aac1b56c26 https://git.kernel.org/stable/c/bcc487001a15f71f103d102cba4ac8145d7a68f2 https://git.kernel.org/stable/c/d2d73e6d4822140445ad4a7b1c6091e0f •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48707 – cxl/region: Fix null pointer dereference for resetting decoder
https://notcve.org/view.php?id=CVE-2022-48707
In the Linux kernel, the following vulnerability has been resolved: cxl/region: Fix null pointer dereference for resetting decoder Not all decoders have a reset callback. The CXL specification allows a host bridge with a single root port to have no explicit HDM decoders. Currently the region driver assumes there are none. As such the CXL core creates a special pass through decoder instance without a commit/reset callback. Prior to this patch, the ->reset() callback was called unconditionally when calling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge, 1 Root Port, and one directly attached CXL type 3 device or multiple CXL type 3 devices attached to downstream ports of a switch can cause a null pointer dereference. Before the fix, a kernel crash was observed when we destroy the region, and a pass through decoder is reset. The issue can be reproduced as below, 1) create a region with a CXL setup which includes a HB with a single root port under which a memdev is attached directly. 2) destroy the region with cxl destroy-region regionX -f. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cxl/region: corrige la desreferencia del puntero null para restablecer el decodificador. • https://git.kernel.org/stable/c/176baefb2eb5d7a3ddebe3ff803db1fce44574b5 https://git.kernel.org/stable/c/a04c7d062b537ff787d00da95bdfe343260d4beb https://git.kernel.org/stable/c/4fa4302d6dc7de7e8e74dc7405611a2efb4bf54b •