CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36013 – Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
https://notcve.org/view.php?id=CVE-2024-36013
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: L2CAP: corrige slab-use-after-free en l2cap_connect() Amplia una sección crítica para evitar que chan se libere anticipadamente. También anule el tipo de retorno l2cap_connect(). Nada utiliza el valor devuelto, pero es feo devolver un puntero potencialmente liberado. • https://git.kernel.org/stable/c/73ffa904b78287f6acf8797e040150aa26a4af4a https://git.kernel.org/stable/c/cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5 https://git.kernel.org/stable/c/826af9d2f69567c646ff46d10393d47e30ad23c6 https://git.kernel.org/stable/c/4d7b41c0e43995b0e992b9f8903109275744b658 http://www.openwall.com/lists/oss-security/2024/05/30/1 http://www.openwall.com/lists/oss-security/2024/05/30/2 • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-36012 – Bluetooth: msft: fix slab-use-after-free in msft_do_close()
https://notcve.org/view.php?id=CVE-2024-36012
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: msft: fix slab-use-after-free in msft_do_close() Tying the msft->data lifetime to hdev by freeing it in hci_release_dev() to fix the following case: [use] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- passed. return; mutex_lock(&msft->filter_lock); ...(4) <- used after freed. [free] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) kfree(msft); ...(3) <- msft is freed. ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Read of size 8 at addr ffff888106cbbca8 by task kworker/u5:2/309 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: msft: corrija slab-use-after-free en msft_do_close() Vinculando la vida útil de msft->data a hdev liberándolo en hci_release_dev() para solucionar el siguiente caso: [usar] msft_do_close() msft = hdev->msft_data; if (!msft) ...(1) <- aprobado. devolver; mutex_lock(&msft->filter_lock); ...(4) <- usado después de liberado. [gratis] msft_unregister() msft = hdev->msft_data; hdev->msft_data = NULL; ...(2) klibre(msft); ...(3) <- se libera msft. ==================================================== ================ ERROR: KASAN: slab-use-after-free en __mutex_lock_common kernel/locking/mutex.c:587 [en línea] ERROR: KASAN: slab-use-after -free en __mutex_lock+0x8f/0xc30 kernel/locking/mutex.c:752 Lectura de tamaño 8 en addr ffff888106cbbca8 por tarea kworker/u5:2/309 • https://git.kernel.org/stable/c/bf6a4e30ffbd9e9ef8934582feb937f6532f8b68 https://git.kernel.org/stable/c/e3880b531b68f98d3941d83f2f6dd11cf4fd6b76 https://git.kernel.org/stable/c/a85a60e62355e3bf4802dead7938966824b23940 https://git.kernel.org/stable/c/4f1de02de07748da80a8178879bc7a1df37fdf56 https://git.kernel.org/stable/c/10f9f426ac6e752c8d87bf4346930ba347aaabac •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47479 – staging: rtl8712: fix use-after-free in rtl8712_dl_fw
https://notcve.org/view.php?id=CVE-2021-47479
In the Linux kernel, the following vulnerability has been resolved: staging: rtl8712: fix use-after-free in rtl8712_dl_fw Syzbot reported use-after-free in rtl8712_dl_fw(). The problem was in race condition between r871xu_dev_remove() ->ndo_open() callback. It's easy to see from crash log, that driver accesses released firmware in ->ndo_open() callback. It may happen, since driver was releasing firmware _before_ unregistering netdev. Fix it by moving unregister_netdev() before cleaning up resources. Call Trace: ... rtl871x_open_fw drivers/staging/rtl8712/hal_init.c:83 [inline] rtl8712_dl_fw+0xd95/0xe10 drivers/staging/rtl8712/hal_init.c:170 rtl8712_hal_init drivers/staging/rtl8712/hal_init.c:330 [inline] rtl871x_hal_init+0xae/0x180 drivers/staging/rtl8712/hal_init.c:394 netdev_open+0xe6/0x6c0 drivers/staging/rtl8712/os_intfs.c:380 __dev_open+0x2bc/0x4d0 net/core/dev.c:1484 Freed by task 1306: ... release_firmware+0x1b/0x30 drivers/base/firmware_loader/main.c:1053 r871xu_dev_remove+0xcc/0x2c0 drivers/staging/rtl8712/usb_intf.c:599 usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: staging: rtl8712: corrige el use-after-free en rtl8712_dl_fw Syzbot informó el use-after-free en rtl8712_dl_fw(). El problema estaba en la condición de ejecución entre la devolución de llamada r871xu_dev_remove() ->ndo_open(). • https://git.kernel.org/stable/c/8c213fa59199f9673d66970d6940fa093186642f https://git.kernel.org/stable/c/bc5d453eab4506cb52397db8830d1070904265a4 https://git.kernel.org/stable/c/c430094541a80575259a94ff879063ef01473506 https://git.kernel.org/stable/c/befd23bd3b17f1a3f9c943a8580b47444c7c63ed https://git.kernel.org/stable/c/a65c9afe9f2f55b7a7fb4a25ab654cd4139683a4 https://git.kernel.org/stable/c/c052cc1a069c3e575619cf64ec427eb41176ca70 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2021-47478 – isofs: Fix out of bound access for corrupted isofs image
https://notcve.org/view.php?id=CVE-2021-47478
In the Linux kernel, the following vulnerability has been resolved: isofs: Fix out of bound access for corrupted isofs image When isofs image is suitably corrupted isofs_read_inode() can read data beyond the end of buffer. Sanity-check the directory entry length before using it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: isofs: corrige el acceso fuera de los límites para una imagen isofs corrupta. Cuando la imagen isofs está adecuadamente dañada, isofs_read_inode() puede leer datos más allá del final del búfer. Cordura: verifique la longitud de la entrada del directorio antes de usarla. • https://git.kernel.org/stable/c/156ce5bb6cc43a80a743810199defb1dc3f55b7f https://git.kernel.org/stable/c/9ec33a9b8790c212cc926a88c5e2105f97f3f57e https://git.kernel.org/stable/c/afbd40f425227e661d991757e11cc4db024e761f https://git.kernel.org/stable/c/b0ddff8d68f2e43857a84dce54c3deab181c8ae1 https://git.kernel.org/stable/c/6e80e9314f8bb52d9eabe1907698718ff01120f5 https://git.kernel.org/stable/c/86d4aedcbc69c0f84551fb70f953c24e396de2d7 https://git.kernel.org/stable/c/b2fa1f52d22c5455217b294629346ad23a744945 https://git.kernel.org/stable/c/e7fb722586a2936b37bdff096c095c30c •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2021-47477 – comedi: dt9812: fix DMA buffers on stack
https://notcve.org/view.php?id=CVE-2021-47477
In the Linux kernel, the following vulnerability has been resolved: comedi: dt9812: fix DMA buffers on stack USB transfer buffers are typically mapped for DMA and must not be allocated on the stack or transfers will fail. Allocate proper transfer buffers in the various command helpers and return an error on short transfers instead of acting on random stack data. Note that this also fixes a stack info leak on systems where DMA is not used as 32 bytes are always sent to the device regardless of how short the command is. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: comedi: dt9812: corrige los búferes DMA en la pila Los búferes de transferencia USB generalmente están asignados para DMA y no deben asignarse en la pila o las transferencias fallarán. Asigne búferes de transferencia adecuados en los distintos asistentes de comando y devuelva un error en transferencias cortas en lugar de actuar sobre datos de pila aleatorios. Tenga en cuenta que esto también soluciona una fuga de información de la pila en sistemas donde no se usa DMA, ya que siempre se envían 32 bytes al dispositivo, independientemente de cuán corto sea el comando. • https://git.kernel.org/stable/c/63274cd7d38a3322d90b66a5bc976de1fb899051 https://git.kernel.org/stable/c/a6af69768d5cb4b2528946d53be5fa19ade37723 https://git.kernel.org/stable/c/365a346cda82f51d835c49136a00a9df8a78c7f2 https://git.kernel.org/stable/c/8a52bc480992c7c9da3ebfea456af731f50a4b97 https://git.kernel.org/stable/c/39ea61037ae78f14fa121228dd962ea3280eacf3 https://git.kernel.org/stable/c/3efb7af8ac437085b6c776e5b54830b149d86efe https://git.kernel.org/stable/c/786f5b03450454557ff858a8bead5d7c0cbf78d6 https://git.kernel.org/stable/c/3ac273d154d634e2034508a14db82a95d •