Page 23 of 2974 results (0.007 seconds)

CVSS: -EPSS: 0%CPEs: 3EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: fsl/fman: Fix refcount handling of fman-related devices In mac_probe() there are multiple calls to of_find_device_by_node(), fman_bind() and fman_port_bind() which takes references to of_dev->dev. Not all references taken by these calls are released later on error path in mac_probe() and in mac_remove() which lead to reference leaks. Add references release. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fsl/fman: se ha corregido el manejo de refcount de dispositivos relacionados con fman En mac_probe() hay múltiples llamadas a of_find_device_by_node(), fman_bind() y fman_port_bind() que toman referencias a of_dev->dev. No todas las referencias tomadas por estas llamadas se liberan más tarde en la ruta de error en mac_probe() y en mac_remove(), lo que provoca fugas de referencias. Agregar referencias release. • https://git.kernel.org/stable/c/3933961682a30ae7d405cda344c040a129fea422 https://git.kernel.org/stable/c/5ed4334fc9512f934fe2ae9c4cf7f8142e451b8b https://git.kernel.org/stable/c/3c2a3619d565fe16bf59b0a047bab103a2ee4490 https://git.kernel.org/stable/c/1dec67e0d9fbb087c2ab17bf1bd17208231c3bb1 •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap The bpf_redirect_info is shared between the SKB and XDP redirect paths, and the two paths use the same numeric flag values in the ri->flags field (specifically, BPF_F_BROADCAST == BPF_F_NEXTHOP). This means that if skb bpf_redirect_neigh() is used with a non-NULL params argument and, subsequently, an XDP redirect is performed using the same bpf_redirect_info struct, the XDP path will get confused and end up crashing, which syzbot managed to trigger. With the stack-allocated bpf_redirect_info, the structure is no longer shared between the SKB and XDP paths, so the crash doesn't happen anymore. However, different code paths using identically-numbered flag values in the same struct field still seems like a bit of a mess, so this patch cleans that up by moving the flag definitions together and redefining the three flags in BPF_F_REDIRECT_INTERNAL to not overlap with the flags used for XDP. It also adds a BUILD_BUG_ON() check to make sure the overlap is not re-introduced by mistake. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Asegúrese de que los indicadores bpf_redirect internos y de UAPI no se superpongan El bpf_redirect_info se comparte entre las rutas de redireccionamiento de SKB y XDP, y las dos rutas usan los mismos valores de indicador numérico en el campo ri->flags (específicamente, BPF_F_BROADCAST == BPF_F_NEXTHOP). • https://git.kernel.org/stable/c/e624d4ed4aa8cc3c69d1359b0aaea539203ed266 https://git.kernel.org/stable/c/4e1e428533845d48828bd3875c0e92e8565b9962 https://git.kernel.org/stable/c/314dbee9fe4f5cee36435465de52c988d7caa466 https://git.kernel.org/stable/c/0fca5ed4be8e8bfbfb9bd97845af596bab7192d3 https://git.kernel.org/stable/c/cec288e05ceac9a0d3a3a1fd279534b11844c826 https://git.kernel.org/stable/c/09d88791c7cd888d5195c84733caf9183dcfbd16 •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: bpf: devmap: provide rxq after redirect rxq contains a pointer to the device from where the redirect happened. Currently, the BPF program that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* does not have it set. This is particularly bad since accessing ingress_ifindex, e.g. SEC("xdp") int prog(struct xdp_md *pkt) { return bpf_redirect_map(&dev_redirect_map, 0, 0); } SEC("xdp/devmap") int prog_after_redirect(struct xdp_md *pkt) { bpf_printk("ifindex %i", pkt->ingress_ifindex); return XDP_PASS; } depends on access to rxq, so a NULL pointer gets dereferenced: <1>[ 574.475170] BUG: kernel NULL pointer dereference, address: 0000000000000000 <1>[ 574.475188] #PF: supervisor read access in kernel mode <1>[ 574.475194] #PF: error_code(0x0000) - not-present page <6>[ 574.475199] PGD 0 P4D 0 <4>[ 574.475207] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI <4>[ 574.475217] CPU: 4 UID: 0 PID: 217 Comm: kworker/4:1 Not tainted 6.11.0-rc5-reduced-00859-g780801200300 #23 <4>[ 574.475226] Hardware name: Intel(R) Client Systems NUC13ANHi7/NUC13ANBi7, BIOS ANRPL357.0026.2023.0314.1458 03/14/2023 <4>[ 574.475231] Workqueue: mld mld_ifc_work <4>[ 574.475247] RIP: 0010:bpf_prog_5e13354d9cf5018a_prog_after_redirect+0x17/0x3c <4>[ 574.475257] Code: cc cc cc cc cc cc cc 80 00 00 00 cc cc cc cc cc cc cc cc f3 0f 1e fa 0f 1f 44 00 00 66 90 55 48 89 e5 f3 0f 1e fa 48 8b 57 20 <48> 8b 52 00 8b 92 e0 00 00 00 48 bf f8 a6 d5 c4 5d a0 ff ff be 0b <4>[ 574.475263] RSP: 0018:ffffa62440280c98 EFLAGS: 00010206 <4>[ 574.475269] RAX: ffffa62440280cd8 RBX: 0000000000000001 RCX: 0000000000000000 <4>[ 574.475274] RDX: 0000000000000000 RSI: ffffa62440549048 RDI: ffffa62440280ce0 <4>[ 574.475278] RBP: ffffa62440280c98 R08: 0000000000000002 R09: 0000000000000001 <4>[ 574.475281] R10: ffffa05dc8b98000 R11: ffffa05f577fca40 R12: ffffa05dcab24000 <4>[ 574.475285] R13: ffffa62440280ce0 R14: ffffa62440549048 R15: ffffa62440549000 <4>[ 574.475289] FS: 0000000000000000(0000) GS:ffffa05f4f700000(0000) knlGS:0000000000000000 <4>[ 574.475294] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4>[ 574.475298] CR2: 0000000000000000 CR3: 000000025522e000 CR4: 0000000000f50ef0 <4>[ 574.475303] PKRU: 55555554 <4>[ 574.475306] Call Trace: <4>[ 574.475313] <IRQ> <4>[ 574.475318] ? __die+0x23/0x70 <4>[ 574.475329] ? page_fault_oops+0x180/0x4c0 <4>[ 574.475339] ? skb_pp_cow_data+0x34c/0x490 <4>[ 574.475346] ? • https://git.kernel.org/stable/c/cb261b594b4108668e00f565184c7c221efe0359 https://git.kernel.org/stable/c/fe068afb868660fe683a8391c6c17ecbe2254922 https://git.kernel.org/stable/c/a778fbe087c19f4ece5f5fc14173328f070c3803 https://git.kernel.org/stable/c/49454f09936a9a96edfb047156889879cb4001eb https://git.kernel.org/stable/c/9167d1c274a336e4763eeb3f3f9cb763c55df5aa https://git.kernel.org/stable/c/ca9984c5f0ab3690d98b13937b2485a978c8dd73 •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() If the allocation in msm_disp_state_dump_regs() failed then `block->state` can be NULL. The msm_disp_state_print_regs() function _does_ have code to try to handle it with: if (*reg) dump_addr = *reg; ...but since "dump_addr" is initialized to NULL the above is actually a noop. The code then goes on to dereference `dump_addr`. Make the function print "Registers not stored" when it sees a NULL to solve this. Since we're touching the code, fix msm_disp_state_print_regs() not to pointlessly take a double-pointer and properly mark the pointer as `const`. Patchwork: https://patchwork.freedesktop.org/patch/619657/ En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm: Evitar la desreferenciación NULL en msm_disp_state_print_regs() Si la asignación en msm_disp_state_dump_regs() falla, entonces `block-&gt;state` puede ser NULL. La función msm_disp_state_print_regs() _sí_ tiene código para intentar manejarlo con: if (*reg) dump_addr = *reg; ...pero como "dump_addr" se inicializa a NULL, lo anterior es en realidad un noop. • https://git.kernel.org/stable/c/98659487b845c05b6bed85d881713545db674c7c https://git.kernel.org/stable/c/42cf045086feae77b212f0f66e742b91a5b566b7 https://git.kernel.org/stable/c/e8e9f2a12a6214080c8ea83220a596f6e1dedc6c https://git.kernel.org/stable/c/f7ad916273483748582d97cfa31054ccb19224f3 https://git.kernel.org/stable/c/563aa81fd66a4e7e6e551a0e02bcc23957cafe2f https://git.kernel.org/stable/c/293f53263266bc4340d777268ab4328a97f041fa •

CVSS: -EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler(). """ We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it. """ The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window. Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending. If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires. The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default. The scenario would be 1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed 2. reqsk timer is executed and scheduled again 3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets 4. sk is close()d 5. reqsk timer is executed again, and BPF touches req->sk Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop(). Note that reqsk timer is pinned, so the issue does not happen in most use cases. [1] [0] BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0 Use-after-free read at 0x00000000a891fb3a (in kfence-#1): bpf_sk_storage_get_tracing+0x2e/0x1b0 bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda bpf_trace_run2+0x4c/0xc0 tcp_rtx_synack+0xf9/0x100 reqsk_timer_handler+0xda/0x3d0 run_timer_softirq+0x292/0x8a0 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 intel_idle_irq+0x5a/0xa0 cpuidle_enter_state+0x94/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6 allocated by task 0 on cpu 9 at 260507.901592s: sk_prot_alloc+0x35/0x140 sk_clone_lock+0x1f/0x3f0 inet_csk_clone_lock+0x15/0x160 tcp_create_openreq_child+0x1f/0x410 tcp_v6_syn_recv_sock+0x1da/0x700 tcp_check_req+0x1fb/0x510 tcp_v6_rcv+0x98b/0x1420 ipv6_list_rcv+0x2258/0x26e0 napi_complete_done+0x5b1/0x2990 mlx5e_napi_poll+0x2ae/0x8d0 net_rx_action+0x13e/0x590 irq_exit_rcu+0xf5/0x320 common_interrupt+0x80/0x90 asm_common_interrupt+0x22/0x40 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb freed by task 0 on cpu 9 at 260507.927527s: rcu_core_si+0x4ff/0xf10 irq_exit_rcu+0xf5/0x320 sysvec_apic_timer_interrupt+0x6d/0x80 asm_sysvec_apic_timer_interrupt+0x16/0x20 cpuidle_enter_state+0xfb/0x273 cpu_startup_entry+0x15e/0x260 start_secondary+0x8a/0x90 secondary_startup_64_no_verify+0xfa/0xfb En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp/dccp: No use timer_pending() en reqsk_queue_unlink(). Martin KaFai Lau informó de un use-after-free [0] en reqsk_timer_handler(). """ Estamos viendo un use-after-free de un programa bpf adjunto a trace_tcp_retransmit_synack. El programa pasa el req-&gt;sk al ayudante del kernel bpf_sk_storage_get_tracing que comprueba si hay valores nulos antes de usarlo. """ El commit 83fccfc3940c ("inet: soluciona un posible bloqueo en reqsk_queue_unlink()") agregó timer_pending() en reqsk_queue_unlink() para no llamar a del_timer_sync() desde reqsk_timer_handler(), pero introdujo una pequeña ventana de carrera. Antes de que se llame al temporizador, expire_timers() llama a detach_timer(timer, true) para borrar timer-&gt;entry.pprev y lo marca como no pendiente. • https://git.kernel.org/stable/c/83fccfc3940c4a2db90fd7e7079f5b465cd8c6af https://git.kernel.org/stable/c/d3a1196bfc462943694623412d8e03aaf172bdc1 https://git.kernel.org/stable/c/8459d61fbf24967839a70235165673148c7c7f17 https://git.kernel.org/stable/c/5071beb59ee416e8ab456ac8647a4dabcda823b1 https://git.kernel.org/stable/c/997ae8da14f1639ce6fb66a063dab54031cd61b3 https://git.kernel.org/stable/c/51e34db64f4e43c7b055ccf881b7f3e0c31bb26d https://git.kernel.org/stable/c/e8c526f2bdf1845bedaf6a478816a3d06fa78b8f •