CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35903 – x86/bpf: Fix IP after emitting call depth accounting
https://notcve.org/view.php?id=CVE-2024-35903
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: x86/bpf: Fix IP after emitting call depth accounting Adjust the IP passed to `emit_patch` so it calculates the correct offset for the CALL instruction if `x86_call_depth_emit_accounting` emits code. Otherwise we will skip some instructions and most likely crash. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: x86/bpf: corrige la IP después de emitir la contabilidad de profundidad de llamadas. Ajuste la IP pasada a `emit_patc... • https://git.kernel.org/stable/c/b2e9dfe54be4d023124d588d6f03d16a9c0d2507 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-35902 – net/rds: fix possible cp null dereference
https://notcve.org/view.php?id=CVE-2024-35902
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: net/rds: fix possible cp null dereference cp might be null, calling cp->cp_conn would produce null dereference [Simon Horman adds:] Analysis: * cp is a parameter of __rds_rdma_map and is not reassigned. * The following call-sites pass a NULL cp argument to __rds_rdma_map() - rds_get_mr() - rds_get_mr_for_dest * Prior to the code above, the following assumes that cp may be NULL (which is indicative, but could itself be unnecessary) trans_pri... • https://git.kernel.org/stable/c/786854141057751bc08eb26f1b02e97c1631c8f4 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-35901 – net: mana: Fix Rx DMA datasize and skb_over_panic
https://notcve.org/view.php?id=CVE-2024-35901
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix Rx DMA datasize and skb_over_panic mana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to be multiple of 64. So a packet slightly bigger than mtu+14, say 1536, can be received and cause skb_over_panic. Sample dmesg: [ 5325.237162] skbuff: skb_over_panic: text:ffffffffc043277a len:1536 put:1536 head:ff1100018b517000 data:ff1100018b517100 tail:0x700 end:0x6ea dev:
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-35900 – netfilter: nf_tables: reject new basechain after table flag update
https://notcve.org/view.php?id=CVE-2024-35900
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject new basechain after table flag update When dormant flag is toggled, hooks are disabled in the commit phase by iterating over current chains in table (existing and new). The following configuration allows for an inconsistent state: add table x add chain x y { type filter hook input priority 0; } add table x { flags dormant; } add chain x w { type filter hook input priority 1; } which triggers the following warnin... • https://git.kernel.org/stable/c/e10f661adc556c4969c70ddaddf238bffdaf1e87 •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2024-35899 – netfilter: nf_tables: flush pending destroy work before exit_net release
https://notcve.org/view.php?id=CVE-2024-35899
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: flush pending destroy work before exit_net release Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier") to address a race between exit_net and the destroy workqueue. The trace below shows an element to be released via destroy workqueue while exit_net path (triggered via module removal) has already released the set that is used in such transaction. [ 1360.547789] BUG: KASA... • https://git.kernel.org/stable/c/0935d558840099b3679c67bb7468dc78fcbad940 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-35898 – netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
https://notcve.org/view.php?id=CVE-2024-35898
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). And thhere is not any protection when iterate over nf_tables_flowtables list in __nft_flowtable_type_get(). Therefore, there is pertential data-race of nf_tables_flowtables list entry. Use list_for_each_entry_rcu() to iter... • https://git.kernel.org/stable/c/3b49e2e94e6ebb8b23d0955d9e898254455734f8 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-35897 – netfilter: nf_tables: discard table flag update with pending basechain deletion
https://notcve.org/view.php?id=CVE-2024-35897
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: discard table flag update with pending basechain deletion Hook unregistration is deferred to the commit phase, same occurs with hook updates triggered by the table dormant flag. When both commands are combined, this results in deleting a basechain while leaving its hook still registered in the core. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netfilter: nf_tables: descartar actualización del indicad... • https://git.kernel.org/stable/c/e10f661adc556c4969c70ddaddf238bffdaf1e87 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2024-35896 – netfilter: validate user input for expected length
https://notcve.org/view.php?id=CVE-2024-35896
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: validate user input for expected length I got multiple syzbot reports showing old bugs exposed by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc in cgroup/{s,g}etsockopt") setsockopt() @optlen argument should be taken into account before copying data. BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2024-35895 – bpf, sockmap: Prevent lock inversion deadlock in map delete elem
https://notcve.org/view.php?id=CVE-2024-35895
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem syzkaller started using corpuses where a BPF tracing program deletes elements from a sockmap/sockhash map. Because BPF tracing programs can be invoked from any interrupt context, locks taken during a map_delete_elem operation must be hardirq-safe. Otherwise a deadlock due to lock inversion is possible, as reported by lockdep: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); l... • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-35894 – mptcp: prevent BPF accessing lowat from a subflow socket.
https://notcve.org/view.php?id=CVE-2024-35894
19 May 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: prevent BPF accessing lowat from a subflow socket. Alexei reported the following splat: WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0 Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)] CPU: 32 PID: 3276 Comm: test_progs Tainted: GO 6.8.0-12873-g2c43c33bfd23 Call Trace: