CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 0CVE-2024-26883 – bpf: Fix stackmap overflow check on 32-bit arches
https://notcve.org/view.php?id=CVE-2024-26883
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check on 32-bit arches The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf: corrige la verificación de desbordamiento del mapa de pila en arcos de 32 bits. • https://git.kernel.org/stable/c/063c722dd9d285d877e6fd499e753d6224f4c046 https://git.kernel.org/stable/c/7e3a6b820535eb395784060ae26c5af579528fa0 https://git.kernel.org/stable/c/8032bf2af9ce26b3a362b9711d15f626ab946a74 https://git.kernel.org/stable/c/6183f4d3a0a2ad230511987c6c362ca43ec0055f https://git.kernel.org/stable/c/253150830a012adfccf90afcebae8fda5b05a80f https://git.kernel.org/stable/c/766107351731ae223ebf60ca22bdfeb47ce6acc8 https://git.kernel.org/stable/c/d0e214acc59145ce25113f617311aa79dda39cb3 https://git.kernel.org/stable/c/21e5fa4688e1a4d3db6b72216231b2423 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26882 – net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
https://notcve.org/view.php?id=CVE-2024-26882
In the Linux kernel, the following vulnerability has been resolved: net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() Apply the same fix than ones found in : 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()") 1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()") We have to save skb->network_header in a temporary variable in order to be able to recompute the network_header pointer after a pskb_inet_may_pull() call. pskb_inet_may_pull() makes sure the needed headers are in skb->head. syzbot reported: BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline] ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389 ipgre_rcv net/ipv4/ip_gre.c:411 [inline] gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447 gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163 ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [inline] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:461 [inline] ip_rcv_finish net/ipv4/ip_input.c:449 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569 __netif_receive_skb_one_core net/core/dev.c:5534 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 netif_receive_skb_internal net/core/dev.c:5734 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5793 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556 tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 call_write_iter include/linux/fs.h:2087 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xb6b/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit was created at: __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133 alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204 skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909 tun_build_skb drivers/net/tun.c:1686 [inline] tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 call_write_iter include/linux/fs.h:2087 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xb6b/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ip_tunnel: asegúrese de extraer el encabezado interno en ip_tunnel_rcv(). Aplique la misma solución que las encontradas en: 8d975c15c0cd ("ip6_tunnel: asegúrese de extraer el encabezado interno en __ip6_tnl_rcv() ") 1ca1ba465e55 ("geneve: asegúrese de extraer el encabezado interno en geneve_rx()") Tenemos que guardar skb->network_header en una variable temporal para poder volver a calcular el puntero network_header después de una llamada a pskb_inet_may_pull(). pskb_inet_may_pull() se asegura de que los encabezados necesarios estén en skb->head. syzbot informó: ERROR: KMSAN: valor uninit en __INET_ECN_decapsulate include/net/inet_ecn.h:253 [en línea] ERROR: KMSAN: valor uninit en INET_ECN_decapsulate include/net/inet_ecn.h:275 [en línea] ERROR: KMSAN: uninit -valor en IP_ECN_decapsulate include/net/inet_ecn.h:302 [en línea] ERROR: KMSAN: valor uninit en ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [en línea ] INET_ECN_decapsulate include/net/inet_ecn.h:275 [en línea] IP_ECN_decapsulate include/net/inet_ecn.h:302 [en línea] ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409 __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ ip_gre.c:389 ipgre_rcv net/ipv4/ip_gre.c:411 [en línea] gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447 gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163 ip_protocol_deliver_rcu+0x264/ 0x1300 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:314 [en línea] ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c: 254 dst_input include/net/dst.h:461 [en línea] ip_rcv_finish net/ipv4/ip_input.c:449 [en línea] NF_HOOK include/linux/netfilter.h:314 [en línea] ip_rcv+0x46f/0x760 net/ipv4/ip_input .c:569 __netif_receive_skb_one_core net/core/dev.c:5534 [en línea] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648 netif_receive_skb_internal net/core/dev.c:5734 [en línea] neto /core/dev.c:5793 tun_rx_batched+0x3ee/0x980 controladores/net/tun.c:1556 tun_get_user+0x53b9/0x66e0 controladores/net/tun.c:2009 tun_chr_write_iter+0x3af/0x5d0 controladores/net/tun.c:2055 call_write_iter include/linux/fs.h:2087 [en línea] new_sync_write fs/read_write.c:497 [en línea] vfs_write+0xb6b/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs /read_write.c:655 [en línea] __se_sys_write fs/read_write.c:652 [en línea] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:52 [en línea] do_syscall_64+0xcf /0x1e0 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x63/0x6b Uninit se creó en: __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133 alloc_pages+ 0x1be /0x1e0 mm/mempolicy.c:2204 skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909 tun_build_skb drivers/net/tun.c:1686 [en línea] tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055 call_write_iter include/linux/fs.h:2087 [en línea] new_sync_write fs/read_write.c:497 [en línea] vfs_write+0xb6b/0x1520 fs/read_write.c:590 ksys_write+0x20f/0x4c0 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [en línea] __se_sys_write fs/read_write.c:652 [en línea] __x64_sys_write+0x93/0xd0 fs/read_write.c:652 do_syscall_x64 arch /x86 /entry/common.c:52 [en línea] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 Entry_SYSCALL_64_after_hwframe+0x63/0x6b • https://git.kernel.org/stable/c/c54419321455631079c7d6e60bc732dd0c5914c5 https://git.kernel.org/stable/c/27c1c98bd3b44b7c5f5c0ecfe1a1ec1240b73829 https://git.kernel.org/stable/c/ec6bb01e02cbd47781dd90775b631a1dc4bd9d2b https://git.kernel.org/stable/c/77fd5294ea09b21f6772ac954a121b87323cec80 https://git.kernel.org/stable/c/5c03387021cfa3336b97e0dcba38029917a8af2a https://git.kernel.org/stable/c/60044ab84836359534bd7153b92e9c1584140e4a https://git.kernel.org/stable/c/c4c857723b37c20651300b3de4ff25059848b4b0 https://git.kernel.org/stable/c/f6723d8dbfdc10c784a56748f86a9a3cd •
CVSS: 4.4EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26880 – dm: call the resume method on internal suspend
https://notcve.org/view.php?id=CVE-2024-26880
In the Linux kernel, the following vulnerability has been resolved: dm: call the resume method on internal suspend There is this reported crash when experimenting with the lvm2 testsuite. The list corruption is caused by the fact that the postsuspend and resume methods were not paired correctly; there were two consecutive calls to the origin_postsuspend function. The second call attempts to remove the "hash_list" entry from a list, while it was already removed by the first call. Fix __dm_internal_resume so that it calls the preresume and resume methods of the table's targets. If a preresume method of some target fails, we are in a tricky situation. We can't return an error because dm_internal_resume isn't supposed to return errors. We can't return success, because then the "resume" and "postsuspend" methods would not be paired correctly. So, we set the DMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace tools, but it won't cause a kernel crash. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:56! invalid opcode: 0000 [#1] PREEMPT SMP CPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0 <snip> RSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282 RAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff RBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058 R10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001 R13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0 FS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0 Call Trace: <TASK> ? • https://git.kernel.org/stable/c/ffcc39364160663cda1a3c358f4537302a92459b https://git.kernel.org/stable/c/69836d9329f0b4c58faaf3d886a7748ddb5bf718 https://git.kernel.org/stable/c/da7ece2197101b1469853e6b5e915be1e3896d52 https://git.kernel.org/stable/c/f89bd27709376d37ff883067193320c58a8c1d5a https://git.kernel.org/stable/c/03ad5ad53e51abf3a4c7538c1bc67a5982b41dc5 https://git.kernel.org/stable/c/ad10289f68f45649816cc68eb93f45fd5ec48a15 https://git.kernel.org/stable/c/15a3fc5c8774c17589dabfe1d642d40685c985af https://git.kernel.org/stable/c/ef02d8edf738557af2865c5bfb66a03c4 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26878 – quota: Fix potential NULL pointer dereference
https://notcve.org/view.php?id=CVE-2024-26878
In the Linux kernel, the following vulnerability has been resolved: quota: Fix potential NULL pointer dereference Below race may cause NULL pointer dereference P1 P2 dquot_free_inode quota_off drop_dquot_ref remove_dquot_ref dquots = i_dquot(inode) dquots = i_dquot(inode) srcu_read_lock dquots[cnt]) != NULL (1) dquots[type] = NULL (2) spin_lock(&dquots[cnt]->dq_dqb_lock) (3) .... If dquot_free_inode(or other routines) checks inode's quota pointers (1) before quota_off sets it to NULL(2) and use it (3) after that, NULL pointer dereference will be triggered. So let's fix it by using a temporary pointer to avoid this issue. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cuota: corrige una posible desreferencia del puntero NULL La siguiente carrera puede causar una desreferencia del puntero NULL P1 P2 dquot_free_inode quote_off drop_dquot_ref remove_dquot_ref dquots = i_dquot(inode) dquots = i_dquot(inode) srcu_read_lock dquots[cnt]) != NULL (1) dquots[tipo] = NULL (2) spin_lock(&dquots[cnt]->dq_dqb_lock) (3) .... Si dquot_free_inode(u otras rutinas) verifica los punteros de cuota del inodo (1) antes de que cuota_off lo establezca a NULL(2) y usarlo (3) después de eso, se activará la desreferencia del puntero NULL. • https://git.kernel.org/stable/c/8514899c1a4edf802f03c408db901063aa3f05a1 https://git.kernel.org/stable/c/49669f8e7eb053f91d239df7b1bfb4500255a9d0 https://git.kernel.org/stable/c/61380537aa6dd32d8a723d98b8f1bd1b11d8fee0 https://git.kernel.org/stable/c/1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25 https://git.kernel.org/stable/c/7f9e833fc0f9b47be503af012eb5903086939754 https://git.kernel.org/stable/c/40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5 https://git.kernel.org/stable/c/f2649d98aa9ca8623149b3cb8df00c944f5655c7 https://git.kernel.org/stable/c/6afc9f4434fa8063aa768c2bf5bf98583 • CWE-476: NULL Pointer Dereference •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-26876 – drm/bridge: adv7511: fix crash on irq during probe
https://notcve.org/view.php?id=CVE-2024-26876
In the Linux kernel, the following vulnerability has been resolved: drm/bridge: adv7511: fix crash on irq during probe Moved IRQ registration down to end of adv7511_probe(). If an IRQ already is pending during adv7511_probe (before adv7511_cec_init) then cec_received_msg_ts could crash using uninitialized data: Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5 Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP Call trace: cec_received_msg_ts+0x48/0x990 [cec] adv7511_cec_irq_process+0x1cc/0x308 [adv7511] adv7511_irq_process+0xd8/0x120 [adv7511] adv7511_irq_handler+0x1c/0x30 [adv7511] irq_thread_fn+0x30/0xa0 irq_thread+0x14c/0x238 kthread+0x190/0x1a8 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/bridge: adv7511: corrige el fallo en irq durante la sonda Se movió el registro de IRQ al final de adv7511_probe(). Si ya hay una IRQ pendiente durante adv7511_probe (antes de adv7511_cec_init), entonces cec_received_msg_ts podría fallar usando datos no inicializados: No se puede manejar la lectura del kernel desde memoria ilegible en la dirección virtual 00000000000003d5 Error interno: Ups: 96000004 [#1] PREEMPT_RT SMP Seguimiento de llamadas: _ts+0x48 /0x990 [cec] adv7511_cec_irq_process+0x1cc/0x308 [adv7511] adv7511_irq_process+0xd8/0x120 [adv7511] adv7511_irq_handler+0x1c/0x30 [adv7511] irq_thread_fn+0x30/0xa0 leer+0x14c/0x238 khilo+0x190/0x1a8 • https://git.kernel.org/stable/c/3b1b975003e4a3da4b93ab032487a3ae4afca7b5 https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924 •