CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-35875 – x86/coco: Require seeding RNG with RDRAND on CoCo systems
https://notcve.org/view.php?id=CVE-2024-35875
In the Linux kernel, the following vulnerability has been resolved: x86/coco: Require seeding RNG with RDRAND on CoCo systems There are few uses of CoCo that don't rely on working cryptography and hence a working RNG. Unfortunately, the CoCo threat model means that the VM host cannot be trusted and may actively work against guests to extract secrets or manipulate computation. Since a malicious host can modify or observe nearly all inputs to guests, the only remaining source of entropy for CoCo guests is RDRAND. If RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole is meant to gracefully continue on gathering entropy from other sources, but since there aren't other sources on CoCo, this is catastrophic. This is mostly a concern at boot time when initially seeding the RNG, as after that the consequences of a broken RDRAND are much more theoretical. So, try at boot to seed the RNG using 256 bits of RDRAND output. If this fails, panic(). This will also trigger if the system is booted without RDRAND, as RDRAND is essential for a safe CoCo boot. Add this deliberately to be "just a CoCo x86 driver feature" and not part of the RNG itself. • https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374 https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5 https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584 https://access.redhat.com/security/cve/CVE-2024-35875 https://bugzilla.redhat.com/show_bug.cgi?id=2281727 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-35874 – aio: Fix null ptr deref in aio_complete() wakeup
https://notcve.org/view.php?id=CVE-2024-35874
In the Linux kernel, the following vulnerability has been resolved: aio: Fix null ptr deref in aio_complete() wakeup list_del_init_careful() needs to be the last access to the wait queue entry - it effectively unlocks access. Previously, finish_wait() would see the empty list head and skip taking the lock, and then we'd return - but the completion path would still attempt to do the wakeup after the task_struct pointer had been overwritten. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: aio: corrige el ptr deref null en aio_complete() wakeup list_del_init_careful() debe ser el último acceso a la entrada de la cola de espera; efectivamente desbloquea el acceso. Anteriormente, Finish_wait() veía el encabezado de la lista vacía y omitía tomar el bloqueo, y luego regresabamos, pero la ruta de finalización aún intentaría realizar la reactivación después de que se hubiera sobrescrito el puntero task_struct. • https://git.kernel.org/stable/c/71eb6b6b0ba93b1467bccff57b5de746b09113d2 https://git.kernel.org/stable/c/9678bcc6234d83759fe091c197f5017a32b468da https://git.kernel.org/stable/c/caeb4b0a11b3393e43f7fa8e0a5a18462acc66bd •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-35873 – riscv: Fix vector state restore in rt_sigreturn()
https://notcve.org/view.php?id=CVE-2024-35873
In the Linux kernel, the following vulnerability has been resolved: riscv: Fix vector state restore in rt_sigreturn() The RISC-V Vector specification states in "Appendix D: Calling Convention for Vector State" [1] that "Executing a system call causes all caller-saved vector registers (v0-v31, vl, vtype) and vstart to become unspecified.". In the RISC-V kernel this is called "discarding the vstate". Returning from a signal handler via the rt_sigreturn() syscall, vector discard is also performed. However, this is not an issue since the vector state should be restored from the sigcontext, and therefore not care about the vector discard. The "live state" is the actual vector register in the running context, and the "vstate" is the vector state of the task. A dirty live state, means that the vstate and live state are not in synch. When vectorized user_from_copy() was introduced, an bug sneaked in at the restoration code, related to the discard of the live state. An example when this go wrong: 1. A userland application is executing vector code 2. • https://git.kernel.org/stable/c/c2a658d419246108c9bf065ec347355de5ba8a05 https://git.kernel.org/stable/c/5b16d904e910183181b9d90efa957c787a8ac91b https://git.kernel.org/stable/c/c27fa53b858b4ee6552a719aa599c250cf98a586 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-35872 – mm/secretmem: fix GUP-fast succeeding on secretmem folios
https://notcve.org/view.php?id=CVE-2024-35872
In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix GUP-fast succeeding on secretmem folios folio_is_secretmem() currently relies on secretmem folios being LRU folios, to save some cycles. However, folios might reside in a folio batch without the LRU flag set, or temporarily have their LRU flag cleared. Consequently, the LRU flag is unreliable for this purpose. In particular, this is the case when secretmem_fault() allocates a fresh page and calls filemap_add_folio()->folio_add_lru(). The folio might be added to the per-cpu folio batch and won't get the LRU flag set until the batch was drained using e.g., lru_add_drain(). Consequently, folio_is_secretmem() might not detect secretmem folios and GUP-fast can succeed in grabbing a secretmem folio, crashing the kernel when we would later try reading/writing to the folio, because the folio has been unmapped from the directmap. Fix it by removing that unreliable check. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mm/secretmem: corrige el éxito rápido de GUP en folios secretmem folio_is_secretmem() actualmente depende de que los folios secretmem sean folios LRU, para guardar algunos ciclos. Sin embargo, las publicaciones pueden residir en un lote de publicaciones sin el indicador LRU establecido o tener su indicador LRU borrado temporalmente. • https://git.kernel.org/stable/c/1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48 https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8 https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5 https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-35871 – riscv: process: Fix kernel gp leakage
https://notcve.org/view.php?id=CVE-2024-35871
In the Linux kernel, the following vulnerability has been resolved: riscv: process: Fix kernel gp leakage childregs represents the registers which are active for the new thread in user context. For a kernel thread, childregs->gp is never used since the kernel gp is not touched by switch_to. For a user mode helper, the gp value can be observed in user space after execve or possibly by other means. [From the email thread] The /* Kernel thread */ comment is somewhat inaccurate in that it is also used for user_mode_helper threads, which exec a user process, e.g. /sbin/init or when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have PF_KTHREAD set and are valid targets for ptrace etc. even before they exec. childregs is the *user* context during syscall execution and it is observable from userspace in at least five ways: 1. kernel_execve does not currently clear integer registers, so the starting register state for PID 1 and other user processes started by the kernel has sp = user stack, gp = kernel __global_pointer$, all other integer registers zeroed by the memset in the patch comment. This is a bug in its own right, but I'm unwilling to bet that it is the only way to exploit the issue addressed by this patch. 2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread before it execs, but ptrace requires SIGSTOP to be delivered which can only happen at user/kernel boundaries. 3. • https://git.kernel.org/stable/c/7db91e57a0acde126a162ababfb1e0ab190130cb https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5 https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84 https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4 https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9 https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8 https://lists.debian.org/debian-lts-announce/2024/06/ •