CVE-2024-41010 – bpf: Fix too early release of tcx_entry
https://notcve.org/view.php?id=CVE-2024-41010
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix too early release of tcx_entry Pedro Pinto and later independently also Hyunwoo Kim and Wongi Lee reported an issue that the tcx_entry can be released too early leading to a use after free (UAF) when an active old-style ingress or clsact qdisc with a shared tc block is later replaced by another ingress or clsact instance. Essentially, the sequence to trigger the UAF (one example) can be as follows: 1. A network namespace is created 2. An ingress qdisc is created. This allocates a tcx_entry, and &tcx_entry->miniq is stored in the qdisc's miniqp->p_miniq. At the same time, a tcf block with index 1 is created. 3. chain0 is attached to the tcf block. chain0 must be connected to the block linked to the ingress qdisc to later reach the function tcf_chain0_head_change_cb_del() which triggers the UAF. 4. • https://git.kernel.org/stable/c/e420bed025071a623d2720a92bc2245c84757ecb https://git.kernel.org/stable/c/230bb13650b0f186f540500fd5f5f7096a822a2a https://git.kernel.org/stable/c/f61ecf1bd5b562ebfd7d430ccb31619857e80857 https://git.kernel.org/stable/c/1cb6f0bae50441f4b4b32a28315853b279c7404e • CWE-416: Use After Free •
CVE-2024-41009 – bpf: Fix overrunning reservations in ringbuf
https://notcve.org/view.php?id=CVE-2024-41009
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that "owns" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. • https://git.kernel.org/stable/c/457f44363a8894135c85b7a9afd2bd8196db24ab https://git.kernel.org/stable/c/be35504b959f2749bab280f4671e8df96dcf836f https://git.kernel.org/stable/c/0f98f40eb1ed52af8b81f61901b6c0289ff59de4 https://git.kernel.org/stable/c/d1b9df0435bc61e0b44f578846516df8ef476686 https://git.kernel.org/stable/c/511804ab701c0503b72eac08217eabfd366ba069 https://git.kernel.org/stable/c/47416c852f2a04d348ea66ee451cbdcf8119f225 https://git.kernel.org/stable/c/cfa1a2329a691ffd991fcf7248a57d752e712881 https://access.redhat.com/security/cve/CVE-2024-41009 • CWE-121: Stack-based Buffer Overflow CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2024-41007 – tcp: avoid too many retransmit packets
https://notcve.org/view.php?id=CVE-2024-41007
In the Linux kernel, the following vulnerability has been resolved: tcp: avoid too many retransmit packets If a TCP socket is using TCP_USER_TIMEOUT, and the other peer retracted its window to zero, tcp_retransmit_timer() can retransmit a packet every two jiffies (2 ms for HZ=1000), for about 4 minutes after TCP_USER_TIMEOUT has 'expired'. The fix is to make sure tcp_rtx_probe0_timed_out() takes icsk->icsk_user_timeout into account. Before blamed commit, the socket would not timeout after icsk->icsk_user_timeout, but would use standard exponential backoff for the retransmits. Also worth noting that before commit e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0"), the issue would last 2 minutes instead of 4. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: evitar demasiados paquetes de retransmisión Si un socket TCP está usando TCP_USER_TIMEOUT y el otro par retrajo su ventana a cero, tcp_retransmit_timer() puede retransmitir un paquete cada dos santiamén (2 ms). para HZ=1000), durante aproximadamente 4 minutos después de que TCP_USER_TIMEOUT haya 'expirado'. La solución es asegurarse de que tcp_rtx_probe0_timed_out() tenga en cuenta icsk->icsk_user_timeout. Antes de el commit culpable, el socket no expiraba después de icsk->icsk_user_timeout, sino que usaba un retroceso exponencial estándar para las retransmisiones. También vale la pena señalar que antes de commit e89688e3e978 ("net: tcp: fix unexcepted socket die cuando snd_wnd es 0"), el problema duraría 2 minutos en lugar de 4. • https://git.kernel.org/stable/c/b701a99e431db784714c32fc6b68123045714679 https://git.kernel.org/stable/c/7bb7670f92bfbd05fc41a8f9a8f358b7ffed65f4 https://git.kernel.org/stable/c/d2346fca5bed130dc712f276ac63450201d52969 https://git.kernel.org/stable/c/5d7e64d70a11d988553a08239c810a658e841982 https://git.kernel.org/stable/c/04317a2471c2f637b4c49cbd0e9c0d04a519f570 https://git.kernel.org/stable/c/e113cddefa27bbf5a79f72387b8fbd432a61a466 https://git.kernel.org/stable/c/dfcdd7f89e401d2c6616be90c76c2fac3fa98fde https://git.kernel.org/stable/c/66cb64a1d2239cd0309f9b5038b054625 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2024-41006 – netrom: Fix a memory leak in nr_heartbeat_expiry()
https://notcve.org/view.php?id=CVE-2024-41006
In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16 • https://git.kernel.org/stable/c/a31caf5779ace8fa98b0d454133808e082ee7a1b https://git.kernel.org/stable/c/fe9b9e621cebe6b7e83f7e954c70f8bb430520e5 https://git.kernel.org/stable/c/7de16d75b20ab13b75a7291f449a1b00090edfea https://git.kernel.org/stable/c/d2d3ab1b1de3302de2c85769121fd4f890e47ceb https://git.kernel.org/stable/c/51e394c6f81adbfe7c34d15f58b3d4d44f144acf https://git.kernel.org/stable/c/409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 https://git.kernel.org/stable/c/e666990abb2e42dd4ba979b4706280a3664cfae7 https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c53 •
CVE-2024-41005 – netpoll: Fix race condition in netpoll_owner_active
https://notcve.org/view.php?id=CVE-2024-41005
In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix race condition in netpoll_owner_active KCSAN detected a race condition in netpoll: BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10: net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822) <snip> read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2: netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393) netpoll_send_udp (net/core/netpoll.c:?) <snip> value changed: 0x0000000a -> 0xffffffff This happens because netpoll_owner_active() needs to check if the current CPU is the owner of the lock, touching napi->poll_owner non atomically. The ->poll_owner field contains the current CPU holding the lock. Use an atomic read to check if the poll owner is the current CPU. • https://git.kernel.org/stable/c/43c0ca793a18578a0f5b305dd77fcf7ed99f1265 https://git.kernel.org/stable/c/efd29cd9c7b8369dfc7bcb34637e6bf1a188aa8e https://git.kernel.org/stable/c/96826b16ef9c6568d31a1f6ceaa266411a46e46c https://git.kernel.org/stable/c/3f1a155950a1685ffd0fd7175b3f671da8771f3d https://git.kernel.org/stable/c/a130e7da73ae93afdb4659842267eec734ffbd57 https://git.kernel.org/stable/c/c2e6a872bde9912f1a7579639c5ca3adf1003916 https://access.redhat.com/security/cve/CVE-2024-41005 https://bugzilla.redhat.com/show_bug.cgi?id=2297589 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •