CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-27053 – wifi: wilc1000: fix RCU usage in connect path
https://notcve.org/view.php?id=CVE-2024-27053
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix RCU usage in connect path With lockdep enabled, calls to the connect function from cfg802.11 layer lead to the following warning: ============================= WARNING: suspicious RCU usage 6.7.0-rc1-wt+ #333 Not tainted ----------------------------- drivers/net/wireless/microchip/wilc1000/hif.c:386 suspicious rcu_dereference_check() usage! [...] stack backtrace: CPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333 Hardware name: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x48 dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4 wilc_parse_join_bss_param from connect+0x2c4/0x648 connect from cfg80211_connect+0x30c/0xb74 cfg80211_connect from nl80211_connect+0x860/0xa94 nl80211_connect from genl_rcv_msg+0x3fc/0x59c genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8 netlink_rcv_skb from genl_rcv+0x2c/0x3c genl_rcv from netlink_unicast+0x3b0/0x550 netlink_unicast from netlink_sendmsg+0x368/0x688 netlink_sendmsg from ____sys_sendmsg+0x190/0x430 ____sys_sendmsg from ___sys_sendmsg+0x110/0x158 ___sys_sendmsg from sys_sendmsg+0xe8/0x150 sys_sendmsg from ret_fast_syscall+0x0/0x1c This warning is emitted because in the connect path, when trying to parse target BSS parameters, we dereference a RCU pointer whithout being in RCU critical section. Fix RCU dereference usage by moving it to a RCU read critical section. To avoid wrapping the whole wilc_parse_join_bss_param under the critical section, just use the critical section to copy ies data En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: wilc1000: corrige el uso de RCU en la ruta de conexión Con lockdep habilitado, las llamadas a la función de conexión desde la capa cfg802.11 generan la siguiente advertencia: ======== ====================== ADVERTENCIA: uso sospechoso de RCU 6.7.0-rc1-wt+ #333 No contaminado ------------- ---------------- drivers/net/wireless/microchip/wilc1000/hif.c:386 ¡uso sospechoso de rcu_dereference_check()! [...] pila backtrace: CPU: 0 PID: 100 Comm: wpa_supplicant No está contaminado 6.7.0-rc1-wt+ #333 Nombre de hardware: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x48 dump_stack_lvl from wilc_parse_join_bss_para m +0x7dc/0x7f4 wilc_parse_join_bss_param desde connect+0x2c4/0x648 conectar desde cfg80211_connect+0x30c/0xb74 cfg80211_connect desde nl80211_connect+0x860/0xa94 nl80211_connect desde genl_rcv_msg+0x3fc /0x59c genl_rcv_msg de netlink_rcv_skb+0xd0/0x1f8 netlink_rcv_skb de genl_rcv+0x2c/0x3c genl_rcv de netlink_unicast+ 0x3b0/0x550 netlink_unicast de netlink_sendmsg+0x368/0x688 netlink_sendmsg de ____sys_sendmsg+0x190/0x430 ____sys_sendmsg de ___sys_sendmsg+0x110/0x158 ___sys_sendmsg de sys_sendmsg +0xe8/0x150 sys_sendmsg de ret_fast_syscall+0x0/0x1c Esta advertencia se emite porque en la ruta de conexión, al intentar Para analizar los parámetros BSS de destino, eliminamos la referencia a un puntero de RCU sin estar en la sección crítica de RCU. Corrija el uso de desreferenciación de RCU moviéndolo a una sección crítica de lectura de RCU. • https://git.kernel.org/stable/c/c460495ee072fc01a9b1e8d72c179510418cafac https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2 https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38 https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2 https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2 https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c9 • CWE-476: NULL Pointer Dereference •
CVSS: 7.4EPSS: 0%CPEs: 7EXPL: 0CVE-2024-27052 – wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work
https://notcve.org/view.php?id=CVE-2024-27052
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work The workqueue might still be running, when the driver is stopped. To avoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: rtl8xxxu: agregue cancel_work_sync() para c2hcmd_work Es posible que la cola de trabajo aún esté ejecutándose cuando se detiene el controlador. Para evitar un use-after-free, llame a cancel_work_sync() en rtl8xxxu_stop(). A vulnerability was found in the Linux kernel's net rtl8xxxu_core.c driver, where a race condition can lead to a use-after-free situation in the rtl8xxxu_stop() function. • https://git.kernel.org/stable/c/e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 https://git.kernel.org/stable/c/dddedfa3b29a63c2ca4336663806a6128b8545b4 https://git.kernel.org/stable/c/ac512507ac89c01ed6cd4ca53032f52cdb23ea59 https://git.kernel.org/stable/c/3518cea837de4d106efa84ddac18a07b6de1384e https://git.kernel.org/stable/c/156012667b85ca7305cb363790d3ae8519a6f41e https://git.kernel.org/stable/c/7059cdb69f8e1a2707dd1e2f363348b507ed7707 https://git.kernel.org/stable/c/58fe3bbddfec10c6b216096d8c0e517cd8463e3a https://git.kernel.org/stable/c/1213acb478a7181cd73eeaf00db430f1e • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-27051 – cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value
https://notcve.org/view.php?id=CVE-2024-27051
In the Linux kernel, the following vulnerability has been resolved: cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check it and return 0 in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: cpufreq: brcmstb-avs-cpufreq: agregar verificación para el valor de retorno de cpufreq_cpu_get cpufreq_cpu_get puede devolver NULL. Para evitar la desreferencia NULL, verifíquelo y devuelva 0 en caso de error. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/de322e085995b9417582d6f72229dadb5c09d163 https://git.kernel.org/stable/c/9127599c075caff234359950117018a010dd01db https://git.kernel.org/stable/c/d951cf510fb0df91d3abac0121a59ebbc63c0567 https://git.kernel.org/stable/c/e72160cb6e23b78b41999d6885a34ce8db536095 https://git.kernel.org/stable/c/b25b64a241d769e932a022e5c780cf135ef56035 https://git.kernel.org/stable/c/74b84d0d71180330efe67c82f973a87f828323e5 https://git.kernel.org/stable/c/e6e3e51ffba0784782b1a076d7441605697ea3c6 https://git.kernel.org/stable/c/f661017e6d326ee187db24194cabb013d •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-27050 – libbpf: Use OPTS_SET() macro in bpf_xdp_query()
https://notcve.org/view.php?id=CVE-2024-27050
In the Linux kernel, the following vulnerability has been resolved: libbpf: Use OPTS_SET() macro in bpf_xdp_query() When the feature_flags and xdp_zc_max_segs fields were added to the libbpf bpf_xdp_query_opts, the code writing them did not use the OPTS_SET() macro. This causes libbpf to write to those fields unconditionally, which means that programs compiled against an older version of libbpf (with a smaller size of the bpf_xdp_query_opts struct) will have its stack corrupted by libbpf writing out of bounds. The patch adding the feature_flags field has an early bail out if the feature_flags field is not part of the opts struct (via the OPTS_HAS) macro, but the patch adding xdp_zc_max_segs does not. For consistency, this fix just changes the assignments to both fields to use the OPTS_SET() macro. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: libbpf: use la macro OPTS_SET() en bpf_xdp_query() Cuando los campos feature_flags y xdp_zc_max_segs se agregaron a libbpf bpf_xdp_query_opts, el código que los escribió no usó la macro OPTS_SET(). Esto hace que libbpf escriba en esos campos incondicionalmente, lo que significa que los programas compilados con una versión anterior de libbpf (con un tamaño más pequeño de la estructura bpf_xdp_query_opts) tendrán su pila dañada por la escritura de libbpf fuera de los límites. El parche que agrega el campo feature_flags tiene un rescate anticipado si el campo feature_flags no es parte de la estructura opts (a través de la macro OPTS_HAS), pero el parche que agrega xdp_zc_max_segs no lo hace. • https://git.kernel.org/stable/c/13ce2daa259a3bfbc9a5aeeee8b9a87058703731 https://git.kernel.org/stable/c/fa5bef5e80c6a3321b2b1a7070436f3bc5daf07c https://git.kernel.org/stable/c/682ddd62abd4bdcee7584246903e7a2df005fe0d https://git.kernel.org/stable/c/cd3be9843247edb8fc6fcd8d8237cbce2bc19f5e https://git.kernel.org/stable/c/92a871ab9fa59a74d013bc04f321026a057618e7 • CWE-787: Out-of-bounds Write •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-27049 – wifi: mt76: mt7925e: fix use-after-free in free_irq()
https://notcve.org/view.php?id=CVE-2024-27049
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925e: fix use-after-free in free_irq() From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: wifi: mt76: mt7925e: fix use-after-free in free_irq() Desde el commit a304e1b82808 ("[PATCH] Depurar irqs compartidas"), existe una prueba para asegurarse de que El controlador de irq compartido debería poder manejar el evento inesperado después de la cancelación del registro. Para este caso, apliquemos el indicador MT76_REMOVED para indicar que el dispositivo fue eliminado y que ya no se puede acceder al recurso. A use-after-free flaw was found in free_irq() in the Linux kernel. • https://git.kernel.org/stable/c/c948b5da6bbec742b433138e3e3f9537a85af2e5 https://git.kernel.org/stable/c/84470b48af03a818039d587478b415cbcb264ff5 https://git.kernel.org/stable/c/6d9930096e1f13cf6d9aabfbf95d0e05fb04144f https://git.kernel.org/stable/c/a5a5f4413d91f395cb2d89829d376d7393ad48b9 https://access.redhat.com/security/cve/CVE-2024-27049 https://bugzilla.redhat.com/show_bug.cgi?id=2278429 •