CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-27415 – netfilter: bridge: confirm multicast packets before passing them up the stack
https://notcve.org/view.php?id=CVE-2024-27415
In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: confirm multicast packets before passing them up the stack conntrack nf_confirm logic cannot handle cloned skbs referencing the same nf_conn entry, which will happen for multicast (broadcast) frames on bridges. Example: macvlan0 | br0 / \ ethX ethY ethX (or Y) receives a L2 multicast or broadcast packet containing an IP packet, flow is not yet in conntrack table. 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. -> skb->_nfct now references a unconfirmed entry 2. skb is broad/mcast packet. bridge now passes clones out on each bridge interface. 3. skb gets passed up the stack. 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb and schedules a work queue to send them out on the lower devices. The clone skb->_nfct is not a copy, it is the same entry as the original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. The Macvlan broadcast worker and normal confirm path will race. This race will not happen if step 2 already confirmed a clone. In that case later steps perform skb_clone() with skb->_nfct already confirmed (in hash table). • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/7c3f28599652acf431a2211168de4a583f30b6d5 https://git.kernel.org/stable/c/2b1414d5e94e477edff1d2c79030f1d742625ea0 https://git.kernel.org/stable/c/80cd0487f630b5382734997c3e5e3003a77db315 https://git.kernel.org/stable/c/cb734975b0ffa688ff6cc0eed463865bf07b6c01 https://git.kernel.org/stable/c/62e7151ae3eb465e0ab52a20c941ff33bb6332e9 https://access.redhat.com/security/cve/CVE-2024-27415 https://bugzilla.redhat.com/show_bug.cgi?id=2281101 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-27414 – rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
https://notcve.org/view.php?id=CVE-2024-27414
In the Linux kernel, the following vulnerability has been resolved: rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic in the function `rtnl_bridge_setlink` to enable the loop to also check the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment removed the `break` statement and led to an error logic of the flags writing back at the end of this function. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!! Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. However, this is not necessarily true fow now as the updated loop will let the attr point to the last NLA, even an invalid NLA which could cause overflow writes. This patch introduces a new variable `br_flag` to save the NLA pointer that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned error logic. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rtnetlink: corrige la lógica de error de la reescritura de IFLA_BRIDGE_FLAGS En el commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink comprueba la longitud de IFLA_BRIDGE_MODE"), se realizó un ajuste a la lógica de bucle anterior en la función ` rtnl_bridge_setlink` para permitir que el bucle también verifique la longitud del atributo IFLA_BRIDGE_MODE. Sin embargo, este ajuste eliminó la declaración "break" y generó una lógica de error en la escritura de los indicadores al final de esta función. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr debería apuntar a IFLA_BRIDGE_FLAGS NLA !!! • https://git.kernel.org/stable/c/ad46d4861ed36315d3d9e838723ba3e367ecc042 https://git.kernel.org/stable/c/abb0172fa8dc4a4ec51aa992b7269ed65959f310 https://git.kernel.org/stable/c/047508edd602921ee8bb0f2aa2100aa2e9bedc75 https://git.kernel.org/stable/c/8dfac8071d58447e5cace4c4c6fe493ce2f615f6 https://git.kernel.org/stable/c/d73ef2d69c0dba5f5a1cb9600045c873bab1fb7f https://git.kernel.org/stable/c/00757f58e37b2d9a6f99e15be484712390cd2bab https://git.kernel.org/stable/c/b9fbc44159dfc3e9a7073032752d9e03f5194a6f https://git.kernel.org/stable/c/882a51a10ecf24ce135d573afa0872aef •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-27413 – efi/capsule-loader: fix incorrect allocation size
https://notcve.org/view.php?id=CVE-2024-27413
In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect allocation size gcc-14 notices that the allocation with sizeof(void) on 32-bit architectures is not enough for a 64-bit phys_addr_t: drivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open': drivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size] 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL); | ^ Use the correct type instead here. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: efi/capsule-loader: corrige el tamaño de asignación incorrecto gcc-14 advierte que la asignación con sizeof(void) en arquitecturas de 32 bits no es suficiente para phys_addr_t: drivers de 64 bits /firmware/efi/capsule-loader.c: En función 'efi_capsule_open': drivers/firmware/efi/capsule-loader.c:295:24: error: asignación de tamaño '4' insuficiente para el tipo 'phys_addr_t' {alias ' long long unsigned int'} con tamaño '8' [-Werror=alloc-size] 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL); | ^ Utilice el tipo correcto aquí. • https://git.kernel.org/stable/c/f24c4d478013d82bd1b943df566fff3561d52864 https://git.kernel.org/stable/c/95a362c9a6892085f714eb6e31eea6a0e3aa93bf https://git.kernel.org/stable/c/00cf21ac526011a29fc708f8912da446fac19f7b https://git.kernel.org/stable/c/950d4d74d311a18baed6878dbfba8180d7e5dddd https://git.kernel.org/stable/c/537e3f49dbe88881a6f0752beaa596942d9efd64 https://git.kernel.org/stable/c/4b73473c050a612fb4317831371073eda07c3050 https://git.kernel.org/stable/c/ddc547dd05a46720866c32022300f7376c40119f https://git.kernel.org/stable/c/11aabd7487857b8e7d768fefb092f66df •
CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2024-27412 – power: supply: bq27xxx-i2c: Do not free non existing IRQ
https://notcve.org/view.php?id=CVE-2024-27412
In the Linux kernel, the following vulnerability has been resolved: power: supply: bq27xxx-i2c: Do not free non existing IRQ The bq27xxx i2c-client may not have an IRQ, in which case client->irq will be 0. bq27xxx_battery_i2c_probe() already has an if (client->irq) check wrapping the request_threaded_irq(). But bq27xxx_battery_i2c_remove() unconditionally calls free_irq(client->irq) leading to: [ 190.310742] ------------[ cut here ]------------ [ 190.310843] Trying to free already-free IRQ 0 [ 190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310 Followed by a backtrace when unbinding the driver. Add an if (client->irq) to bq27xxx_battery_i2c_remove() mirroring probe() to fix this. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: alimentación: suministro: bq27xxx-i2c: no liberar IRQ no existente Es posible que el cliente bq27xxx i2c no tenga una IRQ, en cuyo caso client->irq será 0. bq27xxx_battery_i2c_probe( ) ya tiene una verificación if (cliente->irq) que envuelve request_threaded_irq(). Pero bq27xxx_battery_i2c_remove() llama incondicionalmente a free_irq(cliente->irq) lo que lleva a: [190.310742] ------------[ cortar aquí ]------------ [ 190.310843] Intentando liberar IRQ 0 [190.310861] que ya está libre ADVERTENCIA: CPU: 2 PID: 1304 en kernel/irq/manage.c:1893 free_irq+0x1b8/0x310 Seguido de un seguimiento al desvincular el controlador. Agregue un if (cliente->irq) a bq27xxx_battery_i2c_remove() mirroring probe() para solucionar este problema. • https://git.kernel.org/stable/c/76d2ed844def0cb8704d766924b07b2a918b3e30 https://git.kernel.org/stable/c/dafe9136be7b7fc30f1f3ca410c15b7cc65bee44 https://git.kernel.org/stable/c/1da9a4b55a6688e3a30c16d0cf2e7c6a90a684fb https://git.kernel.org/stable/c/e01820a94aea99296e500f54b3f36a2985061045 https://git.kernel.org/stable/c/e65fee45687fa2109e03056a696dc7d68a151296 https://git.kernel.org/stable/c/444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 https://git.kernel.org/stable/c/ca4a2ddd2e69ca82ca5992d4c49649b2cbac3b74 https://git.kernel.org/stable/c/28960625adaaf3fa3d83c8d3596661d25 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-27408 – dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup
https://notcve.org/view.php?id=CVE-2024-27408
In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup The Linked list element and pointer are not stored in the same memory as the eDMA controller register. If the doorbell register is toggled before the full write of the linked list a race condition error will occur. In remote setup we can only use a readl to the memory to assure the full write has occurred. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: dmaengine: dw-edma: eDMA: Añadida lectura sincronizada antes de iniciar la transferencia DMA en la configuración remota. El elemento de la lista vinculada y el puntero no se almacenan en la misma memoria que el registro del controlador eDMA. Si el registro del timbre se activa antes de la escritura completa de la lista vinculada, se producirá un error de condición de ejecución. • https://git.kernel.org/stable/c/7e4b8a4fbe2cecab0959e862604803d063f50029 https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3 https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba •