CVE-2024-26901 – do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
https://notcve.org/view.php?id=CVE-2024-26901
In the Linux kernel, the following vulnerability has been resolved: do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak syzbot identified a kernel information leak vulnerability in do_sys_name_to_handle() and issued the following report [1]. [1] "BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40 instrument_copy_to_user include/linux/instrumented.h:114 [inline] _copy_to_user+0xbc/0x100 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [inline] do_sys_name_to_handle fs/fhandle.c:73 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Uninit was created at: slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 slab_alloc_node mm/slub.c:3478 [inline] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] do_sys_name_to_handle fs/fhandle.c:39 [inline] __do_sys_name_to_handle_at fs/fhandle.c:112 [inline] __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Bytes 18-19 of 20 are uninitialized Memory access of size 20 starts at ffff888128a46380 Data copied to user address 0000000020000240" Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to solve the problem. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: do_sys_name_to_handle(): use kzalloc() para reparar kernel-infoleak syzbot identificó una vulnerabilidad de fuga de información del kernel en do_sys_name_to_handle() y emitió el siguiente informe [1]. [1] "ERROR: KMSAN: kernel-infoleak en instrument_copy_to_user include/linux/instrumented.h:114 [en línea] ERROR: KMSAN: kernel-infoleak en _copy_to_user+0xbc/0x100 lib/usercopy.c:40 instrument_copy_to_user include/linux/ instrumented.h:114 [en línea] _copy_to_user+0xbc/0x100 lib/usercopy.c:40 copy_to_user include/linux/uaccess.h:191 [en línea] do_sys_name_to_handle fs/fhandle.c:73 [en línea] __do_sys_name_to_handle_at fs/fhandle.c :112 [en línea] __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94 __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94 ... Uninit se creó en: slab_post_alloc_hook+0x129/0xa70 mm/slab.h: 768 losa_alloc_nodo mm/slub.c:3478 [en línea] __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517 __do_kmalloc_node mm/slab_common.c:1006 [en línea] __kmalloc+0x121/0x3c0 mm/slab_common.c:1020 kmalloc include/linux/ slab.h:604 [en línea] do_sys_name_to_handle fs/fhandle.c:39 [en línea] __do_sys_name_to_handle_at fs/fhandle.c:112 [en línea] __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94 _handle_at+0xe4/0x140 fs/fhandle .c:94 ... Los bytes 18-19 de 20 no están inicializados El acceso a la memoria de tamaño 20 comienza en ffff888128a46380 Datos copiados a la dirección de usuario 0000000020000240" Según la sugerencia de Chuck Lever, use kzalloc() en lugar de kmalloc() para resolver el problema. • https://git.kernel.org/stable/c/990d6c2d7aee921e3bce22b2d6a750fd552262be https://git.kernel.org/stable/c/4bac28f441e3cc9d3f1a84c8d023228a68d8a7c1 https://git.kernel.org/stable/c/772a7def9868091da3bcb0d6c6ff9f0c03d7fa8b https://git.kernel.org/stable/c/cde76b3af247f615447bcfecf610bb76c3529126 https://git.kernel.org/stable/c/423b6bdf19bbc5e1f7e7461045099917378f7e71 https://git.kernel.org/stable/c/e6450d5e46a737a008b4885aa223486113bf0ad6 https://git.kernel.org/stable/c/c1362eae861db28b1608b9dc23e49634fe87b63b https://git.kernel.org/stable/c/cba138f1ef37ec6f961baeab62f312ded • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') CWE-908: Use of Uninitialized Resource •
CVE-2024-26898 – aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
https://notcve.org/view.php?id=CVE-2024-26898
In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts This patch is against CVE-2023-6270. The description of cve is: A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution. In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial code is finished. But the net_device ifp will still be used in later tx()->dev_queue_xmit() in kthread. • https://git.kernel.org/stable/c/7562f876cd93800f2f8c89445f2a563590b24e09 https://git.kernel.org/stable/c/ad80c34944d7175fa1f5c7a55066020002921a99 https://git.kernel.org/stable/c/1a54aa506b3b2f31496731039e49778f54eee881 https://git.kernel.org/stable/c/faf0b4c5e00bb680e8e43ac936df24d3f48c8e65 https://git.kernel.org/stable/c/7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4 https://git.kernel.org/stable/c/74ca3ef68d2f449bc848c0a814cefc487bf755fa https://git.kernel.org/stable/c/eb48680b0255a9e8a9bdc93d6a55b11c31262e62 https://git.kernel.org/stable/c/079cba4f4e307c69878226fdf5228c20a • CWE-416: Use After Free •
CVE-2024-26894 – ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()
https://notcve.org/view.php?id=CVE-2024-26894
In the Linux kernel, the following vulnerability has been resolved: ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit() After unregistering the CPU idle device, the memory associated with it is not freed, leading to a memory leak: unreferenced object 0xffff896282f6c000 (size 1024): comm "swapper/0", pid 1, jiffies 4294893170 hex dump (first 32 bytes): 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 8836a742): [<ffffffff993495ed>] kmalloc_trace+0x29d/0x340 [<ffffffff9972f3b3>] acpi_processor_power_init+0xf3/0x1c0 [<ffffffff9972d263>] __acpi_processor_start+0xd3/0xf0 [<ffffffff9972d2bc>] acpi_processor_start+0x2c/0x50 [<ffffffff99805872>] really_probe+0xe2/0x480 [<ffffffff99805c98>] __driver_probe_device+0x78/0x160 [<ffffffff99805daf>] driver_probe_device+0x1f/0x90 [<ffffffff9980601e>] __driver_attach+0xce/0x1c0 [<ffffffff99803170>] bus_for_each_dev+0x70/0xc0 [<ffffffff99804822>] bus_add_driver+0x112/0x210 [<ffffffff99807245>] driver_register+0x55/0x100 [<ffffffff9aee4acb>] acpi_processor_driver_init+0x3b/0xc0 [<ffffffff990012d1>] do_one_initcall+0x41/0x300 [<ffffffff9ae7c4b0>] kernel_init_freeable+0x320/0x470 [<ffffffff99b231f6>] kernel_init+0x16/0x1b0 [<ffffffff99042e6d>] ret_from_fork+0x2d/0x50 Fix this by freeing the CPU idle device after unregistering it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ACPI: procesador_idle: corrige la pérdida de memoria en acpi_processor_power_exit() Después de cancelar el registro del dispositivo de CPU inactivo, la memoria asociada con él no se libera, lo que genera una pérdida de memoria: objeto sin referencia 0xffff896282f6c000 (tamaño 1024): comunicación "swapper/0", pid 1, santiamén 4294893170 volcado hexadecimal (primeros 32 bytes): 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ........... ..... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ retroceso (crc 8836a742): [] kmalloc_trace+ 0x29d/0x340 [] acpi_processor_power_init+0xf3/0x1c0 [] __acpi_processor_start+0xd3/0xf0 [] acpi_processor_start+0x2c/0x50 [] realmente_probe+0xe2/0x480 [] __driver_probe_device+ 0x78/0x160 [] driver_probe_device+0x1f/0x90 [] __driver_attach+0xce/0x1c0 [] bus_for_each_dev+0x70/0xc0 [] bus_add_driver+0x112/0x210 [] driver_register+ 0x55/0x100 [] acpi_processor_driver_init+0x3b/0xc0 [] do_one_initcall+0x41/0x300 [] kernel_init_freeable+0x320/0x470 [] kernel_init+0x16/0x1b0 [] ret_from_fork+ 0x2d/0x50 Solucione este problema liberando el dispositivo de CPU inactivo después de cancelar su registro. • https://git.kernel.org/stable/c/3d339dcbb56d8d70c1b959aff87d74adc3a84eea https://git.kernel.org/stable/c/d351bcadab6caa6d8ce7159ff4b77e2da35c09fa https://git.kernel.org/stable/c/ea96bf3f80625cddba1391a87613356b1b45716d https://git.kernel.org/stable/c/c2a30c81bf3cb9033fa9f5305baf7c377075e2e5 https://git.kernel.org/stable/c/1cbaf4c793b0808532f4e7b40bc4be7cec2c78f2 https://git.kernel.org/stable/c/fad9bcd4d754cc689c19dc04d2c44b82c1a5d6c8 https://git.kernel.org/stable/c/3d48e5be107429ff5d824e7f2a00d1b610d36fbc https://git.kernel.org/stable/c/8d14a4d0afb49a5b8535d414c782bb334 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2024-26884 – bpf: Fix hashtab overflow check on 32-bit arches
https://notcve.org/view.php?id=CVE-2024-26884
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix hashtab overflow check on 32-bit arches The hashtab code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. So apply the same fix to hashtab, by moving the overflow check to before the roundup. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: corrige la comprobación de desbordamiento de hashtab en arcos de 32 bits. • https://git.kernel.org/stable/c/daaf427c6ab392bedcd018e326b2ffa1e1110cd6 https://git.kernel.org/stable/c/33ec04cadb77605b71d9298311919303d390c4d5 https://git.kernel.org/stable/c/92c81fbb3ed2e0dfc33a4183a67135e1ab566ace https://git.kernel.org/stable/c/64f00b4df0597590b199b62a37a165473bf658a6 https://git.kernel.org/stable/c/3b08cfc65f07b1132c1979d73f014ae6e04de55d https://git.kernel.org/stable/c/a83fdaeaea3677b83a53f72ace2d73a19bcd6d93 https://git.kernel.org/stable/c/8435f0961bf3dc65e204094349bd9aeaac1f8868 https://git.kernel.org/stable/c/d817f0d34d927f2deb17dadbfe212c9a6 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-190: Integer Overflow or Wraparound •
CVE-2024-26883 – bpf: Fix stackmap overflow check on 32-bit arches
https://notcve.org/view.php?id=CVE-2024-26883
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check on 32-bit arches The stackmap code relies on roundup_pow_of_two() to compute the number of hash buckets, and contains an overflow check by checking if the resulting value is 0. However, on 32-bit arches, the roundup code itself can overflow by doing a 32-bit left-shift of an unsigned long value, which is undefined behaviour, so it is not guaranteed to truncate neatly. This was triggered by syzbot on the DEVMAP_HASH type, which contains the same check, copied from the hashtab code. The commit in the fixes tag actually attempted to fix this, but the fix did not account for the UB, so the fix only works on CPUs where an overflow does result in a neat truncation to zero, which is not guaranteed. Checking the value before rounding does not have this problem. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf: corrige la verificación de desbordamiento del mapa de pila en arcos de 32 bits. • https://git.kernel.org/stable/c/063c722dd9d285d877e6fd499e753d6224f4c046 https://git.kernel.org/stable/c/7e3a6b820535eb395784060ae26c5af579528fa0 https://git.kernel.org/stable/c/8032bf2af9ce26b3a362b9711d15f626ab946a74 https://git.kernel.org/stable/c/6183f4d3a0a2ad230511987c6c362ca43ec0055f https://git.kernel.org/stable/c/253150830a012adfccf90afcebae8fda5b05a80f https://git.kernel.org/stable/c/766107351731ae223ebf60ca22bdfeb47ce6acc8 https://git.kernel.org/stable/c/d0e214acc59145ce25113f617311aa79dda39cb3 https://git.kernel.org/stable/c/21e5fa4688e1a4d3db6b72216231b2423 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •