Page 27 of 5535 results (0.010 seconds)

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: tracing/probes: Fix MAX_TRACE_ARGS limit handling When creating a trace_probe we would set nr_args prior to truncating the arguments to MAX_TRACE_ARGS. However, we would only initialize arguments up to the limit. This caused invalid memory access when attempting to set up probes with more than 128 fetchargs. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 UID: 0 PID: 1769 Comm: cat Not tainted 6.11.0-rc7+ #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014 RIP: 0010:__set_print_fmt+0x134/0x330 Resolve the issue by applying the MAX_TRACE_ARGS limit earlier. Return an error when there are too many arguments instead of silently truncating. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo/sondas: Se corrige el manejo del límite MAX_TRACE_ARGS Al crear un trace_probe, estableceríamos nr_args antes de truncar los argumentos a MAX_TRACE_ARGS. Sin embargo, solo inicializaríamos los argumentos hasta el límite. • https://git.kernel.org/stable/c/035ba76014c096316fa809a46ce0a1b9af1cde0d https://git.kernel.org/stable/c/08ccd1a57c4d3882e9a877eb2dcc66e50a3b0279 https://git.kernel.org/stable/c/73f35080477e893aa6f4c8d388352b871b288fbc https://git.kernel.org/stable/c/6bc24db74fe4788cc7c2f30a113fc6aafba225a3 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: tracing: Consider the NULL character when validating the event length strlen() returns a string length excluding the null byte. If the string length equals to the maximum buffer length, the buffer will have no space for the NULL terminating character. This commit checks this condition and returns failure for it. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rastreo: considerar el carácter NULL al validar la longitud del evento strlen() devuelve una longitud de cadena que excluye el byte nulo. Si la longitud de la cadena es igual a la longitud máxima del búfer, el búfer no tendrá espacio para el carácter de terminación NULL. Esta confirmación verifica esta condición y devuelve un error. • https://git.kernel.org/stable/c/dec65d79fd269d05427c8167090bfc9c3d0b56c4 https://git.kernel.org/stable/c/5e3231b352725ff4a3a0095e6035af674f2d8725 https://git.kernel.org/stable/c/02874ca52df2ca2423ba6122039315ed61c25972 https://git.kernel.org/stable/c/b86b0d6eea204116e4185acc35041ca4ff11a642 https://git.kernel.org/stable/c/f4ed40d1c669bba1a54407d8182acdc405683f29 https://git.kernel.org/stable/c/a14a075a14af8d622c576145455702591bdde09d https://git.kernel.org/stable/c/5fd942598ddeed9a212d1ff41f9f5b47bcc990a7 https://git.kernel.org/stable/c/0b6e2e22cb23105fcb171ab92f0f7516c •

CVSS: -EPSS: 0%CPEs: 3EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: must hold reference on net namespace BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0 Read of size 8 at addr ffff8880106fe400 by task repro/72= bpf_nf_link_release+0xda/0x1e0 bpf_link_free+0x139/0x2d0 bpf_link_release+0x68/0x80 __fput+0x414/0xb60 Eric says: It seems that bpf was able to defer the __nf_unregister_net_hook() after exit()/close() time. Perhaps a netns reference is missing, because the netns has been dismantled/freed already. bpf_nf_link_attach() does : link->net = net; But I do not see a reference being taken on net. Add such a reference and release it after hook unreg. Note that I was unable to get syzbot reproducer to work, so I do not know if this resolves this splat. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: bpf: debe contener referencia en el espacio de nombres net ERROR: KASAN: slab-use-after-free en __nf_unregister_net_hook+0x640/0x6b0 Lectura de tamaño 8 en la dirección ffff8880106fe400 por la tarea repro/72= bpf_nf_link_release+0xda/0x1e0 bpf_link_free+0x139/0x2d0 bpf_link_release+0x68/0x80 __fput+0x414/0xb60 Eric dice: Parece que bpf pudo diferir __nf_unregister_net_hook() después del tiempo de exit()/close(). Quizás falta una referencia a netns, porque netns ya se ha desmantelado/liberado. bpf_nf_link_attach() hace: link->net = net; Pero no veo que se tome ninguna referencia en net. Agregue dicha referencia y libérela después de anular el registro. Tenga en cuenta que no pude hacer que funcionara el reproductor syzbot, por lo que no sé si esto resuelve este problema. • https://git.kernel.org/stable/c/84601d6ee68ae820dec97450934797046d62db4b https://git.kernel.org/stable/c/f41bd93b3e0508edc7ba820357f949071dcc0acc https://git.kernel.org/stable/c/d0d7939543a1b3bb93af9a18d258a774daf8f162 https://git.kernel.org/stable/c/1230fe7ad3974f7bf6c78901473e039b34d4fb1f •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: pse-pd: Fix out of bound for loop Adjust the loop limit to prevent out-of-bounds access when iterating over PI structures. The loop should not reach the index pcdev->nr_lines since we allocate exactly pcdev->nr_lines number of PI structures. This fix ensures proper bounds are maintained during iterations. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: pse-pd: Corregir bucle for fuera de los límites. Ajuste el límite del bucle para evitar el acceso fuera de los límites al iterar sobre estructuras PI. • https://git.kernel.org/stable/c/9be9567a7c59b7314ea776f56945fe3fc28efe99 https://git.kernel.org/stable/c/50ea68146d82f34b3ad80d8290ef8222136dedd7 https://git.kernel.org/stable/c/f2767a41959e60763949c73ee180e40c686e807e •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net: wwan: fix global oob in wwan_rtnl_policy The variable wwan_rtnl_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. Exactly same bug cause as the oob fixed in commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"). ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603 Read of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862 CPU: 0 PID: 323862 Comm: syz.1.66276 Not tainted 6.1.70 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x14f/0x750 mm/kasan/report.c:395 kasan_report+0x139/0x170 mm/kasan/report.c:495 validate_nla lib/nlattr.c:388 [inline] __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603 __nla_parse+0x3c/0x50 lib/nlattr.c:700 nla_parse_nested_deprecated include/net/netlink.h:1269 [inline] __rtnl_newlink net/core/rtnetlink.c:3514 [inline] rtnl_newlink+0x7bc/0x1fd0 net/core/rtnetlink.c:3623 rtnetlink_rcv_msg+0x794/0xef0 net/core/rtnetlink.c:6122 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __do_sys_sendmsg net/socket.c:2591 [inline] __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f67b19a24ad RSP: 002b:00007f67b17febb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f67b1b45f80 RCX: 00007f67b19a24ad RDX: 0000000000000000 RSI: 0000000020005e40 RDI: 0000000000000004 RBP: 00007f67b1a1e01d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd2513764f R14: 00007ffd251376e0 R15: 00007f67b17fed40 </TASK> The buggy address belongs to the variable: wwan_rtnl_policy+0x20/0x40 The buggy address belongs to the physical page: page:ffffea00002c2700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb09c flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000001000 ffffea00002c2708 ffffea00002c2708 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner info is not present (never set?) Memory state around the buggy address: ffffffff8b09ca00: 05 f9 f9 f9 05 f9 f9 f9 00 01 f9 f9 00 01 f9 f9 ffffffff8b09ca80: 00 00 00 05 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 >ffffffff8b09cb00: 00 00 00 00 05 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 ^ ffffffff8b09cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== According to the comment of `nla_parse_nested_deprecated`, use correct size `IFLA_WWAN_MAX` here to fix this issue. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: wwan: fix global oob in wwan_rtnl_policy. La variable wwan_rtnl_link_ops asigna un maxtype *mayor* que lleva a una lectura global fuera de los límites al analizar los atributos netlink. • https://git.kernel.org/stable/c/88b710532e53de2466d1033fb1d5125aabf3215a https://git.kernel.org/stable/c/c9a0aed51977198df005d0a623090e38e2d77d7b https://git.kernel.org/stable/c/9683804e36668f6093fb06e202eed2f188ba437e https://git.kernel.org/stable/c/69076f8435c1c5dae5f814eaf4c361d1f00b22a3 https://git.kernel.org/stable/c/a3ffce63dcc0c208edd4d196e17baed22ebcb643 https://git.kernel.org/stable/c/47dd5447cab8ce30a847a0337d5341ae4c7476a7 •