CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-50124 – Bluetooth: ISO: Fix UAF on iso_sock_timeout
https://notcve.org/view.php?id=CVE-2024-50124
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix UAF on iso_sock_timeout conn->sk maybe have been unlinked/freed while waiting for iso_conn_lock so this checks if the conn->sk is still valid by checking if it part of iso_sk_list. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: ISO: Se corrigió que UAF en iso_sock_timeout conn->sk pudiera haberse desvinculado/liberado mientras se esperaba a iso_conn_lock, por lo que esto verifica si conn->sk aún es válido verificando si es parte de iso_sk_list. • https://git.kernel.org/stable/c/ccf74f2390d60a2f9a75ef496d2564abb478f46a https://git.kernel.org/stable/c/876ac72d535fa94f4ac57bba651987c6f990f646 https://git.kernel.org/stable/c/14bcb721d241e62fdd18f6f434a2ed2ab6e71a9b https://git.kernel.org/stable/c/d75aad1d3143ca68cda52ff80ac392e1bbd84325 https://git.kernel.org/stable/c/246b435ad668596aa0e2bbb9d491b6413861211a •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50123 – bpf: Add the missing BPF_LINK_TYPE invocation for sockmap
https://notcve.org/view.php?id=CVE-2024-50123
In the Linux kernel, the following vulnerability has been resolved: bpf: Add the missing BPF_LINK_TYPE invocation for sockmap There is an out-of-bounds read in bpf_link_show_fdinfo() for the sockmap link fd. Fix it by adding the missing BPF_LINK_TYPE invocation for sockmap link Also add comments for bpf_link_type to prevent missing updates in the future. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Agregue la invocación BPF_LINK_TYPE faltante para sockmap Hay una lectura fuera de los límites en bpf_link_show_fdinfo() para el fd del enlace sockmap. Arréglelo agregando la invocación BPF_LINK_TYPE faltante para el enlace sockmap Agregue también comentarios para bpf_link_type para evitar actualizaciones faltantes en el futuro. • https://git.kernel.org/stable/c/699c23f02c65cbfc3e638f14ce0d70c23a2e1f02 https://git.kernel.org/stable/c/6d79f12c0ce2bc8ff5f109093df1734bd6450615 https://git.kernel.org/stable/c/c2f803052bc7a7feb2e03befccc8e49b6ff1f5f5 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50121 – nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
https://notcve.org/view.php?id=CVE-2024-50121
In the Linux kernel, the following vulnerability has been resolved: nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net In the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will release all resources related to the hashed `nfs4_client`. If the `nfsd_client_shrinker` is running concurrently, the `expire_client` function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well. nfsd_client_shrinker echo 0 > /proc/fs/nfsd/threads expire_client nfsd_shutdown_net unhash_client ... nfs4_state_shutdown_net /* won't wait shrinker exit */ /* cancel_work(&nn->nfsd_shrinker_work) * nfsd_file for this /* won't destroy unhashed client1 */ * client1 still alive nfs4_state_destroy_net */ nfsd_file_cache_shutdown /* trigger warning */ kmem_cache_destroy(nfsd_file_slab) kmem_cache_destroy(nfsd_file_mark_slab) /* release nfsd_file and mark */ __destroy_client ==================================================================== BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown() -------------------------------------------------------------------- CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1 dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xac/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e ==================================================================== BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown() -------------------------------------------------------------------- dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xc8/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e To resolve this issue, cancel `nfsd_shrinker_work` using synchronous mode in nfs4_state_shutdown_net. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: cancelar nfsd_shrinker_work usando el modo de sincronización en nfs4_state_shutdown_net. • https://git.kernel.org/stable/c/7c24fa225081f31bc6da6a355c1ba801889ab29a https://git.kernel.org/stable/c/2bbf10861d51dae76c6da7113516d0071c782653 https://git.kernel.org/stable/c/958294a3eb82026fcfff20b0287a90e9c854785e https://git.kernel.org/stable/c/f3ea5ec83d1a827f074b2b660749817e0bf2b23e https://git.kernel.org/stable/c/f965dc0f099a54fca100acf6909abe52d0c85328 https://git.kernel.org/stable/c/add1df5eba163a3a6ece11cb85890e2e410baaea https://git.kernel.org/stable/c/d5ff2fb2e7167e9483846e34148e60c0c016a1f6 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50120 – smb: client: Handle kstrdup failures for passwords
https://notcve.org/view.php?id=CVE-2024-50120
In the Linux kernel, the following vulnerability has been resolved: smb: client: Handle kstrdup failures for passwords In smb3_reconfigure(), after duplicating ctx->password and ctx->password2 with kstrdup(), we need to check for allocation failures. If ses->password allocation fails, return -ENOMEM. If ses->password2 allocation fails, free ses->password, set it to NULL, and return -ENOMEM. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: Manejar errores de kstrdup para contraseñas. En smb3_reconfigure(), después de duplicar ctx->password y ctx->password2 con kstrdup(), debemos verificar si hay errores de asignación. Si la asignación de ses->password falla, devuelva -ENOMEM. Si la asignación de ses->password2 falla, libere ses->password, configúrelo en NULL y devuelva -ENOMEM. • https://git.kernel.org/stable/c/7e8cffa4f85e6839335d75e6b47f918d90c1d194 https://git.kernel.org/stable/c/c1eb537bf4560b3ad4df606c266c665624f3b502 https://git.kernel.org/stable/c/e78308a6dcab1e53b38b8dd952e69c515cd324d7 https://git.kernel.org/stable/c/2a0fc63f1f4fccfeb367d0c57b8a243cec60c26c https://git.kernel.org/stable/c/35dbac8c328d6afe937cd45ecd41d209d0b9f8b8 https://git.kernel.org/stable/c/35488799b0ab6e4327f82e1d9209a60805665b37 https://git.kernel.org/stable/c/9a5dd61151399ad5a5d69aad28ab164734c1e3bc •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50119 – cifs: fix warning when destroy 'cifs_io_request_pool'
https://notcve.org/view.php?id=CVE-2024-50119
In the Linux kernel, the following vulnerability has been resolved: cifs: fix warning when destroy 'cifs_io_request_pool' There's a issue as follows: WARNING: CPU: 1 PID: 27826 at mm/slub.c:4698 free_large_kmalloc+0xac/0xe0 RIP: 0010:free_large_kmalloc+0xac/0xe0 Call Trace: <TASK> ? __warn+0xea/0x330 mempool_destroy+0x13f/0x1d0 init_cifs+0xa50/0xff0 [cifs] do_one_initcall+0xdc/0x550 do_init_module+0x22d/0x6b0 load_module+0x4e96/0x5ff0 init_module_from_file+0xcd/0x130 idempotent_init_module+0x330/0x620 __x64_sys_finit_module+0xb3/0x110 do_syscall_64+0xc1/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Obviously, 'cifs_io_request_pool' is not created by mempool_create(). So just use mempool_exit() to revert 'cifs_io_request_pool'. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cifs: se corrige la advertencia al destruir 'cifs_io_request_pool' Hay un problema como el siguiente: ADVERTENCIA: CPU: 1 PID: 27826 en mm/slub.c:4698 free_large_kmalloc+0xac/0xe0 RIP: 0010:free_large_kmalloc+0xac/0xe0 Rastreo de llamadas: ? Obviamente, 'cifs_io_request_pool' no es creado por mempool_create(). Entonces simplemente use mempool_exit() para revertir 'cifs_io_request_pool'. • https://git.kernel.org/stable/c/edea94a69730b74a8867bbafe742c3fc4e580722 https://git.kernel.org/stable/c/726416a253c51037636ecc65ad3dada3d02dcaea https://git.kernel.org/stable/c/2ce1007f42b8a6a0814386cb056feb28dc6d6091 •