Page 275 of 2022 results (0.012 seconds)

CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: confirm multicast packets before passing them up the stack conntrack nf_confirm logic cannot handle cloned skbs referencing the same nf_conn entry, which will happen for multicast (broadcast) frames on bridges. Example: macvlan0 | br0 / \ ethX ethY ethX (or Y) receives a L2 multicast or broadcast packet containing an IP packet, flow is not yet in conntrack table. 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. -> skb->_nfct now references a unconfirmed entry 2. skb is broad/mcast packet. bridge now passes clones out on each bridge interface. 3. skb gets passed up the stack. 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb and schedules a work queue to send them out on the lower devices. The clone skb->_nfct is not a copy, it is the same entry as the original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. The Macvlan broadcast worker and normal confirm path will race. This race will not happen if step 2 already confirmed a clone. In that case later steps perform skb_clone() with skb->_nfct already confirmed (in hash table). • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/7c3f28599652acf431a2211168de4a583f30b6d5 https://git.kernel.org/stable/c/2b1414d5e94e477edff1d2c79030f1d742625ea0 https://git.kernel.org/stable/c/80cd0487f630b5382734997c3e5e3003a77db315 https://git.kernel.org/stable/c/cb734975b0ffa688ff6cc0eed463865bf07b6c01 https://git.kernel.org/stable/c/62e7151ae3eb465e0ab52a20c941ff33bb6332e9 https://access.redhat.com/security/cve/CVE-2024-27415 https://bugzilla.redhat.com/show_bug.cgi?id=2281101 •

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back In the commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink checks IFLA_BRIDGE_MODE length"), an adjustment was made to the old loop logic in the function `rtnl_bridge_setlink` to enable the loop to also check the length of the IFLA_BRIDGE_MODE attribute. However, this adjustment removed the `break` statement and led to an error logic of the flags writing back at the end of this function. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr should point to IFLA_BRIDGE_FLAGS NLA !!! Before the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS. However, this is not necessarily true fow now as the updated loop will let the attr point to the last NLA, even an invalid NLA which could cause overflow writes. This patch introduces a new variable `br_flag` to save the NLA pointer that points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned error logic. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rtnetlink: corrige la lógica de error de la reescritura de IFLA_BRIDGE_FLAGS En el commit d73ef2d69c0d ("rtnetlink: let rtnl_bridge_setlink comprueba la longitud de IFLA_BRIDGE_MODE"), se realizó un ajuste a la lógica de bucle anterior en la función ` rtnl_bridge_setlink` para permitir que el bucle también verifique la longitud del atributo IFLA_BRIDGE_MODE. Sin embargo, este ajuste eliminó la declaración "break" y generó una lógica de error en la escritura de los indicadores al final de esta función. if (have_flags) memcpy(nla_data(attr), &flags, sizeof(flags)); // attr debería apuntar a IFLA_BRIDGE_FLAGS NLA !!! • https://git.kernel.org/stable/c/ad46d4861ed36315d3d9e838723ba3e367ecc042 https://git.kernel.org/stable/c/abb0172fa8dc4a4ec51aa992b7269ed65959f310 https://git.kernel.org/stable/c/047508edd602921ee8bb0f2aa2100aa2e9bedc75 https://git.kernel.org/stable/c/8dfac8071d58447e5cace4c4c6fe493ce2f615f6 https://git.kernel.org/stable/c/d73ef2d69c0dba5f5a1cb9600045c873bab1fb7f https://git.kernel.org/stable/c/00757f58e37b2d9a6f99e15be484712390cd2bab https://git.kernel.org/stable/c/b9fbc44159dfc3e9a7073032752d9e03f5194a6f https://git.kernel.org/stable/c/882a51a10ecf24ce135d573afa0872aef •

CVSS: -EPSS: 0%CPEs: 9EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect allocation size gcc-14 notices that the allocation with sizeof(void) on 32-bit architectures is not enough for a 64-bit phys_addr_t: drivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open': drivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size] 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL); | ^ Use the correct type instead here. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: efi/capsule-loader: corrige el tamaño de asignación incorrecto gcc-14 advierte que la asignación con sizeof(void) en arquitecturas de 32 bits no es suficiente para phys_addr_t: drivers de 64 bits /firmware/efi/capsule-loader.c: En función 'efi_capsule_open': drivers/firmware/efi/capsule-loader.c:295:24: error: asignación de tamaño '4' insuficiente para el tipo 'phys_addr_t' {alias ' long long unsigned int'} con tamaño '8' [-Werror=alloc-size] 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL); | ^ Utilice el tipo correcto aquí. • https://git.kernel.org/stable/c/f24c4d478013d82bd1b943df566fff3561d52864 https://git.kernel.org/stable/c/95a362c9a6892085f714eb6e31eea6a0e3aa93bf https://git.kernel.org/stable/c/00cf21ac526011a29fc708f8912da446fac19f7b https://git.kernel.org/stable/c/950d4d74d311a18baed6878dbfba8180d7e5dddd https://git.kernel.org/stable/c/537e3f49dbe88881a6f0752beaa596942d9efd64 https://git.kernel.org/stable/c/4b73473c050a612fb4317831371073eda07c3050 https://git.kernel.org/stable/c/ddc547dd05a46720866c32022300f7376c40119f https://git.kernel.org/stable/c/11aabd7487857b8e7d768fefb092f66df •

CVSS: -EPSS: 0%CPEs: 10EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: power: supply: bq27xxx-i2c: Do not free non existing IRQ The bq27xxx i2c-client may not have an IRQ, in which case client->irq will be 0. bq27xxx_battery_i2c_probe() already has an if (client->irq) check wrapping the request_threaded_irq(). But bq27xxx_battery_i2c_remove() unconditionally calls free_irq(client->irq) leading to: [ 190.310742] ------------[ cut here ]------------ [ 190.310843] Trying to free already-free IRQ 0 [ 190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310 Followed by a backtrace when unbinding the driver. Add an if (client->irq) to bq27xxx_battery_i2c_remove() mirroring probe() to fix this. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: alimentación: suministro: bq27xxx-i2c: no liberar IRQ no existente Es posible que el cliente bq27xxx i2c no tenga una IRQ, en cuyo caso client->irq será 0. bq27xxx_battery_i2c_probe( ) ya tiene una verificación if (cliente->irq) que envuelve request_threaded_irq(). Pero bq27xxx_battery_i2c_remove() llama incondicionalmente a free_irq(cliente->irq) lo que lleva a: [190.310742] ------------[ cortar aquí ]------------ [ 190.310843] Intentando liberar IRQ 0 [190.310861] que ya está libre ADVERTENCIA: CPU: 2 PID: 1304 en kernel/irq/manage.c:1893 free_irq+0x1b8/0x310 Seguido de un seguimiento al desvincular el controlador. Agregue un if (cliente->irq) a bq27xxx_battery_i2c_remove() mirroring probe() para solucionar este problema. • https://git.kernel.org/stable/c/76d2ed844def0cb8704d766924b07b2a918b3e30 https://git.kernel.org/stable/c/dafe9136be7b7fc30f1f3ca410c15b7cc65bee44 https://git.kernel.org/stable/c/1da9a4b55a6688e3a30c16d0cf2e7c6a90a684fb https://git.kernel.org/stable/c/e01820a94aea99296e500f54b3f36a2985061045 https://git.kernel.org/stable/c/e65fee45687fa2109e03056a696dc7d68a151296 https://git.kernel.org/stable/c/444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 https://git.kernel.org/stable/c/ca4a2ddd2e69ca82ca5992d4c49649b2cbac3b74 https://git.kernel.org/stable/c/28960625adaaf3fa3d83c8d3596661d25 •

CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject iftype change with mesh ID change It's currently possible to change the mesh ID when the interface isn't yet in mesh mode, at the same time as changing it into mesh mode. This leads to an overwrite of data in the wdev->u union for the interface type it currently has, causing cfg80211_change_iface() to do wrong things when switching. We could probably allow setting an interface to mesh while setting the mesh ID at the same time by doing a different order of operations here, but realistically there's no userspace that's going to do this, so just disallow changes in iftype when setting mesh ID. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: wifi: nl80211: rechazar cambio de tipo con cambio de ID de malla Actualmente es posible cambiar el ID de malla cuando la interfaz aún no está en modo malla, al mismo tiempo que se cambia a modo malla. Esto lleva a una sobrescritura de datos en la unión wdev->u para el tipo de interfaz que tiene actualmente, causando que cfg80211_change_iface() haga cosas incorrectas al cambiar. Probablemente podríamos permitir configurar una interfaz para malla mientras configuramos la ID de malla al mismo tiempo haciendo un orden diferente de operaciones aquí, pero en realidad no hay ningún espacio de usuario que vaya a hacer esto, así que simplemente no permita cambios en iftype al configurar la ID de malla. • https://git.kernel.org/stable/c/7b0a0e3c3a88260b6fcb017e49f198463aa62ed1 https://git.kernel.org/stable/c/d38d31bbbb9dc0d4d71a45431eafba03d0bc150d https://git.kernel.org/stable/c/0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9 https://git.kernel.org/stable/c/99eb2159680af8786104dac80528acd5acd45980 https://git.kernel.org/stable/c/063715c33b4c37587aeca2c83cf08ead0c542995 https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2 https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d •