CVE-2024-35784 – btrfs: fix deadlock with fiemap and extent locking
https://notcve.org/view.php?id=CVE-2024-35784
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock with fiemap and extent locking While working on the patchset to remove extent locking I got a lockdep splat with fiemap and pagefaulting with my new extent lock replacement lock. This deadlock exists with our normal code, we just don't have lockdep annotations with the extent locking so we've never noticed it. Since we're copying the fiemap extent to user space on every iteration we have the chance of pagefaulting. Because we hold the extent lock for the entire range we could mkwrite into a range in the file that we have mmap'ed. This would deadlock with the following stack trace [<0>] lock_extent+0x28d/0x2f0 [<0>] btrfs_page_mkwrite+0x273/0x8a0 [<0>] do_page_mkwrite+0x50/0xb0 [<0>] do_fault+0xc1/0x7b0 [<0>] __handle_mm_fault+0x2fa/0x460 [<0>] handle_mm_fault+0xa4/0x330 [<0>] do_user_addr_fault+0x1f4/0x800 [<0>] exc_page_fault+0x7c/0x1e0 [<0>] asm_exc_page_fault+0x26/0x30 [<0>] rep_movs_alternative+0x33/0x70 [<0>] _copy_to_user+0x49/0x70 [<0>] fiemap_fill_next_extent+0xc8/0x120 [<0>] emit_fiemap_extent+0x4d/0xa0 [<0>] extent_fiemap+0x7f8/0xad0 [<0>] btrfs_fiemap+0x49/0x80 [<0>] __x64_sys_ioctl+0x3e1/0xb50 [<0>] do_syscall_64+0x94/0x1a0 [<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 I wrote an fstest to reproduce this deadlock without my replacement lock and verified that the deadlock exists with our existing locking. To fix this simply don't take the extent lock for the entire duration of the fiemap. This is safe in general because we keep track of where we are when we're searching the tree, so if an ordered extent updates in the middle of our fiemap call we'll still emit the correct extents because we know what offset we were on before. The only place we maintain the lock is searching delalloc. Since the delalloc stuff can change during writeback we want to lock the extent range so we have a consistent view of delalloc at the time we're checking to see if we need to set the delalloc flag. With this patch applied we no longer deadlock with my testcase. • https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd •
CVE-2024-27436 – ALSA: usb-audio: Stop parsing channels bits when all channels are found.
https://notcve.org/view.php?id=CVE-2024-27436
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Stop parsing channels bits when all channels are found. If a usb audio device sets more bits than the amount of channels it could write outside of the map array. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: ALSA: usb-audio: deja de analizar bits de canales cuando se encuentran todos los canales. Si un dispositivo de audio USB establece más bits que la cantidad de canales, podría escribir fuera de la matriz del mapa. • https://git.kernel.org/stable/c/04324ccc75f96b3ed7aad1c866d1b7925e977bdf https://git.kernel.org/stable/c/7e2c1b0f6dd9abde9e60f0f9730026714468770f https://git.kernel.org/stable/c/6d5dc96b154be371df0d62ecb07efe400701ed8a https://git.kernel.org/stable/c/5cd466673b34bac369334f66cbe14bb77b7d7827 https://git.kernel.org/stable/c/9af1658ba293458ca6a13f70637b9654fa4be064 https://git.kernel.org/stable/c/629af0d5fe94a35f498ba2c3f19bd78bfa591be6 https://git.kernel.org/stable/c/22cad1b841a63635a38273b799b4791f202ade72 https://git.kernel.org/stable/c/c8a24fd281dcdf3c926413dafbafcf35c • CWE-787: Out-of-bounds Write •
CVE-2024-27419 – netrom: Fix data-races around sysctl_net_busy_read
https://notcve.org/view.php?id=CVE-2024-27419
In the Linux kernel, the following vulnerability has been resolved: netrom: Fix data-races around sysctl_net_busy_read We need to protect the reader reading the sysctl value because the value can be changed concurrently. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netrom: corrige carreras de datos alrededor de sysctl_net_busy_read Necesitamos proteger al lector que lee el valor de sysctl porque el valor se puede cambiar simultáneamente. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/d623fd5298d95b65d27ef5a618ebf39541074856 https://git.kernel.org/stable/c/f9055fa2b2931261d5f89948ee5bc315b6a22d4a https://git.kernel.org/stable/c/bbf950a6e96a91cf8cf0c71117b94ed3fafc9dd3 https://git.kernel.org/stable/c/0866afaff19d8460308b022345ed116a12b1d0e1 https://git.kernel.org/stable/c/43464808669ba9d23996f0b6d875450191687caf https://git.kernel.org/stable/c/34cab94f7473e7b09f5205d4583fb5096cb63b5b https://git.kernel.org/stable/c/16d71319e29d5825ab53f263b59fdd8dc •
CVE-2024-27416 – Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
https://notcve.org/view.php?id=CVE-2024-27416
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST If we received HCI_EV_IO_CAPA_REQUEST while HCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote does support SSP since otherwise this event shouldn't be generated. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Bluetooth: hci_event: Corrige el manejo de HCI_EV_IO_CAPA_REQUEST Si recibimos HCI_EV_IO_CAPA_REQUEST mientras HCI_OP_READ_REMOTE_EXT_FEATURES aún no se ha respondido, supongamos que el control remoto admite SSP ya que, de lo contrario, este evento no debería generarse. • https://git.kernel.org/stable/c/ccb8618c972f941ebc6b2b9db491025b3369efcb https://git.kernel.org/stable/c/1769ac55dbf3114d5bf79f11bd5dca80ee263f9c https://git.kernel.org/stable/c/40a33a129d99639921ce00d274cca44ba282f1ac https://git.kernel.org/stable/c/1ef071526848cc3109ade63268854cd7c20ece0c https://git.kernel.org/stable/c/25e5d2883002e235f3378b8592aad14aeeef898c https://git.kernel.org/stable/c/c7f59461f5a78994613afc112cdd73688aef9076 https://git.kernel.org/stable/c/2c7f9fda663a1b31a61744ffc456bdb89c4efc7f https://git.kernel.org/stable/c/746dbb0fc6392eca23de27f8aa9d13979 •
CVE-2024-27415 – netfilter: bridge: confirm multicast packets before passing them up the stack
https://notcve.org/view.php?id=CVE-2024-27415
In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: confirm multicast packets before passing them up the stack conntrack nf_confirm logic cannot handle cloned skbs referencing the same nf_conn entry, which will happen for multicast (broadcast) frames on bridges. Example: macvlan0 | br0 / \ ethX ethY ethX (or Y) receives a L2 multicast or broadcast packet containing an IP packet, flow is not yet in conntrack table. 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting. -> skb->_nfct now references a unconfirmed entry 2. skb is broad/mcast packet. bridge now passes clones out on each bridge interface. 3. skb gets passed up the stack. 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb and schedules a work queue to send them out on the lower devices. The clone skb->_nfct is not a copy, it is the same entry as the original skb. The macvlan rx handler then returns RX_HANDLER_PASS. 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb. The Macvlan broadcast worker and normal confirm path will race. This race will not happen if step 2 already confirmed a clone. In that case later steps perform skb_clone() with skb->_nfct already confirmed (in hash table). • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 https://git.kernel.org/stable/c/7c3f28599652acf431a2211168de4a583f30b6d5 https://git.kernel.org/stable/c/2b1414d5e94e477edff1d2c79030f1d742625ea0 https://git.kernel.org/stable/c/80cd0487f630b5382734997c3e5e3003a77db315 https://git.kernel.org/stable/c/cb734975b0ffa688ff6cc0eed463865bf07b6c01 https://git.kernel.org/stable/c/62e7151ae3eb465e0ab52a20c941ff33bb6332e9 https://access.redhat.com/security/cve/CVE-2024-27415 https://bugzilla.redhat.com/show_bug.cgi?id=2281101 •