CVE-2024-26845 – scsi: target: core: Add TMF to tmr_list handling
https://notcve.org/view.php?id=CVE-2024-26845
In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Add TMF to tmr_list handling An abort that is responded to by iSCSI itself is added to tmr_list but does not go to target core. A LUN_RESET that goes through tmr_list takes a refcounter on the abort and waits for completion. However, the abort will be never complete because it was not started in target core. Unable to locate ITT: 0x05000000 on CID: 0 Unable to locate RefTaskTag: 0x05000000 on CID: 0. wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop ... INFO: task kworker/0:2:49 blocked for more than 491 seconds. task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800 Workqueue: events target_tmr_work [target_core_mod] Call Trace: __switch_to+0x2c4/0x470 _schedule+0x314/0x1730 schedule+0x64/0x130 schedule_timeout+0x168/0x430 wait_for_completion+0x140/0x270 target_put_cmd_and_wait+0x64/0xb0 [target_core_mod] core_tmr_lun_reset+0x30/0xa0 [target_core_mod] target_tmr_work+0xc8/0x1b0 [target_core_mod] process_one_work+0x2d4/0x5d0 worker_thread+0x78/0x6c0 To fix this, only add abort to tmr_list if it will be handled by target core. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: target: core: agregar TMF al manejo de tmr_list. Una cancelación a la que responde iSCSI se agrega a tmr_list pero no va al núcleo de destino. • https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171 https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754c •
CVE-2024-26844 – block: Fix WARNING in _copy_from_iter
https://notcve.org/view.php?id=CVE-2024-26844
In the Linux kernel, the following vulnerability has been resolved: block: Fix WARNING in _copy_from_iter Syzkaller reports a warning in _copy_from_iter because an iov_iter is supposedly used in the wrong direction. The reason is that syzcaller managed to generate a request with a transfer direction of SG_DXFER_TO_FROM_DEV. This instructs the kernel to copy user buffers into the kernel, read into the copied buffers and then copy the data back to user space. Thus the iovec is used in both directions. Detect this situation in the block layer and construct a new iterator with the correct direction for the copy-in. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: Reparar ADVERTENCIA en _copy_from_iter Syzkaller informa una advertencia en _copy_from_iter porque supuestamente se usa un iov_iter en la dirección incorrecta. La razón es que syzcaller logró generar una solicitud con una dirección de transferencia de SG_DXFER_TO_FROM_DEV. • https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956 https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6 •
CVE-2024-26843 – efi: runtime: Fix potential overflow of soft-reserved region size
https://notcve.org/view.php?id=CVE-2024-26843
In the Linux kernel, the following vulnerability has been resolved: efi: runtime: Fix potential overflow of soft-reserved region size md_size will have been narrowed if we have >= 4GB worth of pages in a soft-reserved region. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: efi: runtime: corrige el posible desbordamiento del tamaño de la región reservada por software. md_size se habrá reducido si tenemos >= 4 GB de páginas en una región reservada por software. A flaw was found in the Linux kernel. Due to an integer overflow, certain EFI-related memory reservations might receive a size other than expected, leading to a denial of service. • https://git.kernel.org/stable/c/4fff3d735baea104017f2e3c245e27cdc79f2426 https://git.kernel.org/stable/c/4aa36b62c3eaa869860bf78b1146e9f2b5f782a9 https://git.kernel.org/stable/c/700c3f642c32721f246e09d3a9511acf40ae42be https://git.kernel.org/stable/c/cf3d6813601fe496de7f023435e31bfffa74ae70 https://git.kernel.org/stable/c/156cb12ffdcf33883304f0db645e1eadae712fe0 https://git.kernel.org/stable/c/de1034b38a346ef6be25fe8792f5d1e0684d5ff4 https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html https://access.redhat.com/security/cve/CVE-2024 • CWE-121: Stack-based Buffer Overflow •
CVE-2024-26842 – scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()
https://notcve.org/view.php?id=CVE-2024-26842
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix shift issue in ufshcd_clear_cmd() When task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U << task_tag will out of bounds for a u32 mask. Fix this up to prevent SHIFT_ISSUE (bitwise shifts that are out of bounds for their data type). [name:debug_monitors&]Unexpected kernel BRK exception at EL1 [name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP [name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done [name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000 [name:mrdump&]PHYS_OFFSET: 0x80000000 [name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO) [name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288 [name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c [name:mrdump&]sp : ffffffc0081471b0 <snip> Workqueue: ufs_eh_wq_0 ufshcd_err_handler Call trace: dump_backtrace+0xf8/0x144 show_stack+0x18/0x24 dump_stack_lvl+0x78/0x9c dump_stack+0x18/0x44 mrdump_common_die+0x254/0x480 [mrdump] ipanic_die+0x20/0x30 [mrdump] notify_die+0x15c/0x204 die+0x10c/0x5f8 arm64_notify_die+0x74/0x13c do_debug_exception+0x164/0x26c el1_dbg+0x64/0x80 el1h_64_sync_handler+0x3c/0x90 el1h_64_sync+0x68/0x6c ufshcd_clear_cmd+0x280/0x288 ufshcd_wait_for_dev_cmd+0x3e4/0x82c ufshcd_exec_dev_cmd+0x5bc/0x9ac ufshcd_verify_dev_init+0x84/0x1c8 ufshcd_probe_hba+0x724/0x1ce0 ufshcd_host_reset_and_restore+0x260/0x574 ufshcd_reset_and_restore+0x138/0xbd0 ufshcd_err_handler+0x1218/0x2f28 process_one_work+0x5fc/0x1140 worker_thread+0x7d8/0xe20 kthread+0x25c/0x468 ret_from_fork+0x10/0x20 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: ufs: core: solucione el problema de cambio en ufshcd_clear_cmd() Cuando task_tag >= 32 (en modo MCQ) y sizeof(unsigned int) == 4, 1U << task_tag será fuera de los límites para una máscara u32. Solucione esto para evitar SHIFT_ISSUE (desplazamientos bit a bit que están fuera de los límites de su tipo de datos). [nombre:debug_monitors&]Excepción inesperada de BRK del kernel en EL1 [nombre:traps&]Error interno: controlador BRK: 00000000f2005514 [#1] PREEMPT SMP [nombre:mediatek_cpufreq_hw&]cpufreq detiene el registro DVFS hecho [nombre:mrdump&]Kernel Offset: 0x1ba5800000 de 0xffffffc0 08000000 [nombre:mrdump&]PHYS_OFFSET: 0x80000000 [nombre:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO) [nombre:mrdump&]pc: [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288 [nombre:mrdump&]lr: [0xffffffdbaf52 a774] ufshcd_wait_for_dev_cmd +0x3e4/0x82c [nombre:mrdump&]sp: ffffffc0081471b0 Cola de trabajo: ufs_eh_wq_0 ufshcd_err_handler Rastreo de llamadas: dump_backtrace+0xf8/0x144 show_stack+0x18/0x24 dump_stack_lvl+0x78/0x9c dump_stack+0x1 8/0x44 mrdump_common_die+0x254/0x480 [mrdump] ipanic_die+0x20/0x30 [mrdump] notify_die+0x15c/0x204 die+0x10c/0x5f8 arm64_notify_die+0x74/0x13c do_debug_exception+0x164/0x26c el1_dbg+0x64/0x80 el1h_64_sync_handler+0x3c/0x90 el 1h_64_sync+0x68/0x6c ufshcd_clear_cmd+0x280/0x288 ufshcd_wait_for_dev_cmd+ 0x3e4/0x82c ufshcd_exec_dev_cmd+0x5bc/0x9ac ufshcd_verify_dev_init+0x84/0x1c8 ufshcd_probe_hba+0x724/0x1ce0 ufshcd_host_reset_and_restore+0x260/0x574 ufshcd_reset_and_restore+0x13 8/0xbd0 ufshcd_err_handler+0x1218/0x2f28 proceso_one_work+0x5fc/0x1140 trabajador_thread+0x7d8/0xe20 kthread+0x25c/0x468 ret_from_fork+ 0x10/0x20 • https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8 •
CVE-2024-26840 – cachefiles: fix memory leak in cachefiles_add_cache()
https://notcve.org/view.php?id=CVE-2024-26840
In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix memory leak in cachefiles_add_cache() The following memory leak was reported after unbinding /dev/cachefiles: ================================================================== unreferenced object 0xffff9b674176e3c0 (size 192): comm "cachefilesd2", pid 680, jiffies 4294881224 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc ea38a44b): [<ffffffff8eb8a1a5>] kmem_cache_alloc+0x2d5/0x370 [<ffffffff8e917f86>] prepare_creds+0x26/0x2e0 [<ffffffffc002eeef>] cachefiles_determine_cache_security+0x1f/0x120 [<ffffffffc00243ec>] cachefiles_add_cache+0x13c/0x3a0 [<ffffffffc0025216>] cachefiles_daemon_write+0x146/0x1c0 [<ffffffff8ebc4a3b>] vfs_write+0xcb/0x520 [<ffffffff8ebc5069>] ksys_write+0x69/0xf0 [<ffffffff8f6d4662>] do_syscall_64+0x72/0x140 [<ffffffff8f8000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0x76 ================================================================== Put the reference count of cache_cred in cachefiles_daemon_unbind() to fix the problem. And also put cache_cred in cachefiles_add_cache() error branch to avoid memory leaks. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cachefiles: corrige la pérdida de memoria en cachefiles_add_cache() Se informó la siguiente pérdida de memoria después de desvincular /dev/cachefiles: ================= ==================================================== objeto sin referencia 0xffff9b674176e3c0 (tamaño 192): comm "cachefilesd2", pid 680, jiffies 4294881224 volcado hexadecimal (primeros 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ retroceso (crc ea38a44b): [ ] kmem_cache_alloc+0x2d5/0x370 [] prepare_creds+0x26/0x2e0 [] cachefiles_determine_cache_security+0x1f/0x120 [] cachefiles_add_cache+0x13c/0x 3a0 [] cachefiles_daemon_write+0x146/0x1c0 [ ] vfs_write+0xcb/0x520 [] ksys_write+0x69/0xf0 [] do_syscall_64+0x72/0x140 [] Entry_SYSCALL_64_after_hwframe+0x6e/0x76 =============== ==================================================== == Coloque el recuento de referencias de cache_cred en cachefiles_daemon_unbind() para solucionar el problema. Y también coloque cache_cred en la rama de error cachefiles_add_cache() para evitar pérdidas de memoria. • https://git.kernel.org/stable/c/9ae326a69004dea8af2dae4fde58de27db700a8d https://git.kernel.org/stable/c/cb5466783793e66272624cf71925ae1d1ba32083 https://git.kernel.org/stable/c/037d5a949b0455540ef9aab34c10ddf54b65d285 https://git.kernel.org/stable/c/43eccc5823732ba6daab2511ed32dfc545a666d8 https://git.kernel.org/stable/c/94965be37add0983672e48ecb33cdbda92b62579 https://git.kernel.org/stable/c/8b218e2f0a27a9f09428b1847b4580640b9d1e58 https://git.kernel.org/stable/c/38e921616320d159336b0ffadb09e9fb4945c7c3 https://git.kernel.org/stable/c/9cac69912052a4def571fedf1cb9bb4ec • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •