CVE-2024-36917 – block: fix overflow in blk_ioctl_discard()
https://notcve.org/view.php?id=CVE-2024-36917
In the Linux kernel, the following vulnerability has been resolved: block: fix overflow in blk_ioctl_discard() There is no check for overflow of 'start + len' in blk_ioctl_discard(). Hung task occurs if submit an discard ioctl with the following param: start = 0x80000000000ff000, len = 0x8000000000fff000; Add the overflow validation now. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bloque: corrige el desbordamiento en blk_ioctl_discard() No hay verificación de desbordamiento de 'start + len' en blk_ioctl_discard(). La tarea bloqueada ocurre si envía un ioctl de descarte con el siguiente parámetro: start = 0x80000000000ff000, len = 0x8000000000fff000; Agregue la validación de desbordamiento ahora. • https://git.kernel.org/stable/c/d30a2605be9d5132d95944916e8f578fcfe4f976 https://git.kernel.org/stable/c/8a26198186e97ee5fc4b42fde82629cff8c75cd6 https://git.kernel.org/stable/c/e1d38cde2b7b0fbd1c48082e7a98c37d750af59b https://git.kernel.org/stable/c/507d526a98c355e6f3fb2c47aacad44a69784bee https://git.kernel.org/stable/c/22d24a544b0d49bbcbd61c8c0eaf77d3c9297155 https://access.redhat.com/security/cve/CVE-2024-36917 https://bugzilla.redhat.com/show_bug.cgi?id=2284519 • CWE-190: Integer Overflow or Wraparound •
CVE-2024-36916 – blk-iocost: avoid out of bounds shift
https://notcve.org/view.php?id=CVE-2024-36916
In the Linux kernel, the following vulnerability has been resolved: blk-iocost: avoid out of bounds shift UBSAN catches undefined behavior in blk-iocost, where sometimes iocg->delay is shifted right by a number that is too large, resulting in undefined behavior on some architectures. [ 186.556576] ------------[ cut here ]------------ UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long') CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1 Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020 Call Trace: <IRQ> dump_stack_lvl+0x8f/0xe0 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 iocg_kick_delay+0x30b/0x310 ioc_timer_fn+0x2fb/0x1f80 __run_timer_base+0x1b6/0x250 ... Avoid that undefined behavior by simply taking the "delay = 0" branch if the shift is too large. I am not sure what the symptoms of an undefined value delay will be, but I suspect it could be more than a little annoying to debug. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: blk-iocost: evita cambios fuera de los límites UBSAN detecta un comportamiento indefinido en blk-iocost, donde a veces iocg->delay se desplaza hacia la derecha en un número demasiado grande, lo que resulta en un estado indefinido. comportamiento en algunas arquitecturas. [186.556576] ------------[ cortar aquí ]------------ UBSAN: desplazamiento fuera de los límites en block/blk-iocost.c:1366 :23 exponente de desplazamiento 64 es demasiado grande para el tipo de 64 bits 'u64' (también conocido como 'unsigned long long') CPU: 16 PID: 0 Comm: swapper/16 Tainted: GSEN 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1 Nombre de hardware: Quanta Twin Lakes MP/Twin Lakes MP pasivo, BIOS F09_3A23 08/12/2020 Seguimiento de llamadas: dump_stack_lvl+0x8f/0xe0 __ubsan_handle_shift_out_of_bounds+0x22c/0x280 iocg_kick_delay+0x30b/0x310 ioc_timer_fn+0x2fb/0x 1f80 __run_timer_base+0x1b6/0x250 ... Evitar ese comportamiento indefinido simplemente tomando la rama "retraso = 0" si el cambio es demasiado grande. No estoy seguro de cuáles serán los síntomas de un retraso de valor indefinido, pero sospecho que podría ser más que molesto depurarlo. • https://git.kernel.org/stable/c/7caa47151ab2e644dd221f741ec7578d9532c9a3 https://git.kernel.org/stable/c/62accf6c1d7b433752cb3591bba8967b7a801ad5 https://git.kernel.org/stable/c/844fc023e9f14a4fb1de5ae1eaefafd6d69c5fa1 https://git.kernel.org/stable/c/f6add0a6f78dc6360b822ca4b6f9f2f14174c8ca https://git.kernel.org/stable/c/ce0e99cae00e3131872936713b7f55eefd53ab86 https://git.kernel.org/stable/c/488dc6808cb8369685f18cee81e88e7052ac153b https://git.kernel.org/stable/c/beaa51b36012fad5a4d3c18b88a617aea7a9b96d https://lists.debian.org/debian-lts-announce/2024/06/ •
CVE-2024-36915 – nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
https://notcve.org/view.php?id=CVE-2024-36915
In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies syzbot reported unsafe calls to copy_from_sockptr() [1] Use copy_safe_from_sockptr() instead. [1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 Read of size 4 at addr ffff88801caa1ec3 by task syz-executor459/5078 CPU: 0 PID: 5078 Comm: syz-executor459 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 do_sock_setsockopt+0x3b1/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f7fac07fd89 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff660eb788 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89 RDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004 RBP: 0000000000000000 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nfc: llcp: corrige nfc_llcp_setsockopt() copias inseguras syzbot informó llamadas inseguras a copy_from_sockptr() [1] Utilice copy_safe_from_sockptr() en su lugar. [1] ERROR: KASAN: losa fuera de los límites en copy_from_sockptr_offset include/linux/sockptr.h:49 [en línea] ERROR: KASAN: losa fuera de los límites en copy_from_sockptr include/linux/sockptr.h:55 [en línea] ERROR: KASAN: losa fuera de los límites en nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 Lectura de tamaño 4 en la dirección ffff88801caa1ec3 por tarea syz-executor459/5078 CPU: 0 PID: 5078 Comm : syz-executor459 No contaminado 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/03/2024 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [en línea] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan /report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [en línea] copy_from_sockptr include/linux/sockptr.h:55 [en línea] nfc_llcp_setsockopt+0x6c2/0x850 net/nfc/llcp_sock.c:255 do_sock_setsockopt+0x3b 1/ 0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [en línea] __se_sys_setsockopt net/socket.c:2340 [en línea] xb5/0xd0 red/zócalo .c:2340 do_syscall_64+0xfd/0x240 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f7fac07fd89 Código: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 0 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff660eb788 EFLAGS: 000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f7fac07fd89 RDX: 0000000000000000 RSI: 0000000000000118 RDI: 0000000000000004 RBP: 000000000 0000000 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020000a80 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000 000000000 R14: 0000000000000000 R15: 0000000000000000 • https://git.kernel.org/stable/c/298609e7069ce74542a2253a39ccc9717f1d877a https://git.kernel.org/stable/c/0f106133203021533cb753e80d75896f4ad222f8 https://git.kernel.org/stable/c/29dc0ea979d433dd3c26abc8fa971550bdc05107 https://git.kernel.org/stable/c/7a87441c9651ba37842f4809224aca13a554a26f •
CVE-2024-36914 – drm/amd/display: Skip on writeback when it's not applicable
https://notcve.org/view.php?id=CVE-2024-36914
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip on writeback when it's not applicable [WHY] dynamic memory safety error detector (KASAN) catches and generates error messages "BUG: KASAN: slab-out-of-bounds" as writeback connector does not support certain features which are not initialized. [HOW] Skip them when connector type is DRM_MODE_CONNECTOR_WRITEBACK. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: omitir la reescritura cuando no sea aplicable [POR QUÉ] el detector de errores de seguridad de memoria dinámica (KASAN) detecta y genera mensajes de error "ERROR: KASAN: slab-out- of-bounds" como conector de reescritura no admite ciertas funciones que no están inicializadas. [CÓMO] Omítelos cuando el tipo de conector sea DRM_MODE_CONNECTOR_WRITEBACK. • https://git.kernel.org/stable/c/87de0a741ef6d93fcb99983138a0d89a546a043c https://git.kernel.org/stable/c/951a498fa993c5501994ec2df97c9297b02488c7 https://git.kernel.org/stable/c/e9baa7110e9f3756bd5a812af376c288d9be894d https://git.kernel.org/stable/c/ecedd99a9369fb5cde601ae9abd58bca2739f1ae •
CVE-2024-36913 – Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails
https://notcve.org/view.php?id=CVE-2024-36913
In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails In CoCo VMs it is possible for the untrusted host to cause set_memory_encrypted() or set_memory_decrypted() to fail such that an error is returned and the resulting memory is shared. Callers need to take care to handle these errors to avoid returning decrypted (shared) memory to the page allocator, which could lead to functional or security issues. VMBus code could free decrypted pages if set_memory_encrypted()/decrypted() fails. Leak the pages if this happens. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Controladores: hv: vmbus: páginas de fuga si falla set_memory_encrypted() En máquinas virtuales CoCo, es posible que el host que no es de confianza provoque que set_memory_encrypted() o set_memory_decrypted() falle de manera que se produzca un error se devuelve y la memoria resultante se comparte. Las personas que llaman deben tener cuidado al manejar estos errores para evitar devolver memoria descifrada (compartida) al asignador de páginas, lo que podría provocar problemas funcionales o de seguridad. • https://git.kernel.org/stable/c/6123a4e8e25bd40cf44db14694abac00e6b664e6 https://git.kernel.org/stable/c/e813a0fc2e597146e9cebea61ced9c796d4e308f https://git.kernel.org/stable/c/03f5a999adba062456c8c818a683beb1b498983a • CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information •