Page 28 of 3132 results (0.008 seconds)

CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_sock_timeout conn->sk maybe have been unlinked/freed while waiting for sco_conn_lock so this checks if the conn->sk is still valid by checking if it part of sco_sk_list. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Bluetooth: SCO: Se corrige que UAF en sco_sock_timeout conn->sk pueda haberse desvinculado/liberado mientras se esperaba sco_conn_lock, por lo que esto verifica si conn->sk aún es válido verificando si es parte de sco_sk_list. • https://git.kernel.org/stable/c/ba316be1b6a00db7126ed9a39f9bee434a508043 https://git.kernel.org/stable/c/fea63ccd928c01573306983346588b26cffb5572 https://git.kernel.org/stable/c/48669c81a65628ef234cbdd91b9395952c7c27fe https://git.kernel.org/stable/c/37d7ae2b0578f2373674a755402ee722e96edc08 https://git.kernel.org/stable/c/a1073aad497d0d071a71f61b721966a176d50c08 https://git.kernel.org/stable/c/ec1f74319bb35c1c90c25014ec0f6ea6c3ca2134 https://git.kernel.org/stable/c/b657bba82ff6a007d84fd076bd73b11131726a2b https://git.kernel.org/stable/c/9ddda5d967e84796e7df1b54a55f36b4b • CWE-416: Use After Free •

CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net In the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will release all resources related to the hashed `nfs4_client`. If the `nfsd_client_shrinker` is running concurrently, the `expire_client` function will first unhash this client and then destroy it. This can lead to the following warning. Additionally, numerous use-after-free errors may occur as well. nfsd_client_shrinker echo 0 > /proc/fs/nfsd/threads expire_client nfsd_shutdown_net unhash_client ... nfs4_state_shutdown_net /* won't wait shrinker exit */ /* cancel_work(&nn->nfsd_shrinker_work) * nfsd_file for this /* won't destroy unhashed client1 */ * client1 still alive nfs4_state_destroy_net */ nfsd_file_cache_shutdown /* trigger warning */ kmem_cache_destroy(nfsd_file_slab) kmem_cache_destroy(nfsd_file_mark_slab) /* release nfsd_file and mark */ __destroy_client ==================================================================== BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown() -------------------------------------------------------------------- CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1 dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xac/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e ==================================================================== BUG nfsd_file_mark (Tainted: G B W ): Objects remaining nfsd_file_mark on __kmem_cache_shutdown() -------------------------------------------------------------------- dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xc8/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1a5/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e To resolve this issue, cancel `nfsd_shrinker_work` using synchronous mode in nfs4_state_shutdown_net. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfsd: cancelar nfsd_shrinker_work usando el modo de sincronización en nfs4_state_shutdown_net. • https://git.kernel.org/stable/c/7c24fa225081f31bc6da6a355c1ba801889ab29a https://git.kernel.org/stable/c/2bbf10861d51dae76c6da7113516d0071c782653 https://git.kernel.org/stable/c/958294a3eb82026fcfff20b0287a90e9c854785e https://git.kernel.org/stable/c/f3ea5ec83d1a827f074b2b660749817e0bf2b23e https://git.kernel.org/stable/c/f965dc0f099a54fca100acf6909abe52d0c85328 https://git.kernel.org/stable/c/add1df5eba163a3a6ece11cb85890e2e410baaea https://git.kernel.org/stable/c/d5ff2fb2e7167e9483846e34148e60c0c016a1f6 • CWE-416: Use After Free •

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: drm/amd: Guard against bad data for ATIF ACPI method If a BIOS provides bad data in response to an ATIF method call this causes a NULL pointer dereference in the caller. ``` ? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1)) ? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434) ? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2)) ? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1)) ? • https://git.kernel.org/stable/c/d38ceaf99ed015f2a0b9af3499791bd3a3daae21 https://git.kernel.org/stable/c/58556dcbd5606a5daccaee73b2130bc16b48e025 https://git.kernel.org/stable/c/43b4fa6e0e238c6e2662f4fb61d9f51c2785fb1d https://git.kernel.org/stable/c/234682910971732cd4da96fd95946e296e486b38 https://git.kernel.org/stable/c/6032287747f874b52dc8b9d7490e2799736e035f https://git.kernel.org/stable/c/cd67af3c1762de4c2483ae4dbdd98f9ea8fa56e3 https://git.kernel.org/stable/c/975ede2a7bec52b5da1428829b3439667c8a234b https://git.kernel.org/stable/c/1d7175f9c57b1abf9ecfbdfd53ea76076 •

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix kernel bug due to missing clearing of buffer delay flag Syzbot reported that after nilfs2 reads a corrupted file system image and degrades to read-only, the BUG_ON check for the buffer delay flag in submit_bh_wbc() may fail, causing a kernel bug. This is because the buffer delay flag is not cleared when clearing the buffer state flags to discard a page/folio or a buffer head. So, fix this. This became necessary when the use of nilfs2's own page clear routine was expanded. This state inconsistency does not occur if the buffer is written normally by log writing. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nilfs2: se corrige un error del kernel debido a la falta de limpieza del indicador de retraso del búfer Syzbot informó que después de que nilfs2 lee una imagen de sistema de archivos corrupta y se degrada a solo lectura, la comprobación BUG_ON para el indicador de retraso del búfer en submission_bh_wbc() puede fallar, lo que provoca un error del kernel. Esto se debe a que el indicador de retraso del búfer no se borra al borrar los indicadores de estado del búfer para descartar una página/folio o un encabezado de búfer. • https://git.kernel.org/stable/c/8c26c4e2694a163d525976e804d81cd955bbb40c https://git.kernel.org/stable/c/033bc52f35868c2493a2d95c56ece7fc155d7cb3 https://git.kernel.org/stable/c/412a30b1b28d6073ba29c46a2b0f324c5936293f https://git.kernel.org/stable/c/9f2ab98371c2f2488bf3bf3f9b2a73510545e9c1 https://git.kernel.org/stable/c/822203f6355f4b322d21e7115419f6b98284be25 https://git.kernel.org/stable/c/27524f65621f490184f2ace44cd8e5f3685af4a3 https://git.kernel.org/stable/c/743c78d455e784097011ea958b27396001181567 https://git.kernel.org/stable/c/c6f58ff2d4c552927fe9a187774e668eb •

CVSS: 4.7EPSS: 0%CPEs: 6EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3. In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages. Per the APM: The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0. And the SDM's much more explicit: 4:0 Ignored Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: nSVM: Ignorar nCR3[4:0] al cargar PDPTE desde la memoria Ignorar nCR3[4:0] al cargar PDPTE desde la memoria para SVM anidado, ya que los bits 4:0 de CR3 se ignoran cuando se utiliza la paginación PAE y, por lo tanto, VMRUN no aplica la alineación de 32 bytes de nCR3. En el peor de los casos, no ignorar los bits 4:0 puede dar como resultado una lectura fuera de los límites, por ejemplo, si la página de destino está al final de un memslot y el VMM no está utilizando páginas de protección. Según el APM: El registro CR3 apunta a la dirección base de la tabla de punteros de directorio de páginas. • https://git.kernel.org/stable/c/e4e517b4be019787ada4cbbce2f04570c21b0cbd https://git.kernel.org/stable/c/76ce386feb14ec9a460784fcd495d8432acce7a5 https://git.kernel.org/stable/c/58cb697d80e669c56197f703e188867c8c54c494 https://git.kernel.org/stable/c/6876793907cbe19d42e9edc8c3315a21e06c32ae https://git.kernel.org/stable/c/2c4adc9b192a0815fe58a62bc0709449416cc884 https://git.kernel.org/stable/c/426682afec71ea3f889b972d038238807b9443e4 https://git.kernel.org/stable/c/f559b2e9c5c5308850544ab59396b7d53cfc67bd https://access.redhat.com/security/cve/CVE-2024-50115 • CWE-125: Out-of-bounds Read •