CVE-2024-35861 – smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()
https://notcve.org/view.php?id=CVE-2024-35861
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en cifs_signal_cifsd_for_reconnect() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF. • https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4 https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1 https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f •
CVE-2024-35860 – bpf: support deferring bpf_link dealloc to after RCU grace period
https://notcve.org/view.php?id=CVE-2024-35860
In the Linux kernel, the following vulnerability has been resolved: bpf: support deferring bpf_link dealloc to after RCU grace period BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values. Because of this runtime dependency, when bpf_link refcnt drops to zero there could still be active BPF programs running accessing link data. This patch adds generic support to defer bpf_link dealloc callback to after RCU GP, if requested. This is done by exposing two different deallocation callbacks, one synchronous and one deferred. If deferred one is provided, bpf_link_free() will schedule dealloc_deferred() callback to happen after RCU GP. BPF is using two flavors of RCU: "classic" non-sleepable one and RCU tasks trace one. The latter is used when sleepable BPF programs are used. bpf_link_free() accommodates that by checking underlying BPF program's sleepable flag, and goes either through normal RCU GP only for non-sleepable, or through RCU tasks trace GP *and* then normal RCU GP (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF program is sleepable. We use this for multi-kprobe and multi-uprobe links, which dereference link during program run. • https://git.kernel.org/stable/c/0dcac272540613d41c05e89679e4ddb978b612f1 https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97 https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8 https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce •
CVE-2024-35857 – icmp: prevent possible NULL dereferences from icmp_build_probe()
https://notcve.org/view.php?id=CVE-2024-35857
In the Linux kernel, the following vulnerability has been resolved: icmp: prevent possible NULL dereferences from icmp_build_probe() First problem is a double call to __in_dev_get_rcu(), because the second one could return NULL. if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list) Second problem is a read from dev->ip6_ptr with no NULL check: if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list)) Use the correct RCU API to fix these. v2: add missing include <net/addrconf.h> En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: icmp: evita posibles desreferencias a NULL por parte de icmp_build_probe(). El primer problema es una doble llamada a __in_dev_get_rcu(), porque la segunda podría devolver NULL. if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list) El segundo problema es una lectura de dev->ip6_ptr sin verificación NULL: if (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list)) Use el correcto API de RCU para solucionarlos. v2: agregar falta incluir • https://git.kernel.org/stable/c/d329ea5bd8845f0b196bf41b18b6173340d6e0e4 https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401 https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270 https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350 https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767 https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941 https://access.redhat.com/security/cve/CVE-2024-35857 https://bugzilla.redhat.com/show_bug.cgi?id=2281247 •
CVE-2024-35855 – mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
https://notcve.org/view.php?id=CVE-2024-35855
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update The rule activity update delayed work periodically traverses the list of configured rules and queries their activity from the device. As part of this task it accesses the entry pointed by 'ventry->entry', but this entry can be changed concurrently by the rehash delayed work, leading to a use-after-free [1]. Fix by closing the race and perform the activity query under the 'vregion->lock' mutex. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140 Read of size 8 at addr ffff8881054ed808 by task kworker/0:18/181 CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140 mlxsw_sp_acl_rule_activity_update_work+0x219/0x400 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1039: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 1039: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mlxsw: spectrum_acl_tcam: corrige posible use after free durante la actualización de la actividad. El trabajo retrasado de la actualización de la actividad de la regla recorre periódicamente la lista de reglas configuradas y consulta su actividad desde el dispositivo. Como parte de esta tarea, accede a la entrada señalada por 'ventry->entry', pero esta entrada puede cambiarse simultáneamente mediante el trabajo retrasado del rehash, lo que lleva a un use after free [1]. Para solucionarlo, cierre la ejecución y realice la consulta de actividad en el mutex 'vregion->lock'. [1] ERROR: KASAN: slab-use-after-free en mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140 Lectura del tamaño 8 en la dirección ffff8881054ed808 por tarea kworker/0:18/181 CPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2 Nombre del hardware: Mellanox Technologies Ltd. • https://git.kernel.org/stable/c/2bffc5322fd8679e879cd6370881ee50cf141ada https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0 https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758 https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4 https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770 https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6 •
CVE-2024-35854 – mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
https://notcve.org/view.php?id=CVE-2024-35854
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash The rehash delayed work migrates filters from one region to another according to the number of available credits. The migrated from region is destroyed at the end of the work if the number of credits is non-negative as the assumption is that this is indicative of migration being complete. This assumption is incorrect as a non-negative number of credits can also be the result of a failed migration. The destruction of a region that still has filters referencing it can result in a use-after-free [1]. Fix by not destroying the region if migration failed. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858 CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5 Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019 Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xce/0x670 kasan_report+0xd7/0x110 mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230 mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70 mlxsw_sp_acl_atcam_entry_del+0x81/0x210 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50 mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 174: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 __kmalloc+0x19c/0x360 mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0 mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 Freed by task 7: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x14/0x30 kfree+0xc1/0x290 mlxsw_sp_acl_tcam_region_destroy+0x272/0x310 mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300 process_one_work+0x8eb/0x19b0 worker_thread+0x6c9/0xf70 kthread+0x2c9/0x3b0 ret_from_fork+0x4d/0x80 ret_from_fork_asm+0x1a/0x30 En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: mlxsw: spectrum_acl_tcam: Corrige posible use after free durante el rehash El trabajo retrasado del rehash migra filtros de una región a otra según la cantidad de créditos disponibles. La región que ha migrado se destruye al final del trabajo si el número de créditos no es negativo, ya que se supone que esto es indicativo de que la migración se ha completado. Esta suposición es incorrecta ya que una cantidad no negativa de créditos también puede ser el resultado de una migración fallida. • https://git.kernel.org/stable/c/c9c9af91f1d9a636aecc55302c792538e549a430 https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388 https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1 https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121 https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887 https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049 https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1 https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079 • CWE-416: Use After Free •