CVE-2024-35976 – xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
https://notcve.org/view.php?id=CVE-2024-35976
In the Linux kernel, the following vulnerability has been resolved: xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING syzbot reported an illegal copy in xsk_setsockopt() [1] Make sure to validate setsockopt() @optlen parameter. [1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 Read of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549 CPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7fb40587de69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69 RDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006 RBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08 </TASK> Allocated by task 7549: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:370 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slub.c:3966 [inline] __kmalloc+0x233/0x4a0 mm/slub.c:3979 kmalloc include/linux/slab.h:632 [inline] __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [inline] __se_sys_setsockopt net/socket.c:2340 [inline] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 The buggy address belongs to the object at ffff888028c6cde0 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 1 bytes to the right of allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2) The buggy address belongs to the physical page: page:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c anon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001 raw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 prep_new_page mm/page_alloc.c: ---truncated--- En el kernel de Linux, se resolvió la siguiente vulnerabilidad: xsk: validar la entrada del usuario para XDP_{UMEM|COMPLETION}_FILL_RING syzbot informó una copia ilegal en xsk_setsockopt() [1] Asegúrese de validar el parámetro @optlen setsockopt(). [1] BUG: KASAN: losa fuera de límites en copy_from_sockptr_offset include/linux/sockptr.h:49 [en línea] ERROR: KASAN: losa fuera de límites en copy_from_sockptr include/linux/sockptr.h:55 [en línea] ERROR: KASAN: losa fuera de límites en xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 Lectura de tamaño 4 en la dirección ffff888028c6cde3 mediante la tarea syz-executor.0/7549 CPU: 0 PID: 7549 Comm: syz-executor.0 No contaminado 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 27/03/2024 Seguimiento de llamadas: __dump_stack lib/dump_stack .c:88 [en línea] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [en línea] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/ 0x180 mm/kasan/report.c:601 copy_from_sockptr_offset include/linux/sockptr.h:49 [en línea] copy_from_sockptr include/linux/sockptr.h:55 [en línea] xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420 do_sock_setsockopt+0x3af/0x720 net/socket.c:2311 __sys_setsockopt+0x1ae/0x250 net/socket.c:2334 __do_sys_setsockopt net/socket.c:2343 [en línea] __se_sys_setsockopt net/socket.c:2340 [en línea] x64_sys_setsockopt+0xb5/ 0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7fb40587de69 Código: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 0c8 EFLAGS: 00000246 ORIG_RAX : 0000000000000036 RAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69 RDX: 0000000000000005 RSI: 000000000000011b RDI: 000000000 0000006 RBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020001980 R11: 0000000000000246 R12: 000000000 0000000 R13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08 Asignado por tarea 7549: kasan_save_stack mm/kasan/common.c:47 [en línea] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 veneno_kmalloc_redzone mm/kasan/common.c:370 [en línea] __kasan_kmalloc+0x98/ 0xb0 mm/kasan/common.c:387 kasan_kmalloc include/linux/kasan.h:211 [en línea] __do_kmalloc_node mm/slub.c:3966 [en línea] __kmalloc+0x233/0x4a0 mm/slub.c:3979 kmalloc include/linux /slab.h:632 [en línea] __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869 do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293 __sys_setsockopt+0x1ae/0x250 334 __do_sys_setsockopt net/ socket.c:2343 [en línea] __se_sys_setsockopt net/socket.c:2340 [en línea] __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340 do_syscall_64+0xfb/0x240 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 El error la dirección pertenece al objeto en ffff888028c6cde0 que pertenece al caché kmalloc-8 de tamaño 8 La dirección con errores se encuentra 1 byte a la derecha de la región asignada de 2 bytes [ffff888028c6cde0, ffff888028c6cde2) La dirección con errores pertenece a la página física: página:ffffea0000a31b00 refcount:1 mapcount:0 Mapeo: 00000000000000000000 ÍNDICE: 0xffff888028c6c9c0 pfn: 0x28c6c Anon Flags: 0xffff00000000800 (Slab | Node = 0 | Zone = 1 | LastCpupid = 0x7ff) Page_Type: 0xffffffffffff () RAW: 00FFF000000800 0000000000000000 Dead000000000001 Raw: FFFFF888028C6C9C0 000000000080800057 00000001FFFFFFFFFFFFFFF 0000000000000000 Página arrojada porque: Kasan : mal acceso detectado page_owner rastrea la página como página asignada por última vez mediante orden 0, migrar tipo Inamovible, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223 set _page_owner incluye /linux/page_owner.h:31 [en línea] post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533 prep_new_page mm/page_alloc.c: ---truncado--- • https://git.kernel.org/stable/c/423f38329d267969130fb6f2c685f73d72687558 https://git.kernel.org/stable/c/beb99266830520e15fbc6ca8cc5a5240d76851fd https://git.kernel.org/stable/c/0b45c25d60e38f5c2cb6823f886773a34323306d https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417 https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922 https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590 • CWE-787: Out-of-bounds Write •
CVE-2024-35975 – octeontx2-pf: Fix transmit scheduler resource leak
https://notcve.org/view.php?id=CVE-2024-35975
In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix transmit scheduler resource leak Inorder to support shaping and scheduling, Upon class creation Netdev driver allocates trasmit schedulers. The previous patch which added support for Round robin scheduling has a bug due to which driver is not freeing transmit schedulers post class deletion. This patch fixes the same. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: octeontx2-pf: corrige la fuga de recursos del programador de transmisión. Para admitir la configuración y la programación, al crear la clase, el controlador Netdev asigna programadores de transmisión. El parche anterior que agregó soporte para la programación por turnos tiene un error debido a que el controlador no libera los programadores de transmisión después de la eliminación de la clase. Este parche soluciona lo mismo. • https://git.kernel.org/stable/c/47a9656f168a4b76a1e069ed8a67924ea8c1ac43 https://git.kernel.org/stable/c/7af5582ea67209a23e44be9a9612ba7897be1f47 https://git.kernel.org/stable/c/b34fe77a1b18654233e4e54b334fcaeddf487100 https://git.kernel.org/stable/c/bccb798e07f8bb8b91212fe8ed1e421685449076 •
CVE-2024-35974 – block: fix q->blkg_list corruption during disk rebind
https://notcve.org/view.php?id=CVE-2024-35974
In the Linux kernel, the following vulnerability has been resolved: block: fix q->blkg_list corruption during disk rebind Multiple gendisk instances can allocated/added for single request queue in case of disk rebind. blkg may still stay in q->blkg_list when calling blkcg_init_disk() for rebind, then q->blkg_list becomes corrupted. Fix the list corruption issue by: - add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only - move calling blkg_init_queue() into blk_alloc_queue() The list corruption should be started since commit f1c006f1c685 ("blk-cgroup: synchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()") which delays removing blkg from q->blkg_list into blkg_free_workfn(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bloque: corrige la corrupción de q->blkg_list durante la revinculación del disco. Se pueden asignar/agregar múltiples instancias de gendisk para una única cola de solicitudes en caso de volver a vincular el disco. Es posible que blkg aún permanezca en q->blkg_list cuando se llama a blkcg_init_disk() para volver a vincular, entonces q->blkg_list se corrompe. Solucione el problema de corrupción de la lista: - agregue blkg_init_queue() para inicializar q->blkg_list & q->blkcg_mutex solamente - mueva la llamada a blkg_init_queue() a blk_alloc_queue() La corrupción de la lista debe iniciarse desde la confirmación f1c006f1c685 ("blk-cgroup: sincronizar pd_free_fn() de blkg_free_workfn() y blkcg_deactivate_policy()") que retrasa la eliminación de blkg de q->blkg_list en blkg_free_workfn(). • https://git.kernel.org/stable/c/1059699f87eb0b3aa9d574b91a572d534897134a https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76 https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54 •
CVE-2024-35973 – geneve: fix header validation in geneve[6]_xmit_skb
https://notcve.org/view.php?id=CVE-2024-35973
In the Linux kernel, the following vulnerability has been resolved: geneve: fix header validation in geneve[6]_xmit_skb syzbot is able to trigger an uninit-value in geneve_xmit() [1] Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield()) uses skb_protocol(skb, true), pskb_inet_may_pull() is only using skb->protocol. If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol, pskb_inet_may_pull() does nothing at all. If a vlan tag was provided by the caller (af_packet in the syzbot case), the network header might not point to the correct location, and skb linear part could be smaller than expected. Add skb_vlan_inet_prepare() to perform a complete mac validation. Use this in geneve for the moment, I suspect we need to adopt this more broadly. v4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest - Only call __vlan_get_protocol() for vlan types. v2,v3 - Addressed Sabrina comments on v1 and v2 [1] BUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline] BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 geneve_xmit_skb drivers/net/geneve.c:910 [inline] geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030 __netdev_start_xmit include/linux/netdevice.h:4903 [inline] netdev_start_xmit include/linux/netdevice.h:4917 [inline] xmit_one net/core/dev.c:3531 [inline] dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547 __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335 dev_queue_xmit include/linux/netdevice.h:3091 [inline] packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3081 [inline] packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was created at: slab_post_alloc_hook mm/slub.c:3804 [inline] slab_alloc_node mm/slub.c:3845 [inline] kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577 __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1318 [inline] alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504 sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795 packet_alloc_skb net/packet/af_packet.c:2930 [inline] packet_snd net/packet/af_packet.c:3024 [inline] packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 __sys_sendto+0x685/0x830 net/socket.c:2191 __do_sys_sendto net/socket.c:2203 [inline] __se_sys_sendto net/socket.c:2199 [inline] __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 CPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: geneve: corrige la validación del encabezado en geneve[6]_xmit_skb syzbot puede activar un valor uninit en geneve_xmit() [1] Problema: mientras que la mayoría de los asistentes de túnel IP (como ip_tunnel_get_dsfield( )) usa skb_protocol(skb, true), pskb_inet_may_pull() solo usa skb->protocol. Si se encuentra algo más que ETH_P_IPV6 o ETH_P_IP en skb->protocol, pskb_inet_may_pull() no hace nada en absoluto. Si la persona que llama proporcionó una etiqueta vlan (af_packet en el caso de syzbot), es posible que el encabezado de la red no apunte a la ubicación correcta y que la parte lineal de skb sea más pequeña de lo esperado. Agregue skb_vlan_inet_prepare() para realizar una validación completa de Mac. Utilice esto en Ginebra por el momento. • https://git.kernel.org/stable/c/35385daa8db320d2d9664930c28e732578b0d7de https://git.kernel.org/stable/c/6f92124d74419797fadfbcd5b7a72c384a6413ad https://git.kernel.org/stable/c/71ad9260c001b217d704cda88ecea251b2d367da https://git.kernel.org/stable/c/d13f048dd40e8577260cd43faea8ec9b77520197 https://git.kernel.org/stable/c/9a51e36ebf433adf59c051bec33f5aa54640bb4d https://git.kernel.org/stable/c/21815f28af8081b258552c111774ff320cf38d38 https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536 https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657c •
CVE-2024-35972 – bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init()
https://notcve.org/view.php?id=CVE-2024-35972
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init() If ulp = kzalloc() fails, the allocated edev will leak because it is not properly assigned and the cleanup path will not be able to free it. Fix it by assigning it properly immediately after allocation. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bnxt_en: corrige una posible pérdida de memoria en bnxt_rdma_aux_device_init() Si ulp = kzalloc() falla, el edev asignado se perderá porque no está asignado correctamente y la ruta de limpieza no podrá liberarlo. Solucionarlo asignándolo correctamente inmediatamente después de la asignación. • https://git.kernel.org/stable/c/30343221132430c24b468493c861f71e2bad131f https://git.kernel.org/stable/c/c60ed825530b8c0cc2b524efd39b1d696ec54004 https://git.kernel.org/stable/c/10a9d6a7513f93d7faffcb341af0aa42be8218fe https://git.kernel.org/stable/c/7ac10c7d728d75bc9daaa8fade3c7a3273b9a9ff • CWE-401: Missing Release of Memory after Effective Lifetime •