CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2021-47294 – netrom: Decrease sock refcount when sock timers expire
https://notcve.org/view.php?id=CVE-2021-47294
In the Linux kernel, the following vulnerability has been resolved: netrom: Decrease sock refcount when sock timers expire Commit 63346650c1a9 ("netrom: switch to sock timer API") switched to use sock timer API. It replaces mod_timer() by sk_reset_timer(), and del_timer() by sk_stop_timer(). Function sk_reset_timer() will increase the refcount of sock if it is called on an inactive timer, hence, in case the timer expires, we need to decrease the refcount ourselves in the handler, otherwise, the sock refcount will be unbalanced and the sock will never be freed. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netrom: Disminuir el recuento de sock cuando caducan los temporizadores de sock. La confirmación 63346650c1a9 ("netrom: cambiar a API de temporizador de sock") cambió para usar la API de temporizador de sock. Reemplaza mod_timer() por sk_reset_timer() y del_timer() por sk_stop_timer(). • https://git.kernel.org/stable/c/ce29e8a259de767f7210d346ad2b031cb8ab2732 https://git.kernel.org/stable/c/baa9e32336bf6d0d74a7c3486d2a27feaf57cd5f https://git.kernel.org/stable/c/0adf571fa34b27bd0b97b408cc0f0dc54b72f0eb https://git.kernel.org/stable/c/2c6b572458a9127e8070df13fa7f115c29ab1d92 https://git.kernel.org/stable/c/63346650c1a94a92be61a57416ac88c0a47c4327 https://git.kernel.org/stable/c/f1d9a1f2ef6ff17293d21d5e6b80e04bea0cf508 https://git.kernel.org/stable/c/519e8a22a454b1f1baa3a151b184fe51bc18e178 https://git.kernel.org/stable/c/853262355518cd1247515b74e83fabf03 •
CVSS: 4.2EPSS: 0%CPEs: 5EXPL: 0CVE-2021-47293 – net/sched: act_skbmod: Skip non-Ethernet packets
https://notcve.org/view.php?id=CVE-2021-47293
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbmod: Skip non-Ethernet packets Currently tcf_skbmod_act() assumes that packets use Ethernet as their L2 protocol, which is not always the case. As an example, for CAN devices: $ ip link add dev vcan0 type vcan $ ip link set up vcan0 $ tc qdisc add dev vcan0 root handle 1: htb $ tc filter add dev vcan0 parent 1: protocol ip prio 10 \ matchall action skbmod swap mac Doing the above silently corrupts all the packets. Do not perform skbmod actions for non-Ethernet packets. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: act_skbmod: omitir paquetes que no sean Ethernet. Actualmente, tcf_skbmod_act() asume que los paquetes usan Ethernet como protocolo L2, lo cual no siempre es el caso. • https://git.kernel.org/stable/c/86da71b57383d40993cb90baafb3735cffe5d800 https://git.kernel.org/stable/c/e4fdca366806f6bab374d1a95e626a10a3854b0c https://git.kernel.org/stable/c/a88414fb1117f2fe65fb88e45ba694e1d09d5024 https://git.kernel.org/stable/c/071729150be9e1d1b851b70efb6d91ee9269d57b https://git.kernel.org/stable/c/34f1e1f657fae2891b485a3b2b95fe4d2aef9f0d https://git.kernel.org/stable/c/727d6a8b7ef3d25080fad228b2c4a1d4da5999c6 https://access.redhat.com/security/cve/CVE-2021-47293 https://bugzilla.redhat.com/show_bug.cgi?id=2282504 • CWE-20: Improper Input Validation •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47292 – io_uring: fix memleak in io_init_wq_offload()
https://notcve.org/view.php?id=CVE-2021-47292
In the Linux kernel, the following vulnerability has been resolved: io_uring: fix memleak in io_init_wq_offload() I got memory leak report when doing fuzz test: BUG: memory leak unreferenced object 0xffff888107310a80 (size 96): comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... backtrace: [<000000001974933b>] kmalloc include/linux/slab.h:591 [inline] [<000000001974933b>] kzalloc include/linux/slab.h:721 [inline] [<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline] [<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955 [<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016 [<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline] [<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline] [<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline] [<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301 [<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 [<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae CPU0 CPU1 io_uring_enter io_uring_enter io_uring_add_tctx_node io_uring_add_tctx_node __io_uring_add_tctx_node __io_uring_add_tctx_node io_uring_alloc_task_context io_uring_alloc_task_context io_init_wq_offload io_init_wq_offload hash = kzalloc hash = kzalloc ctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked When calling io_uring_enter() in parallel, the 'hash_map' will be leaked, add uring_lock to protect 'hash_map'. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: io_uring: corrige memleak en io_init_wq_offload(). Recibí un informe de pérdida de memoria al realizar la prueba fuzz: BUG: pérdida de memoria objeto sin referencia 0xffff888107310a80 (tamaño 96): comm "syz-executor.6" , pid 4610, sjiffies 4295140240 (edad 20,135 s) volcado hexadecimal (primeros 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................. 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... backtrace: [<000000001974933b>] kmalloc include/linux/slab.h:591 [en línea] [<000000001974933b>] kzalloc include/linux/slab.h:721 [en línea] [<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [en línea] [<000000001974933b>] _context+0x466/0x640 fs/io_uring .c:7955 [<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016 [<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [en línea] 0000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [en línea] [<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [en línea] [<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301 [<00000000b 875f18f>] do_syscall_x64 arch/x86/entry/common. c:50 [en línea] [<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 [<000000006b0a8484>] Entry_SYSCALL_64_after_hwframe+0x44/0xae CPU0 CPU1 io_uring_enter io_uring_enter io_uring_add_tctx_node io_uring_add_tctx_node __io_uring_add_tctx_node __io_uring_add_tctx_node io_uring_alloc_task_context io_uring_alloc_task_context io_init_wq_offload io_init_wq_offload hash = kzalloc hash = kzalloc ctx->hash_map = hash ctx->hash_map = hash <- uno de los hash se filtra Al llamar a io_uring_enter() en paralelo, se filtrará el 'hash_map', agregue uring_lock para proteger 'hash_map'. • https://git.kernel.org/stable/c/e941894eae31b52f0fd9bdb3ce20620afa152f45 https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2021-47291 – ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
https://notcve.org/view.php?id=CVE-2021-47291
In the Linux kernel, the following vulnerability has been resolved: ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions While running the self-tests on a KASAN enabled kernel, I observed a slab-out-of-bounds splat very similar to the one reported in commit 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions"). We additionally need to take care of fib6_metrics initialization failure when the caller provides an nh. The fix is similar, explicitly free the route instead of calling fib6_info_release on a half-initialized object. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ipv6: corrige otra slab fuera de los límites en fib6_nh_flush_exceptions. Mientras ejecutaba las autopruebas en un kernel habilitado para KASAN, observé una slab fuera de los límites muy similar al informado en la confirmación 821bbf79fe46 ("ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions"). Además, debemos ocuparnos del error de inicialización de fib6_metrics cuando la persona que llama proporciona un nh. La solución es similar: libera explícitamente la ruta en lugar de llamar a fib6_info_release en un objeto medio inicializado. • https://git.kernel.org/stable/c/f88d8ea67fbdbac7a64bfa6ed9a2ba27bb822f74 https://git.kernel.org/stable/c/830251361425c5be044db4d826aaf304ea3d14c6 https://git.kernel.org/stable/c/ce8fafb68051fba52546f8bbe8621f7641683680 https://git.kernel.org/stable/c/115784bcccf135c3a3548098153413d76f16aae0 https://git.kernel.org/stable/c/8fb4792f091e608a0a1d353dfdf07ef55a719db5 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2021-47290 – scsi: target: Fix NULL dereference on XCOPY completion
https://notcve.org/view.php?id=CVE-2021-47290
In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix NULL dereference on XCOPY completion CPU affinity control added with commit 39ae3edda325 ("scsi: target: core: Make completion affinity configurable") makes target_complete_cmd() queue work on a CPU based on se_tpg->se_tpg_wwn->cmd_compl_affinity state. LIO's EXTENDED COPY worker is a special case in that read/write cmds are dispatched using the global xcopy_pt_tpg, which carries a NULL se_tpg_wwn pointer following initialization in target_xcopy_setup_pt(). The NULL xcopy_pt_tpg->se_tpg_wwn pointer is dereferenced on completion of any EXTENDED COPY initiated read/write cmds. E.g using the libiscsi SCSI.ExtendedCopy.Simple test: BUG: kernel NULL pointer dereference, address: 00000000000001a8 RIP: 0010:target_complete_cmd+0x9d/0x130 [target_core_mod] Call Trace: fd_execute_rw+0x148/0x42a [target_core_file] ? __dynamic_pr_debug+0xa7/0xe0 ? target_check_reservation+0x5b/0x940 [target_core_mod] __target_execute_cmd+0x1e/0x90 [target_core_mod] transport_generic_new_cmd+0x17c/0x330 [target_core_mod] target_xcopy_issue_pt_cmd+0x9/0x60 [target_core_mod] target_xcopy_read_source.isra.7+0x10b/0x1b0 [target_core_mod] ? target_check_fua+0x40/0x40 [target_core_mod] ? • https://git.kernel.org/stable/c/39ae3edda325e9cf9e978c9788affe88231f3b34 https://git.kernel.org/stable/c/e7732c5a19a15a62b0b23fd683a639b0483e1f40 https://git.kernel.org/stable/c/a47fa41381a09e5997afd762664db4f5f6657e03 •