CVE-2023-52848 – f2fs: fix to drop meta_inode's page cache in f2fs_put_super()
https://notcve.org/view.php?id=CVE-2023-52848
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to drop meta_inode's page cache in f2fs_put_super() syzbot reports a kernel bug as below: F2FS-fs (loop1): detect filesystem reference count leak during umount, type: 10, count: 1 kernel BUG at fs/f2fs/super.c:1639! CPU: 0 PID: 15451 Comm: syz-executor.1 Not tainted 6.5.0-syzkaller-09338-ge0152e7481c6 #0 RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639 Call Trace: generic_shutdown_super+0x161/0x3c0 fs/super.c:693 kill_block_super+0x3b/0x70 fs/super.c:1646 kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879 deactivate_locked_super+0x9a/0x170 fs/super.c:481 deactivate_super+0xde/0x100 fs/super.c:514 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254 task_work_run+0x14d/0x240 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd In f2fs_put_super(), it tries to do sanity check on dirty and IO reference count of f2fs, once there is any reference count leak, it will trigger panic. The root case is, during f2fs_put_super(), if there is any IO error in f2fs_wait_on_all_pages(), we missed to truncate meta_inode's page cache later, result in panic, fix this case. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: f2fs: corrección para eliminar el caché de la página de meta_inode en f2fs_put_super() syzbot informa un error en el kernel como se muestra a continuación: F2FS-fs (loop1): detecta pérdida del recuento de referencias del sistema de archivos durante el desmontaje, escriba: 10 , recuento: ¡1 BUG del kernel en fs/f2fs/super.c:1639! CPU: 0 PID: 15451 Comm: syz-executor.1 No contaminado 6.5.0-syzkaller-09338-ge0152e7481c6 #0 RIP: 0010:f2fs_put_super+0xce1/0xed0 fs/f2fs/super.c:1639 Seguimiento de llamadas: generic_shutdown_super+0x161 /0x3c0 fs/super.c:693 kill_block_super+0x3b/0x70 fs/super.c:1646 kill_f2fs_super+0x2b7/0x3d0 fs/f2fs/super.c:4879 deactivate_locked_super+0x9a/0x170 fs/super.c:481 deactivate_super+0xde /0x100 fs/super.c:514 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254 task_work_run+0x14d/0x240 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [en línea] exit_to_user_mode_loop kernel/entry /common.c:171 [en línea] exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [en línea] syscall_exit_to_user_mode+0x1d/0x60 kernel/entry/common.c:296 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86 Entry_SYSCALL_64_after_hwframe+0x63/0xcd En f2fs_put_super(), intenta realizar una verificación de cordura en el recuento de referencias sucias y de IO de f2fs, una vez que hay alguna fuga en el recuento de referencias, provocará pánico. El caso raíz es que, durante f2fs_put_super(), si hay algún error de IO en f2fs_wait_on_all_pages(), no pudimos truncar el caché de la página de meta_inode más tarde, lo que generó pánico, solucionemos este caso. • https://git.kernel.org/stable/c/20872584b8c0b006c007da9588a272c9e28d2e18 https://git.kernel.org/stable/c/0e2577074b459bba7f4016f4d725ede37d48bb22 https://git.kernel.org/stable/c/eb42e1862aa7934c2c21890097ce4993c5e0d192 https://git.kernel.org/stable/c/10b2a6c0dade67b5a2b2d17fb75c457ea1985fad https://git.kernel.org/stable/c/a4639380bbe66172df329f8b54aa7d2e943f0f64 •
CVE-2023-52847 – media: bttv: fix use after free error due to btv->timeout timer
https://notcve.org/view.php?id=CVE-2023-52847
In the Linux kernel, the following vulnerability has been resolved: media: bttv: fix use after free error due to btv->timeout timer There may be some a race condition between timer function bttv_irq_timeout and bttv_remove. The timer is setup in probe and there is no timer_delete operation in remove function. When it hit kfree btv, the function might still be invoked, which will cause use after free bug. This bug is found by static analysis, it may be false positive. Fix it by adding del_timer_sync invoking to the remove function. cpu0 cpu1 bttv_probe ->timer_setup ->bttv_set_dma ->mod_timer; bttv_remove ->kfree(btv); ->bttv_irq_timeout ->USE btv En el kernel de Linux, se resolvió la siguiente vulnerabilidad: medio: bttv: corrección de uso después de error gratuito debido a btv->timeout timer. Puede haber alguna condición de ejecución entre la función del temporizador bttv_irq_timeout y bttv_remove. El temporizador está configurado en la sonda y no hay ninguna operación timer_delete en la función de eliminación. • https://git.kernel.org/stable/c/162e6376ac58440beb6a2d2ee294f5d88ea58dd1 https://git.kernel.org/stable/c/bbc3b8dd2cb7817e703f112d988e4f4728f0f2a9 https://git.kernel.org/stable/c/b35fdade92c5058a5e727e233fe263b828de2c9a https://git.kernel.org/stable/c/2f3d9198cdae1cb079ec8652f4defacd481eab2b https://git.kernel.org/stable/c/51c94256a83fe4e17406c66ff3e1ad7d242d8574 https://git.kernel.org/stable/c/20568d06f6069cb835e05eed432edf962645d226 https://git.kernel.org/stable/c/1871014d6ef4812ad11ef7d838d73ce09d632267 https://git.kernel.org/stable/c/847599fffa528b2cdec4e21b6bf7586da • CWE-416: Use After Free •
CVE-2023-52846 – hsr: Prevent use after free in prp_create_tagged_frame()
https://notcve.org/view.php?id=CVE-2023-52846
In the Linux kernel, the following vulnerability has been resolved: hsr: Prevent use after free in prp_create_tagged_frame() The prp_fill_rct() function can fail. In that situation, it frees the skb and returns NULL. Meanwhile on the success path, it returns the original skb. So it's straight forward to fix bug by using the returned value. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: hsr: impedir el uso después de liberar en prp_create_tagged_frame(). • https://git.kernel.org/stable/c/451d8123f89791bb628277c0bdb4cae34a3563e6 https://git.kernel.org/stable/c/ddf4e04e946aaa6c458b8b6829617cc44af2bffd https://git.kernel.org/stable/c/a1a485e45d24b1cd8fe834fd6f1b06e2903827da https://git.kernel.org/stable/c/6086258bd5ea7b5c706ff62da42b8e271b2401db https://git.kernel.org/stable/c/1787b9f0729d318d67cf7c5a95f0c3dba9a7cc18 https://git.kernel.org/stable/c/d103fb6726904e353b4773188ee3d3acb4078363 https://git.kernel.org/stable/c/876f8ab52363f649bcc74072157dfd7adfbabc0d •
CVE-2023-52845 – tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
https://notcve.org/view.php?id=CVE-2023-52845
In the Linux kernel, the following vulnerability has been resolved: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING syzbot reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 strlen lib/string.c:418 [inline] strstr+0xb8/0x2f0 lib/string.c:756 tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x318/0x740 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd TIPC bearer-related names including link names must be null-terminated strings. If a link name which is not null-terminated is passed through netlink, strstr() and similar functions can cause buffer overrun. This causes the above issue. This patch changes the nla_policy for bearer-related names from NLA_STRING to NLA_NUL_STRING. This resolves the issue by ensuring that only null-terminated strings are accepted as bearer-related names. syzbot reported similar uninit-value issue related to bearer names [2]. The root cause of this issue is that a non-null-terminated bearer name was passed. • https://git.kernel.org/stable/c/7be57fc6918470ecacd16b89c0d4f73d8fc265c4 https://git.kernel.org/stable/c/6744008c354bca2e4686a5b6056ee6b535d9f67d https://git.kernel.org/stable/c/2426425d686b43adbc4f2f4a367b494f06f159d6 https://git.kernel.org/stable/c/2199260c42e6fbc5af8adae3bf78e623407c91b0 https://git.kernel.org/stable/c/b33d130f07f1decd756b849ab03c23d11d4dd294 https://git.kernel.org/stable/c/3907b89cd17fcc23e9a80789c36856f00ece0ba8 https://git.kernel.org/stable/c/4c731e98fe4d678e87ba3e4d45d3cf0a5a193dc4 https://git.kernel.org/stable/c/abc1582119e8c4af14cedb0db6541fd60 • CWE-476: NULL Pointer Dereference •
CVE-2023-52844 – media: vidtv: psi: Add check for kstrdup
https://notcve.org/view.php?id=CVE-2023-52844
In the Linux kernel, the following vulnerability has been resolved: media: vidtv: psi: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: media: vidtv: psi: Agregar verificación para kstrdup. Agregue verificación para el valor de retorno de kstrdup() y devuelva el error si falla para evitar la desreferencia al puntero NULL. • https://git.kernel.org/stable/c/7a7899f6f58e3270ccfd200ee63ebced5ddba3c9 https://git.kernel.org/stable/c/3387490c89b10aeb4e71d78b65dbc9ba4b2385b9 https://git.kernel.org/stable/c/d17269fb9161995303985ab2fe6f16cfb72152f9 https://git.kernel.org/stable/c/5c26aae3723965c291c65dd2ecad6a3240d422b0 https://git.kernel.org/stable/c/5cfcc8de7d733a1137b86954cc28ce99972311ad https://git.kernel.org/stable/c/a51335704a3f90eaf23a6864faefca34b382490a https://git.kernel.org/stable/c/76a2c5df6ca8bd8ada45e953b8c72b746f42918d • CWE-476: NULL Pointer Dereference •