CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26636 – llc: make llc_ui_sendmsg() more robust against bonding changes
https://notcve.org/view.php?id=CVE-2024-26636
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: llc: make llc_ui_sendmsg() more robust against bonding changes syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header [1] Like some others, llc_ui_sendmsg() releases the socket lock before calling sock_alloc_send_skb(). Then it acquires it again, but does not redo all the sanity checks that were performed. This fix: - Uses LL_RESERVED_SPACE() to reserve spac... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26635 – llc: Drop support for ETH_P_TR_802_2.
https://notcve.org/view.php?id=CVE-2024-26635
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16) llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decod... • https://git.kernel.org/stable/c/211ed865108e24697b44bee5daac502ee6bdd4a4 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26634 – net: fix removing a namespace with conflicting altnames
https://notcve.org/view.php?id=CVE-2024-26634
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: net: fix removing a namespace with conflicting altnames Mark reports a BUG() when a net namespace is removed. kernel BUG at net/core/dev.c:11520! Physical interfaces moved outside of init_net get "refunded" to init_net when that namespace disappears. The main interface name may get overwritten in the process if it would have conflicted. We need to also discard all conflicting altnames. Recent fixes addressed ensuring that altnames get moved... • https://git.kernel.org/stable/c/673edcffa0960fc154085d639e10f80b6317d3bd •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52616 – crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init
https://notcve.org/view.php?id=CVE-2023-52616
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: crypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init When the mpi_ec_ctx structure is initialized, some fields are not cleared, causing a crash when referencing the field when the structure was released. Initially, this issue was ignored because memory for mpi_ec_ctx is allocated with the __GFP_ZERO flag. For example, this error will be triggered when calculating the Za value for SM2 separately. En el kernel de Linux, se resolvió ... • https://git.kernel.org/stable/c/d58bb7e55a8a65894cc02f27c3e2bf9403e7c40f •
CVSS: 4.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52615 – hwrng: core - Fix page fault dead lock on mmap-ed hwrng
https://notcve.org/view.php?id=CVE-2023-52615
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: hwrng: core - Fix page fault dead lock on mmap-ed hwrng There is a dead-lock in the hwrng device read path. This triggers when the user reads from /dev/hwrng into memory also mmap-ed from /dev/hwrng. The resulting page fault triggers a recursive read which then dead-locks. Fix this by using a stack buffer when calling copy_to_user. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: hwrng: core: soluciona el bloqueo de falla de ... • https://git.kernel.org/stable/c/9996508b3353063f2d6c48c1a28a84543d72d70b • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 0CVE-2023-52614 – PM / devfreq: Fix buffer overflow in trans_stat_show
https://notcve.org/view.php?id=CVE-2023-52614
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Fix buffer overflow in trans_stat_show Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. • https://git.kernel.org/stable/c/e552bbaf5b987f57c43e6981a452b8a3c700b1ae • CWE-121: Stack-based Buffer Overflow •
CVSS: 5.5EPSS: 0%CPEs: 15EXPL: 0CVE-2024-26633 – ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
https://notcve.org/view.php?id=CVE-2024-26633
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we might access garbage. [1] BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0 ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline] ip6_tnl_start_xmit+0xab2/0x1a70 net/i... • https://git.kernel.org/stable/c/fbfa743a9d2a0ffa24251764f10afc13eb21e739 • CWE-20: Improper Input Validation •
CVSS: 4.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26632 – block: Fix iterating over an empty bio with bio_for_each_folio_all
https://notcve.org/view.php?id=CVE-2024-26632
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: block: Fix iterating over an empty bio with bio_for_each_folio_all If the bio contains no data, bio_first_folio() calls page_folio() on a NULL pointer and oopses. Move the test that we've reached the end of the bio from bio_next_folio() to bio_first_folio(). [axboe: add unlikely() to error case] En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bloque: corrige la iteración sobre una biografía vacía con bio_for_each_folio_all S... • https://git.kernel.org/stable/c/640d1930bef4f87ec8d8d2b05f0f6edc1dfcf662 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26631 – ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
https://notcve.org/view.php?id=CVE-2024-26631
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work idev->mc_ifc_count can be written over without proper locking. Originally found by syzbot [1], fix this issue by encapsulating calls to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with mutex_lock() and mutex_unlock() accordingly as these functions should only be called with mc_lock per their declarations. [1] BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work writ... • https://git.kernel.org/stable/c/2d9a93b4902be6a5504b5941dd15e9cd776aadca • CWE-414: Missing Lock Check •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-52613 – drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment
https://notcve.org/view.php?id=CVE-2023-52613
18 Mar 2024 — In the Linux kernel, the following vulnerability has been resolved: drivers/thermal/loongson2_thermal: Fix incorrect PTR_ERR() judgment PTR_ERR() returns -ENODEV when thermal-zones are undefined, and we need -ENODEV as the right value for comparison. Otherwise, tz->type is NULL when thermal-zones is undefined, resulting in the following error: [ 12.290030] CPU 1 Unable to handle kernel paging request at virtual address fffffffffffffff1, era == 900000000355f410, ra == 90000000031579b8 [ 12.302877] Oops[#1]: ... • https://git.kernel.org/stable/c/e7e3a7c35791fe7a70997883fb8ada5866a40f4d •