CVE-2024-35871 – riscv: process: Fix kernel gp leakage
https://notcve.org/view.php?id=CVE-2024-35871
In the Linux kernel, the following vulnerability has been resolved: riscv: process: Fix kernel gp leakage childregs represents the registers which are active for the new thread in user context. For a kernel thread, childregs->gp is never used since the kernel gp is not touched by switch_to. For a user mode helper, the gp value can be observed in user space after execve or possibly by other means. [From the email thread] The /* Kernel thread */ comment is somewhat inaccurate in that it is also used for user_mode_helper threads, which exec a user process, e.g. /sbin/init or when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have PF_KTHREAD set and are valid targets for ptrace etc. even before they exec. childregs is the *user* context during syscall execution and it is observable from userspace in at least five ways: 1. kernel_execve does not currently clear integer registers, so the starting register state for PID 1 and other user processes started by the kernel has sp = user stack, gp = kernel __global_pointer$, all other integer registers zeroed by the memset in the patch comment. This is a bug in its own right, but I'm unwilling to bet that it is the only way to exploit the issue addressed by this patch. 2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread before it execs, but ptrace requires SIGSTOP to be delivered which can only happen at user/kernel boundaries. 3. • https://git.kernel.org/stable/c/7db91e57a0acde126a162ababfb1e0ab190130cb https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5 https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84 https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4 https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9 https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8 https://lists.debian.org/debian-lts-announce/2024/06/ •
CVE-2024-35870 – smb: client: fix UAF in smb2_reconnect_server()
https://notcve.org/view.php?id=CVE-2024-35870
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in smb2_reconnect_server() The UAF bug is due to smb2_reconnect_server() accessing a session that is already being teared down by another thread that is executing __cifs_put_smb_ses(). This can happen when (a) the client has connection to the server but no session or (b) another thread ends up setting @ses->ses_status again to something different than SES_EXITING. To fix this, we need to make sure to unconditionally set @ses->ses_status to SES_EXITING and prevent any other threads from setting a new status while we're still tearing it down. The following can be reproduced by adding some delay to right after the ipc is freed in __cifs_put_smb_ses() - which will give smb2_reconnect_server() worker a chance to run and then accessing @ses->ipc: kinit ... mount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10 [disconnect srv] ls /mnt/1 &>/dev/null sleep 30 kdestroy [reconnect srv] sleep 10 umount /mnt/1 ... CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed CIFS: VFS: \\srv Send error in SessSetup = -126 general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0 Code: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad de 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75 7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8 RSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83 RAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b RDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800 RBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000 R13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000 FS: 0000000000000000(0000) GS:ffff888157c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? die_addr+0x36/0x90 ? exc_general_protection+0x1c1/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? • https://git.kernel.org/stable/c/755fe68cd4b59e1d2a2dd3286177fd4404f57fed https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0 https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5 https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa https://access.redhat.com/security/cve/CVE-2024-35870 https://bugzilla.redhat.com/show_bug.cgi?id=2281740 • CWE-416: Use After Free •
CVE-2024-35869 – smb: client: guarantee refcounted children from parent session
https://notcve.org/view.php?id=CVE-2024-35869
In the Linux kernel, the following vulnerability has been resolved: smb: client: guarantee refcounted children from parent session Avoid potential use-after-free bugs when walking DFS referrals, mounting and performing DFS failover by ensuring that all children from parent @tcon->ses are also refcounted. They're all needed across the entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at it, too. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: garantiza que los hijos recontados desde la sesión principal Evite posibles errores de use after free al recorrer referencias DFS, montar y realizar la conmutación por error de DFS asegurándose de que todos los hijos del padre @tcon- >ses también se cuentan nuevamente. Todos son necesarios en todo el montaje DFS. • https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79 https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a https://access.redhat.com/security/cve/CVE-2024-35869 https://bugzilla.redhat.com/show_bug.cgi?id=2281742 • CWE-416: Use After Free •
CVE-2024-35868 – smb: client: fix potential UAF in cifs_stats_proc_write()
https://notcve.org/view.php?id=CVE-2024-35868
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_stats_proc_write() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en cifs_stats_proc_write() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF. • https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72 https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7 https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a •
CVE-2024-35867 – smb: client: fix potential UAF in cifs_stats_proc_show()
https://notcve.org/view.php?id=CVE-2024-35867
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_stats_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en cifs_stats_proc_show() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF. • https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49 https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39 https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7 https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65 http://www.openwall.com/lists/oss-security/2024/05/29/2 http://www.openwall.com/lists/oss-security/2024/05/30/1 http://www.openwall.com/lists/oss-security/2024/05/30/2 https://access.redhat.com/security/cve/CVE-2024-358 •