CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-56644 – net/ipv6: release expired exception dst cached in socket
https://notcve.org/view.php?id=CVE-2024-56644
In the Linux kernel, the following vulnerability has been resolved: net/ipv6: release expired exception dst cached in socket Dst objects get leaked in ip6_negative_advice() when this function is executed for an expired IPv6 route located in the exception table. There are several conditions that must be fulfilled for the leak to occur: * an ICMPv6 packet indicating a change of the MTU for the path is received, resulting in an exception dst being created * a TCP connection that uses the exception dst for routing packets must start timing out so that TCP begins retransmissions * after the exception dst expires, the FIB6 garbage collector must not run before TCP executes ip6_negative_advice() for the expired exception dst When TCP executes ip6_negative_advice() for an exception dst that has expired and if no other socket holds a reference to the exception dst, the refcount of the exception dst is 2, which corresponds to the increment made by dst_init() and the increment made by the TCP socket for which the connection is timing out. The refcount made by the socket is never released. The refcount of the dst is decremented in sk_dst_reset() but that decrement is counteracted by a dst_hold() intentionally placed just before the sk_dst_reset() in ip6_negative_advice(). After ip6_negative_advice() has finished, there is no other object tied to the dst. • https://git.kernel.org/stable/c/54c1a859efd9fd6cda05bc700315ba2519c14eba https://git.kernel.org/stable/c/9c93e9c757c7d3d96027a06b9b4c4e37ca87ded7 https://git.kernel.org/stable/c/a95808252e8acc0123bacd2dff8b9af10bc145b7 https://git.kernel.org/stable/c/b90d061345bb8cd51fece561a800bae1c95448a6 https://git.kernel.org/stable/c/0b8903e6c881f72c6849d4952de742c656eb5ab9 https://git.kernel.org/stable/c/535add1e9f274502209cb997801208bbe1ae6c6f https://git.kernel.org/stable/c/f43d12fd0fa8ee5b9caf8a3927e10d06431764d2 https://git.kernel.org/stable/c/8b591bd522b71c42a82898290e35d32b4 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56643 – dccp: Fix memory leak in dccp_feat_change_recv
https://notcve.org/view.php?id=CVE-2024-56643
In the Linux kernel, the following vulnerability has been resolved: dccp: Fix memory leak in dccp_feat_change_recv If dccp_feat_push_confirm() fails after new value for SP feature was accepted without reconciliation ('entry == NULL' branch), memory allocated for that value with dccp_feat_clone_sp_val() is never freed. Here is the kmemleak stack for this: unreferenced object 0xffff88801d4ab488 (size 8): comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s) hex dump (first 8 bytes): 01 b4 4a 1d 80 88 ff ff ..J..... backtrace: [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128 [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline] [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline] [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline] [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416 [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125 [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650 [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688 [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline] [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570 [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111 [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline] [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696 [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735 [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865 [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882 [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline] [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline] [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889 [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1 Clean up the allocated memory in case of dccp_feat_push_confirm() failure and bail out with an error reset code. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. • https://git.kernel.org/stable/c/e77b8363b2ea7c0d89919547c1a8b0562f298b57 https://git.kernel.org/stable/c/623be080ab3c13d71570bd32f7202a8efa8e2252 https://git.kernel.org/stable/c/c99507fff94b926fc92279c92d80f229c91cb85d https://git.kernel.org/stable/c/bc3d4423def1a9412a0ae454cb4477089ab79276 https://git.kernel.org/stable/c/6ff67909ee2ffad911e3122616df41dee23ff4f6 https://git.kernel.org/stable/c/d3ec686a369fae5034303061f003cd3f94ddfd23 https://git.kernel.org/stable/c/9ee68b0f23706a77f53c832457b9384178b76421 https://git.kernel.org/stable/c/22be4727a8f898442066bcac34f8a1ad0 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2024-56637 – netfilter: ipset: Hold module reference while requesting a module
https://notcve.org/view.php?id=CVE-2024-56637
In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: Hold module reference while requesting a module User space may unload ip_set.ko while it is itself requesting a set type backend module, leading to a kernel crash. The race condition may be provoked by inserting an mdelay() right after the nfnl_unlock() call. • https://git.kernel.org/stable/c/a7b4f989a629493bb4ec4a354def784d440b32c4 https://git.kernel.org/stable/c/e5e2d3024753fdaca818b822e3827614bacbdccf https://git.kernel.org/stable/c/6099b5d3e37145484fac4b8b4070c3f1abfb3519 https://git.kernel.org/stable/c/0e67805e805c1f3edd6f43adbe08ea14b552694b https://git.kernel.org/stable/c/5bae60a933ba5d16eed55c6b279be51bcbbc79b0 https://git.kernel.org/stable/c/90bf312a6b6b3d6012137f6776a4052ee85e0340 https://git.kernel.org/stable/c/ba5e070f36682d07ca7ad2a953e6c9d96be19dca https://git.kernel.org/stable/c/456f010bfaefde84d3390c755eedb1b0a •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56631 – scsi: sg: Fix slab-use-after-free read in sg_release()
https://notcve.org/view.php?id=CVE-2024-56631
In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Fix slab-use-after-free read in sg_release() Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5838 __mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912 sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407 In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is called before releasing the open_rel_lock mutex. The kref_put() call may decrement the reference count of sfp to zero, triggering its cleanup through sg_remove_sfp(). This cleanup includes scheduling deferred work via sg_remove_sfp_usercontext(), which ultimately frees sfp. After kref_put(), sg_release() continues to unlock open_rel_lock and may reference sfp or sdp. If sfp has already been freed, this results in a slab-use-after-free error. Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the open_rel_lock mutex. This ensures: - No references to sfp or sdp occur after the reference count is decremented. - Cleanup functions such as sg_remove_sfp() and sg_remove_sfp_usercontext() can safely execute without impacting the mutex handling in sg_release(). The fix has been tested and validated by syzbot. • https://git.kernel.org/stable/c/cc833acbee9db5ca8c6162b015b4c93863c6f821 https://git.kernel.org/stable/c/3a27c0defb0315760100f8b1adc7c4acbe04c884 https://git.kernel.org/stable/c/59b30afa578637169e2819536bb66459fdddc39d https://git.kernel.org/stable/c/1f5e2f1ca5875728fcf62bc1a054707444ab4960 https://git.kernel.org/stable/c/f10593ad9bc36921f623361c9e3dd96bd52d85ee •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-56627 – ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
https://notcve.org/view.php?id=CVE-2024-56627
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read An offset from client could be a negative value, It could lead to an out-of-bounds read from the stream_buf. Note that this issue is coming when setting 'vfs objects = streams_xattr parameter' in ksmbd.conf. • https://git.kernel.org/stable/c/de4d790dcf53be41736239d7ee63849a16ff5d10 https://git.kernel.org/stable/c/27de4295522e9a33e4a3fc72f7b8193df9eebe41 https://git.kernel.org/stable/c/81eed631935f2c52cdaf6691c6d48e0b06e8ad73 https://git.kernel.org/stable/c/fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9 •