CVE-2024-41016 – ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()
https://notcve.org/view.php?id=CVE-2024-41016
In the Linux kernel, the following vulnerability has been resolved: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() xattr in ocfs2 maybe 'non-indexed', which saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from crafted poisonous images. • https://git.kernel.org/stable/c/e2b3d7a9d019d4d1a0da6c3ea64a1ff79c99c090 https://git.kernel.org/stable/c/e8f9c4af7af7e9e4cd09c0251c7936593147419f https://git.kernel.org/stable/c/57a3d89831fcaa2cdbe024b47c7c36d5a56c3637 https://git.kernel.org/stable/c/c031d286eceb82f72f8623b7f4abd2aa491bfb5e https://git.kernel.org/stable/c/cfb926051fab19b10d1e65976211f364aa820180 https://git.kernel.org/stable/c/c726dea9d0c806d64c26fcef483b1fb9474d8c5e https://git.kernel.org/stable/c/e4ffea01adf3323c821b6f37e9577d2d400adbaa https://git.kernel.org/stable/c/af77c4fc1871847b528d58b7fdafb4aa1 •
CVE-2024-41015 – ocfs2: add bounds checking to ocfs2_check_dir_entry()
https://notcve.org/view.php?id=CVE-2024-41015
In the Linux kernel, the following vulnerability has been resolved: ocfs2: add bounds checking to ocfs2_check_dir_entry() This adds sanity checks for ocfs2_dir_entry to make sure all members of ocfs2_dir_entry don't stray beyond valid memory region. • https://git.kernel.org/stable/c/13d38c00df97289e6fba2e54193959293fd910d2 https://git.kernel.org/stable/c/564d23cc5b216211e1694d53f7e45959396874d0 https://git.kernel.org/stable/c/77495e5da5cb110a8fed27b052c77853fe282176 https://git.kernel.org/stable/c/53de17ad01cb5f6f8426f597e9d5c87d4cf53bb7 https://git.kernel.org/stable/c/fd65685594ee707cbf3ddf22ebb73697786ac114 https://git.kernel.org/stable/c/e05a24289db90f76ff606086aadd62d068a88dcd https://git.kernel.org/stable/c/624b380074f0dc209fb8706db3295c735079f34c https://git.kernel.org/stable/c/edb2e67dd4626b06fd7eb37252d506791 •
CVE-2024-41014 – xfs: add bounds checking to xlog_recover_process_data
https://notcve.org/view.php?id=CVE-2024-41014
In the Linux kernel, the following vulnerability has been resolved: xfs: add bounds checking to xlog_recover_process_data There is a lack of verification of the space occupied by fixed members of xlog_op_header in the xlog_recover_process_data. We can create a crafted image to trigger an out of bounds read by following these steps: 1) Mount an image of xfs, and do some file operations to leave records 2) Before umounting, copy the image for subsequent steps to simulate abnormal exit. Because umount will ensure that tail_blk and head_blk are the same, which will result in the inability to enter xlog_recover_process_data 3) Write a tool to parse and modify the copied image in step 2 4) Make the end of the xlog_op_header entries only 1 byte away from xlog_rec_header->h_size 5) xlog_rec_header->h_num_logops++ 6) Modify xlog_rec_header->h_crc Fix: Add a check to make sure there is sufficient space to access fixed members of xlog_op_header. • https://git.kernel.org/stable/c/d1e3efe783365db59da88f08a2e0bfe1cc95b143 https://git.kernel.org/stable/c/7cd9f0a33e738cd58876f1bc8d6c1aa5bc4fc8c1 https://git.kernel.org/stable/c/fb63435b7c7dc112b1ae1baea5486e0a6e27b196 https://access.redhat.com/security/cve/CVE-2024-41014 https://bugzilla.redhat.com/show_bug.cgi?id=2300297 • CWE-125: Out-of-bounds Read •
CVE-2024-41013 – xfs: don't walk off the end of a directory data block
https://notcve.org/view.php?id=CVE-2024-41013
In the Linux kernel, the following vulnerability has been resolved: xfs: don't walk off the end of a directory data block This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry to make sure don't stray beyond valid memory region. Before patching, the loop simply checks that the start offset of the dup and dep is within the range. So in a crafted image, if last entry is xfs_dir2_data_unused, we can change dup->length to dup->length-1 and leave 1 byte of space. In the next traversal, this space will be considered as dup or dep. We may encounter an out of bound read when accessing the fixed members. In the patch, we make sure that the remaining bytes large enough to hold an unused entry before accessing xfs_dir2_data_unused and xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. • https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a https://access.redhat.com/security/cve/CVE-2024-41013 https://bugzilla.redhat.com/show_bug.cgi?id=2300296 • CWE-125: Out-of-bounds Read •
CVE-2024-41091 – tun: add missing verification for short frame
https://notcve.org/view.php?id=CVE-2024-41091
In the Linux kernel, the following vulnerability has been resolved: tun: add missing verification for short frame The cited commit missed to check against the validity of the frame length in the tun_xdp_one() path, which could cause a corrupted skb to be sent downstack. Even before the skb is transmitted, the tun_xdp_one-->eth_type_trans() may access the Ethernet header although it can be less than ETH_HLEN. Once transmitted, this could either cause out-of-bound access beyond the actual length, or confuse the underlayer with incorrect or inconsistent header length in the skb metadata. In the alternative path, tun_get_user() already prohibits short frame which has the length less than Ethernet header size from being transmitted for IFF_TAP. This is to drop any frame shorter than the Ethernet header size just like how tun_get_user() does. CVE: CVE-2024-41091 A denial of service (DoS) attack was found in the mlx5 driver in the Linux kernel. A KVM guest VM using virtio-net can crash the host by sending a short packet, for example, size < ETH_HLEN. The packet may traverse through vhost-net, macvtap, and vlan without any validation or drop. • https://git.kernel.org/stable/c/043d222f93ab8c76b56a3b315cd8692e35affb6c https://git.kernel.org/stable/c/32b0aaba5dbc85816898167d9b5d45a22eae82e9 https://git.kernel.org/stable/c/6100e0237204890269e3f934acfc50d35fd6f319 https://git.kernel.org/stable/c/589382f50b4a5d90d16d8bc9dcbc0e927a3e39b2 https://git.kernel.org/stable/c/ad6b3f622ccfb4bfedfa53b6ebd91c3d1d04f146 https://git.kernel.org/stable/c/d5ad89b7d01ed4e66fd04734fc63d6e78536692a https://git.kernel.org/stable/c/a9d1c27e2ee3b0ea5d40c105d6e728fc114470bb https://git.kernel.org/stable/c/8418f55302fa1d2eeb73e16e345167e54 • CWE-20: Improper Input Validation •