CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27394 – tcp: Fix Use-After-Free in tcp_ao_connect_init
https://notcve.org/view.php?id=CVE-2024-27394
In the Linux kernel, the following vulnerability has been resolved: tcp: Fix Use-After-Free in tcp_ao_connect_init Since call_rcu, which is called in the hlist_for_each_entry_rcu traversal of tcp_ao_connect_init, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: Fix Use-After-Free en tcp_ao_connect_init Dado que call_rcu, que se llama en el recorrido hlist_for_each_entry_rcu de tcp_ao_connect_init, no forma parte de la sección crítica de lectura de RCU, es posible que el El período de gracia de RCU transcurrirá durante el recorrido y la clave quedará gratuita. Para evitar esto, se debe cambiar a hlist_for_each_entry_safe. • https://git.kernel.org/stable/c/7c2ffaf21bd67f73d21560995ce17eaf5fc1d37f https://git.kernel.org/stable/c/ca4fb6c6764b3f75b4f5aa81db1536291897ff7f https://git.kernel.org/stable/c/80e679b352c3ce5158f3f778cfb77eb767e586fb • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-27393 – xen-netfront: Add missing skb_mark_for_recycle
https://notcve.org/view.php?id=CVE-2024-27393
In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Add missing skb_mark_for_recycle Notice that skb_mark_for_recycle() is introduced later than fixes tag in commit 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). It is believed that fixes tag were missing a call to page_pool_release_page() between v5.9 to v5.14, after which is should have used skb_mark_for_recycle(). Since v6.6 the call page_pool_release_page() were removed (in commit 535b9c61bdef ("net: page_pool: hide page_pool_release_page()") and remaining callers converted (in commit 6bfef2ec0172 ("Merge branch 'net-page_pool-remove-page_pool_release_page'")). This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch page_pool memory leaks"). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: xen-netfront: agrega skb_mark_for_recycle faltante. Tenga en cuenta que skb_mark_for_recycle() se introduce más tarde que la etiqueta de corrección en el commit 6a5bcd84e886 ("page_pool: permitir que los controladores indiquen el reciclaje de SKB"). Se cree que a la etiqueta de correcciones le faltaba una llamada a page_pool_release_page() entre v5.9 y v5.14, después de lo cual debería haber usado skb_mark_for_recycle(). Desde v6.6, la llamada page_pool_release_page() se eliminó (en el commit 535b9c61bdef ("net: page_pool: hide page_pool_release_page()") y las personas que llaman restantes se convirtieron (en el commit 6bfef2ec0172 ("Merge Branch 'net-page_pool-remove-page_pool_release_page'") ). • https://git.kernel.org/stable/c/6c5aa6fc4defc2a0977a2c59e4710d50fa1e834c https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1 https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6 https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629 https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4 https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f http://www.openwall.com/lists/oss-security/2024/05/08/4 http://xenbits.xen.org/xsa/advisory-457.html https:& •
CVSS: -EPSS: 0%CPEs: 8EXPL: 1CVE-2023-52654 – io_uring/af_unix: disable sending io_uring over sockets
https://notcve.org/view.php?id=CVE-2023-52654
In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: disable sending io_uring over sockets File reference cycles have caused lots of problems for io_uring in the past, and it still doesn't work exactly right and races with unix_stream_read_generic(). The safest fix would be to completely disallow sending io_uring files via sockets via SCM_RIGHT, so there are no possible cycles invloving registered files and thus rendering SCM accounting on the io_uring side unnecessary. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: io_uring/af_unix: deshabilita el envío de io_uring a través de sockets Los ciclos de referencia de archivos han causado muchos problemas para io_uring en el pasado, y todavía no funciona exactamente correctamente y corre con unix_stream_read_generic(). La solución más segura sería no permitir por completo el envío de archivos io_uring a través de sockets a través de SCM_RIGHT, de modo que no haya ciclos posibles que involucren archivos registrados y, por lo tanto, hagan innecesaria la contabilidad SCM en el lado io_uring. • https://github.com/FoxyProxys/CVE-2023-52654 https://git.kernel.org/stable/c/04df9719df1865f6770af9bc7880874af0e594b2 https://git.kernel.org/stable/c/c378c479c5175833bb22ff71974cda47d7b05401 https://git.kernel.org/stable/c/813d8fe5d30388f73a21d3a2bf46b0a1fd72498c https://git.kernel.org/stable/c/0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 https://git.kernel.org/stable/c/b4293c01ee0d0ecdd3cb5801e13f62271144667a https://git.kernel.org/stable/c/75e94c7e8859e58aadc15a98cc9704edff47d4f2 https://git.kernel.org/stable/c/18824f592aad4124d79751bbc1500ea86ac3ff29 https:/& •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27392 – nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse()
https://notcve.org/view.php?id=CVE-2024-27392
In the Linux kernel, the following vulnerability has been resolved: nvme: host: fix double-free of struct nvme_id_ns in ns_update_nuse() When nvme_identify_ns() fails, it frees the pointer to the struct nvme_id_ns before it returns. However, ns_update_nuse() calls kfree() for the pointer even when nvme_identify_ns() fails. This results in KASAN double-free, which was observed with blktests nvme/045 with proposed patches [1] on the kernel v6.8-rc7. Fix the double-free by skipping kfree() when nvme_identify_ns() fails. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nvme: host: corrige la doble liberación de la estructura nvme_id_ns en ns_update_nuse() Cuando nvme_identify_ns() falla, libera el puntero a la estructura nvme_id_ns antes de que regrese. • https://git.kernel.org/stable/c/a1a825ab6a60380240ca136596732fdb80bad87a https://git.kernel.org/stable/c/534f9dc7fe495b3f9cc84363898ac50c5a25fccb https://git.kernel.org/stable/c/8d0d2447394b13fb22a069f0330f9c49b7fff9d3 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2024-27391 – wifi: wilc1000: do not realloc workqueue everytime an interface is added
https://notcve.org/view.php?id=CVE-2024-27391
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: do not realloc workqueue everytime an interface is added Commit 09ed8bfc5215 ("wilc1000: Rename workqueue from "WILC_wq" to "NETDEV-wq"") moved workqueue creation in wilc_netdev_ifc_init in order to set the interface name in the workqueue name. However, while the driver needs only one workqueue, the wilc_netdev_ifc_init is called each time we add an interface over a phy, which in turns overwrite the workqueue with a new one. This can be observed with the following commands: for i in $(seq 0 10) do iw phy phy0 interface add wlan1 type managed iw dev wlan1 del done ps -eo pid,comm|grep wlan 39 kworker/R-wlan0 98 kworker/R-wlan1 102 kworker/R-wlan1 105 kworker/R-wlan1 108 kworker/R-wlan1 111 kworker/R-wlan1 114 kworker/R-wlan1 117 kworker/R-wlan1 120 kworker/R-wlan1 123 kworker/R-wlan1 126 kworker/R-wlan1 129 kworker/R-wlan1 Fix this leakage by putting back hif_workqueue allocation in wilc_cfg80211_init. Regarding the workqueue name, it is indeed relevant to set it lowercase, however it is not attached to a specific netdev, so enforcing netdev name in the name is not so relevant. Still, enrich the name with the wiphy name to make it clear which phy is using the workqueue. • https://git.kernel.org/stable/c/09ed8bfc5215ad5aac91c50008277b5586b9ef24 https://git.kernel.org/stable/c/515cc676dfbce40d93c92b1ff3c1070e917f4e52 https://git.kernel.org/stable/c/4041c60a9d543b3ad50225385b072ba68e96166e https://git.kernel.org/stable/c/90ae293d1d255f622318fce6eeea2e18f9fde5c1 https://git.kernel.org/stable/c/9ab0c303ccabfd6bdce14432792d41090070008c https://git.kernel.org/stable/c/328efda22af81130c2ad981c110518cb29ff2f1d •