CVE-2024-26754 – gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
https://notcve.org/view.php?id=CVE-2024-26754
In the Linux kernel, the following vulnerability has been resolved: gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp() The gtp_net_ops pernet operations structure for the subsystem must be registered before registering the generic netlink family. Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014 RIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp] Code: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86 df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74 RSP: 0018:ffff888014107220 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000 FS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> ? show_regs+0x90/0xa0 ? die_addr+0x50/0xd0 ? exc_general_protection+0x148/0x220 ? asm_exc_general_protection+0x22/0x30 ? • https://git.kernel.org/stable/c/459aa660eb1d8ce67080da1983bb81d716aa5a69 https://git.kernel.org/stable/c/f0ecdfa679189d26aedfe24212d4e69e42c2c861 https://git.kernel.org/stable/c/f8cbd1791900b5d96466eede8e9439a5b9ca4de7 https://git.kernel.org/stable/c/2e534fd15e5c2ca15821c897352cf0e8a3e30dca https://git.kernel.org/stable/c/a576308800be28f2eaa099e7caad093b97d66e77 https://git.kernel.org/stable/c/3963f16cc7643b461271989b712329520374ad2a https://git.kernel.org/stable/c/ba6b8b02a3314e62571a540efa96560888c5f03e https://git.kernel.org/stable/c/5013bd54d283eda5262c9ae3bcc966d01 •
CVE-2024-26752 – l2tp: pass correct message length to ip6_append_data
https://notcve.org/view.php?id=CVE-2024-26752
In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: l2tp: pasa la longitud correcta del mensaje a ip6_append_data l2tp_ip6_sendmsg necesita evitar tener en cuenta el encabezado de transporte dos veces al unir más datos en un skbuff ya parcialmente ocupado. Para gestionar esto, verificamos si skbuff contiene datos usando skb_queue_empty al decidir cuántos datos agregar usando ip6_append_data. Sin embargo, el código que realizó el cálculo era incorrecto: ulen = len + skb_queue_empty(&sk->sk_write_queue)? • https://git.kernel.org/stable/c/559d697c5d072593d22b3e0bd8b8081108aeaf59 https://git.kernel.org/stable/c/1fc793d68d50dee4782ef2e808913d5dd880bcc6 https://git.kernel.org/stable/c/96b2e1090397217839fcd6c9b6d8f5d439e705ed https://git.kernel.org/stable/c/cd1189956393bf850b2e275e37411855d3bd86bb https://git.kernel.org/stable/c/f6a7182179c0ed788e3755ee2ed18c888ddcc33f https://git.kernel.org/stable/c/9d4c75800f61e5d75c1659ba201b6c0c7ead3070 https://git.kernel.org/stable/c/7626b9fed53092aa2147978070e610ecb61af844 https://git.kernel.org/stable/c/fe80658c08e3001c80c5533cd41abfbb0 •
CVE-2024-26751 – ARM: ep93xx: Add terminator to gpiod_lookup_table
https://notcve.org/view.php?id=CVE-2024-26751
In the Linux kernel, the following vulnerability has been resolved: ARM: ep93xx: Add terminator to gpiod_lookup_table Without the terminator, if a con_id is passed to gpio_find() that does not exist in the lookup table the function will not stop looping correctly, and eventually cause an oops. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ARM: ep93xx: Agregar terminador a gpiod_lookup_table Sin el terminador, si se pasa un con_id a gpio_find() que no existe en la tabla de búsqueda, la función no dejará de repetirse correctamente y eventualmente causará un oops • https://git.kernel.org/stable/c/b2e63555592f81331c8da3afaa607d8cf83e8138 https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482 https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48 https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8 https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997 https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e •
CVE-2024-26747 – usb: roles: fix NULL pointer issue when put module's reference
https://notcve.org/view.php?id=CVE-2024-26747
In the Linux kernel, the following vulnerability has been resolved: usb: roles: fix NULL pointer issue when put module's reference In current design, usb role class driver will get usb_role_switch parent's module reference after the user get usb_role_switch device and put the reference after the user put the usb_role_switch device. However, the parent device of usb_role_switch may be removed before the user put the usb_role_switch. If so, then, NULL pointer issue will be met when the user put the parent module's reference. This will save the module pointer in structure of usb_role_switch. Then, we don't need to find module by iterating long relations. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: roles: soluciona el problema del puntero NULL al colocar la referencia del módulo. • https://git.kernel.org/stable/c/5c54fcac9a9de559b444ac63ec3cd82f1d157a0b https://git.kernel.org/stable/c/7b169e33a3bc9040e06988b2bc15e83d2af80358 https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1 https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913 https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734 https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef42136 •
CVE-2024-26744 – RDMA/srpt: Support specifying the srpt_service_guid parameter
https://notcve.org/view.php?id=CVE-2024-26744
In the Linux kernel, the following vulnerability has been resolved: RDMA/srpt: Support specifying the srpt_service_guid parameter Make loading ib_srpt with this parameter set work. The current behavior is that setting that parameter while loading the ib_srpt kernel module triggers the following kernel crash: BUG: kernel NULL pointer dereference, address: 0000000000000000 Call Trace: <TASK> parse_one+0x18c/0x1d0 parse_args+0xe1/0x230 load_module+0x8de/0xa60 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x181/0x240 __x64_sys_finit_module+0x5a/0xb0 do_syscall_64+0x5f/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/srpt: admite la especificación del parámetro srpt_service_guid. Hace que la carga de ib_srpt con este conjunto de parámetros funcione. El comportamiento actual es que configurar ese parámetro mientras se carga el módulo del kernel ib_srpt desencadena el siguiente fallo del kernel: ERROR: desreferencia del puntero NULL del kernel, dirección: 0000000000000000 Seguimiento de llamadas: parse_one+0x18c/0x1d0 parse_args+0xe1/0x230 load_module+0x8de/ 0xa60 init_module_from_file+0x8b/0xd0 idempotent_init_module+0x181/0x240 __x64_sys_finit_module+0x5a/0xb0 do_syscall_64+0x5f/0xe0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 A flaw was foundin the Linux Kernel when specifying the srpt_service_guid parameter, which may lead to kernel crash. • https://git.kernel.org/stable/c/a42d985bd5b234da8b61347a78dc3057bf7bb94d https://git.kernel.org/stable/c/84f1dac960cfa210a3b7a7522e6c2320ae91932b https://git.kernel.org/stable/c/5a5c039dac1b1b7ba3e91c791f4421052bf79b82 https://git.kernel.org/stable/c/989af2f29342a9a7c7515523d879b698ac8465f4 https://git.kernel.org/stable/c/aee4dcfe17219fe60f2821923adea98549060af8 https://git.kernel.org/stable/c/fe2a73d57319feab4b3b175945671ce43492172f https://git.kernel.org/stable/c/c99a827d3cff9f84e1cb997b7cc6386d107aa74d https://git.kernel.org/stable/c/fdfa083549de5d50ebf7f6811f3375778 • CWE-476: NULL Pointer Dereference •