CVE-2024-50089 – unicode: Don't special case ignorable code points
https://notcve.org/view.php?id=CVE-2024-50089
In the Linux kernel, the following vulnerability has been resolved: unicode: Don't special case ignorable code points We don't need to handle them separately. Instead, just let them decompose/casefold to themselves. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: unicode: No aplicar mayúsculas y minúsculas especiales a los puntos de código que se puedan ignorar. No necesitamos manejarlos por separado. En su lugar, simplemente dejamos que se descompongan o se conviertan en mayúsculas y minúsculas por sí mismos. • https://git.kernel.org/stable/c/18b5f47e7da46d3a0d7331e48befcaf151ed2ddf https://git.kernel.org/stable/c/39fffca572844d733b137a0ff9eacd67b9b0c8e3 https://git.kernel.org/stable/c/651b954cd8d5b0a358ceb47c93876bb6201224e4 https://git.kernel.org/stable/c/21526498d25e54bda3c650f756493d63fd9131b7 https://git.kernel.org/stable/c/ac20736861f3c9c8e0a78273a4c57e9bcb0d8cc6 https://git.kernel.org/stable/c/876d3577a5b353e482d9228d45fa0d82bf1af53a https://git.kernel.org/stable/c/5c26d2f1d3f5e4be3e196526bead29ecb139cf91 •
CVE-2024-50088 – btrfs: fix uninitialized pointer free in add_inode_ref()
https://notcve.org/view.php?id=CVE-2024-50088
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix uninitialized pointer free in add_inode_ref() The add_inode_ref() function does not initialize the "name" struct when it is declared. If any of the following calls to "read_one_inode() returns NULL, dir = read_one_inode(root, parent_objectid); if (!dir) { ret = -ENOENT; goto out; } inode = read_one_inode(root, inode_objectid); if (!inode) { ret = -EIO; goto out; } then "name.name" would be freed on "out" before being initialized. out: ... kfree(name.name); This issue was reported by Coverity with CID 1526744. • https://git.kernel.org/stable/c/1cf474cd474bc5d3ef63086ffd009a87a5b7bb2e https://git.kernel.org/stable/c/e43eec81c5167b655b72c781b0e75e62a05e415e https://git.kernel.org/stable/c/12cf028381aa19bc38465341512c280256e8d82d https://git.kernel.org/stable/c/e11ce03b58743bf1e096c48fcaa7e6f08eb75dfa https://git.kernel.org/stable/c/a941f3d5b1469c60a7e70e775584f110b47e0d16 https://git.kernel.org/stable/c/66691c6e2f18d2aa4b22ffb624b9bdc97e9979e4 •
CVE-2024-50087 – btrfs: fix uninitialized pointer free on read_alloc_one_name() error
https://notcve.org/view.php?id=CVE-2024-50087
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix uninitialized pointer free on read_alloc_one_name() error The function read_alloc_one_name() does not initialize the name field of the passed fscrypt_str struct if kmalloc fails to allocate the corresponding buffer. Thus, it is not guaranteed that fscrypt_str.name is initialized when freeing it. This is a follow-up to the linked patch that fixes the remaining instances of the bug introduced by commit e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs"). • https://git.kernel.org/stable/c/1cf474cd474bc5d3ef63086ffd009a87a5b7bb2e https://git.kernel.org/stable/c/e43eec81c5167b655b72c781b0e75e62a05e415e https://git.kernel.org/stable/c/b37de9491f140a0ff125c27dd1050185c3accbc1 https://git.kernel.org/stable/c/7fc7c47b9ba0cf2d192f2117a64b24881b0b577f https://git.kernel.org/stable/c/1ec28de5e476913ae51f909660b4447eddb28838 https://git.kernel.org/stable/c/2ab5e243c2266c841e0f6904fad1514b18eaf510 •
CVE-2024-50086 – ksmbd: fix user-after-free from session log off
https://notcve.org/view.php?id=CVE-2024-50086
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix user-after-free from session log off There is racy issue between smb2 session log off and smb2 session setup. It will cause user-after-free from session log off. This add session_lock when setting SMB2_SESSION_EXPIRED and referece count to session struct not to free session while it is being used. • https://git.kernel.org/stable/c/0f62358ce85b2d4c949ef1b648be01b29cec667a https://git.kernel.org/stable/c/a9839c37fd813b432988f58a9d9dd59253d3eb2c https://git.kernel.org/stable/c/5511999e9615e4318e9142d23b29bd1597befc08 https://git.kernel.org/stable/c/ee371898b53a9b9b51c02d22a8c31bfb86d45f0d https://git.kernel.org/stable/c/7aa8804c0b67b3cb263a472d17f2cb50d7f1a930 •
CVE-2024-50085 – mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow
https://notcve.org/view.php?id=CVE-2024-50085
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow Syzkaller reported this splat: ================================================================== BUG: KASAN: slab-use-after-free in mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 Read of size 4 at addr ffff8880569ac858 by task syz.1.2799/14662 CPU: 0 UID: 0 PID: 14662 Comm: syz.1.2799 Not tainted 6.12.0-rc2-syzkaller-00307-g36c254515dc6 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 mptcp_pm_nl_rm_addr_or_subflow+0xb44/0xcc0 net/mptcp/pm_netlink.c:881 mptcp_pm_nl_rm_subflow_received net/mptcp/pm_netlink.c:914 [inline] mptcp_nl_remove_id_zero_address+0x305/0x4a0 net/mptcp/pm_netlink.c:1572 mptcp_pm_nl_del_addr_doit+0x5c9/0x770 net/mptcp/pm_netlink.c:1603 genl_family_rcv_msg_doit+0x202/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x565/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x165/0x410 net/netlink/af_netlink.c:2551 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline] netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:729 [inline] __sock_sendmsg net/socket.c:744 [inline] ____sys_sendmsg+0x9ae/0xb40 net/socket.c:2607 ___sys_sendmsg+0x135/0x1e0 net/socket.c:2661 __sys_sendmsg+0x117/0x1f0 net/socket.c:2690 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf7fe4579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 RSP: 002b:00000000f574556c EFLAGS: 00000296 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 000000000000000b RCX: 0000000020000140 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 5387: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] subflow_create_ctx+0x87/0x2a0 net/mptcp/subflow.c:1803 subflow_ulp_init+0xc3/0x4d0 net/mptcp/subflow.c:1956 __tcp_set_ulp net/ipv4/tcp_ulp.c:146 [inline] tcp_set_ulp+0x326/0x7f0 net/ipv4/tcp_ulp.c:167 mptcp_subflow_create_socket+0x4ae/0x10a0 net/mptcp/subflow.c:1764 __mptcp_subflow_connect+0x3cc/0x1490 net/mptcp/subflow.c:1592 mptcp_pm_create_subflow_or_signal_addr+0xbda/0x23a0 net/mptcp/pm_netlink.c:642 mptcp_pm_nl_fully_established net/mptcp/pm_netlink.c:650 [inline] mptcp_pm_nl_work+0x3a1/0x4f0 net/mptcp/pm_netlink.c:943 mptcp_worker+0x15a/0x1240 net/mptcp/protocol.c:2777 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/ke ---truncated--- • https://git.kernel.org/stable/c/35b31f5549ede4070566b949781e83495906b43d https://git.kernel.org/stable/c/85b866e4c4e63a1d7afb58f1e24273caad03d0b7 https://git.kernel.org/stable/c/d20bf2c96d7ffd171299b32f562f70e5bf5dc608 https://git.kernel.org/stable/c/1c1f721375989579e46741f59523e39ec9b2a9bd https://git.kernel.org/stable/c/2060f1efab370b496c4903b840844ecaff324c3c https://git.kernel.org/stable/c/35301636439138b821f1f6169bd00d348ebd388a https://git.kernel.org/stable/c/da3343bc0839b180fd9af9c27fa456d8231409f9 https://git.kernel.org/stable/c/7b2e478abab0b3a33515433a6af563aeb •