CVE-2024-26955 – nilfs2: prevent kernel bug at submit_bh_wbc()
https://notcve.org/view.php?id=CVE-2024-26955
In the Linux kernel, the following vulnerability has been resolved: nilfs2: prevent kernel bug at submit_bh_wbc() Fix a bug where nilfs_get_block() returns a successful status when searching and inserting the specified block both fail inconsistently. If this inconsistent behavior is not due to a previously fixed bug, then an unexpected race is occurring, so return a temporary error -EAGAIN instead. This prevents callers such as __block_write_begin_int() from requesting a read into a buffer that is not mapped, which would cause the BUG_ON check for the BH_Mapped flag in submit_bh_wbc() to fail. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nilfs2: previene el error del kernel en submit_bh_wbc(). Se corrige un error por el cual nilfs_get_block() devuelve un estado exitoso cuando la búsqueda y la inserción del bloque especificado fallan de manera inconsistente. Si este comportamiento inconsistente no se debe a un error solucionado previamente, entonces se está produciendo una ejecución inesperada, por lo que se devuelve un error temporal -EAGAIN. • https://git.kernel.org/stable/c/1f5abe7e7dbcd83e73212c6cb135a6106cea6a0b https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183 https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07 https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186 https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5 https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414 •
CVE-2024-26954 – ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()
https://notcve.org/view.php?id=CVE-2024-26954
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() If ->NameOffset of smb2_create_req is smaller than Buffer offset of smb2_create_req, slab-out-of-bounds read can happen from smb2_open. This patch set the minimum value of the name offset to the buffer offset to validate name length of smb2_create_req(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige slab-out-of-bounds en smb_strndup_from_utf16() Si ->NameOffset de smb2_create_req es menor que el desplazamiento del búfer de smb2_create_req, puede ocurrir una lectura de slab-out-of-bounds de smb2_open. Este parche establece el valor mínimo del desplazamiento del nombre en el desplazamiento del búfer para validar la longitud del nombre de smb2_create_req(). • https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57 https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178 https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa •
CVE-2024-26952 – ksmbd: fix potencial out-of-bounds when buffer offset is invalid
https://notcve.org/view.php?id=CVE-2024-26952
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potencial out-of-bounds when buffer offset is invalid I found potencial out-of-bounds when buffer offset fields of a few requests is invalid. This patch set the minimum value of buffer offset field to ->Buffer offset to validate buffer length. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ksmbd: corrige posibles límites cuando el desplazamiento del búfer no es válido. Encontré posibles límites cuando los campos de desplazamiento del búfer de algunas solicitudes no son válidos. Este parche establece el valor mínimo del campo de compensación del búfer en ->Desplazamiento del búfer para validar la longitud del búfer. • https://git.kernel.org/stable/c/39bdc4197acf2ed13269167ccf093ee28cfa2a4e https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63 https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5 https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-125: Out-of-bounds Read •
CVE-2024-26951 – wireguard: netlink: check for dangling peer via is_dead instead of empty list
https://notcve.org/view.php?id=CVE-2024-26951
In the Linux kernel, the following vulnerability has been resolved: wireguard: netlink: check for dangling peer via is_dead instead of empty list If all peers are removed via wg_peer_remove_all(), rather than setting peer_list to empty, the peer is added to a temporary list with a head on the stack of wg_peer_remove_all(). If a netlink dump is resumed and the cursored peer is one that has been removed via wg_peer_remove_all(), it will iterate from that peer and then attempt to dump freed peers. Fix this by instead checking peer->is_dead, which was explictly created for this purpose. Also move up the device_update_lock lockdep assertion, since reading is_dead relies on that. It can be reproduced by a small script like: echo "Setting config..." ip link add dev wg0 type wireguard wg setconf wg0 /big-config ( while true; do echo "Showing config..." wg showconf wg0 > /dev/null done ) & sleep 4 wg setconf wg0 <(printf "[Peer]\nPublicKey=$(wg genkey)\n") Resulting in: BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20 Read of size 8 at addr ffff88811956ec70 by task wg/59 CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5 Call Trace: <TASK> dump_stack_lvl+0x47/0x70 print_address_description.constprop.0+0x2c/0x380 print_report+0xab/0x250 kasan_report+0xba/0xf0 __lock_acquire+0x182a/0x1b20 lock_acquire+0x191/0x4b0 down_read+0x80/0x440 get_peer+0x140/0xcb0 wg_get_device_dump+0x471/0x1130 En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wireguard: netlink: verifique si hay pares pendientes a través de is_dead en lugar de una lista vacía. • https://git.kernel.org/stable/c/e7096c131e5161fa3b8e52a650d7719d2857adfd https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87 https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04 https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c •
CVE-2024-26950 – wireguard: netlink: access device through ctx instead of peer
https://notcve.org/view.php?id=CVE-2024-26950
In the Linux kernel, the following vulnerability has been resolved: wireguard: netlink: access device through ctx instead of peer The previous commit fixed a bug that led to a NULL peer->device being dereferenced. It's actually easier and faster performance-wise to instead get the device from ctx->wg. This semantically makes more sense too, since ctx->wg->peer_allowedips.seq is compared with ctx->allowedips_seq, basing them both in ctx. This also acts as a defence in depth provision against freed peers. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wireguard: netlink: acceda al dispositivo a través de ctx en lugar de peer. el commit anterior solucionó un error que provocaba que se desreferenciara un dispositivo NULL peer->. • https://git.kernel.org/stable/c/e7096c131e5161fa3b8e52a650d7719d2857adfd https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068 https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5 https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5 https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37 https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996 https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47 https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971 •