CVSS: 4.4EPSS: 0%CPEs: 5EXPL: 0CVE-2024-26769 – nvmet-fc: avoid deadlock on delete association path
https://notcve.org/view.php?id=CVE-2024-26769
In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid deadlock on delete association path When deleting an association the shutdown path is deadlocking because we try to flush the nvmet_wq nested. Avoid this by deadlock by deferring the put work into its own work item. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nvmet-fc: evita el punto muerto al eliminar la ruta de asociación Al eliminar una asociación, la ruta de cierre se bloquea porque intentamos vaciar el nvmet_wq anidado. Evite este punto muerto al diferir el trabajo colocado en su propio elemento de trabajo. • https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4 https://git.kernel.org/stable/c/9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8 https://git.kernel.org/stable/c/eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30 https://git.kernel.org/stable/c/1d86f79287206deec36d63b89c741cf542b6cadd https://git.kernel.org/stable/c/710c69dbaccdac312e32931abcb8499c1525d397 https://access.redhat.com/security/cve/CVE-2024-26769 https://bugzilla.redhat.com/show_bug.cgi?id=2273180 • CWE-833: Deadlock •
CVSS: 4.4EPSS: 0%CPEs: 3EXPL: 0CVE-2024-26767 – drm/amd/display: fixed integer types and null check locations
https://notcve.org/view.php?id=CVE-2024-26767
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fixed integer types and null check locations [why]: issues fixed: - comparison with wider integer type in loop condition which can cause infinite loops - pointer dereference before null check En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: tipos de enteros fijos y ubicaciones de verificación nula [por qué]: problemas solucionados: - comparación con un tipo de entero más amplio en condición de bucle que puede causar bucles infinitos - desreferencia del puntero antes cheque nulo • https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375 https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7 https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738 https://access.redhat.com/security/cve/CVE-2024-26767 https://bugzilla.redhat.com/show_bug.cgi?id=2273185 • CWE-170: Improper Null Termination •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2024-26766 – IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
https://notcve.org/view.php?id=CVE-2024-26766
In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix sdma.h tx->num_descs off-by-one error Unfortunately the commit `fd8958efe877` introduced another error causing the `descs` array to overflow. This reults in further crashes easily reproducible by `sendmsg` system call. [ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI [ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1] -- [ 1080.974535] Call Trace: [ 1080.976990] <TASK> [ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1] [ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1] [ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1] [ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib] [ 1081.046978] dev_hard_start_xmit+0xc4/0x210 -- [ 1081.148347] __sys_sendmsg+0x59/0xa0 crash> ipoib_txreq 0xffff9cfeba229f00 struct ipoib_txreq { txreq = { list = { next = 0xffff9cfeba229f00, prev = 0xffff9cfeba229f00 }, descp = 0xffff9cfeba229f40, coalesce_buf = 0x0, wait = 0xffff9cfea4e69a48, complete = 0xffffffffc0fe0760 <hfi1_ipoib_sdma_complete>, packet_len = 0x46d, tlen = 0x0, num_desc = 0x0, desc_limit = 0x6, next_descq_idx = 0x45c, coalesce_idx = 0x0, flags = 0x0, descs = {{ qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63) }, { qw = { 0x3800014231b108, 0x4} }, { qw = { 0x310000e4ee0fcf0, 0x8} }, { qw = { 0x3000012e9f8000, 0x8} }, { qw = { 0x59000dfb9d0000, 0x8} }, { qw = { 0x78000e02e40000, 0x8} }} }, sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62) complete = 0x0, priv = 0x0, txq = 0xffff9cfea4e69880, skb = 0xffff9d099809f400 } If an SDMA send consists of exactly 6 descriptors and requires dword padding (in the 7th descriptor), the sdma_txreq descriptor array is not properly expanded and the packet will overflow into the container structure. This results in a panic when the send completion runs. The exact panic varies depending on what elements of the container structure get corrupted. The fix is to use the correct expression in _pad_sdma_tx_descs() to test the need to expand the descriptor array. With this patch the crashes are no longer reproducible and the machine is stable. • https://git.kernel.org/stable/c/d1c1ee052d25ca23735eea912f843bc7834781b4 https://git.kernel.org/stable/c/40ac5cb6cbb01afa40881f78b4d2f559fb7065c4 https://git.kernel.org/stable/c/6cf8f3d690bb5ad31ef0f41a6206ecf5a068d179 https://git.kernel.org/stable/c/bd57756a7e43c7127d0eca1fc5868e705fd0f7ba https://git.kernel.org/stable/c/eeaf35f4e3b360162081de5e744cf32d6d1b0091 https://git.kernel.org/stable/c/fd8958efe8779d3db19c9124fce593ce681ac709 https://git.kernel.org/stable/c/0ef9594936d1f078e8599a1cf683b052df2bec00 https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc110 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26764 – fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
https://notcve.org/view.php?id=CVE-2024-26764
In the Linux kernel, the following vulnerability has been resolved: fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio If kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the following kernel warning appears: WARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8 Call trace: kiocb_set_cancel_fn+0x9c/0xa8 ffs_epfile_read_iter+0x144/0x1d0 io_read+0x19c/0x498 io_issue_sqe+0x118/0x27c io_submit_sqes+0x25c/0x5fc __arm64_sys_io_uring_enter+0x104/0xab0 invoke_syscall+0x58/0x11c el0_svc_common+0xb4/0xf4 do_el0_svc+0x2c/0xb0 el0_svc+0x2c/0xa4 el0t_64_sync_handler+0x68/0xb4 el0t_64_sync+0x1a4/0x1a8 Fix this by setting the IOCB_AIO_RW flag for read and write I/O that is submitted by libaio. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fs/aio: restringe kiocb_set_cancel_fn() a E/S enviadas a través de libaio. Si se llama a kiocb_set_cancel_fn() para E/S enviadas a través de io_uring, aparece la siguiente advertencia del kernel: ADVERTENCIA: CPU : 3 PID: 368 en fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8 Rastreo de llamadas: kiocb_set_cancel_fn+0x9c/0xa8 ffs_epfile_read_iter+0x144/0x1d0 io_read+0x19c/0x498 io_issue_sqe+0x118/0x27c io_submit_sqes+0x25c/0x5fc __arm64_sys_io_uring_enter+0x104/ 0xab0 invoke_syscall+0x58/0x11c el0_svc_common+0xb4/0xf4 do_el0_svc+0x2c/0xb0 el0_svc+0x2c/0xa4 el0t_64_sync_handler+0x68/0xb4 el0t_64_sync+0x1a4/0x1a8 Solucionar esto configurando el IOC Bandera B_AIO_RW para E/S de lectura y escritura enviada por libaio . • https://git.kernel.org/stable/c/337b543e274fe7a8f47df3c8293cc6686ffa620f https://git.kernel.org/stable/c/b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942 https://git.kernel.org/stable/c/ea1cd64d59f22d6d13f367d62ec6e27b9344695f https://git.kernel.org/stable/c/d7b6fa97ec894edd02f64b83e5e72e1aa352f353 https://git.kernel.org/stable/c/18f614369def2a11a52f569fe0f910b199d13487 https://git.kernel.org/stable/c/e7e23fc5d5fe422827c9a43ecb579448f73876c7 https://git.kernel.org/stable/c/1dc7d74fe456944a9b1c57bd776280249f441ac6 https://git.kernel.org/stable/c/b820de741ae48ccf50dd95e297889c286 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26763 – dm-crypt: don't modify the data when using authenticated encryption
https://notcve.org/view.php?id=CVE-2024-26763
In the Linux kernel, the following vulnerability has been resolved: dm-crypt: don't modify the data when using authenticated encryption It was said that authenticated encryption could produce invalid tag when the data that is being encrypted is modified [1]. So, fix this problem by copying the data into the clone bio first and then encrypt them inside the clone bio. This may reduce performance, but it is needed to prevent the user from corrupting the device by writing data with O_DIRECT and modifying them at the same time. [1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/ En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: dm-crypt: no modifica los datos cuando se utiliza cifrado autenticado Se dijo que el cifrado autenticado podría producir etiquetas no válidas cuando se modifican los datos que se están cifrando [1]. Entonces, solucione este problema copiando primero los datos en la biografía del clon y luego cifrándolos dentro de la biografía del clon. Esto puede reducir el rendimiento, pero es necesario para evitar que el usuario dañe el dispositivo escribiendo datos con O_DIRECT y modificándolos al mismo tiempo. [1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/ • https://git.kernel.org/stable/c/43a202bd552976497474ae144942e32cc5f34d7e https://git.kernel.org/stable/c/0dccbb93538fe89a86c6de31d4b1c8c560848eaa https://git.kernel.org/stable/c/3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90 https://git.kernel.org/stable/c/1a4371db68a31076afbe56ecce34fbbe6c80c529 https://git.kernel.org/stable/c/e08c2a8d27e989f0f5b0888792643027d7e691e6 https://git.kernel.org/stable/c/64ba01a365980755732972523600a961c4266b75 https://git.kernel.org/stable/c/d9e3763a505e50ba3bd22846f2a8db99429fb857 https://git.kernel.org/stable/c/50c70240097ce41fe6bce6478b8047828 •