CVE-2024-35907 – mlxbf_gige: call request_irq() after NAPI initialized
https://notcve.org/view.php?id=CVE-2024-35907
In the Linux kernel, the following vulnerability has been resolved: mlxbf_gige: call request_irq() after NAPI initialized The mlxbf_gige driver encounters a NULL pointer exception in mlxbf_gige_open() when kdump is enabled. The sequence to reproduce the exception is as follows: a) enable kdump b) trigger kdump via "echo c > /proc/sysrq-trigger" c) kdump kernel executes d) kdump kernel loads mlxbf_gige module e) the mlxbf_gige module runs its open() as the the "oob_net0" interface is brought up f) mlxbf_gige module will experience an exception during its open(), something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] SMP CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : __napi_poll+0x40/0x230 sp : ffff800008003e00 x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8 x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000 x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000 x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0 x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398 x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2 x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238 Call trace: 0x0 net_rx_action+0x178/0x360 __do_softirq+0x15c/0x428 __irq_exit_rcu+0xac/0xec irq_exit+0x18/0x2c handle_domain_irq+0x6c/0xa0 gic_handle_irq+0xec/0x1b0 call_on_irq_stack+0x20/0x2c do_interrupt_handler+0x5c/0x70 el1_interrupt+0x30/0x50 el1h_64_irq_handler+0x18/0x2c el1h_64_irq+0x7c/0x80 __setup_irq+0x4c0/0x950 request_threaded_irq+0xf4/0x1bc mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige] mlxbf_gige_open+0x5c/0x170 [mlxbf_gige] __dev_open+0x100/0x220 __dev_change_flags+0x16c/0x1f0 dev_change_flags+0x2c/0x70 do_setlink+0x220/0xa40 __rtnl_newlink+0x56c/0x8a0 rtnl_newlink+0x58/0x84 rtnetlink_rcv_msg+0x138/0x3c4 netlink_rcv_skb+0x64/0x130 rtnetlink_rcv+0x20/0x30 netlink_unicast+0x2ec/0x360 netlink_sendmsg+0x278/0x490 __sock_sendmsg+0x5c/0x6c ____sys_sendmsg+0x290/0x2d4 ___sys_sendmsg+0x84/0xd0 __sys_sendmsg+0x70/0xd0 __arm64_sys_sendmsg+0x2c/0x40 invoke_syscall+0x78/0x100 el0_svc_common.constprop.0+0x54/0x184 do_el0_svc+0x30/0xac el0_svc+0x48/0x160 el0t_64_sync_handler+0xa4/0x12c el0t_64_sync+0x1a4/0x1a8 Code: bad PC value ---[ end trace 7d1c3f3bf9d81885 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt Kernel Offset: 0x2870a7a00000 from 0xffff800008000000 PHYS_OFFSET: 0x80000000 CPU features: 0x0,000005c1,a3332a5a Memory Limit: none ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- The exception happens because there is a pending RX interrupt before the call to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires immediately after this request_irq() completes. The ---truncated--- En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mlxbf_gige: llame a request_irq() después de inicializar NAPI. El controlador mlxbf_gige encuentra una excepción de puntero NULL en mlxbf_gige_open() cuando kdump está habilitado. • https://git.kernel.org/stable/c/f92e1869d74e1acc6551256eb084a1c14a054e19 https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3 https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52 https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc https://access.redhat.com/security/cve/CVE-2024-35907 https://bugzilla.redhat.com/show_bug.cgi?id=2281647 •
CVE-2024-35905 – bpf: Protect against int overflow for stack access size
https://notcve.org/view.php?id=CVE-2024-35905
In the Linux kernel, the following vulnerability has been resolved: bpf: Protect against int overflow for stack access size This patch re-introduces protection against the size of access to stack memory being negative; the access size can appear negative as a result of overflowing its signed int representation. This should not actually happen, as there are other protections along the way, but we should protect against it anyway. One code path was missing such protections (fixed in the previous patch in the series), causing out-of-bounds array accesses in check_stack_range_initialized(). This patch causes the verification of a program with such a non-sensical access size to fail. This check used to exist in a more indirect way, but was inadvertendly removed in a833a17aeac7. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf: Protección contra desbordamiento int para el tamaño de acceso a la pila. • https://git.kernel.org/stable/c/afea95d319ccb4ad2060dece9ac5e2e364dec543 https://git.kernel.org/stable/c/02962684258eb53f414a8a59854767be526e6abb https://git.kernel.org/stable/c/b1d4d54d32ce6342f5faffe71bae736540ce7cb5 https://git.kernel.org/stable/c/08b91babccbb168353f8d43fea0ed28a4cad568c https://git.kernel.org/stable/c/a833a17aeac73b33f79433d7cee68d5cafd71e4f https://git.kernel.org/stable/c/1858b8a331937f3976d8482cd5f6e1f945294ad3 https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e •
CVE-2024-35904 – selinux: avoid dereference of garbage after mount failure
https://notcve.org/view.php?id=CVE-2024-35904
In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in the error branch instead of continuing and dereferencing the error pointer. While on it drop the never read static variable selinuxfs_mount. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: selinux: evita la desreferenciación de basura después de un error de montaje En caso de que kern_mount() falle y devuelva un puntero de error en la rama de error en lugar de continuar y desreferenciar el puntero de error. Mientras está en él, suelte la variable estática nunca leída selinuxfs_mount. • https://git.kernel.org/stable/c/0619f0f5e36f12e100ef294f5980cfe7c93ff23e https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b http://www.openwall.com/lists/oss-security/2024/05/30/1 http://www.openwall.com/lists/oss-security/2024/05/30/2 https://access.redhat.com/security/cve/CVE-2024-35904 https://bugzilla.redhat.com/show_bug.cgi?id=2281655 •
CVE-2024-35903 – x86/bpf: Fix IP after emitting call depth accounting
https://notcve.org/view.php?id=CVE-2024-35903
In the Linux kernel, the following vulnerability has been resolved: x86/bpf: Fix IP after emitting call depth accounting Adjust the IP passed to `emit_patch` so it calculates the correct offset for the CALL instruction if `x86_call_depth_emit_accounting` emits code. Otherwise we will skip some instructions and most likely crash. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: x86/bpf: corrige la IP después de emitir la contabilidad de profundidad de llamadas. Ajuste la IP pasada a `emit_patch` para que calcule el desplazamiento correcto para la instrucción CALL si `x86_call_ Depth_emit_accounting` emite código. De lo contrario, nos saltaremos algunas instrucciones y lo más probable es que fallemos. • https://git.kernel.org/stable/c/b2e9dfe54be4d023124d588d6f03d16a9c0d2507 https://git.kernel.org/stable/c/3f9d57c771656bfd651e22edcfdb5f60e62542d4 https://git.kernel.org/stable/c/81166178cf0a0062a22b1b3b5368183d39577028 https://git.kernel.org/stable/c/9d98aa088386aee3db1b7b60b800c0fde0654a4a •
CVE-2024-35902 – net/rds: fix possible cp null dereference
https://notcve.org/view.php?id=CVE-2024-35902
In the Linux kernel, the following vulnerability has been resolved: net/rds: fix possible cp null dereference cp might be null, calling cp->cp_conn would produce null dereference [Simon Horman adds:] Analysis: * cp is a parameter of __rds_rdma_map and is not reassigned. * The following call-sites pass a NULL cp argument to __rds_rdma_map() - rds_get_mr() - rds_get_mr_for_dest * Prior to the code above, the following assumes that cp may be NULL (which is indicative, but could itself be unnecessary) trans_private = rs->rs_transport->get_mr( sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED); * The code modified by this patch is guarded by IS_ERR(trans_private), where trans_private is assigned as per the previous point in this analysis. The only implementation of get_mr that I could locate is rds_ib_get_mr() which can return an ERR_PTR if the conn (4th) argument is NULL. * ret is set to PTR_ERR(trans_private). rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL. Thus ret may be -ENODEV in which case the code in question will execute. Conclusion: * cp may be NULL at the point where this patch adds a check; this patch does seem to address a possible bug En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/rds: corrige la posible desreferencia nula de cp cp podría ser nulo, llamar a cp->cp_conn produciría una desreferencia nula [Simon Horman agrega:] Análisis: * cp es un parámetro de __rds_rdma_map y no es reasignado. * Los siguientes sitios de llamadas pasan un argumento cp NULL a __rds_rdma_map() - rds_get_mr() - rds_get_mr_for_dest * Antes del código anterior, lo siguiente supone que cp puede ser NULL (lo cual es indicativo, pero podría ser innecesario) trans_private = rs ->rs_transport->get_mr( sg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL, args->vec.addr, args->vec.bytes, need_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED); * El código modificado por este parche está custodiado por IS_ERR(trans_private), donde trans_private se asigna según el punto anterior de este análisis. • https://git.kernel.org/stable/c/786854141057751bc08eb26f1b02e97c1631c8f4 https://git.kernel.org/stable/c/997efea2bf3a4adb96c306b9ad6a91442237bf5b https://git.kernel.org/stable/c/9dfc15a10dfd44f8ff7f27488651cb5be6af83c2 https://git.kernel.org/stable/c/b562ebe21ed9adcf42242797dd6cb75beef12bf0 https://git.kernel.org/stable/c/998fd719e6d6468b930ac0c44552ea9ff8b07b80 https://git.kernel.org/stable/c/2b505d05280739ce31d5708da840f42df827cb85 https://git.kernel.org/stable/c/c055fc00c07be1f0df7375ab0036cebd1106ed38 https://git.kernel.org/stable/c/907761307469adecb02461a14120e9a18 •