CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26599 – pwm: Fix out-of-bounds access in of_pwm_single_xlate()
https://notcve.org/view.php?id=CVE-2024-26599
In the Linux kernel, the following vulnerability has been resolved: pwm: Fix out-of-bounds access in of_pwm_single_xlate() With args->args_count == 2 args->args[2] is not defined. Actually the flags are contained in args->args[1]. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pwm: corrige el acceso fuera de los límites en of_pwm_single_xlate() Con args->args_count == 2 args->args[2] no está definido. En realidad, las banderas están contenidas en args->args[1]. • https://git.kernel.org/stable/c/3ab7b6ac5d829e60c3b89d415811ff1c9f358c8e https://git.kernel.org/stable/c/7b85554c7c2aee91171e038e4d5442ffa130b282 https://git.kernel.org/stable/c/e5f2b4b62977fb6c2efcbc5779e0c9dce18215f7 https://git.kernel.org/stable/c/bae45b7ebb31984b63b13c3519fd724b3ce92123 https://git.kernel.org/stable/c/a297d07b9a1e4fb8cda25a4a2363a507d294b7c9 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-26598 – KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache
https://notcve.org/view.php?id=CVE-2024-26598
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The root of the problem is that vgic_its_check_cache() does not elevate the refcount on the vgic_irq before dropping the lock that serializes refcount changes. Have vgic_its_check_cache() raise the refcount on the returned vgic_irq and add the corresponding decrement after queueing the interrupt. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: arm64: vgic-its: Evite posibles UAF en la caché de traducción LPI. Existe un escenario potencial de UAF en el caso de que un caché de traducción LPI se acelere con una operación que invalide la caché, como un comando DISCARD ITS. La raíz del problema es que vgic_its_check_cache() no eleva el refcount en vgic_irq antes de eliminar el bloqueo que serializa los cambios de refcount. • https://git.kernel.org/stable/c/d04acadb6490aa3314f9c9e087691e55de153b88 https://git.kernel.org/stable/c/ba7be666740847d967822bed15500656b26bc703 https://git.kernel.org/stable/c/12c2759ab1343c124ed46ba48f27bd1ef5d2dff4 https://git.kernel.org/stable/c/dba788e25f05209adf2b0175eb1691dc89fb1ba6 https://git.kernel.org/stable/c/65b201bf3e9af1b0254243a5881390eda56f72d1 https://git.kernel.org/stable/c/dd3956a1b3dd11f46488c928cb890d6937d1ca80 https://git.kernel.org/stable/c/ad362fe07fecf0aba839ff2cc59a3617bd42c33f https://lists.debian.org/debian-lts-announce/2024/06/ • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2024-26597 – net: qualcomm: rmnet: fix global oob in rmnet_policy
https://notcve.org/view.php?id=CVE-2024-26597
In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bug trace below: ================================================================== BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G N 6.1.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495 validate_nla lib/nlattr.c:386 [inline] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359 RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003 RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000 </TASK> The buggy address belongs to the variable: rmnet_policy+0x30/0xe0 The buggy address belongs to the physical page: page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243 flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 According to the comment of `nla_parse_nested_deprecated`, the maxtype should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: qualcomm: rmnet: fix global oob in rmnet_policy La variable rmnet_link_ops asigna un maxtype *más grande* que conduce a una lectura global fuera de los límites al analizar los atributos de netlink. Vea el seguimiento del error a continuación: =============================================== ===================== ERROR: KASAN: global-fuera de los límites en validar_nla lib/nlattr.c:386 [en línea] ERROR: KASAN: global- fuera de los límites en __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 Lectura de tamaño 1 en addr ffffffff92c438d0 por tarea syz-executor.6/84207 CPU: 0 PID: 84207 Comm: syz-executor.6 Contaminado: GN 6.1.0 #3 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 01/04/2014 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl +0x8b/0xb3 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [en línea] print_report+0x172/0x475 mm/kasan/report.c:395 kasan_report+0xbb/0x1c0 mm/kasan/report.c :495 validar_nla lib/nlattr.c:386 [en línea] __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600 __nla_parse+0x3e/0x50 lib/nlattr.c:697 nla_parse_nested_deprecated include/net/netlink.h:1248 [en línea] __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091 netlink_rcv_skb+0x14f/0x410 net/ enlace de red /af_netlink.c:2540 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [en línea] netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/ socket.c:714 [en línea] sock_sendmsg+0x154/0x190 net/socket.c:734 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536 __sys_sendmsg+0xf3 /0x1c0 neto /socket.c:2565 do_syscall_x64 arch/x86/entry/common.c:50 [en línea] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fdcf2072359 Código: 2 8 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ffff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000002e RAX: ffffffffffffffda RBX: 00007fdcf21 9ff80 RCX: 00007fdcf2072359 RDX: 00000000000000000 RSI: 0000000020000200 RDI: 00000000000000003 RBP: 00007fdcf20bd493 R08: 000000000000000000 R09: 0000000000000000 R10: 00000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R 15: 0000000000022000 La dirección con errores pertenece a la variable: rmnet_policy+0x30/0xe0 La dirección con errores pertenece a la página física: página:0000000065bdeb3c refcount:1 mapcount:0 mapeo:0000000000000000 índice:0x0 pfn:0x155243 banderas: 0x200000000001000(reservado|nodo=0|zona=2) raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 página volcada porque: kasan: mal acceso detectado Estado de la memoria alrededor de la dirección del error: ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9 >ffffffff92c438 80: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 ^ ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 f9 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 Según según el comentario de `nla_parse_nested_deprecated`, el tipo máximo debe ser len (matriz de destino) - 1. • https://git.kernel.org/stable/c/14452ca3b5ce304fb2fea96dbc9ca1e4e7978551 https://git.kernel.org/stable/c/093dab655808207f7a9f54cf156240aeafc70590 https://git.kernel.org/stable/c/02467ab8b404d80429107588e0f3425cf5fcd2e5 https://git.kernel.org/stable/c/2295c22348faf795e1ccdf618f6eb7afdb2f7447 https://git.kernel.org/stable/c/3b5254862258b595662a0ccca6e9eeb88d6e7468 https://git.kernel.org/stable/c/ee1dc3bf86f2df777038506b139371a9add02534 https://git.kernel.org/stable/c/c4734535034672f59f2652e1e0058c490da62a5c https://git.kernel.org/stable/c/17d06a5c44d8fd2e8e61bac295b091534 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-26596 – net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
https://notcve.org/view.php?id=CVE-2024-26596
In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events After the blamed commit, we started doing this dereference for every NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system. static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev) { struct dsa_user_priv *p = netdev_priv(dev); return p->dp; } Which is obviously bogus, because not all net_devices have a netdev_priv() of type struct dsa_user_priv. But struct dsa_user_priv is fairly small, and p->dp means dereferencing 8 bytes starting with offset 16. Most drivers allocate that much private memory anyway, making our access not fault, and we discard the bogus data quickly afterwards, so this wasn't caught. But the dummy interface is somewhat special in that it calls alloc_netdev() with a priv size of 0. So every netdev_priv() dereference is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event with a VLAN as its new upper: $ ip link add dummy1 type dummy $ ip link add link dummy1 name dummy1.100 type vlan id 100 [ 43.309174] ================================================================== [ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8 [ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374 [ 43.330058] [ 43.342436] Call trace: [ 43.366542] dsa_user_prechangeupper+0x30/0xe8 [ 43.371024] dsa_user_netdevice_event+0xb38/0xee8 [ 43.375768] notifier_call_chain+0xa4/0x210 [ 43.379985] raw_notifier_call_chain+0x24/0x38 [ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8 [ 43.389120] netdev_upper_dev_link+0x70/0xa8 [ 43.393424] register_vlan_dev+0x1bc/0x310 [ 43.397554] vlan_newlink+0x210/0x248 [ 43.401247] rtnl_newlink+0x9fc/0xe30 [ 43.404942] rtnetlink_rcv_msg+0x378/0x580 Avoid the kernel oops by dereferencing after the type check, as customary. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: dsa: corrige la desreferencia de netdev_priv() antes de verificar los eventos de dispositivos de red que no son DSA Después del compromiso culpable, comenzamos a hacer esta desreferencia para cada evento NETDEV_CHANGEUPPER y NETDEV_PRECHANGEUPPER en el sistema. estructura estática en línea dsa_port *dsa_user_to_port(const struct net_device *dev) { struct dsa_user_priv *p = netdev_priv(dev); devolver p->dp; } Lo cual es obviamente falso, porque no todos los net_devices tienen un netdev_priv() de tipo struct dsa_user_priv. • https://git.kernel.org/stable/c/4c3f80d22b2eca911143ce656fa45c4699ff5bf4 https://git.kernel.org/stable/c/69a1e2d938dbbfcff0e064269adf60ad26dbb102 https://git.kernel.org/stable/c/dbd909c20c11f0d29c0054d41e0d1f668a60e8c8 https://git.kernel.org/stable/c/844f104790bd69c2e4dbb9ee3eba46fde1fcea7b •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-26595 – mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path
https://notcve.org/view.php?id=CVE-2024-26595
In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon 'region->group->tcam' [1]. Fix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam(). [1] BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 [...] Call Trace: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 entry_SYSCALL_64_after_hwframe+0x63/0x6b En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mlxsw: espectro_acl_tcam: corrige la desreferencia del puntero NULL en la ruta de error Al llamar a mlxsw_sp_acl_tcam_region_destroy() desde una ruta de error después de no poder adjuntar la región a un grupo de ACL, alcanzamos una desreferencia del puntero NULL al 'región->grupo->tcam' [1]. Solucione recuperando el puntero 'tcam' usando mlxsw_sp_acl_to_tcam(). [1] ERROR: desreferencia del puntero NULL del kernel, dirección: 0000000000000000 [...] RIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0 [...] Seguimiento de llamadas: mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20 mlxsw_sp_acl_tcam_ventry_add+0 x25/0xe0 mlxsw_sp_acl_rule_add+0x47/0x240 mlxsw_sp_flower_replace+0x1a9/0x1d0 tc_setup_cb_add+0xdc/0x1c0 fl_hw_replace_filter+0x146/0x1f0 fl_change+0xc17/0x1360 tc_new_tfilter+0x472/0xb90 rtnetlink_rcv_msg+0x313/0x3b 0 netlink_rcv_skb+0x58/0x100 netlink_unicast+0x244/0x390 netlink_sendmsg+0x1e4/0x440 ____sys_sendmsg+0x164/0x260 ___sys_sendmsg+0x9a/0xe0 __sys_sendmsg+0x7a/0xc0 do_syscall_64+0x40/0xe0 Entry_SYSCALL_64_after_hwframe+0x63/0x6b A flaw was found in the Linux kernel, where a faulty error handler in the driver for certain Mellanox hardware could lead to a null pointer reference. This issue affects system stability. • https://git.kernel.org/stable/c/22a677661f5624539d394f681276171f92d714df https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39 https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809 https://access.redhat.com/security/cve/CVE-2024-26595 https://bugzilla.redhat.com/show_bug.cgi?id=2265799 • CWE-476: NULL Pointer Dereference •