CVE-2024-26928 – smb: client: fix potential UAF in cifs_debug_files_proc_show()
https://notcve.org/view.php?id=CVE-2024-26928
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: smb: cliente: corrige UAF potencial en cifs_debug_files_proc_show() Omita las sesiones que se están eliminando (estado == SES_EXITING) para evitar UAF. • https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88 https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1 https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502 •
CVE-2024-26927 – ASoC: SOF: Add some bounds checking to firmware data
https://notcve.org/view.php?id=CVE-2024-26927
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Add some bounds checking to firmware data Smatch complains about "head->full_size - head->header_size" can underflow. To some extent, we're always going to have to trust the firmware a bit. However, it's easy enough to add a check for negatives, and let's add a upper bounds check as well. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ASoC: SOF: agregue algunas comprobaciones de los límites a los datos del firmware. Smatch se queja de que "head->full_size - head->header_size" puede desbordarse. • https://git.kernel.org/stable/c/d2458baa799fff377660d86323dd20a3f4deecb4 https://git.kernel.org/stable/c/d133d67e7e724102d1e53009c4f88afaaf3e167c https://git.kernel.org/stable/c/ced7df8b3c5c4751244cad79011e86cf1f809153 https://git.kernel.org/stable/c/044e220667157fb9d59320341badec59cf45ba48 https://git.kernel.org/stable/c/9eeb8e1231f6450c574c1db979122e171a1813ab https://git.kernel.org/stable/c/98f681b0f84cfc3a1d83287b77697679e0398306 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2024-26926 – binder: check offset alignment in binder_get_object()
https://notcve.org/view.php?id=CVE-2024-26926
In the Linux kernel, the following vulnerability has been resolved: binder: check offset alignment in binder_get_object() Commit 6d98eb95b450 ("binder: avoid potential data leakage when copying txn") introduced changes to how binder objects are copied. In doing so, it unintentionally removed an offset alignment check done through calls to binder_alloc_copy_from_buffer() -> check_buffer(). These calls were replaced in binder_get_object() with copy_from_user(), so now an explicit offset alignment check is needed here. This avoids later complications when unwinding the objects gets harder. It is worth noting this check existed prior to commit 7a67a39320df ("binder: add function to copy binder object from buffer"), likely removed due to redundancy at the time. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: Binder: verifique la alineación de desplazamiento en binder_get_object() El commit 6d98eb95b450 ("binder: evite posibles fugas de datos al copiar txn") introdujo cambios en la forma en que se copian los objetos de Binder. Al hacerlo, eliminó involuntariamente una verificación de alineación de desplazamiento realizada mediante llamadas a binder_alloc_copy_from_buffer() -> check_buffer(). • https://git.kernel.org/stable/c/c056a6ba35e00ae943e377eb09abd77a6915b31a https://git.kernel.org/stable/c/23e9d815fad84c1bee3742a8de4bd39510435362 https://git.kernel.org/stable/c/7a9ad4aceb0226b391c9d3b8e4ac2e7d438b6bde https://git.kernel.org/stable/c/6d98eb95b450a75adb4516a1d33652dc78d2b20c https://git.kernel.org/stable/c/66e12f5b3a9733f941893a00753b10498724607d https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12 https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da887 •
CVE-2024-26925 – netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
https://notcve.org/view.php?id=CVE-2024-26925
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nf_tables: libera mutex después de nft_gc_seq_end de la ruta de cancelación. El mutex de confirmación no debe liberarse durante la sección crítica entre nft_gc_seq_begin() y nft_gc_seq_end(); de lo contrario, el trabajador asíncrono de GC podría recopilar objetos caducados y obtener el bloqueo de confirmación liberado dentro de la misma secuencia de GC. nf_tables_module_autoload() libera temporalmente el mutex para cargar las dependencias del módulo, luego vuelve a reproducir la transacción nuevamente. Muévalo al final de la fase de cancelación después de llamar a nft_gc_seq_end(). A flaw was found in the Linux kernel’s Netfilter nf_tables module. • https://git.kernel.org/stable/c/4b6346dc1edfb9839d6edee7360ed31a22fa6c95 https://git.kernel.org/stable/c/23292bdfda5f04e704a843b8f97b0eb95ace1ca6 https://git.kernel.org/stable/c/b44a459c6561595ed7c3679599c5279204132b33 https://git.kernel.org/stable/c/5d319f7a81431c6bb32eb4dc7d7975f99e2c8c66 https://git.kernel.org/stable/c/720344340fb9be2765bbaab7b292ece0a4570eae https://git.kernel.org/stable/c/f85ca36090cbb252bcbc95fc74c2853fc792694f https://git.kernel.org/stable/c/e07e68823116563bdbc49cef185cda6f463bc534 https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f791 • CWE-667: Improper Locking •
CVE-2024-26924 – netfilter: nft_set_pipapo: do not free live element
https://notcve.org/view.php?id=CVE-2024-26924
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: do not free live element Pablo reports a crash with large batches of elements with a back-to-back add/remove pattern. Quoting Pablo: add_elem("00000000") timeout 100 ms ... add_elem("0000000X") timeout 100 ms del_elem("0000000X") <---------------- delete one that was just added ... add_elem("00005000") timeout 100 ms 1) nft_pipapo_remove() removes element 0000000X Then, KASAN shows a splat. Looking at the remove function there is a chance that we will drop a rule that maps to a non-deactivated element. Removal happens in two steps, first we do a lookup for key k and return the to-be-removed element and mark it as inactive in the next generation. Then, in a second step, the element gets removed from the set/map. The _remove function does not work correctly if we have more than one element that share the same key. This can happen if we insert an element into a set when the set already holds an element with same key, but the element mapping to the existing key has timed out or is not active in the next generation. In such case its possible that removal will unmap the wrong element. If this happens, we will leak the non-deactivated element, it becomes unreachable. The element that got deactivated (and will be freed later) will remain reachable in the set data structure, this can result in a crash when such an element is retrieved during lookup (stale pointer). Add a check that the fully matching key does in fact map to the element that we have marked as inactive in the deactivation step. If not, we need to continue searching. Add a bug/warn trap at the end of the function as well, the remove function must not ever be called with an invisible/unreachable/non-existent element. v2: avoid uneeded temporary variable (Stefano) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nft_set_pipapo: no liberar elemento activo Pablo informa un bloqueo con grandes lotes de elementos con un patrón de agregar/eliminar consecutivos. Citando a Pablo: add_elem("00000000") timeout 100 ms ... add_elem("0000000X") timeout 100 ms del_elem("0000000X") <---------------- elimina uno que se acaba de agregar... add_elem("00005000") tiempo de espera 100 ms 1) nft_pipapo_remove() elimina el elemento 0000000X Luego, KASAN muestra un símbolo. Al observar la función de eliminación, existe la posibilidad de que eliminemos una regla que se asigne a un elemento no desactivado. La eliminación se realiza en dos pasos: primero buscamos la clave k, devolvemos el elemento que se va a eliminar y lo marcamos como inactivo en la próxima generación. • https://git.kernel.org/stable/c/3c4287f62044a90e73a561aa05fc46e62da173da https://git.kernel.org/stable/c/e3b887a9c11caf8357a821260e095f2a694a34f2 https://git.kernel.org/stable/c/7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46 https://git.kernel.org/stable/c/41d8fdf3afaff312e17466e4ab732937738d5644 https://git.kernel.org/stable/c/ebf7c9746f073035ee26209e38c3a1170f7b349a https://git.kernel.org/stable/c/14b001ba221136c15f894577253e8db535b99487 https://git.kernel.org/stable/c/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc https://lists.debian.org/debian-lts-announce/2024/06/ • CWE-476: NULL Pointer Dereference •