CVE-2021-3348 – kernel: Use-after-free in ndb_queue_rq() in drivers/block/nbd.c
https://notcve.org/view.php?id=CVE-2021-3348
nbd_add_socket in drivers/block/nbd.c in the Linux kernel through 5.10.12 has an ndb_queue_rq use-after-free that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup, aka CID-b98e762e3d71. En la función nbd_add_socket en el archivo drivers/block/nbd.c en el kernel de Linux versiones hasta 5.10.12, presenta un uso de la memoria previamente liberada de ndb_queue_rq que podría ser desencadenado por atacantes locales (con acceso al dispositivo nbd) por medio de una petición de E/S en un punto determinado durante la configuración del dispositivo, también se conoce como CID-b98e762e3d71 A use after free flaw in the Linux kernel network block device (NBD) subsystem was found in the way user calls an ioctl NBD_SET_SOCK at a certain point during device setup. • http://www.openwall.com/lists/oss-security/2021/02/01/1 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b98e762e3d71e893b221f871825dc64694cfb258 https://lists.debian.org/debian-lts-announce/2021/03/msg00035.html https://www.openwall.com/lists/oss-security/2021/01/28/3 https://access.redhat.com/security/cve/CVE-2021-3348 https://bugzilla.redhat.com/show_bug.cgi?id=1921958 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVE-2021-3347 – kernel: Use after free via PI futex state
https://notcve.org/view.php?id=CVE-2021-3347
An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1458. Se detectó un problema en el kernel de Linux versiones hasta 5.10.11. Los futexes de PI presentan un uso de la memoria previamente liberada de la pila del kernel durante el manejo de fallos, permitiendo a usuarios locales ejecutar código en el kernel, también se conoce como CID-34b1a1ce1458 A flaw was found in the Linux kernel. A use-after-free memory flaw in the Fast Userspace Mutexes functionality allowing a local user to crash the system or escalate their privileges on the system. • http://www.openwall.com/lists/oss-security/2021/01/29/4 http://www.openwall.com/lists/oss-security/2021/01/29/5 http://www.openwall.com/lists/oss-security/2021/02/01/4 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=04b79c55201f02ffd675e1231d731365e335c307 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12bb3f7f1b03d5913b3f9d4236a488aa7774dfe9 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/ • CWE-416: Use After Free •
CVE-2020-25669
https://notcve.org/view.php?id=CVE-2020-25669
A vulnerability was found in the Linux Kernel where the function sunkbd_reinit having been scheduled by sunkbd_interrupt before sunkbd being freed. Though the dangling pointer is set to NULL in sunkbd_disconnect, there is still an alias in sunkbd_reinit causing Use After Free. Se encontró una vulnerabilidad en el Kernel de Linux donde la función sunkbd_reinit habiendo sido programada por la función sunkbd_interrupt antes de que sunkbd fuera liberada. Aunque el puntero colgante está establecido en NULL en la función sunkbd_disconnect, todavía se presenta un alias en sunkbd_reinit causando un Uso de la Memoria Previamente Liberada • http://www.openwall.com/lists/oss-security/2020/11/05/2 http://www.openwall.com/lists/oss-security/2020/11/20/5 https://github.com/torvalds/linux/commit/77e70d351db7de07a46ac49b87a6c3c7a60fca7e https://lists.debian.org/debian-lts-announce/2020/12/msg00015.html https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html https://security.netapp.com/advisory/ntap-20210702-0006 https://www.openwall.com/lists/oss-security/2020/11/05/2%2C https://www.openwall.com/lists/oss- • CWE-416: Use After Free •
CVE-2021-3178
https://notcve.org/view.php?id=CVE-2021-3178
fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to prevent this attack; see also the exports(5) no_subtree_check default behavior ** EN DISPUTA ** en el archivo fs/nfsd/nfs3xdr.c en el kernel de Linux versiones hasta 5.10.8, cuando se presenta una exportación NFS de un subdirectorio de un sistema de archivos, permite a atacantes remotos saltar otras partes del sistema de archivos por medio de READDIRPLUS. NOTA: algunas terceros argumentan que tal exportación de subdirectorios no intenta impedir este ataque; véase también el comportamiento predeterminado de no_subtree_check de exports(5) • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 https://lists.debian.org/debian-lts-announce/2021/03/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5SGB7TNDVQEOJ7NVTGX56UWHDNQM5TRC https://patchwork.kernel.org/project/linux-nfs/patch/20210111210129.GA11652%40fieldses.org • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-28374 – kernel: SCSI target (LIO) write to any block on ILO backstore
https://notcve.org/view.php?id=CVE-2020-28374
In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore. En el archivo drivers/target/target_core_xcopy.c en el kernel de Linux versiones anteriores a 5.10.7, unos atacantes remotos pueden usar una comprobación del identificador insuficiente en el código de destino LIO SCSI para leer o escribir archivos por medio de un salto de directorio en una petición XCOPY, también se conoce como CID-2896c93811e3. Por ejemplo, un ataque puede ocurrir en una red si el atacante presenta acceso a un iSCSI LUN. • http://packetstormsecurity.com/files/161229/Kernel-Live-Patch-Security-Notice-LSN-0074-1.html http://www.openwall.com/lists/oss-security/2021/01/13/2 http://www.openwall.com/lists/oss-security/2021/01/13/5 https://bugzilla.suse.com/attachment.cgi?id=844938 https://bugzilla.suse.com/show_bug.cgi?id=1178372 https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.7 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2896c93811e39d63a4d9b63ccf12a8fbc226 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •