CVE-2024-27063 – leds: trigger: netdev: Fix kernel panic on interface rename trig notify
https://notcve.org/view.php?id=CVE-2024-27063
In the Linux kernel, the following vulnerability has been resolved: leds: trigger: netdev: Fix kernel panic on interface rename trig notify Commit d5e01266e7f5 ("leds: trigger: netdev: add additional specific link speed mode") in the various changes, reworked the way to set the LINKUP mode in commit cee4bd16c319 ("leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename") and moved it to a generic function. This changed the logic where, in the previous implementation the dev from the trigger event was used to check if the carrier was ok, but in the new implementation with the generic function, the dev in trigger_data is used instead. This is problematic and cause a possible kernel panic due to the fact that the dev in the trigger_data still reference the old one as the new one (passed from the trigger event) still has to be hold and saved in the trigger_data struct (done in the NETDEV_REGISTER case). On calling of get_device_state(), an invalid net_dev is used and this cause a kernel panic. To handle this correctly, move the call to get_device_state() after the new net_dev is correctly set in trigger_data (in the NETDEV_REGISTER case) and correctly parse the new dev. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: leds: trigger: netdev: corrige el pánico del kernel al cambiar el nombre de la interfaz, notifica el trigono. Commit d5e01266e7f5 ("leds: trigger: netdev: agrega un modo de velocidad de enlace específico adicional") en los diversos cambios, reelaborados la forma de configurar el modo LINKUP en el commit cee4bd16c319 ("leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename") y lo moví a una función genérica. Esto cambió la lógica donde, en la implementación anterior, se usaba el desarrollo del evento desencadenante para verificar si el operador estaba bien, pero en la nueva implementación con la función genérica, se usa el desarrollo en trigger_data. Esto es problemático y causa un posible pánico en el kernel debido al hecho de que el desarrollador en trigger_data aún hace referencia al anterior, ya que el nuevo (pasado desde el evento desencadenante) aún debe retenerse y guardarse en la estructura trigger_data (hecho en el caso NETDEV_REGISTER). • https://git.kernel.org/stable/c/d5e01266e7f5fa12400d4c8aa4e86fe89dcc61e9 https://git.kernel.org/stable/c/10f2af1af8ab8a7064f193446abd5579d3def7e3 https://git.kernel.org/stable/c/acd025c7a7d151261533016a6ca2d38f2de04e87 https://git.kernel.org/stable/c/3f360227cb46edb2cd2494128e1e06ed5768a62e https://git.kernel.org/stable/c/415798bc07dd1c1ae3a656aa026580816e0b9fe8 •
CVE-2024-27058 – tmpfs: fix race on handling dquot rbtree
https://notcve.org/view.php?id=CVE-2024-27058
In the Linux kernel, the following vulnerability has been resolved: tmpfs: fix race on handling dquot rbtree A syzkaller reproducer found a race while attempting to remove dquot information from the rb tree. Fetching the rb_tree root node must also be protected by the dqopt->dqio_sem, otherwise, giving the right timing, shmem_release_dquot() will trigger a warning because it couldn't find a node in the tree, when the real reason was the root node changing before the search starts: Thread 1 Thread 2 - shmem_release_dquot() - shmem_{acquire,release}_dquot() - fetch ROOT - Fetch ROOT - acquire dqio_sem - wait dqio_sem - do something, triger a tree rebalance - release dqio_sem - acquire dqio_sem - start searching for the node, but from the wrong location, missing the node, and triggering a warning. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: tmpfs: corrige la ejecución al manejar dquot rbtree Un reproductor syzkaller encontró una ejecución al intentar eliminar información de dquot del árbol rb. La recuperación del nodo raíz de rb_tree también debe estar protegida por dqopt->dqio_sem; de lo contrario, si se da el momento adecuado, shmem_release_dquot() activará una advertencia porque no pudo encontrar un nodo en el árbol, cuando la verdadera razón era el nodo raíz. cambiando antes de que comience la búsqueda: Hilo 1 Hilo 2 - shmem_release_dquot() - shmem_{acquire,release}_dquot() - buscar ROOT - Obtener ROOT - adquirir dqio_sem - esperar dqio_sem - hacer algo, activar un reequilibrio de árbol - liberar dqio_sem - adquirir dqio_sem - comienza a buscar el nodo, pero desde la ubicación incorrecta, pierde el nodo y genera una advertencia. • https://git.kernel.org/stable/c/eafc474e202978ac735c551d5ee1eb8c02e2be54 https://git.kernel.org/stable/c/c7077f43f30d817d10a9f8245e51576ac114b2f0 https://git.kernel.org/stable/c/617d55b90e73c7b4aa2733ca6cc3f9b72d1124bb https://git.kernel.org/stable/c/f82f184874d2761ebaa60dccf577921a0dbb3810 https://git.kernel.org/stable/c/0a69b6b3a026543bc215ccc866d0aea5579e6ce2 •
CVE-2024-27054 – s390/dasd: fix double module refcount decrement
https://notcve.org/view.php?id=CVE-2024-27054
In the Linux kernel, the following vulnerability has been resolved: s390/dasd: fix double module refcount decrement Once the discipline is associated with the device, deleting the device takes care of decrementing the module's refcount. Doing it manually on this error path causes refcount to artificially decrease on each error while it should just stay the same. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: s390/dasd: corrige la disminución del doble recuento del módulo Una vez que la disciplina está asociada con el dispositivo, eliminar el dispositivo se encarga de disminuir el recuento del módulo. Hacerlo manualmente en esta ruta de error hace que el recuento disminuya artificialmente en cada error, mientras que debería permanecer igual. • https://git.kernel.org/stable/c/c020d722b110a44c613ef71e657e6dd4116e09d9 https://git.kernel.org/stable/c/edbdb0d94143db46edd373cc93e433832d29fe19 https://git.kernel.org/stable/c/ad999aa18103fa038787b6a8a55020abcf34df1a https://git.kernel.org/stable/c/ec09bcab32fc4765e0cc97e1b72cdd067135f37e https://git.kernel.org/stable/c/fa18aa507ea71d8914b6acb2c94db311c757c650 https://git.kernel.org/stable/c/ebc5a3bd79e54f98c885c26f0862a27a02c487c5 https://git.kernel.org/stable/c/c3116e62ddeff79cae342147753ce596f01fcf06 •
CVE-2024-27053 – wifi: wilc1000: fix RCU usage in connect path
https://notcve.org/view.php?id=CVE-2024-27053
In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix RCU usage in connect path With lockdep enabled, calls to the connect function from cfg802.11 layer lead to the following warning: ============================= WARNING: suspicious RCU usage 6.7.0-rc1-wt+ #333 Not tainted ----------------------------- drivers/net/wireless/microchip/wilc1000/hif.c:386 suspicious rcu_dereference_check() usage! [...] stack backtrace: CPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333 Hardware name: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x48 dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4 wilc_parse_join_bss_param from connect+0x2c4/0x648 connect from cfg80211_connect+0x30c/0xb74 cfg80211_connect from nl80211_connect+0x860/0xa94 nl80211_connect from genl_rcv_msg+0x3fc/0x59c genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8 netlink_rcv_skb from genl_rcv+0x2c/0x3c genl_rcv from netlink_unicast+0x3b0/0x550 netlink_unicast from netlink_sendmsg+0x368/0x688 netlink_sendmsg from ____sys_sendmsg+0x190/0x430 ____sys_sendmsg from ___sys_sendmsg+0x110/0x158 ___sys_sendmsg from sys_sendmsg+0xe8/0x150 sys_sendmsg from ret_fast_syscall+0x0/0x1c This warning is emitted because in the connect path, when trying to parse target BSS parameters, we dereference a RCU pointer whithout being in RCU critical section. Fix RCU dereference usage by moving it to a RCU read critical section. To avoid wrapping the whole wilc_parse_join_bss_param under the critical section, just use the critical section to copy ies data En el kernel de Linux, se resolvió la siguiente vulnerabilidad: wifi: wilc1000: corrige el uso de RCU en la ruta de conexión Con lockdep habilitado, las llamadas a la función de conexión desde la capa cfg802.11 generan la siguiente advertencia: ======== ====================== ADVERTENCIA: uso sospechoso de RCU 6.7.0-rc1-wt+ #333 No contaminado ------------- ---------------- drivers/net/wireless/microchip/wilc1000/hif.c:386 ¡uso sospechoso de rcu_dereference_check()! [...] pila backtrace: CPU: 0 PID: 100 Comm: wpa_supplicant No está contaminado 6.7.0-rc1-wt+ #333 Nombre de hardware: Atmel SAMA5 unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x34/0x48 dump_stack_lvl from wilc_parse_join_bss_para m +0x7dc/0x7f4 wilc_parse_join_bss_param desde connect+0x2c4/0x648 conectar desde cfg80211_connect+0x30c/0xb74 cfg80211_connect desde nl80211_connect+0x860/0xa94 nl80211_connect desde genl_rcv_msg+0x3fc /0x59c genl_rcv_msg de netlink_rcv_skb+0xd0/0x1f8 netlink_rcv_skb de genl_rcv+0x2c/0x3c genl_rcv de netlink_unicast+ 0x3b0/0x550 netlink_unicast de netlink_sendmsg+0x368/0x688 netlink_sendmsg de ____sys_sendmsg+0x190/0x430 ____sys_sendmsg de ___sys_sendmsg+0x110/0x158 ___sys_sendmsg de sys_sendmsg +0xe8/0x150 sys_sendmsg de ret_fast_syscall+0x0/0x1c Esta advertencia se emite porque en la ruta de conexión, al intentar Para analizar los parámetros BSS de destino, eliminamos la referencia a un puntero de RCU sin estar en la sección crítica de RCU. Corrija el uso de desreferenciación de RCU moviéndolo a una sección crítica de lectura de RCU. • https://git.kernel.org/stable/c/c460495ee072fc01a9b1e8d72c179510418cafac https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2 https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38 https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2 https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2 https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c9 • CWE-476: NULL Pointer Dereference •
CVE-2024-27052 – wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work
https://notcve.org/view.php?id=CVE-2024-27052
In the Linux kernel, the following vulnerability has been resolved: wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work The workqueue might still be running, when the driver is stopped. To avoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop(). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: rtl8xxxu: agregue cancel_work_sync() para c2hcmd_work Es posible que la cola de trabajo aún esté ejecutándose cuando se detiene el controlador. Para evitar un use-after-free, llame a cancel_work_sync() en rtl8xxxu_stop(). A vulnerability was found in the Linux kernel's net rtl8xxxu_core.c driver, where a race condition can lead to a use-after-free situation in the rtl8xxxu_stop() function. • https://git.kernel.org/stable/c/e542e66b7c2ee2adeefdbb7f259f2f60cadf2819 https://git.kernel.org/stable/c/dddedfa3b29a63c2ca4336663806a6128b8545b4 https://git.kernel.org/stable/c/ac512507ac89c01ed6cd4ca53032f52cdb23ea59 https://git.kernel.org/stable/c/3518cea837de4d106efa84ddac18a07b6de1384e https://git.kernel.org/stable/c/156012667b85ca7305cb363790d3ae8519a6f41e https://git.kernel.org/stable/c/7059cdb69f8e1a2707dd1e2f363348b507ed7707 https://git.kernel.org/stable/c/58fe3bbddfec10c6b216096d8c0e517cd8463e3a https://git.kernel.org/stable/c/1213acb478a7181cd73eeaf00db430f1e • CWE-416: Use After Free •