CVE-2024-35894 – mptcp: prevent BPF accessing lowat from a subflow socket.
https://notcve.org/view.php?id=CVE-2024-35894
In the Linux kernel, the following vulnerability has been resolved: mptcp: prevent BPF accessing lowat from a subflow socket. Alexei reported the following splat: WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0 Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)] CPU: 32 PID: 3276 Comm: test_progs Tainted: GO 6.8.0-12873-g2c43c33bfd23 Call Trace: <TASK> mptcp_set_rcvlowat+0x79/0x1d0 sk_setsockopt+0x6c0/0x1540 __bpf_setsockopt+0x6f/0x90 bpf_sock_ops_setsockopt+0x3c/0x90 bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132 bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86 __cgroup_bpf_run_filter_sock_ops+0xbc/0x250 tcp_connect+0x879/0x1160 tcp_v6_connect+0x50c/0x870 mptcp_connect+0x129/0x280 __inet_stream_connect+0xce/0x370 inet_stream_connect+0x36/0x50 bpf_trampoline_6442491565+0x49/0xef inet_stream_connect+0x5/0x50 __sys_connect+0x63/0x90 __x64_sys_connect+0x14/0x20 The root cause of the issue is that bpf allows accessing mptcp-level proto_ops from a tcp subflow scope. Fix the issue detecting the problematic call and preventing any action. En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: mptcp: impide que BPF acceda a lowat desde un socket de subflujo. Alexei informó el siguiente símbolo: ADVERTENCIA: CPU: 32 PID: 3276 en net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0 Módulos vinculados en: ficticio bpf_testmod(O) [última descarga: bpf_test_no_cfi(O)] CPU: 32 PID: 3276 Comunicaciones: test_progs Contaminado: GO 6.8.0-12873-g2c43c33bfd23 Seguimiento de llamadas: mptcp_set_rcvlowat+0x79/0x1d0 sk_setsockopt+0x6c0/0x1540 __bpf_setsockopt+0x6f/0x90 ock_ops_setsockopt+0x3c/0x90 bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b /0x132 bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86 __cgroup_bpf_run_filter_sock_ops+0xbc/0x250 tcp_connect+0x879/0x1160 tcp_v6_connect+0x50c/0x870 x129/0x280 __inet_stream_connect+0xce/0x370 inet_stream_connect+0x36/0x50 bpf_trampoline_6442491565+0x49/0xef inet_stream_connect+0x5/0x50 __sys_connect+0x63 /0x90 __x64_sys_connect+0x14/0x20 La causa principal del problema es que bpf permite acceder a proto_ops de nivel mptcp desde un alcance de subflujo tcp. Solucione el problema al detectar la llamada problemática y evitar cualquier acción. • https://git.kernel.org/stable/c/5684ab1a0effbfeb706f47d85785f653005b97b1 https://git.kernel.org/stable/c/3ffb1ab698376f09cc33101c07c1be229389fe29 https://git.kernel.org/stable/c/fcf4692fa39e86a590c14a4af2de704e1d20a3b5 https://git.kernel.org/stable/c/ee3c845787b621cfe82c2e52c513024a9d7a78f5 https://access.redhat.com/security/cve/CVE-2024-35894 https://bugzilla.redhat.com/show_bug.cgi?id=2281679 •
CVE-2024-35893 – net/sched: act_skbmod: prevent kernel-infoleak
https://notcve.org/view.php?id=CVE-2024-35893
In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbmod: prevent kernel-infoleak syzbot found that tcf_skbmod_dump() was copying four bytes from kernel stack to user space [1]. The issue here is that 'struct tc_skbmod' has a four bytes hole. We need to clear the structure before filling fields. [1] BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline] BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline] BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline] BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copy_to_user_iter lib/iov_iter.c:24 [inline] iterate_ubuf include/linux/iov_iter.h:29 [inline] iterate_and_advance2 include/linux/iov_iter.h:245 [inline] iterate_and_advance include/linux/iov_iter.h:271 [inline] _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 copy_to_iter include/linux/uio.h:196 [inline] simple_copy_to_iter net/core/datagram.c:532 [inline] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x2c4/0x340 net/socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [inline] __se_sys_recvfrom net/socket.c:2256 [inline] __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317 netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [inline] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline] tcf_add_notify net/sched/act_api.c:2048 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 [inline] __do_sys_sendmsg net/socket.c:2676 [inline] __se_sys_sendmsg net/socket.c:2674 [inline] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit was stored to memory at: __nla_put lib/nlattr.c:1041 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 [inline] tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [inline] tcf_add_notify net/sched/act_api.c:2042 [inline] tcf_action_add net/sched/act_api.c:2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncated--- En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/sched: act_skbmod: prevent kernel-infoleak syzbot encontró que tcf_skbmod_dump() estaba copiando cuatro bytes de la pila del kernel al espacio de usuario [1]. El problema aquí es que 'struct tc_skbmod' tiene un agujero de cuatro bytes. Necesitamos borrar la estructura antes de completar los campos. [1] ERROR: KMSAN: kernel-infoleak en instrument_copy_to_user include/linux/instrumented.h:114 [en línea] ERROR: KMSAN: kernel-infoleak en copy_to_user_iter lib/iov_iter.c:24 [en línea] ERROR: KMSAN: kernel-infoleak en iterate_ubuf include/linux/iov_iter.h:29 [en línea] ERROR: KMSAN: kernel-infoleak en iterate_and_advance2 include/linux/iov_iter.h:245 [en línea] ERROR: KMSAN: kernel-infoleak en iterate_and_advance include/linux/iov_iter. h:271 [en línea] ERROR: KMSAN: kernel-infoleak en _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185 instrument_copy_to_user include/linux/instrumented.h:114 [en línea] copy_to_user_iter lib/iov_iter.c:24 [en línea] iterate_ubuf include/linux/iov_iter.h:29 [en línea] iterate_and_advance2 include/linux/iov_iter.h:245 [en línea] iterate_and_advance include/linux/iov_iter.h:271 [en línea] _copy_to_iter+0x366/0x2520 lib/iov_iter.c: 185 copy_to_iter include/linux/uio.h:196 [en línea] simple_copy_to_iter net/core/datagram.c:532 [en línea] __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420 skb_copy_datagram_iter+0x5c/0x200 net/core/ datagram.c:546 skb_copy_datagram_msg include/linux/skbuff.h:4050 [en línea] netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962 sock_recvmsg_nosec net/socket.c:1046 [en línea] 0 neto/ socket.c:1068 __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242 __do_sys_recvfrom net/socket.c:2260 [en línea] __se_sys_recvfrom net/socket.c:2256 [en línea] __x64_sys_recvfrom+0x126/0x1d0 net/ enchufe.c: 2256 do_syscall_64+0xd5/0x1f0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 Uninit se almacenó en la memoria en: pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253 netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:13 17 netlink_unicast+0x9f/ 0x1260 net/netlink/af_netlink.c:1351 nlmsg_unicast include/net/netlink.h:1144 [en línea] nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610 rtnetlink_send+0x73/0x90 net/core/rtnetlink.c: 741 rtnetlink_maybe_send include/linux/rtnetlink.h:17 [en línea] tcf_add_notify net/sched/act_api.c:2048 [en línea] tcf_action_add net/sched/act_api.c:2071 [en línea] tc_ctl_action+0x146e/0x19d0 net/sched/act_api .c:2119 rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613 netlink_unicast_kernel net / enlace de red /af_netlink.c:1335 [en línea] netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361 netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:730 __sock_sendmsg + 0x30f/0x380 net/socket.c:745 ____sys_sendmsg+0x877/0xb60 net/socket.c:2584 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638 __sys_sendmsg net/socket.c:2667 __do_sys_ enviar mensaje de red/socket. c:2676 [en línea] __se_sys_sendmsg net/socket.c:2674 [en línea] __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674 do_syscall_64+0xd5/0x1f0 Entry_SYSCALL_64_after_hwframe+0x6d/0x75 se almacenó en la memoria en: __nla_put lib/nlattr .c:1041 [en línea] nla_put+0x1c6/0x230 lib/nlattr.c:1099 tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256 tcf_action_dump_old net/sched/act_api.c:1191 tcf_action_dump_1+0x85 mi/ 0x970 net/sched/act_api.c:1227 tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251 tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628 tcf_add_notify_msg net/sched/act_api.c:2023 [en línea ] tcf_add_notify net/sched/act_api.c: 2042 [inline] tcf_action_add net/sched/act_api.c: 2071 [inline] tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c: 2119 rtnetlink_rcv_msg+0x177/0x1900 rtnetlink.c:6595 netlink_rcv_skb+0x375/0x650 net/netlink/af_netli ---truncado--- • https://git.kernel.org/stable/c/86da71b57383d40993cb90baafb3735cffe5d800 https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077 https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5 https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14 https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366 https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924 https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93 •
CVE-2024-35892 – net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()
https://notcve.org/view.php?id=CVE-2024-35892
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix lockdep splat in qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() is called with the qdisc lock held, not RTNL. We must use qdisc_lookup_rcu() instead of qdisc_lookup() syzbot reported: WARNING: suspicious RCU usage 6.1.74-syzkaller #0 Not tainted ----------------------------- net/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 3 locks held by udevd/1142: #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline] #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline] #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282 #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline] #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297 #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline] #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline] #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792 stack backtrace: CPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024 Call Trace: <TASK> [<ffffffff85b85f14>] __dump_stack lib/dump_stack.c:88 [inline] [<ffffffff85b85f14>] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106 [<ffffffff85b86007>] dump_stack+0x15/0x1e lib/dump_stack.c:113 [<ffffffff81802299>] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592 [<ffffffff84f0054c>] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305 [<ffffffff84f037c3>] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811 [<ffffffff84f5b78c>] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51 [<ffffffff84fbcf63>] qdisc_enqueue include/net/sch_generic.h:833 [inline] [<ffffffff84fbcf63>] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723 [<ffffffff84eecab9>] dequeue_skb net/sched/sch_generic.c:292 [inline] [<ffffffff84eecab9>] qdisc_restart net/sched/sch_generic.c:397 [inline] [<ffffffff84eecab9>] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415 [<ffffffff84d7aa96>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 [<ffffffff84d85d29>] net_tx_action+0x7c9/0x970 net/core/dev.c:5313 [<ffffffff85e002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616 [<ffffffff81568bca>] invoke_softirq kernel/softirq.c:447 [inline] [<ffffffff81568bca>] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700 [<ffffffff81568ae9>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712 [<ffffffff85b89f52>] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107 [<ffffffff85c00ccb>] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/sched: corrige lockdep splat en qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() se llama con el bloqueo de qdisc retenido, no con RTNL. Debemos usar qdisc_lookup_rcu() en lugar de qdisc_lookup() syzbot informó: ADVERTENCIA: uso sospechoso de RCU 6.1.74-syzkaller #0 No contaminado ---------------------- ------- ¡net/sched/sch_api.c:305 uso sospechoso de rcu_dereference_protected()! otra información que podría ayudarnos a depurar esto: rcu_scheduler_active = 2, debug_locks = 1 3 bloqueos mantenidos por udevd/1142: #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, en: rcu_lock_acquire include/linux /rcupdate.h:306 [en línea] #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, en: rcu_read_lock include/linux/rcupdate.h:747 [en línea] #0: ffffffff87c729a0 (rcu_read_lock ){....}-{1:2}, en: net_tx_action+0x64a/0x970 net/core/dev.c:5282 #1: ffff888171861108 (&sch->q.lock){+.-.}-{ 2:2}, en: spin_lock include/linux/spinlock.h:350 [en línea] #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, en: net_tx_action+0x754 /0x970 net/core/dev.c:5297 #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, en: rcu_lock_acquire include/linux/rcupdate.h:306 [en línea] #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, en: rcu_read_lock include/linux/rcupdate.h:747 [en línea] #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2} , en: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792 stack backtrace: CPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 25/01/2024 Seguimiento de llamadas: [] __dump_stack lib/dump_stack.c:88 [en línea] [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106 [ ] dump_stack+0x15/0x1e lib/dump_stack.c:113 [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592 [] qdisc_lookup+0xac/0x6f0 net/sched/sch_a foto.c: 305 [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811 [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51 [ ] qdisc_enqueue incluye/net/sch_generic .h:833 [en línea] [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723 [] dequeue_skb net/sched/sch_generic.c:292 [en línea] [] qdisc_restart net/sched/sch_generic.c:397 [en línea] [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415 [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313 [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616 [] invoke_softirq kernel/softirq.c: 447 [ en línea] [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700 [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712 [] sysvec_apic_timer_interrupt+0 x42/0x90 arco/x86/ kernel/apic/apic.c:1107 [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656 • https://git.kernel.org/stable/c/9d9a38b5639fcefacc1e977567fb4b4e4a74d0b3 https://git.kernel.org/stable/c/d636fc5dd692c8f4e00ae6e0359c0eceeb5d9bdb https://git.kernel.org/stable/c/3a4741bb13caf482b877b10ac1bcf7390cad7077 https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460 https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1 https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b https://access.redhat.com/security/cve/CVE-2024-35892 •
CVE-2024-35891 – net: phy: micrel: Fix potential null pointer dereference
https://notcve.org/view.php?id=CVE-2024-35891
In the Linux kernel, the following vulnerability has been resolved: net: phy: micrel: Fix potential null pointer dereference In lan8814_get_sig_rx() and lan8814_get_sig_tx() ptp_parse_header() may return NULL as ptp_header due to abnormal packet type or corrupted packet. Fix this bug by adding ptp_header check. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: phy: micrel: corrige una posible desreferencia del puntero null en lan8814_get_sig_rx() y lan8814_get_sig_tx() ptp_parse_header() puede devolver NULL como ptp_header debido a un tipo de paquete anormal o a un paquete dañado. Corrija este error agregando ptp_header check. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/ece19502834d84ece2e056db28257ca2aa6e4d48 https://git.kernel.org/stable/c/10608161696c2768f53426642f78a42bcaaa53e8 https://git.kernel.org/stable/c/95c1016a2d92c4c28a9d1b6d09859c00b19c0ea4 https://git.kernel.org/stable/c/49767b0df276f12e3e7184601e09ee7430e252dc https://git.kernel.org/stable/c/96c155943a703f0655c0c4cab540f67055960e91 •
CVE-2024-35890 – gro: fix ownership transfer
https://notcve.org/view.php?id=CVE-2024-35890
In the Linux kernel, the following vulnerability has been resolved: gro: fix ownership transfer If packets are GROed with fraglist they might be segmented later on and continue their journey in the stack. In skb_segment_list those skbs can be reused as-is. This is an issue as their destructor was removed in skb_gro_receive_list but not the reference to their socket, and then they can't be orphaned. Fix this by also removing the reference to the socket. For example this could be observed, kernel BUG at include/linux/skbuff.h:3131! (skb_orphan) RIP: 0010:ip6_rcv_core+0x11bc/0x19a0 Call Trace: ipv6_list_rcv+0x250/0x3f0 __netif_receive_skb_list_core+0x49d/0x8f0 netif_receive_skb_list_internal+0x634/0xd40 napi_complete_done+0x1d2/0x7d0 gro_cell_poll+0x118/0x1f0 A similar construction is found in skb_gro_receive, apply the same change there. • https://git.kernel.org/stable/c/5e10da5385d20c4bae587bc2921e5fdd9655d5fc https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6 https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486 https://access.redhat.com/security/cve/CVE-2024-35890 https://bugzilla.redhat.com/show_bug.cgi?id=2281689 •