Page 38 of 4339 results (0.007 seconds)

CVSS: -EPSS: 0%CPEs: 9EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add missing range check in bitmap_ip_uadt When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks. • https://git.kernel.org/stable/c/72205fc68bd13109576aa6c4c12c740962d28a6c https://git.kernel.org/stable/c/3c20b5948f119ae61ee35ad8584d666020c91581 https://git.kernel.org/stable/c/78b0f2028f1043227a8eb0c41944027fc6a04596 https://git.kernel.org/stable/c/2e151b8ca31607d14fddc4ad0f14da0893e1a7c7 https://git.kernel.org/stable/c/e67471437ae9083fa73fa67eee1573fec1b7c8cf https://git.kernel.org/stable/c/7ffef5e5d5eeecd9687204a5ec2d863752aafb7e https://git.kernel.org/stable/c/856023ef032d824309abd5c747241dffa33aae8c https://git.kernel.org/stable/c/591efa494a1cf649f50a35def649c43ae •

CVSS: -EPSS: 0%CPEs: 10EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: netlink: terminate outstanding dump on socket close Netlink supports iterative dumping of data. It provides the families the following ops: - start - (optional) kicks off the dumping process - dump - actual dump helper, keeps getting called until it returns 0 - done - (optional) pairs with .start, can be used for cleanup The whole process is asynchronous and the repeated calls to .dump don't actually happen in a tight loop, but rather are triggered in response to recvmsg() on the socket. This gives the user full control over the dump, but also means that the user can close the socket without getting to the end of the dump. To make sure .start is always paired with .done we check if there is an ongoing dump before freeing the socket, and if so call .done. The complication is that sockets can get freed from BH and .done is allowed to sleep. So we use a workqueue to defer the call, when needed. Unfortunately this does not work correctly. What we defer is not the cleanup but rather releasing a reference on the socket. We have no guarantee that we own the last reference, if someone else holds the socket they may release it in BH and we're back to square one. The whole dance, however, appears to be unnecessary. Only the user can interact with dumps, so we can clean up when socket is closed. And close always happens in process context. • https://git.kernel.org/stable/c/ed5d7788a934a4b6d6d025e948ed4da496b4f12e https://git.kernel.org/stable/c/baaf0c65bc8ea9c7a404b09bc8cc3b8a1e4f18df https://git.kernel.org/stable/c/25d9b4bb64ea964769087fc5ae09aee9c838d759 https://git.kernel.org/stable/c/114a61d8d94ae3a43b82446cf737fd757021b834 https://git.kernel.org/stable/c/598c956b62699c3753929602560d8df322e60559 https://git.kernel.org/stable/c/6e3f2c512d2b7dbd247485b1dd9e43e4210a18f4 https://git.kernel.org/stable/c/d2fab3d66cc16cfb9e3ea1772abe6b79b71fa603 https://git.kernel.org/stable/c/4e87a52133284afbd40fb522dbf96e258 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: kTLS, Fix incorrect page refcounting The kTLS tx handling code is using a mix of get_page() and page_ref_inc() APIs to increment the page reference. But on the release path (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used. This is an issue when using pages from large folios: the get_page() references are stored on the folio page while the page_ref_inc() references are stored directly in the given page. On release the folio page will be dereferenced too many times. This was found while doing kTLS testing with sendfile() + ZC when the served file was read from NFS on a kernel with NFS large folios support (commit 49b29a573da8 ("nfs: add support for large folios")). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: kTLS, Fix wrong page refcounting El código de manejo de tx de kTLS usa una combinación de API get_page() y page_ref_inc() para incrementar la referencia de página. Pero en la ruta de lanzamiento (mlx5e_ktls_tx_handle_resync_dump_comp()), solo se usa put_page(). • https://git.kernel.org/stable/c/84d1bb2b139e0184b1754aa1b5776186b475fce8 https://git.kernel.org/stable/c/a0ddb20a748b122ea86003485f7992fa5e84cc95 https://git.kernel.org/stable/c/ffad2ac8c859c1c1a981fe9c4f7ff925db684a43 https://git.kernel.org/stable/c/c7b97f9e794d8e2bbaa50e1d6c230196fd214b5e https://git.kernel.org/stable/c/69fbd07f17b0fdaf8970bc705f5bf115c297839d https://git.kernel.org/stable/c/93a14620b97c911489a5b008782f3d9b0c4aeff4 https://git.kernel.org/stable/c/2723e8b2cbd486cb96e5a61b22473f7fd62e18df https://git.kernel.org/stable/c/dd6e972cc5890d91d6749bb48e3912721 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: mm: revert "mm: shmem: fix data-race in shmem_getattr()" Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as suggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over NFS. As Hugh commented, "added just to silence a syzbot sanitizer splat: added where there has never been any practical problem". En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm: revert "mm: shmem: fix data-race in shmem_getattr()" Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") como lo sugirió Chuck [1]. Está causando bloqueos al acceder a tmpfs a través de NFS. Como comentó Hugh, "agregado solo para silenciar un splat de sanitizador de syzbot: agregado donde nunca ha habido ningún problema práctico". • https://git.kernel.org/stable/c/9fb9703cd43ee20a6de8ccdef991677b7274cec0 https://git.kernel.org/stable/c/7cc30ada84323be19395094d567579536e0d187e https://git.kernel.org/stable/c/bda1a99a0dd644f31a87d636ac624eeb975cb65a https://git.kernel.org/stable/c/3d9528484480e8f4979b3a347930ed383be99f89 https://git.kernel.org/stable/c/82cae1e30bd940253593c2d4f16d88343d1358f4 https://git.kernel.org/stable/c/edd1f905050686fdc4cfe233d818469fdf7d5ff8 https://git.kernel.org/stable/c/ffd56612566bc23877c8f45def2801f3324a222a https://git.kernel.org/stable/c/36b537e8f302f670c7cf35d88a3a29444 •

CVSS: -EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN Hide KVM's pt_mode module param behind CONFIG_BROKEN, i.e. disable support for virtualizing Intel PT via guest/host mode unless BROKEN=y. There are myriad bugs in the implementation, some of which are fatal to the guest, and others which put the stability and health of the host at risk. For guest fatalities, the most glaring issue is that KVM fails to ensure tracing is disabled, and *stays* disabled prior to VM-Enter, which is necessary as hardware disallows loading (the guest's) RTIT_CTL if tracing is enabled (enforced via a VMX consistency check). Per the SDM: If the logical processor is operating with Intel PT enabled (if IA32_RTIT_CTL.TraceEn = 1) at the time of VM entry, the "load IA32_RTIT_CTL" VM-entry control must be 0. On the host side, KVM doesn't validate the guest CPUID configuration provided by userspace, and even worse, uses the guest configuration to decide what MSRs to save/load at VM-Enter and VM-Exit. E.g. configuring guest CPUID to enumerate more address ranges than are supported in hardware will result in KVM trying to passthrough, save, and load non-existent MSRs, which generates a variety of WARNs, ToPA ERRORs in the host, a potential deadlock, etc. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: VMX: oculta la virtualización de Intel PT (modo invitado/host) detrás de CONFIG_BROKEN Oculta el parámetro del módulo pt_mode de KVM detrás de CONFIG_BROKEN, es decir, deshabilita la compatibilidad con la virtualización de Intel PT a través del modo invitado/host a menos que BROKEN=y. • https://git.kernel.org/stable/c/f99e3daf94ff35dd4a878d32ff66e1fd35223ad6 https://git.kernel.org/stable/c/c3742319d021f5aa3a0a8c828485fee14753f6de https://git.kernel.org/stable/c/d4b42f926adcce4e5ec193c714afd9d37bba8e5b https://git.kernel.org/stable/c/b8a1d572478b6f239061ee9578b2451bf2f021c2 https://git.kernel.org/stable/c/e6716f4230a8784957273ddd27326264b27b9313 https://git.kernel.org/stable/c/d28b059ee4779b5102c5da6e929762520510e406 https://git.kernel.org/stable/c/b91bb0ce5cd7005b376eac690ec664c1b56372ec https://git.kernel.org/stable/c/aa0d42cacf093a6fcca872edc954f6f81 •