Page 380 of 2049 results (0.011 seconds)

CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memleak in map from abort path The delete set command does not rely on the transaction object for element removal, therefore, a combination of delete element + delete set from the abort path could result in restoring twice the refcount of the mapping. Check for inactive element in the next generation for the delete element command in the abort path, skip restoring state if next generation bit has been already cleared. This is similar to the activate logic using the set walk iterator. [ 6170.286929] ------------[ cut here ]------------ [ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.287071] Modules linked in: [...] [ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365 [ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f [ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202 [ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000 [ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750 [ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55 [ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10 [ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100 [ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000 [ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0 [ 6170.287962] Call Trace: [ 6170.287967] <TASK> [ 6170.287973] ? __warn+0x9f/0x1a0 [ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables] [ 6170.288092] ? report_bug+0x1b1/0x1e0 [ 6170.287986] ? • https://git.kernel.org/stable/c/591054469b3eef34bc097c30fae8ededddf8d796 https://git.kernel.org/stable/c/a1bd2a38a1c6388fc8556816dc203c3e9dc52237 https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6 https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9 https://access.redhat.com/security/cve/CVE-2024-27011 https://bugzilla.redhat.com/show_bug.cgi?id=2278277 •

CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix mirred deadlock on device recursion When the mirred action is used on a classful egress qdisc and a packet is mirrored or redirected to self we hit a qdisc lock deadlock. See trace below. [..... other info removed for brevity....] [ 82.890906] [ 82.890906] ============================================ [ 82.890906] WARNING: possible recursive locking detected [ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W [ 82.890906] -------------------------------------------- [ 82.890906] ping/418 is trying to acquire lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] but task is already holding lock: [ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] other info that might help us debug this: [ 82.890906] Possible unsafe locking scenario: [ 82.890906] [ 82.890906] CPU0 [ 82.890906] ---- [ 82.890906] lock(&sch->q.lock); [ 82.890906] lock(&sch->q.lock); [ 82.890906] [ 82.890906] *** DEADLOCK *** [ 82.890906] [..... other info removed for brevity....] Example setup (eth0->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 Another example(eth0->eth1->eth0) to recreate tc qdisc add dev eth0 root handle 1: htb default 30 tc filter add dev eth0 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth1 tc qdisc add dev eth1 root handle 1: htb default 30 tc filter add dev eth1 handle 1: protocol ip prio 2 matchall \ action mirred egress redirect dev eth0 We fix this by adding an owner field (CPU id) to struct Qdisc set after root qdisc is entered. When the softirq enters it a second time, if the qdisc owner is the same CPU, the packet is dropped to break the loop. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net/sched: corrige el punto muerto reflejado en la recursividad del dispositivo Cuando la acción reflejada se utiliza en una qdisc de salida con clase y un paquete se refleja o redirige a uno mismo, llegamos a un punto muerto de bloqueo de qdisc. Vea el rastro a continuación. [..... otra información eliminada por brevedad....] [ 82.890906] [ 82.890906] ============================= ================ [82.890906] ADVERTENCIA: posible bloqueo recursivo detectado [82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Contaminado: GW [82.890906] ----- --------------------------------------- [ 82.890906] ping/418 está intentando adquirir el bloqueo : [ 82.890906] ffff888006994110 (&amp;sch-&gt;q.lock){+.-.}-{3:3}, en: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] pero la tarea ya mantiene el bloqueo: [ 82.890906] 88006994110 (&amp;sch-&gt;q.lock){+.-.}-{3:3}, en: __dev_queue_xmit+0x1778/0x3550 [ 82.890906] [ 82.890906] otra información que podría ayudarnos a depurar esto: [ 82.890906] Posible escenario de bloqueo inseguro : [ 82.890906] [ 82.890906] CPU0 [ 82.890906] ---- [ 82.890906] bloqueo(&amp;sch-&gt;q.lock); [ 82.890906] bloqueo(&amp;sch-&gt;q.lock); [ 82.890906] [ 82.890906] *** DEADLOCK *** [ 82.890906] [..... otra información eliminada por brevedad....] Ejemplo de configuración (eth0-&gt;eth0) para recrear tc qdisc agregar dev eth0 identificador raíz 1 : htb default 30 tc filter add dev eth0 handle 1: protocolo ip prio 2 matchall \ action mirred egress redirigir dev eth0 Otro ejemplo (eth0-&gt;eth1-&gt;eth0) para recrear tc qdisc add dev eth0 root handle 1: htb default 30 tc filtro agregar dev eth0 identificador 1: protocolo ip prio 2 matchall \ acción redirección de salida reflejada dev eth1 tc qdisc agregar dev eth1 identificador raíz 1: htb predeterminado 30 tc filtro agregar dev eth1 identificador 1: protocolo ip prio 2 matchall \ acción duplicada redirección de salida dev eth0 Solucionamos esto agregando un campo de propietario (ID de CPU) a la estructura Qdisc establecida después de ingresar la qdisc raíz. • https://git.kernel.org/stable/c/e578d9c02587d57bfa7b560767c698a668a468c6 https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11 https://access.redhat.com/security/cve/CVE-2024-27010 https://bugzilla.redhat.com/show_bug.cgi?id=2278279 •

CVSS: -EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: s390/cio: fix race condition during online processing A race condition exists in ccw_device_set_online() that can cause the online process to fail, leaving the affected device in an inconsistent state. As a result, subsequent attempts to set that device online fail with return code ENODEV. The problem occurs when a path verification request arrives after a wait for final device state completed, but before the result state is evaluated. Fix this by ensuring that the CCW-device lock is held between determining final state and checking result state. Note that since: commit 2297791c92d0 ("s390/cio: dont unregister subchannel from child-drivers") path verification requests are much more likely to occur during boot, resulting in an increased chance of this race condition occurring. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: s390/cio: corrige la condición de ejecución durante el procesamiento en línea Existe una condición de ejecución en ccw_device_set_online() que puede causar que el proceso en línea falle, dejando el dispositivo afectado en un estado inconsistente. Como resultado, los intentos posteriores de configurar ese dispositivo en línea fallan con el código de retorno ENODEV. El problema se produce cuando llega una solicitud de verificación de ruta después de que se complete la espera hasta que se complete el estado final del dispositivo, pero antes de que se evalúe el estado del resultado. • https://git.kernel.org/stable/c/2297791c92d04a154ad29ba5a073f9f627982110 https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538 https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49 https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48 •

CVSS: -EPSS: 0%CPEs: 8EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: drm: nv04: Fix out of bounds access When Output Resource (dcb->or) value is assigned in fabricate_dcb_output(), there may be out of bounds access to dac_users array in case dcb->or is zero because ffs(dcb->or) is used as index there. The 'or' argument of fabricate_dcb_output() must be interpreted as a number of bit to set, not value. Utilize macros from 'enum nouveau_or' in calls instead of hardcoding. Found by Linux Verification Center (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm: nv04: corregir el acceso fuera de los límites Cuando se asigna el valor del recurso de salida (dcb-&gt;or) en fabricate_dcb_output(), puede haber acceso fuera de los límites a la matriz dac_users en caso de que dcb-&gt;or es cero porque ffs(dcb-&gt;or) se usa como índice allí. El argumento 'o' de fabricate_dcb_output() debe interpretarse como un número de bits a configurar, no como un valor. Utilice macros de 'enum nouveau_or' en las llamadas en lugar de codificarlas. Encontrado por el Centro de verificación de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/2e5702aff39532662198459726c624d5eadbdd78 https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1 https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062 https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04 https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042 https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a8 •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: userfaultfd: change src_folio after ensuring it's unpinned in UFFDIO_MOVE Commit d7a08838ab74 ("mm: userfaultfd: fix unexpected change to src_folio when UFFDIO_MOVE fails") moved the src_folio->{mapping, index} changing to after clearing the page-table and ensuring that it's not pinned. This avoids failure of swapout+migration and possibly memory corruption. However, the commit missed fixing it in the huge-page case. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: userfaultfd: cambie src_folio después de asegurarse de que no esté fijado en UFFDIO_MOVE Commit d7a08838ab74 ("mm: userfaultfd: corrija el cambio inesperado en src_folio cuando UFFDIO_MOVE falla") movió src_folio-&gt;{mapping, index} cambiando a después de borrar la tabla de páginas y asegurarse de que no esté fijada. Esto evita fallos en el intercambio+migración y posiblemente daños en la memoria. Sin embargo, la confirmación no solucionó el problema en el caso de la página enorme. • https://git.kernel.org/stable/c/adef440691bab824e39c1b17382322d195e1fab0 https://git.kernel.org/stable/c/df5f6e683e7f21a15d8be6e7a0c7a46436963ebe https://git.kernel.org/stable/c/c0205eaf3af9f5db14d4b5ee4abacf4a583c3c50 •