CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-26582 – net: tls: fix use-after-free with partial reads and async decrypt
https://notcve.org/view.php?id=CVE-2024-26582
In the Linux kernel, the following vulnerability has been resolved: net: tls: fix use-after-free with partial reads and async decrypt tls_decrypt_sg doesn't take a reference on the pages from clear_skb, so the put_page() in tls_decrypt_done releases them, and we trigger a use-after-free in process_rx_list when we try to read from the partially-read skb. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tls: corrige el use-after-free con lecturas parciales y descifrado asíncrono tls_decrypt_sg no toma una referencia en las páginas de clear_skb, por lo que put_page() en tls_decrypt_done las libera y activamos un use-after-free en Process_rx_list cuando intentamos leer desde el skb parcialmente leído. A use-after-free vulnerability was found in the tls subsystem of the Linux kernel. The tls_decrypt_sg() function doesn't take references on the pages from clear_skb, so the put_page() in tls_decrypt_done() releases them and a use-after-free can be triggered in process_rx_list when trying to read from the partially-read skb. This issue could lead to a denial of service condition or code execution. • https://git.kernel.org/stable/c/fd31f3996af2627106e22a9f8072764fede51161 https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96 https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5 https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f https://access.redhat.com/security/cve/CVE-2024-26582 https://bugzilla.redhat.com/show_bug.cgi?id=2265518 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-52439 – uio: Fix use-after-free in uio_open
https://notcve.org/view.php?id=CVE-2023-52439
In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 ------------------------------------------------------- uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) uio_release put_device(&idev->dev) kfree(idev) ------------------------------------------------------- In the core-1 uio_unregister_device(), the device_unregister will kfree idev when the idev->dev kobject ref is 1. But after core-1 device_unregister, put_device and before doing kfree, the core-2 may get_device. Then: 1. After core-1 kfree idev, the core-2 will do use-after-free for idev. 2. When core-2 do uio_release and put_device, the idev will be double freed. To address this issue, we can get idev atomic & inc idev reference with minor_lock. • https://git.kernel.org/stable/c/57c5f4df0a5a0ee83df799991251e2ee93a5e4e9 https://git.kernel.org/stable/c/13af019c87f2d90e663742cb1a819834048842ae https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50 https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570 https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7 https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9 • CWE-415: Double Free CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-52438 – binder: fix use-after-free in shinker's callback
https://notcve.org/view.php?id=CVE-2023-52438
In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in shinker's callback The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") the mmap lock is downgraded after the vma has been isolated. I was able to reproduce this issue by manually adding some delays and triggering page reclaiming through the shrinker's debug sysfs. The following KASAN report confirms the UAF: ================================================================== BUG: KASAN: slab-use-after-free in zap_page_range_single+0x470/0x4b8 Read of size 8 at addr ffff356ed50e50f0 by task bash/478 CPU: 1 PID: 478 Comm: bash Not tainted 6.6.0-rc5-00055-g1c8b86a3799f-dirty #70 Hardware name: linux,dummy-virt (DT) Call trace: zap_page_range_single+0x470/0x4b8 binder_alloc_free_page+0x608/0xadc __list_lru_walk_one+0x130/0x3b0 list_lru_walk_node+0xc4/0x22c binder_shrink_scan+0x108/0x1dc shrinker_debugfs_scan_write+0x2b4/0x500 full_proxy_write+0xd4/0x140 vfs_write+0x1ac/0x758 ksys_write+0xf0/0x1dc __arm64_sys_write+0x6c/0x9c Allocated by task 492: kmem_cache_alloc+0x130/0x368 vm_area_alloc+0x2c/0x190 mmap_region+0x258/0x18bc do_mmap+0x694/0xa60 vm_mmap_pgoff+0x170/0x29c ksys_mmap_pgoff+0x290/0x3a0 __arm64_sys_mmap+0xcc/0x144 Freed by task 491: kmem_cache_free+0x17c/0x3c8 vm_area_free_rcu_cb+0x74/0x98 rcu_core+0xa38/0x26d4 rcu_core_si+0x10/0x1c __do_softirq+0x2fc/0xd24 Last potentially related work creation: __call_rcu_common.constprop.0+0x6c/0xba0 call_rcu+0x10/0x1c vm_area_free+0x18/0x24 remove_vma+0xe4/0x118 do_vmi_align_munmap.isra.0+0x718/0xb5c do_vmi_munmap+0xdc/0x1fc __vm_munmap+0x10c/0x278 __arm64_sys_munmap+0x58/0x7c Fix this issue by performing instead a vma_lookup() which will fail to find the vma that was isolated before the mmap lock downgrade. Note that this option has better performance than upgrading to a mmap write lock which would increase contention. Plus, mmap_write_trylock() has been recently removed anyway. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: binder: corrige el use-after-free en la devolución de llamada de shinker. • https://git.kernel.org/stable/c/dd2283f2605e3b3e9c61bcae844b34f2afa4813f https://git.kernel.org/stable/c/a53e15e592b4dcc91c3a3b8514e484a0bdbc53a3 https://git.kernel.org/stable/c/c8c1158ffb007197f31f9d9170cf13e4f34cbb5c https://git.kernel.org/stable/c/8ad4d580e8aff8de2a4d57c5930fcc29f1ffd4a6 https://git.kernel.org/stable/c/9fa04c93f24138747807fe75b5591bb680098f56 https://git.kernel.org/stable/c/a49087ab93508b60d9b8add91707a22dda832869 https://git.kernel.org/stable/c/e074686e993ff1be5f21b085a3b1b4275ccd5727 https://git.kernel.org/stable/c/3f489c2067c5824528212b0fc18b28d51 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-52436 – f2fs: explicitly null-terminate the xattr list
https://notcve.org/view.php?id=CVE-2023-52436
In the Linux kernel, the following vulnerability has been resolved: f2fs: explicitly null-terminate the xattr list When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: termina explícitamente en nulo la lista xattr Al configurar un xattr, termina explícitamente en nulo la lista xattr. Esto elimina la frágil suposición de que el espacio xattr no utilizado siempre se pone a cero. • https://git.kernel.org/stable/c/16ae3132ff7746894894927c1892493693b89135 https://git.kernel.org/stable/c/12cf91e23b126718a96b914f949f2cdfeadc7b2a https://git.kernel.org/stable/c/3e47740091b05ac8d7836a33afd8646b6863ca52 https://git.kernel.org/stable/c/32a6cfc67675ee96fe107aeed5af9776fec63f11 https://git.kernel.org/stable/c/5de9e9dd1828db9b8b962f7ca42548bd596deb8a https://git.kernel.org/stable/c/2525d1ba225b5c167162fa344013c408e8b4de36 https://git.kernel.org/stable/c/f6c30bfe5a49bc38cae985083a11016800708fea https://git.kernel.org/stable/c/e26b6d39270f5eab0087453d9b544189a •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 1CVE-2024-26581 – netfilter: nft_set_rbtree: skip end interval element from gc
https://notcve.org/view.php?id=CVE-2024-26581
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip end interval element from gc rbtree lazy gc on insert might collect an end interval element that has been just added in this transactions, skip end interval elements that are not yet active. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: nft_set_rbtree: omitir elemento de intervalo final de gc rbtree lazy gc al insertar puede recopilar un elemento de intervalo final que se acaba de agregar en estas transacciones, omitir elementos de intervalo final que aún no están activo. A flaw was found in the Linux kernel’s Netfilter subsystem. This issue occurs in the nft_set_rbtree. rbtree lazy gc on insert, which might collect an end interval element just added in a transaction and skip the end interval elements not yet active. • https://github.com/madfxr/CVE-2024-26581-Checker https://git.kernel.org/stable/c/acaee227cf79c45a5d2d49c3e9a66333a462802c https://git.kernel.org/stable/c/893cb3c3513cf661a0ff45fe0cfa83fe27131f76 https://git.kernel.org/stable/c/50cbb9d195c197af671869c8cadce3bd483735a0 https://git.kernel.org/stable/c/89a4d1a89751a0fbd520e64091873e19cc0979e8 https://git.kernel.org/stable/c/f718863aca469a109895cb855e6b81fff4827d71 https://git.kernel.org/stable/c/cd66733932399475fe933cb3ec03e687ed401462 https://git.kernel.org/stable/c/10e9cb39313627f2eae4cd70c4b742074e998fd8 https: •