Page 391 of 3129 results (0.022 seconds)

CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: inet: inet_defrag: evita la liberación de sk mientras aún está en uso ip_local_out() y otras funciones pueden pasar skb->sk como argumento de función. Si el skb es un fragmento y el reensamblaje ocurre antes de que regrese dicha llamada a la función, el sk no debe liberarse. • https://git.kernel.org/stable/c/7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab https://git.kernel.org/stable/c/1b6de5e6575b56502665c65cf93b0ae6aa0f51ab https://git.kernel.org/stable/c/9705f447bf9a6cd088300ad2c407b5e1c6591091 https://git.kernel.org/stable/c/4318608dc28ef184158b4045896740716bea23f0 https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325 https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727 https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981 https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0 • CWE-124: Buffer Underwrite ('Buffer Underflow') •

CVSS: 5.5EPSS: 0%CPEs: 17EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: tracing/trigger: Fix to return error if failed to alloc snapshot Fix register_snapshot_trigger() to return error code if it failed to allocate a snapshot instead of 0 (success). Unless that, it will register snapshot trigger without an error. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: rastreo/activador: Corrección para devolver error si no se pudo asignar la instantánea. Corrección de Register_snapshot_trigger() para devolver código de error si no se pudo asignar una instantánea en lugar de 0 (éxito). A menos que eso, registrará la activación de la instantánea sin error. • https://git.kernel.org/stable/c/57f2a2ad73e99a7594515848f4da987326a15981 https://git.kernel.org/stable/c/0026e356e51ab3b54322eeb445c75a087ede5b9d https://git.kernel.org/stable/c/0bbe7f719985efd9adb3454679ecef0984cb6800 https://git.kernel.org/stable/c/7c6feb347a4bb1f02e55f6814c93b5f7fab887a8 https://git.kernel.org/stable/c/a289fd864722dcf5363fec66a35965d4964df515 https://git.kernel.org/stable/c/7054f86f268c0d9d62b52a4497dd0e8c10a7e5c7 https://git.kernel.org/stable/c/ffa70d104691aa609a18a9a6692049deb35f431f https://git.kernel.org/stable/c/733c611a758c68894a4480fb999637476 •

CVSS: -EPSS: 0%CPEs: 11EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" This reverts commit 1a1975551943f681772720f639ff42fbaa746212. This commit causes interrupts to be lost for FCoE devices, since it changed sping locks from "bh" to "irqsave". Instead, a work queue should be used, and will be addressed in a separate commit. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: scsi: Revertir "scsi: fcoe: Reparar posible punto muerto en &fip->ctlr_lock" Esto revierte el commit 1a1975551943f681772720f639ff42fbaa746212. Este commit provoca que se pierdan las interrupciones para los dispositivos FCoE, ya que cambió los bloqueos de sping de "bh" a "irqsave". En su lugar, se debe utilizar una cola de trabajo, que se abordará en un commit separado. • https://git.kernel.org/stable/c/264eae2f523d2aae38188facb4ece893023f25da https://git.kernel.org/stable/c/d2bf25674cea74b865d367d09be5dfe9aff5922a https://git.kernel.org/stable/c/9cce8ef7a6fa858bbcacd8679a5ca5a4fd3a6df3 https://git.kernel.org/stable/c/076fb40cf27ab9232d8cce1f007e663e46705302 https://git.kernel.org/stable/c/5a5fb3b1754fa2b4db95f0151b4af0fb6f8918ec https://git.kernel.org/stable/c/1a1975551943f681772720f639ff42fbaa746212 https://git.kernel.org/stable/c/4ea46b479a00dd232f0dbc81fdc27f9330ecb3ad https://git.kernel.org/stable/c/694ddc5bf35a5b6f9acb6e4724324c910 •

CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Reset IH OVERFLOW_CLEAR bit Allows us to detect subsequent IH ring buffer overflows as well. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amdgpu: Restablecer el bit IH OVERFLOW_CLEAR También nos permite detectar desbordamientos posteriores del búfer en anillo IH. A flaw was found in the Linux kernel. The IH OVERFLOW_CLEAR bit was not reset. • https://git.kernel.org/stable/c/9a9d00c23d170d4ef5a1b28e6b69f5c85dd12bc1 https://git.kernel.org/stable/c/a28f4d1e0bed85943d309ac243fd1c200f8af9a2 https://git.kernel.org/stable/c/8983397951b4b0bd51bb4b4ba9749424e1ccbb70 https://git.kernel.org/stable/c/2827633c9dab6304ec4cdbf369363219832e605d https://git.kernel.org/stable/c/7330256268664ea0a7dd5b07a3fed363093477dd https://access.redhat.com/security/cve/CVE-2024-26915 https://bugzilla.redhat.com/show_bug.cgi?id=2275790 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVSS: -EPSS: 0%CPEs: 2EXPL: 0

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix incorrect mpc_combine array size [why] MAX_SURFACES is per stream, while MAX_PLANES is per asic. The mpc_combine is an array that records all the planes per asic. Therefore MAX_PLANES should be used as the array size. Using MAX_SURFACES causes array overflow when there are more than 3 planes. [how] Use the MAX_PLANES for the mpc_combine array size. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: corrige el tamaño incorrecto de la matriz mpc_combine [por qué] MAX_SURFACES es por flujo, mientras que MAX_PLANES es por asic. mpc_combine es una matriz que registra todos los planos por asic. • https://git.kernel.org/stable/c/0bd8ef618a42d7e6ea3f701065264e15678025e3 https://git.kernel.org/stable/c/39079fe8e660851abbafa90cd55cbf029210661f •