CVE-2024-36031 – keys: Fix overwrite of key expiration on instantiation
https://notcve.org/view.php?id=CVE-2024-36031
In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on instantiation The expiry time of a key is unconditionally overwritten during instantiation, defaulting to turn it permanent. This causes a problem for DNS resolution as the expiration set by user-space is overwritten to TIME64_MAX, disabling further DNS updates. Fix this by restoring the condition that key_set_expiry is only called when the pre-parser sets a specific expiry. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: claves: se corrige la sobrescritura de la caducidad de la clave al crear instancias. El tiempo de caducidad de una clave se sobrescribe incondicionalmente durante la creación de instancias, y de forma predeterminada se vuelve permanente. • https://git.kernel.org/stable/c/97be1e865e70e5a0ad0a5b5f5dca5031ca0b53ac https://git.kernel.org/stable/c/2552b32b0b349df160a509fe49f5f308cb922f2b https://git.kernel.org/stable/c/791d5409cdb974c31a1bc7a903ea729ddc7d83df https://git.kernel.org/stable/c/afc360e8a1256acb7579a6f5b6f2c30b85b39301 https://git.kernel.org/stable/c/39299bdd2546688d92ed9db4948f6219ca1b9542 https://git.kernel.org/stable/c/ad2011ea787928b2accb5134f1e423b11fe80a8a https://git.kernel.org/stable/c/ed79b93f725cd0da39a265dc23d77add1527b9be https://git.kernel.org/stable/c/e4519a016650e952ad9eb27937f8c447d • CWE-324: Use of a Key Past its Expiration Date CWE-665: Improper Initialization •
CVE-2023-52882 – clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
https://notcve.org/view.php?id=CVE-2023-52882
In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change While PLL CPUX clock rate change when CPU is running from it works in vast majority of cases, now and then it causes instability. This leads to system crashes and other undefined behaviour. After a lot of testing (30+ hours) while also doing a lot of frequency switches, we can't observe any instability issues anymore when doing reparenting to stable clock like 24 MHz oscillator. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clk: sunxi-ng: h6: CPUX reparent durante el cambio de velocidad de CPUX de PLL. Mientras que el cambio de velocidad de reloj de CPUX de PLL cuando la CPU se está ejecutando, funciona en la gran mayoría de los casos, de vez en cuando provoca inestabilidad. • https://git.kernel.org/stable/c/524353ea480b0094c16f2b5684ce7e0a23ab3685 https://git.kernel.org/stable/c/fe11826ffa200e1a7a826e745163cb2f47875f66 https://git.kernel.org/stable/c/bfc78b4628497eb6df09a6b5bba9dd31616ee175 https://git.kernel.org/stable/c/f1fa9a9816204ac4b118b2e613d3a7c981355019 https://git.kernel.org/stable/c/70f64cb29014e4c4f1fabd3265feebd80590d069 https://git.kernel.org/stable/c/0b82eb134d2942ecc669e2ab2be3f0a58d79428a https://git.kernel.org/stable/c/9708e5081cfc4f085690294163389bcf82655f90 https://git.kernel.org/stable/c/7e91ed763dc07437777bd012af7a2bd44 •
CVE-2024-36030 – octeontx2-af: fix the double free in rvu_npc_freemem()
https://notcve.org/view.php?id=CVE-2024-36030
In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: fix the double free in rvu_npc_freemem() Clang static checker(scan-build) warning: drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c:line 2184, column 2 Attempt to free released memory. npc_mcam_rsrcs_deinit() has released 'mcam->counters.bmap'. Deleted this redundant kfree() to fix this double free problem. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: octeontx2-af: arreglar el doble libre en rvu_npc_freemem() ¿Advertencia del verificador estático de Clang (scan-build)? drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c:línea 2184, columna 2 Intento de liberar memoria liberada. npc_mcam_rsrcs_deinit() ha lanzado 'mcam->counters.bmap'. Se eliminó este kfree() redundante para solucionar este problema de doble liberación. • https://git.kernel.org/stable/c/dd7842878633453e38d6a4927593dd28b9d8ab91 https://git.kernel.org/stable/c/f5aa87a2c0a72132ffc793fb0a5375b2a65d520a https://git.kernel.org/stable/c/6e965eba43e9724f3e603d7b7cc83e53b23d155e https://access.redhat.com/security/cve/CVE-2024-36030 https://bugzilla.redhat.com/show_bug.cgi?id=2284295 • CWE-415: Double Free •
CVE-2024-36029 – mmc: sdhci-msm: pervent access to suspended controller
https://notcve.org/view.php?id=CVE-2024-36029
In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-msm: pervent access to suspended controller Generic sdhci code registers LED device and uses host->runtime_suspended flag to protect access to it. The sdhci-msm driver doesn't set this flag, which causes a crash when LED is accessed while controller is runtime suspended. Fix this by setting the flag correctly. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mmc: sdhci-msm: acceso prohibido al controlador suspendido El código sdhci genérico registra el dispositivo LED y utiliza el indicador host->runtime_suspended para proteger el acceso al mismo. El controlador sdhci-msm no establece este indicador, lo que provoca un bloqueo cuando se accede al LED mientras el controlador está suspendido en tiempo de ejecución. • https://git.kernel.org/stable/c/67e6db113c903f2b8af924400b7b43ade4b9ac5c https://git.kernel.org/stable/c/1200481cd6069d16ce20133bcd86f5825e26a045 https://git.kernel.org/stable/c/a957ea5aa3d3518067a1ba32c6127322ad348d20 https://git.kernel.org/stable/c/56b99a52229d7f8cd1f53d899f57aa7eb4b199af https://git.kernel.org/stable/c/f653b04a818c490b045c97834d559911479aa1c5 https://git.kernel.org/stable/c/f8def10f73a516b771051a2f70f2f0446902cb4f •
CVE-2024-36028 – mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio()
https://notcve.org/view.php?id=CVE-2024-36028
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() When I did memory failure tests recently, below warning occurs: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 8 PID: 1011 at kernel/locking/lockdep.c:232 __lock_acquire+0xccb/0x1ca0 Modules linked in: mce_inject hwpoison_inject CPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 RIP: 0010:__lock_acquire+0xccb/0x1ca0 RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082 RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0 RBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb R10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10 R13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004 FS: 00007ff9f32aa740(0000) GS:ffffa1ce5fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff9f3134ba0 CR3: 00000008484e4000 CR4: 00000000000006f0 Call Trace: <TASK> lock_acquire+0xbe/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 hugepage_subpool_put_pages.part.0+0xe/0xc0 free_huge_folio+0x253/0x3f0 dissolve_free_huge_page+0x147/0x210 __page_handle_poison+0x9/0x70 memory_failure+0x4e6/0x8c0 hard_offline_page_store+0x55/0xa0 kernfs_fop_write_iter+0x12c/0x1d0 vfs_write+0x380/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xbc/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff9f3114887 RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887 RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001 RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00 </TASK> Kernel panic - not syncing: kernel: panic_on_warn set ... CPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> panic+0x326/0x350 check_panic_on_warn+0x4f/0x50 __warn+0x98/0x190 report_bug+0x18e/0x1a0 handle_bug+0x3d/0x70 exc_invalid_op+0x18/0x70 asm_exc_invalid_op+0x1a/0x20 RIP: 0010:__lock_acquire+0xccb/0x1ca0 RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082 RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0 RBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb R10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10 R13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004 lock_acquire+0xbe/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 hugepage_subpool_put_pages.part.0+0xe/0xc0 free_huge_folio+0x253/0x3f0 dissolve_free_huge_page+0x147/0x210 __page_handle_poison+0x9/0x70 memory_failure+0x4e6/0x8c0 hard_offline_page_store+0x55/0xa0 kernfs_fop_write_iter+0x12c/0x1d0 vfs_write+0x380/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xbc/0x1d0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff9f3114887 RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887 RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001 RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00 </TASK> After git bisecting and digging into the code, I believe the root cause is that _deferred_list field of folio is unioned with _hugetlb_subpool field. In __update_and_free_hugetlb_folio(), folio->_deferred_ ---truncated--- En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mm/hugetlb: corrija DEBUG_LOCKS_WARN_ON(1) cuando dissolve_free_hugetlb_folio() Cuando hice pruebas de falla de memoria recientemente, aparece la siguiente advertencia: DEBUG_LOCKS_WARN_ON(1) ADVERTENCIA: CPU: 8 PID: 1011 en kernel/locking/lockdep.c:232 __lock_acquire+0xccb/0x1ca0 Módulos vinculados en: mce_inject hwpoison_inject CPU: 8 PID: 1011 Comm: bash Kdump: cargado No contaminado 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3 Hardware nombre: PC estándar QEMU (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 01/04/2014 RIP: 0010:__lock_acquire+0xccb/0x1ca0 RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082 RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8 RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0 RBP: 1c6865d3280 R08: fffffffb0f570a8 R09: 0000000000009ffb R10: 0000000000000286 R11: fffffffb0f2ad50 R12: ffffa1c6865d3d10 R13: ffffa1c6865d3c70 : 0000000000000000 R15: 0000000000000004 FS: 00007ff9f32aa740( 0000) GS:ffffa1ce5fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ff9f3134ba0 CR3: 00000008484e 4000 CR4: 00000000000006f0 Seguimiento de llamadas: lock_acquire+0xbe/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 hugepage_subpool_put_pages. part.0+0xe/0xc0 free_huge_folio+0x253/0x3f0 dissolve_free_huge_page+0x147/0x210 __page_handle_poison+0x9/0x70 Memory_failure+0x4e6/0x8c0 hard_offline_page_store+0x55/0xa0 kernfs_fop_write_iter+0x12c/ 0x1d0 vfs_write+0x380/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xbc /0x1d0 Entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff9f3114887 RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887 RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001 RBP: 0000564494164e10 00007ff9f31d1460 R09: 000000007fffffff R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00 Pánico del kernel: no se sincroniza: kernel: pánico_on_warn configurado... CPU: 8 PID: 1011 Comm: bash Kdump: cargado No contaminado 6.9 .0-rc3-next-20240410-00012-gdb69f219f4be #3 Nombre del hardware: PC estándar QEMU (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 01/04/2014 Llamada Seguimiento: pánico+0x326/0x350 check_panic_on_warn+0x4f/0x50 __warn+0x98/0x190 report_bug+0x18e/0x1a0 handle_bug+0x3d/0x70 exc_invalid_op+0x18/0x70 asm_exc_invalid_op+0x1a/0x20 RIP: 0010:__lock_adquirir+0xccb/0x1ca0 RSP : 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082 RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8 RDX: 00000000ffffffd8 RSI: 027 RDI: ffffa1ce5fc1c9c0 RBP: ffffa1c6865d3280 R08: fffffffb0f570a8 R09: 0000000000009ffb R10: 00000000000000286 R11: fffffffb0f2ad50 R12: ffffa1c6865d 3d10 R13: ffffa1c6865d3c70 R14: 0000000000000000 R15 : 0000000000000004 lock_acquire+0xbe/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 hugepage_subpool_put_pages.part.0+0xe/0xc0 free_huge_folio+0x253/0x3f0 dissolve_free_huge_page+0x147/0x210 __page_handle_ veneno+0x9/0x70 error_de_memoria+0x4e6/0x8c0 hard_offline_page_store+0x55/0xa0 kernfs_fop_write_iter+0x12c/ 0x1d0 vfs_write+0x380/0x540 ksys_write+0x64/0xe0 do_syscall_64+0xbc/0x1d0 Entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff9f3114887 RSP: 002b:00007ffecbacb4 58 EFLAGS: 00000246 ORIG_RAX: 00000000000000001 RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887 RDX: 000000000000000c RSI : 0000564494164e10 RDI: 0000000000000001 RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007ffffff R10: 0000000000000000 R11: 000000000000246 R12: 000000000000000c R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00 Después de que git divida e indague en el código, creo que la causa raíz es que el campo _deferred_list del folio está unido con el campo _hugetlb_subpool. En __update_and_free_hugetlb_folio(), folio->_deferred_ ---truncado--- • https://git.kernel.org/stable/c/1b4ce2952b4f33e198d5e993acff0611dff1e399 https://git.kernel.org/stable/c/32c877191e022b55fe3a374f3d7e9fb5741c514d https://git.kernel.org/stable/c/9a1a43a0e7e96911eaa00ad20b20f2edefb31d8a https://git.kernel.org/stable/c/2effe407f7563add41750fd7e03da4ea44b98099 https://git.kernel.org/stable/c/7e0a322877416e8c648819a8e441cf8c790b2cce https://git.kernel.org/stable/c/9c9b32d46afab2d911897914181c488954012300 https://git.kernel.org/stable/c/52ccdde16b6540abe43b6f8d8e1e1ec90b0983af https://access.redhat.com/security/cve/CVE-2024-36028 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •